/*
* hal.h
* ----------
* Memory map, access functions, and HAL for Cryptech cores.
*
* Authors: Joachim Strombergson, Paul Selkirk, Rob Austein
* Copyright (c) 2015-2017, NORDUnet A/S All rights reserved.
* Copyright: 2019-2020, The Commons Conservancy Cryptech Project
* SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _HAL_H_
#define _HAL_H_
#include <stdint.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>
/*
* A handy macro from cryptlib.
*/
#ifndef bitsToBytes
#define bitsToBytes(x) ((x) / 8)
#endif
/*
* Current name and version values for crypto cores.
*
* Should these even be here? Dunno.
* Should the versions be here even if the names should be?
*/
#define ALPHA_BOARD_NAME "ALPHA "
#define ALPHA_BOARD_VERSION "0.20"
#define FMC_INTERFACE_NAME "fmc "
#define FMC_INTERFACE_VERSION "0.20"
#define NOVENA_BOARD_NAME "PVT1 "
#define NOVENA_BOARD_VERSION "0.10"
#define EIM_INTERFACE_NAME "eim "
#define EIM_INTERFACE_VERSION "0.10"
#define I2C_INTERFACE_NAME "i2c "
#define I2C_INTERFACE_VERSION "0.10"
#define TRNG_NAME "trng "
#define TRNG_VERSION "0.51"
#define AVALANCHE_ENTROPY_NAME "extnoise"
#define AVALANCHE_ENTROPY_VERSION "0.10"
#define ROSC_ENTROPY_NAME "rosc ent"
#define ROSC_ENTROPY_VERSION "0.10"
#define RNG_MIXER_NAME "rngmixer"
#define RNG_MIXER_VERSION "0.50"
#define CSPRNG_NAME "csprng "
#define CSPRNG_VERSION "0.50"
#define SHA1_NAME "sha1 "
#define SHA1_VERSION "0.60"
#define SHA256_NAME "sha2-256"
#define SHA256_VERSION "1.82"
#define SHA512_NAME "sha2-512"
#define SHA512_VERSION "0.81"
#define AES_CORE_NAME "aes "
#define AES_CORE_VERSION "0.70"
#define CHACHA_NAME "chacha "
#define CHACHA_VERSION "0.80"
#define MODEXP_NAME "modexp"
#define MODEXP_VERSION "0.10"
#define MODEXPS6_NAME "modexps6"
#define MODEXPS6_VERSION "0.10"
#define MODEXPA7_NAME "modexpa7"
#define MODEXPA7_VERSION "0.25"
#define MODEXPNG_NAME "modexpng"
#define MODEXPNG_VERSION "0.10"
#define MKMIF_NAME "mkmif "
#define MKMIF_VERSION "0.10"
#define ECDSA256_NAME "ecdsa256"
#define ECDSA256_VERSION "0.20"
#define ECDSA384_NAME "ecdsa384"
#define ECDSA384_VERSION "0.20"
#define KEYWRAP_NAME "key wrap"
#define KEYWRAP_VERSION "0.70"
/*
* C API error codes. Defined in this form so we can keep the tokens
* and error strings together. See errorstrings.c.
*/
#define HAL_ERROR_LIST \
DEFINE_HAL_ERROR(HAL_OK, "No error") \
DEFINE_HAL_ERROR(HAL_ERROR_BAD_ARGUMENTS, "Bad arguments given") \
DEFINE_HAL_ERROR(HAL_ERROR_UNSUPPORTED_KEY, "Unsupported key type or key length") \
DEFINE_HAL_ERROR(HAL_ERROR_IO_SETUP_FAILED, "Could not set up I/O with FPGA") \
DEFINE_HAL_ERROR(HAL_ERROR_IO_TIMEOUT, "I/O with FPGA timed out") \
DEFINE_HAL_ERROR(HAL_ERROR_IO_UNEXPECTED, "Unexpected response from FPGA") \
DEFINE_HAL_ERROR(HAL_ERROR_IO_OS_ERROR, "Operating system error talking to FPGA") \
DEFINE_HAL_ERROR(HAL_ERROR_IO_BAD_COUNT, "Bad byte count") \
DEFINE_HAL_ERROR(HAL_ERROR_CSPRNG_BROKEN, "CSPRNG is returning nonsense") \
DEFINE_HAL_ERROR(HAL_ERROR_KEYWRAP_BAD_MAGIC, "Bad magic number while unwrapping key") \
DEFINE_HAL_ERROR(HAL_ERROR_KEYWRAP_BAD_LENGTH, "Length out of range while unwrapping key") \
DEFINE_HAL_ERROR(HAL_ERROR_KEYWRAP_BAD_PADDING, "Non-zero padding detected unwrapping key") \
DEFINE_HAL_ERROR(HAL_ERROR_IMPOSSIBLE, "\"Impossible\" error") \
DEFINE_HAL_ERROR(HAL_ERROR_ALLOCATION_FAILURE, "Memory allocation failed") \
DEFINE_HAL_ERROR(HAL_ERROR_RESULT_TOO_LONG, "Result too long for buffer") \
DEFINE_HAL_ERROR(HAL_ERROR_ASN1_PARSE_FAILED, "ASN.1 parse failed") \
DEFINE_HAL_ERROR(HAL_ERROR_KEY_NOT_ON_CURVE, "EC key is not on its purported curve") \
DEFINE_HAL_ERROR(HAL_ERROR_INVALID_SIGNATURE, "Invalid signature") \
DEFINE_HAL_ERROR(HAL_ERROR_CORE_NOT_FOUND, "Requested core not found") \
DEFINE_HAL_ERROR(HAL_ERROR_CORE_BUSY, "Requested core busy") \
DEFINE_HAL_ERROR(HAL_ERROR_KEYSTORE_ACCESS, "Could not access keystore") \
DEFINE_HAL_ERROR(HAL_ERROR_KEY_NOT_FOUND, "Key not found") \
DEFINE_HAL_ERROR(HAL_ERROR_KEY_NAME_IN_USE, "Key name in use") \
DEFINE_HAL_ERROR(HAL_ERROR_NO_KEY_SLOTS_AVAILABLE, "No key slots available") \
DEFINE_HAL_ERROR(HAL_ERROR_PIN_INCORRECT, "PIN incorrect") \
DEFINE_HAL_ERROR(HAL_ERROR_NO_CLIENT_SLOTS_AVAILABLE, "No client slots available") \
DEFINE_HAL_ERROR(HAL_ERROR_FORBIDDEN, "Forbidden") \
DEFINE_HAL_ERROR(HAL_ERROR_XDR_BUFFER_OVERFLOW, "XDR buffer overflow") \
DEFINE_HAL_ERROR(HAL_ERROR_RPC_TRANSPORT, "RPC transport error") \
DEFINE_HAL_ERROR(HAL_ERROR_RPC_PACKET_OVERFLOW, "RPC packet overflow") \
DEFINE_HAL_ERROR(HAL_ERROR_RPC_BAD_FUNCTION, "Bad RPC function number") \
DEFINE_HAL_ERROR(HAL_ERROR_KEY_NAME_TOO_LONG, "Key name too long") \
DEFINE_HAL_ERROR(HAL_ERROR_MASTERKEY_NOT_SET, "Master key (Key Encryption Key) not set") \
DEFINE_HAL_ERROR(HAL_ERROR_MASTERKEY_FAIL, "Master key generic failure") \
DEFINE_HAL_ERROR(HAL_ERROR_MASTERKEY_BAD_LENGTH, "Master key of unacceptable length") \
DEFINE_HAL_ERROR(HAL_ERROR_KS_DRIVER_NOT_FOUND, "Keystore driver not found") \
DEFINE_HAL_ERROR(HAL_ERROR_KEYSTORE_BAD_CRC, "Bad CRC in keystore") \
DEFINE_HAL_ERROR(HAL_ERROR_KEYSTORE_BAD_BLOCK_TYPE, "Unsupported keystore block type") \
DEFINE_HAL_ERROR(HAL_ERROR_KEYSTORE_LOST_DATA, "Keystore appears to have lost data") \
DEFINE_HAL_ERROR(HAL_ERROR_BAD_ATTRIBUTE_LENGTH, "Bad attribute length") \
DEFINE_HAL_ERROR(HAL_ERROR_ATTRIBUTE_NOT_FOUND, "Attribute not found") \
DEFINE_HAL_ERROR(HAL_ERROR_NO_KEY_INDEX_SLOTS, "No key index slots available") \
DEFINE_HAL_ERROR(HAL_ERROR_KS_INDEX_UUID_MISORDERED, "Key index UUID misordered") \
DEFINE_HAL_ERROR(HAL_ERROR_KEYSTORE_WRONG_BLOCK_TYPE, "Wrong block type in keystore") \
DEFINE_HAL_ERROR(HAL_ERROR_RPC_PROTOCOL_ERROR, "RPC protocol error") \
DEFINE_HAL_ERROR(HAL_ERROR_NOT_IMPLEMENTED, "Not implemented") \
DEFINE_HAL_ERROR(HAL_ERROR_CORE_REASSIGNED, "Core has been reassigned since last use") \
DEFINE_HAL_ERROR(HAL_ERROR_ASSERTION_FAILED, "Assertion failed") \
DEFINE_HAL_ERROR(HAL_ERROR_HASHSIG_KEY_EXHAUSTED, "Key exhausted") \
DEFINE_HAL_ERROR(HAL_ERROR_NOT_READY, "Not ready for this operation") \
END_OF_HAL_ERROR_LIST
/* Marker to forestall silly line continuation errors */
#define END_OF_HAL_ERROR_LIST
/* Define the error code enum here. See errorstrings.c for the text strings. */
#define DEFINE_HAL_ERROR(_code_,_text_) _code_,
typedef enum { HAL_ERROR_LIST N_HAL_ERRORS } hal_error_t;
#undef DEFINE_HAL_ERROR
/*
* Error translation.
*/
extern const char *hal_error_string(const hal_error_t err);
/*
* Very low level public API for working directly with crypto cores.
*/
/*
* Typedef to isolate code from our current choice of representation
* for a Cryptech bus address.
*/
typedef off_t hal_addr_t;
/*
* Opaque structure representing a core.
*/
typedef struct hal_core hal_core_t;
/*
* Public I/O functions.
*/
extern void hal_io_set_debug(int onoff);
extern hal_error_t hal_io_write(const hal_core_t *core, hal_addr_t offset, const uint8_t *buf, size_t len);
extern hal_error_t hal_io_read(const hal_core_t *core, hal_addr_t offset, uint8_t *buf, size_t len);
extern hal_error_t hal_io_wait(const hal_core_t *core, const uint8_t status, int *count);
extern hal_error_t hal_io_wait2(const hal_core_t *core1, const hal_core_t *core2, const uint8_t status, int *count);
/*
* Core management functions.
*
* Given our druthers, we'd handle public information about a core
* using the opaque type and individual access methods, but C's
* insistence on discarding array bounds information makes
* non-delimited character arrays problematic unless we wrap them in a
* structure.
*
* For performance reasons, we promise that the hal_core_info_t will
* be the first element of hal_core_t, so that we can convert between
* them using inline functions without completely exposing hal_core_t.
* This is icky, but hal_core_base() gets called a lot during I/O, so
* it's worth a bit of ick to eliminate some function call overhead.
*/
typedef struct {
char name[8];
char version[4];
hal_addr_t base;
} hal_core_info_t;
typedef uint32_t hal_core_lru_t;
static inline const hal_core_info_t *hal_core_info(const hal_core_t *core)
{
return (const hal_core_info_t *) core;
}
static inline hal_addr_t hal_core_base(const hal_core_t *core)
{
return core == NULL ? 0 : hal_core_info(core)->base;
}
extern hal_core_t *hal_core_find(const char *name, hal_core_t *core);
extern hal_core_t *hal_core_iterate(hal_core_t *core);
extern void hal_core_reset_table(void);
extern hal_error_t hal_core_alloc(const char *name, hal_core_t **core, hal_core_lru_t *pomace);
extern hal_error_t hal_core_alloc2(const char *name1, hal_core_t **core1, hal_core_lru_t *pomace1,
const char *name2, hal_core_t **core2, hal_core_lru_t *pomace2);
extern void hal_core_free(hal_core_t *core);
/*
* Slightly higher level public API, still working directly with cores.
*/
/*
* Get random bytes from the CSPRNG.
*/
extern hal_error_t hal_get_random(hal_core_t *core, void *buffer, const size_t length);
/*
* Hash and HMAC API.
*/
/*
* Opaque driver structure for digest algorithms.
*/
typedef struct hal_hash_driver hal_hash_driver_t;
/*
* Public information about a digest algorithm.
*
* The _state_length values in the descriptor and the typed opaque
* pointers in the API are all intended to hide internal details of
* the implementation while making memory allocation the caller's
* problem.
*/
typedef enum {
HAL_DIGEST_ALGORITHM_NONE,
HAL_DIGEST_ALGORITHM_SHA1,
HAL_DIGEST_ALGORITHM_SHA224,
HAL_DIGEST_ALGORITHM_SHA256,
HAL_DIGEST_ALGORITHM_SHA512_224,
HAL_DIGEST_ALGORITHM_SHA512_256,
HAL_DIGEST_ALGORITHM_SHA384,
HAL_DIGEST_ALGORITHM_SHA512
} hal_digest_algorithm_t;
typedef struct {
hal_digest_algorithm_t digest_algorithm;
size_t block_length;
size_t digest_length;
size_t hash_state_length;
size_t hmac_state_length;
const uint8_t * const digest_algorithm_id;
size_t digest_algorithm_id_length;
const hal_hash_driver_t *driver;
char core_name[8];
unsigned can_restore_state : 1;
} hal_hash_descriptor_t;
/*
* Opaque structures for internal state.
*/
typedef struct hal_hash_state hal_hash_state_t;
typedef struct hal_hmac_state hal_hmac_state_t;
/*
* Supported digest algorithms. These are one-element arrays so that
* they can be used as constant pointers.
*/
extern const hal_hash_descriptor_t hal_hash_sha1[1];
extern const hal_hash_descriptor_t hal_hash_sha224[1];
extern const hal_hash_descriptor_t hal_hash_sha256[1];
extern const hal_hash_descriptor_t hal_hash_sha512_224[1];
extern const hal_hash_descriptor_t hal_hash_sha512_256[1];
extern const hal_hash_descriptor_t hal_hash_sha384[1];
extern const hal_hash_descriptor_t hal_hash_sha512[1];
/*
* Hash and HMAC functions.
*/
extern void hal_hash_set_debug(int onoff);
extern hal_error_t hal_hash_initialize(hal_core_t *core,
const hal_hash_descriptor_t * const descriptor,
hal_hash_state_t **state,
void *state_buffer, const size_t state_length);
extern hal_error_t hal_hash_update(hal_hash_state_t *state,
const uint8_t * data, const size_t length);
extern hal_error_t hal_hash_finalize(hal_hash_state_t *state,
uint8_t *digest, const size_t length);
extern hal_error_t hal_hmac_initialize(hal_core_t *core,
const hal_hash_descriptor_t * const descriptor,
hal_hmac_state_t **state,
void *state_buffer, const size_t state_length,
const uint8_t * const key, const size_t key_length);
extern hal_error_t hal_hmac_update(hal_hmac_state_t *state,
const uint8_t * data, const size_t length);
extern hal_error_t hal_hmac_finalize(hal_hmac_state_t *state,
uint8_t *hmac, const size_t length);
extern void hal_hash_cleanup(hal_hash_state_t **state);
extern void hal_hmac_cleanup(hal_hmac_state_t **state);
extern const hal_hash_descriptor_t *hal_hash_get_descriptor(const hal_hash_state_t * const state);
extern const hal_hash_descriptor_t *hal_hmac_get_descriptor(const hal_hmac_state_t * const state);
/*
* AES key wrap functions.
*/
extern int hal_aes_use_keywrap_core(int onoff);
extern hal_error_t hal_aes_keywrap(hal_core_t *core,
const uint8_t *kek, const size_t kek_length,
const uint8_t *plaintext, const size_t plaintext_length,
uint8_t *cyphertext, size_t *ciphertext_length);
extern hal_error_t hal_aes_keyunwrap(hal_core_t *core,
const uint8_t *kek, const size_t kek_length,
const uint8_t *ciphertext, const size_t ciphertext_length,
uint8_t *plaintext, size_t *plaintext_length);
extern size_t hal_aes_keywrap_ciphertext_length(const size_t plaintext_length);
/*
* PBKDF2 function. Uses HMAC with the specified digest algorithm as
* the pseudo-random function (PRF).
*/
extern hal_error_t hal_pbkdf2(hal_core_t *core,
const hal_hash_descriptor_t * const descriptor,
const uint8_t * const password, const size_t password_length,
const uint8_t * const salt, const size_t salt_length,
uint8_t * derived_key, const size_t derived_key_length,
unsigned iterations_desired);
/*
* Modular exponentiation. This takes a ridiculous number of
* arguments of very similar types, making it easy to confuse them,
* particularly when performing two modexp operations in parallel, so
* we encapsulate the arguments in a structure.
*/
typedef struct {
hal_core_t *core;
const uint8_t *msg; size_t msg_len; /* Message */
const uint8_t *exp; size_t exp_len; /* Exponent */
const uint8_t *mod; size_t mod_len; /* Modulus */
uint8_t *result; size_t result_len; /* Result of exponentiation */
uint8_t *coeff; size_t coeff_len; /* Modulus coefficient (r/w) */
uint8_t *mont; size_t mont_len; /* Montgomery factor (r/w)*/
} hal_modexp_arg_t;
extern void hal_modexp_set_debug(const int onoff);
extern hal_error_t hal_modexp( const int precalc, hal_modexp_arg_t *args);
extern hal_error_t hal_modexp2(const int precalc, hal_modexp_arg_t *args1, hal_modexp_arg_t *args2);
/* ModExpNG extensions */
typedef struct {
hal_core_t *core;
const uint8_t *msg; size_t msg_len; /* Message */
const uint8_t *exp; size_t exp_len; /* Exponent */
const uint8_t *mod; size_t mod_len; /* Modulus */
uint8_t *result; size_t result_len; /* Result of exponentiation */
uint8_t *coeff; size_t coeff_len; /* Modulus coefficient (r/w) */
uint8_t *mont; size_t mont_len; /* Montgomery factor (r/w)*/
uint8_t *p; size_t p_len;
uint8_t *pC; size_t pC_len;
uint8_t *pF; size_t pF_len;
uint8_t *q; size_t q_len;
uint8_t *qC; size_t qC_len;
uint8_t *qF; size_t qF_len;
uint8_t *dP; size_t dP_len;
uint8_t *dQ; size_t dQ_len;
uint8_t *qInv; size_t qInv_len;
uint8_t *bf; size_t bf_len;
uint8_t *ubf; size_t ubf_len;
} hal_modexpng_arg_t;
extern hal_error_t hal_modexp_use_modexpng(const int onoff);
extern int hal_modexp_using_modexpng(void);
extern hal_error_t hal_modexpng(hal_modexpng_arg_t *a);
/*
* Master Key Memory Interface
*/
extern hal_error_t hal_mkmif_init(hal_core_t *core);
extern hal_error_t hal_mkmif_set_clockspeed(hal_core_t *core, const uint32_t divisor);
extern hal_error_t hal_mkmif_get_clockspeed(hal_core_t *core, uint32_t *divisor);
extern hal_error_t hal_mkmif_write(hal_core_t *core, uint32_t addr, const uint8_t *buf, size_t len);
extern hal_error_t hal_mkmif_write_word(hal_core_t *core, uint32_t addr, const uint32_t data);
extern hal_error_t hal_mkmif_read(hal_core_t *core, uint32_t addr, uint8_t *buf, size_t len);
extern hal_error_t hal_mkmif_read_word(hal_core_t *core, uint32_t addr, uint32_t *data);
/*
* Key types and curves, used in various places.
*/
typedef enum {
HAL_KEY_TYPE_NONE = 0,
HAL_KEY_TYPE_RSA_PRIVATE,
HAL_KEY_TYPE_RSA_PUBLIC,
HAL_KEY_TYPE_EC_PRIVATE,
HAL_KEY_TYPE_EC_PUBLIC,
HAL_KEY_TYPE_HASHSIG_PRIVATE,
HAL_KEY_TYPE_HASHSIG_PUBLIC,
HAL_KEY_TYPE_HASHSIG_LMS,
HAL_KEY_TYPE_HASHSIG_LMOTS,
} hal_key_type_t;
typedef enum {
HAL_CURVE_NONE,
HAL_CURVE_P256,
HAL_CURVE_P384,
HAL_CURVE_P521
} hal_curve_name_t;
/*
* RSA.
*/
typedef struct hal_rsa_key hal_rsa_key_t;
extern const size_t hal_rsa_key_t_size;
extern void hal_rsa_set_debug(const int onoff);
extern void hal_rsa_set_blinding(const int onoff);
extern void hal_rsa_clear_blinding_cache(void);
extern void hal_rsa_set_crt(const int onoff);
extern hal_error_t hal_rsa_key_load_private(hal_rsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const uint8_t * const n, const size_t n_len,
const uint8_t * const e, const size_t e_len,
const uint8_t * const d, const size_t d_len,
const uint8_t * const p, const size_t p_len,
const uint8_t * const q, const size_t q_len,
const uint8_t * const u, const size_t u_len,
const uint8_t * const dP, const size_t dP_len,
const uint8_t * const dQ, const size_t dQ_len);
extern hal_error_t hal_rsa_key_load_public(hal_rsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const uint8_t * const n, const size_t n_len,
const uint8_t * const e, const size_t e_len);
extern hal_error_t hal_rsa_key_get_type(const hal_rsa_key_t * const key,
hal_key_type_t *key_type);
extern hal_error_t hal_rsa_key_get_modulus(const hal_rsa_key_t * const key,
uint8_t *modulus,
size_t *modulus_len,
const size_t modulus_max);
extern hal_error_t hal_rsa_key_get_public_exponent(const hal_rsa_key_t * const key,
uint8_t *public_exponent,
size_t *public_exponent_len,
const size_t public_exponent_max);
extern void hal_rsa_key_clear(hal_rsa_key_t *key);
extern hal_error_t hal_rsa_encrypt(hal_core_t *core,
hal_rsa_key_t *key,
const uint8_t * const input, const size_t input_len,
uint8_t * output, const size_t output_len);
extern hal_error_t hal_rsa_decrypt(hal_core_t *core1,
hal_core_t *core2,
hal_rsa_key_t *key,
const uint8_t * const input, const size_t input_len,
uint8_t * output, const size_t output_len);
extern hal_error_t hal_rsa_key_gen(hal_core_t *core,
hal_rsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const unsigned key_length,
const uint8_t * const public_exponent, const size_t public_exponent_len);
extern hal_error_t hal_rsa_private_key_to_der(const hal_rsa_key_t * const key,
uint8_t *der, size_t *der_len, const size_t der_max);
extern hal_error_t hal_rsa_private_key_to_der_extra(const hal_rsa_key_t * const key,
uint8_t *der, size_t *der_len, const size_t der_max);
extern hal_error_t hal_rsa_private_key_from_der(hal_rsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const uint8_t * const der, const size_t der_len);
extern hal_error_t hal_rsa_public_key_to_der(const hal_rsa_key_t * const key,
uint8_t *der, size_t *der_len, const size_t der_max);
extern size_t hal_rsa_public_key_to_der_len(const hal_rsa_key_t * const key);
extern hal_error_t hal_rsa_public_key_from_der(hal_rsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const uint8_t * const der, const size_t der_len);
extern int hal_rsa_key_needs_saving(const hal_rsa_key_t * const key);
static inline size_t hal_rsa_private_key_to_der_len(const hal_rsa_key_t * const key)
{
size_t len = 0;
return hal_rsa_private_key_to_der(key, NULL, &len, 0) == HAL_OK ? len : 0;
}
static inline size_t hal_rsa_private_key_to_der_extra_len(const hal_rsa_key_t * const key)
{
size_t len = 0;
return hal_rsa_private_key_to_der_extra(key, NULL, &len, 0) == HAL_OK ? len : 0;
}
/*
* ECDSA.
*/
typedef struct hal_ecdsa_key hal_ecdsa_key_t;
extern const size_t hal_ecdsa_key_t_size;
extern void hal_ecdsa_set_debug(const int onoff);
extern hal_error_t hal_ecdsa_oid_to_curve(hal_curve_name_t *curve,
const uint8_t * const oid,
const size_t oid_len);
extern hal_error_t hal_ecdsa_key_load_private(hal_ecdsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const hal_curve_name_t curve,
const uint8_t * const x, const size_t x_len,
const uint8_t * const y, const size_t y_len,
const uint8_t * const d, const size_t d_len);
extern hal_error_t hal_ecdsa_key_load_public(hal_ecdsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const hal_curve_name_t curve,
const uint8_t * const x, const size_t x_len,
const uint8_t * const y, const size_t y_len);
extern hal_error_t hal_ecdsa_key_get_type(const hal_ecdsa_key_t * const key,
hal_key_type_t *key_type);
extern hal_error_t hal_ecdsa_key_get_curve(const hal_ecdsa_key_t * const key,
hal_curve_name_t *curve);
extern hal_error_t hal_ecdsa_key_get_public(const hal_ecdsa_key_t * const key,
uint8_t *x, size_t *x_len, const size_t x_max,
uint8_t *y, size_t *y_len, const size_t y_max);
extern void hal_ecdsa_key_clear(hal_ecdsa_key_t *key);
extern hal_error_t hal_ecdsa_key_gen(hal_core_t *core,
hal_ecdsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const hal_curve_name_t curve);
extern hal_error_t hal_ecdsa_private_key_to_der(const hal_ecdsa_key_t * const key,
uint8_t *der, size_t *der_len, const size_t der_max);
extern size_t hal_ecdsa_private_key_to_der_len(const hal_ecdsa_key_t * const key);
extern hal_error_t hal_ecdsa_private_key_from_der(hal_ecdsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const uint8_t * const der, const size_t der_len);
extern hal_error_t hal_ecdsa_public_key_to_der(const hal_ecdsa_key_t * const key,
uint8_t *der, size_t *der_len, const size_t der_max);
extern size_t hal_ecdsa_public_key_to_der_len(const hal_ecdsa_key_t * const key);
extern hal_error_t hal_ecdsa_public_key_from_der(hal_ecdsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const uint8_t * const der, const size_t der_len);
extern hal_error_t hal_ecdsa_key_to_ecpoint(const hal_ecdsa_key_t * const key,
uint8_t *der, size_t *der_len, const size_t der_max);
extern size_t hal_ecdsa_key_to_ecpoint_len(const hal_ecdsa_key_t * const key);
extern hal_error_t hal_ecdsa_key_from_ecpoint(hal_ecdsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const uint8_t * const der, const size_t der_len,
const hal_curve_name_t curve);
extern hal_error_t hal_ecdsa_sign(hal_core_t *core,
const hal_ecdsa_key_t * const key,
const uint8_t * const hash, const size_t hash_len,
uint8_t *signature, size_t *signature_len, const size_t signature_max);
extern hal_error_t hal_ecdsa_verify(hal_core_t *core,
const hal_ecdsa_key_t * const key,
const uint8_t * const hash, const size_t hash_len,
const uint8_t * const signature, const size_t signature_len);
/*
* UUID stuff. All UUIDs we use (or are likely to use) are type 4 "random" UUIDs
*/
typedef struct { uint8_t uuid[16]; } hal_uuid_t;
#define HAL_UUID_TEXT_SIZE (sizeof("00112233-4455-6677-8899-aabbccddeeff"))
static inline int hal_uuid_cmp(const hal_uuid_t * const a, const hal_uuid_t * const b)
{
return memcmp(a, b, sizeof(hal_uuid_t));
}
extern hal_error_t hal_uuid_gen(hal_uuid_t *uuid);
extern hal_error_t hal_uuid_parse(hal_uuid_t *uuid, const char * const string);
extern hal_error_t hal_uuid_format(const hal_uuid_t * const uuid,
char *buffer, const size_t buffer_len);
/*
* Higher level RPC-based mechanism for working with HSM at arm's
* length, using handles instead of direct access to the cores.
*
* Session handles are pretty much as in PKCS #11: from our viewpoint,
* a session is a lock-step stream of operations, so while operations
* from different sessions can interleave, operations within a single
* session cannot.
*
* Client handles are a small extension to the PKCS #11 model,
* intended to support multiple PKCS #11 using applications sharing a
* single HSM. Technically, sessions are per-client, but in practice
* there's no sane reason why we'd use the same session handle
* concurrently in multiple clients. Mostly, the client abstraction
* is to handle login and logout against the HSM's PIN. Clients add
* nothing whatsoever to the security model (the HSM has no way of
* knowing whether the host is lumping multiple applications into a
* single "client"), the point of the exercise is just to make the
* C_Login()/C_Logout() semantics work as expected in the presence of
* multiple applications.
*
* NB: Unlike the other handles used in this protocol, session and
* client handles are created by the client (host) side of the RPC
* mechanism, not the server (HSM) side.
*/
#define HAL_HANDLE_NONE (0)
typedef struct { uint32_t handle; } hal_client_handle_t;
typedef struct { uint32_t handle; } hal_session_handle_t;
typedef enum { HAL_USER_NONE, HAL_USER_NORMAL, HAL_USER_SO, HAL_USER_WHEEL } hal_user_t;
extern const size_t hal_rpc_min_pin_length;
extern const size_t hal_rpc_max_pin_length;
extern hal_error_t hal_rpc_set_pin(const hal_client_handle_t client,
const hal_user_t user,
const char * const newpin, const size_t newpin_len);
extern hal_error_t hal_rpc_login(const hal_client_handle_t client,
const hal_user_t user,
const char * const pin, const size_t pin_len);
extern hal_error_t hal_rpc_logout(const hal_client_handle_t client);
extern hal_error_t hal_rpc_logout_all(void);
extern hal_error_t hal_rpc_is_logged_in(const hal_client_handle_t client,
const hal_user_t user);
/*
* Get the version number of the remote RPC server.
*/
extern hal_error_t hal_rpc_get_version(uint32_t *version);
/*
* Get random bytes.
*/
extern hal_error_t hal_rpc_get_random(void *buffer, const size_t length);
/*
* Combined hash and HMAC functions: pass NULL key for plain hashing.
*/
typedef struct { uint32_t handle; } hal_hash_handle_t;
extern const hal_hash_handle_t hal_hash_handle_none;
extern hal_error_t hal_rpc_hash_get_digest_length(const hal_digest_algorithm_t alg, size_t *length);
extern hal_error_t hal_rpc_hash_get_digest_algorithm_id(const hal_digest_algorithm_t alg,
uint8_t *id, size_t *len, const size_t len_max);
extern hal_error_t hal_rpc_hash_get_algorithm(const hal_hash_handle_t hash, hal_digest_algorithm_t *alg);
/*
* Once started, a hash or HMAC operation is bound to a particular
* session, so we only need the client and session arguments to initialize.
*/
extern hal_error_t hal_rpc_hash_initialize(const hal_client_handle_t client,
const hal_session_handle_t session,
hal_hash_handle_t *hash,
const hal_digest_algorithm_t alg,
const uint8_t * const key, const size_t key_length);
extern hal_error_t hal_rpc_hash_update(const hal_hash_handle_t hash,
const uint8_t * data, const size_t length);
extern hal_error_t hal_rpc_hash_finalize(const hal_hash_handle_t hash,
uint8_t *digest, const size_t length);
/*
* Public key functions.
*
* The _sign() and _verify() methods accept a hash OR an input string;
* either "hash" should be hal_hash_handle_none or input should be NULL,
* but not both.
*
* Use of client and session handles here needs a bit more thought.
*
* Client handles are straightforward: basically, anything that
* creates a new pkey handle should take a client handle, which should
* suffice, as object handles never cross clients.
*
* Session handles are more interesting, as PKCS #11's versions of
* session and object handles do in effect allow one session to hand
* an object handle to another session. So any action which can do
* significant work (ie, which is complicated enough that we can't
* guarantee an immediate response) needs to take a session handle.
*
* There will probably be a few cases where a session handle isn't
* strictly required but we ask for one anyway because the API turns
* out to be easier to understand that way (eg, we probably want to
* ask for a session handle anywhere we ask for a client handle,
* whether we need the session handle or not, so that users of this
* API don't have to remember which pkey-handle-creating calls require
* a session handle and which ones don't...).
*/
typedef struct { uint32_t handle; } hal_pkey_handle_t;
typedef uint32_t hal_key_flags_t;
#define HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE (1 << 0)
#define HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT (1 << 1)
#define HAL_KEY_FLAG_USAGE_DATAENCIPHERMENT (1 << 2)
#define HAL_KEY_FLAG_TOKEN (1 << 3)
#define HAL_KEY_FLAG_PUBLIC (1 << 4)
#define HAL_KEY_FLAG_EXPORTABLE (1 << 5)
/*
* hal_pkey_attribute_t.length would be size_t, except that we also
* need it to transport HAL_PKEY_ATTRIBUTE_NIL safely, which we can
* only do with a known-width type. The RPC code conveys size_t as a
* uint32_t in any case, so we just use that here and have done.
*/
typedef struct {
uint32_t type;
uint32_t length;
const void *value;
} hal_pkey_attribute_t;
#define HAL_PKEY_ATTRIBUTE_NIL (0xFFFFFFFF)
extern hal_error_t hal_rpc_pkey_load(const hal_client_handle_t client,
const hal_session_handle_t session,
hal_pkey_handle_t *pkey,
hal_uuid_t *name,
const uint8_t * const der, const size_t der_len,
const hal_key_flags_t flags);
extern hal_error_t hal_rpc_pkey_open(const hal_client_handle_t client,
const hal_session_handle_t session,
hal_pkey_handle_t *pkey,
const hal_uuid_t * const name);
extern hal_error_t hal_rpc_pkey_generate_rsa(const hal_client_handle_t client,
const hal_session_handle_t session,
hal_pkey_handle_t *pkey,
hal_uuid_t *name,
const unsigned key_length,
const uint8_t * const public_exponent, const size_t public_exponent_len,
const hal_key_flags_t flags);
extern hal_error_t hal_rpc_pkey_generate_ec(const hal_client_handle_t client,
const hal_session_handle_t session,
hal_pkey_handle_t *pkey,
hal_uuid_t *name,
const hal_curve_name_t curve,
const hal_key_flags_t flags);
typedef enum hal_lmots_algorithm_type hal_lmots_algorithm_t;
typedef enum hal_lms_algorithm_type hal_lms_algorithm_t;
extern hal_error_t hal_rpc_pkey_generate_hashsig(const hal_client_handle_t client,
const hal_session_handle_t session,
hal_pkey_handle_t *pkey,
hal_uuid_t *name,
const size_t hss_levels,
const hal_lms_algorithm_t lms_type,
const hal_lmots_algorithm_t lmots_type,
const hal_key_flags_t flags);
extern hal_error_t hal_rpc_pkey_close(const hal_pkey_handle_t pkey);
extern hal_error_t hal_rpc_pkey_delete(const hal_pkey_handle_t pkey);
extern hal_error_t hal_rpc_pkey_get_key_type(const hal_pkey_handle_t pkey,
hal_key_type_t *type);
extern hal_error_t hal_rpc_pkey_get_key_curve(const hal_pkey_handle_t pkey,
hal_curve_name_t *curve);
extern hal_error_t hal_rpc_pkey_get_key_flags(const hal_pkey_handle_t pkey,
hal_key_flags_t *flags);
extern size_t hal_rpc_pkey_get_public_key_len(const hal_pkey_handle_t pkey);
extern hal_error_t hal_rpc_pkey_get_public_key(const hal_pkey_handle_t pkey,
uint8_t *der, size_t *der_len, const size_t der_max);
extern hal_error_t hal_rpc_pkey_sign(const hal_pkey_handle_t pkey,
const hal_hash_handle_t hash,
const uint8_t * const input, const size_t input_len,
uint8_t * signature, size_t *signature_len, const size_t signature_max);
extern hal_error_t hal_rpc_pkey_verify(const hal_pkey_handle_t pkey,
const hal_hash_handle_t hash,
const uint8_t * const input, const size_t input_len,
const uint8_t * const signature, const size_t signature_len);
extern hal_error_t hal_rpc_pkey_match(const hal_client_handle_t client,
const hal_session_handle_t session,
const hal_key_type_t type,
const hal_curve_name_t curve,
const hal_key_flags_t mask,
const hal_key_flags_t flags,
const hal_pkey_attribute_t *attributes,
const unsigned attributes_len,
unsigned *state,
hal_uuid_t *result,
unsigned *result_len,
const unsigned result_max,
const hal_uuid_t * const previous_uuid);
extern hal_error_t hal_rpc_pkey_set_attributes(const hal_pkey_handle_t pkey,
const hal_pkey_attribute_t *const attributes,
const unsigned attributes_len);
extern hal_error_t hal_rpc_pkey_get_attributes(const hal_pkey_handle_t pkey,
hal_pkey_attribute_t *attributes,
const unsigned attributes_len,
uint8_t *attributes_buffer,
const size_t attributes_buffer_len);
extern hal_error_t hal_rpc_pkey_export(const hal_pkey_handle_t pkey,
const hal_pkey_handle_t kekek,
uint8_t *pkcs8, size_t *pkcs8_len, const size_t pkcs8_max,
uint8_t *kek, size_t *kek_len, const size_t kek_max);
extern hal_error_t hal_rpc_pkey_import(const hal_client_handle_t client,
const hal_session_handle_t session,
hal_pkey_handle_t *pkey,
hal_uuid_t *name,
const hal_pkey_handle_t kekek,
const uint8_t * const pkcs8, const size_t pkcs8_len,
const uint8_t * const kek, const size_t kek_len,
const hal_key_flags_t flags);
extern hal_error_t hal_rpc_client_init(void);
extern hal_error_t hal_rpc_client_close(void);
extern hal_error_t hal_rpc_server_init(void);
extern hal_error_t hal_rpc_server_close(void);
extern hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ilen,
uint8_t * const obuf, size_t * const olen);
/*
* Hash-Based Signatures.
*
* This really ought to be up with RSA and ECDSA, but it has forward
* references to hal_key_flags_t and hal_uuid_t.
*/
enum hal_lmots_algorithm_type {
HAL_LMOTS_RESERVED = 0,
HAL_LMOTS_SHA256_N32_W1 = 1,
HAL_LMOTS_SHA256_N32_W2 = 2,
HAL_LMOTS_SHA256_N32_W4 = 3,
HAL_LMOTS_SHA256_N32_W8 = 4
};
enum hal_lms_algorithm_type {
HAL_LMS_RESERVED = 0,
HAL_LMS_SHA256_N32_H5 = 5,
HAL_LMS_SHA256_N32_H10 = 6,
HAL_LMS_SHA256_N32_H15 = 7,
HAL_LMS_SHA256_N32_H20 = 8,
HAL_LMS_SHA256_N32_H25 = 9
};
typedef struct hal_hashsig_key hal_hashsig_key_t;
extern const size_t hal_hashsig_key_t_size;
extern hal_error_t hal_hashsig_key_gen(hal_core_t *core,
hal_hashsig_key_t **key_,
void *keybuf, const size_t keybuf_len,
const size_t hss_levels,
const hal_lms_algorithm_t lms_type,
const hal_lmots_algorithm_t lmots_type,
const hal_key_flags_t flags);
extern hal_error_t hal_hashsig_delete(const hal_uuid_t * const name);
extern hal_error_t hal_hashsig_private_key_to_der(const hal_hashsig_key_t * const key,
uint8_t *der, size_t *der_len, const size_t der_max);
extern size_t hal_hashsig_private_key_to_der_len(const hal_hashsig_key_t * const key);
extern hal_error_t hal_hashsig_private_key_from_der(hal_hashsig_key_t **key_,
void *keybuf, const size_t keybuf_len,
const uint8_t *der, const size_t der_len);
extern hal_error_t hal_hashsig_public_key_to_der(const hal_hashsig_key_t * const key,
uint8_t *der, size_t *der_len, const size_t der_max);
extern size_t hal_hashsig_public_key_to_der_len(const hal_hashsig_key_t * const key);
extern hal_error_t hal_hashsig_public_key_from_der(hal_hashsig_key_t **key,
void *keybuf, const size_t keybuf_len,
const uint8_t * const der, const size_t der_len);
extern hal_error_t hal_hashsig_sign(hal_core_t *core,
const hal_hashsig_key_t * const key,
const uint8_t * const hash, const size_t hash_len,
uint8_t *sig, size_t *sig_len, const size_t sig_max);
extern hal_error_t hal_hashsig_verify(hal_core_t *core,
const hal_hashsig_key_t * const key,
const uint8_t * const hash, const size_t hash_len,
const uint8_t * const sig, const size_t sig_len);
extern hal_error_t hal_hashsig_key_load_public(hal_hashsig_key_t **key_,
void *keybuf, const size_t keybuf_len,
const size_t L,
const hal_lms_algorithm_t lms_type,
const hal_lmots_algorithm_t lmots_type,
const uint8_t * const I, const size_t I_len,
const uint8_t * const T1, const size_t T1_len);
extern hal_error_t hal_hashsig_key_load_public_xdr(hal_hashsig_key_t **key_,
void *keybuf, const size_t keybuf_len,
const uint8_t * const xdr, const size_t xdr_len);
extern size_t hal_hashsig_signature_len(const size_t L,
const hal_lms_algorithm_t lms_type,
const hal_lmots_algorithm_t lmots_type);
extern size_t hal_hashsig_lmots_private_key_len(const hal_lmots_algorithm_t lmots_type);
extern hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const size_t der_len,
uint8_t * const xdr, size_t * const xdr_len , const size_t xdr_max);
extern hal_error_t hal_hashsig_ks_init(void);
extern hal_error_t hal_hashsig_export(const hal_uuid_t * const name,
uint8_t *der, size_t *der_len, const size_t der_max);
extern hal_error_t hal_hashsig_import(const uint8_t *der, const size_t der_len,
const hal_key_flags_t flags);
#endif /* _HAL_H_ */
/*
* Local variables:
* indent-tabs-mode: nil
* End:
*/