diff options
author | Rob Austein <sra@hactrn.net> | 2016-05-14 02:59:32 -0400 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2016-05-14 02:59:32 -0400 |
commit | 598e75956634f33ede687da796d5b6c583048a5e (patch) | |
tree | a62d1c9dbe2ea1d559be3d7ec80fb4d6a4f3e193 | |
parent | a0d2fb9dd44af6315f4373956655bb665f86b774 (diff) |
Add mixed-mode key support, for PKCS #11 "session" (ie, not "token") keys.
-rw-r--r-- | hal.h | 7 | ||||
-rw-r--r-- | hal_internal.h | 35 | ||||
-rw-r--r-- | rpc_api.c | 10 | ||||
-rw-r--r-- | rpc_client.c | 281 | ||||
-rw-r--r-- | rpc_hash.c | 7 | ||||
-rw-r--r-- | rpc_misc.c | 8 | ||||
-rw-r--r-- | rpc_pkey.c | 30 | ||||
-rw-r--r-- | rpc_server.c | 8 |
8 files changed, 303 insertions, 83 deletions
@@ -648,6 +648,7 @@ typedef uint32_t hal_key_flags_t; #define HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE (1 << 0) #define HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT (1 << 1) #define HAL_KEY_FLAG_USAGE_DATAENCIPHERMENT (1 << 2) +#define HAL_KEY_FLAG_PROXIMATE (1 << 3) extern hal_error_t hal_rpc_pkey_load(const hal_client_handle_t client, const hal_session_handle_t session, @@ -662,7 +663,8 @@ extern hal_error_t hal_rpc_pkey_find(const hal_client_handle_t client, const hal_session_handle_t session, hal_pkey_handle_t *pkey, const hal_key_type_t type, - const uint8_t * const name, const size_t name_len); + const uint8_t * const name, const size_t name_len, + const hal_key_flags_t flags); extern hal_error_t hal_rpc_pkey_generate_rsa(const hal_client_handle_t client, const hal_session_handle_t session, @@ -717,7 +719,8 @@ typedef struct { extern hal_error_t hal_rpc_pkey_list(hal_pkey_info_t *result, unsigned *result_len, - const unsigned result_max); + const unsigned result_max, + hal_key_flags_t flags); extern hal_error_t hal_rpc_client_init(void); extern hal_error_t hal_rpc_client_close(void); diff --git a/hal_internal.h b/hal_internal.h index 8c0b0bc..c460ed8 100644 --- a/hal_internal.h +++ b/hal_internal.h @@ -40,6 +40,12 @@ #include "verilog_constants.h" /* + * Everything in this file is part of the internal API, that is, + * subject to change without notice. Nothing outside of libhal itself + * should be looking at this file. + */ + +/* * Longest hash block and digest we support at the moment. */ @@ -47,12 +53,6 @@ #define HAL_MAX_HASH_DIGEST_LENGTH SHA512_DIGEST_LEN /* - * Everything in this file is part of the internal API, that is, - * subject to change without notice. Nothing outside of libhal itself - * should be looking at this file. - */ - -/* * Dispatch structures for RPC implementation. * * The breakdown of which functions go into which dispatch vectors is @@ -81,6 +81,17 @@ * taking a hash context instead of a literal hash value, in which * case we have to extract the hash value from the context and * supply it to the pkey RPC client code as a literal value. + * + * ...Except that for PKCS #11 we also have to handle the case of + * "session keys", ie, keys which are not stored on the HSM. + * Apparently people really do use these, mostly for public keys, in + * order to conserve expensive memory on the HSM. So this is another + * feature of mixed mode: keys with HAL_KEY_FLAG_PROXIMATE set live on + * the host, not in the HSM, and the mixed-mode pkey handlers deal + * with the routing. In the other two modes we ignore the flag and + * send everything where we were going to send it anyway. Restricting + * the fancy key handling to mixed mode lets us drop this complexity + * out entirely for applications which have no use for it. */ typedef struct { @@ -145,7 +156,8 @@ typedef struct { const hal_session_handle_t session, hal_pkey_handle_t *pkey, const hal_key_type_t type, - const uint8_t * const name, const size_t name_len); + const uint8_t * const name, const size_t name_len, + const hal_key_flags_t flags); hal_error_t (*generate_rsa)(const hal_client_handle_t client, const hal_session_handle_t session, @@ -191,7 +203,8 @@ typedef struct { hal_error_t (*list)(hal_pkey_info_t *result, unsigned *result_len, - const unsigned result_max); + const unsigned result_max, + hal_key_flags_t flags); } hal_rpc_pkey_dispatch_t; @@ -201,6 +214,12 @@ extern const hal_rpc_hash_dispatch_t hal_rpc_local_hash_dispatch, hal_rpc_remote extern const hal_rpc_pkey_dispatch_t hal_rpc_local_pkey_dispatch, hal_rpc_remote_pkey_dispatch, hal_rpc_mixed_pkey_dispatch, *hal_rpc_pkey_dispatch; /* + * See code in rpc_pkey.c for how this flag fits into the pkey handle. + */ + +#define HAL_PKEY_HANDLE_PROXIMATE_FLAG (1 << 31) + +/* * Keystore API. * * The original design for this subsystem used two separate tables, @@ -210,11 +210,12 @@ hal_error_t hal_rpc_pkey_find(const hal_client_handle_t client, const hal_session_handle_t session, hal_pkey_handle_t *pkey, const hal_key_type_t type, - const uint8_t * const name, const size_t name_len) + const uint8_t * const name, const size_t name_len, + const hal_key_flags_t flags) { if (pkey == NULL || name == NULL || name_len == 0 || !check_pkey_type(type)) return HAL_ERROR_BAD_ARGUMENTS; - return hal_rpc_pkey_dispatch->find(client, session, pkey, type, name, name_len); + return hal_rpc_pkey_dispatch->find(client, session, pkey, type, name, name_len, flags); } hal_error_t hal_rpc_pkey_generate_rsa(const hal_client_handle_t client, @@ -309,11 +310,12 @@ hal_error_t hal_rpc_pkey_verify(const hal_session_handle_t session, hal_error_t hal_rpc_pkey_list(hal_pkey_info_t *result, unsigned *result_len, - const unsigned result_max) + const unsigned result_max, + hal_key_flags_t flags) { if (result == NULL || result_len == NULL || result_max == 0) return HAL_ERROR_BAD_ARGUMENTS; - return hal_rpc_pkey_dispatch->list(result, result_len, result_max); + return hal_rpc_pkey_dispatch->list(result, result_len, result_max, flags); } /* diff --git a/rpc_client.c b/rpc_client.c index 5aededc..21c4327 100644 --- a/rpc_client.c +++ b/rpc_client.c @@ -338,14 +338,14 @@ static hal_error_t hash_finalize(const hal_hash_handle_t hash, return rpc_ret; } -static hal_error_t pkey_load(const hal_client_handle_t client, - const hal_session_handle_t session, - hal_pkey_handle_t *pkey, - const hal_key_type_t type, - const hal_curve_name_t curve, - const uint8_t * const name, const size_t name_len, - const uint8_t * const der, const size_t der_len, - const hal_key_flags_t flags) +static hal_error_t pkey_remote_load(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + const hal_key_type_t type, + const hal_curve_name_t curve, + const uint8_t * const name, const size_t name_len, + const uint8_t * const der, const size_t der_len, + const hal_key_flags_t flags) { uint8_t outbuf[nargs(8) + pad(name_len) + pad(der_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(2)], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); @@ -371,13 +371,14 @@ static hal_error_t pkey_load(const hal_client_handle_t client, return rpc_ret; } -static hal_error_t pkey_find(const hal_client_handle_t client, - const hal_session_handle_t session, - hal_pkey_handle_t *pkey, - const hal_key_type_t type, - const uint8_t * const name, const size_t name_len) +static hal_error_t pkey_remote_find(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + const hal_key_type_t type, + const uint8_t * const name, const size_t name_len, + const hal_key_flags_t flags) { - uint8_t outbuf[nargs(5) + pad(name_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); + uint8_t outbuf[nargs(6) + pad(name_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(2)], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); size_t ilen = sizeof(inbuf); hal_error_t rpc_ret; @@ -387,6 +388,7 @@ static hal_error_t pkey_find(const hal_client_handle_t client, check(hal_xdr_encode_int(&optr, olimit, session.handle)); check(hal_xdr_encode_int(&optr, olimit, type)); check(hal_xdr_encode_buffer(&optr, olimit, name, name_len)); + check(hal_xdr_encode_int(&optr, olimit, flags)); check(hal_rpc_send(outbuf, optr - outbuf)); check(hal_rpc_recv(inbuf, &ilen)); @@ -398,13 +400,13 @@ static hal_error_t pkey_find(const hal_client_handle_t client, return rpc_ret; } -static hal_error_t pkey_generate_rsa(const hal_client_handle_t client, - const hal_session_handle_t session, - hal_pkey_handle_t *pkey, - const uint8_t * const name, const size_t name_len, - const unsigned key_len, - const uint8_t * const exp, const size_t exp_len, - const hal_key_flags_t flags) +static hal_error_t pkey_remote_generate_rsa(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + const uint8_t * const name, const size_t name_len, + const unsigned key_len, + const uint8_t * const exp, const size_t exp_len, + const hal_key_flags_t flags) { uint8_t outbuf[nargs(7) + pad(name_len) + pad(exp_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(2)], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); @@ -429,12 +431,12 @@ static hal_error_t pkey_generate_rsa(const hal_client_handle_t client, return rpc_ret; } -static hal_error_t pkey_generate_ec(const hal_client_handle_t client, - const hal_session_handle_t session, - hal_pkey_handle_t *pkey, - const uint8_t * const name, const size_t name_len, - const hal_curve_name_t curve, - const hal_key_flags_t flags) +static hal_error_t pkey_remote_generate_ec(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + const uint8_t * const name, const size_t name_len, + const hal_curve_name_t curve, + const hal_key_flags_t flags) { uint8_t outbuf[nargs(6) + pad(name_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(2)], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); @@ -458,7 +460,7 @@ static hal_error_t pkey_generate_ec(const hal_client_handle_t client, return rpc_ret; } -static hal_error_t pkey_close(const hal_pkey_handle_t pkey) +static hal_error_t pkey_remote_close(const hal_pkey_handle_t pkey) { uint8_t outbuf[nargs(2)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(1)], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); @@ -475,7 +477,7 @@ static hal_error_t pkey_close(const hal_pkey_handle_t pkey) return rpc_ret; } -static hal_error_t pkey_delete(const hal_pkey_handle_t pkey) +static hal_error_t pkey_remote_delete(const hal_pkey_handle_t pkey) { uint8_t outbuf[nargs(2)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(1)], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); @@ -492,8 +494,8 @@ static hal_error_t pkey_delete(const hal_pkey_handle_t pkey) return rpc_ret; } -static hal_error_t pkey_get_key_type(const hal_pkey_handle_t pkey, - hal_key_type_t *type) +static hal_error_t pkey_remote_get_key_type(const hal_pkey_handle_t pkey, + hal_key_type_t *type) { uint8_t outbuf[nargs(2)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(2)], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); @@ -515,8 +517,8 @@ static hal_error_t pkey_get_key_type(const hal_pkey_handle_t pkey, return rpc_ret; } -static hal_error_t pkey_get_key_flags(const hal_pkey_handle_t pkey, - hal_key_flags_t *flags) +static hal_error_t pkey_remote_get_key_flags(const hal_pkey_handle_t pkey, + hal_key_flags_t *flags) { uint8_t outbuf[nargs(2)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(2)], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); @@ -538,7 +540,7 @@ static hal_error_t pkey_get_key_flags(const hal_pkey_handle_t pkey, return rpc_ret; } -static size_t pkey_get_public_key_len(const hal_pkey_handle_t pkey) +static size_t pkey_remote_get_public_key_len(const hal_pkey_handle_t pkey) { uint8_t outbuf[nargs(2)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(2)], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); @@ -561,8 +563,8 @@ static size_t pkey_get_public_key_len(const hal_pkey_handle_t pkey) return 0; } -static hal_error_t pkey_get_public_key(const hal_pkey_handle_t pkey, - uint8_t *der, size_t *der_len, const size_t der_max) +static hal_error_t pkey_remote_get_public_key(const hal_pkey_handle_t pkey, + uint8_t *der, size_t *der_len, const size_t der_max) { uint8_t outbuf[nargs(3)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(2) + pad(der_max)], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); @@ -651,11 +653,12 @@ static hal_error_t hal_xdr_decode_pkey_info(uint8_t **iptr, const uint8_t * cons return HAL_OK; } -static hal_error_t pkey_list(hal_pkey_info_t *result, - unsigned *result_len, - const unsigned result_max) +static hal_error_t pkey_remote_list(hal_pkey_info_t *result, + unsigned *result_len, + const unsigned result_max, + hal_key_flags_t flags) { - uint8_t outbuf[nargs(2)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); + uint8_t outbuf[nargs(3)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf); uint8_t inbuf[nargs(2) + pad(result_max * sizeof(hal_pkey_info_t))], *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf); size_t ilen = sizeof(inbuf); uint32_t len; @@ -663,6 +666,7 @@ static hal_error_t pkey_list(hal_pkey_info_t *result, check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_LIST)); check(hal_xdr_encode_int(&optr, olimit, result_max)); + check(hal_xdr_encode_int(&optr, olimit, flags)); check(hal_rpc_send(outbuf, optr - outbuf)); check(hal_rpc_recv(inbuf, &ilen)); @@ -696,9 +700,17 @@ static hal_error_t pkey_mixed_sign(const hal_session_handle_t session, const uint8_t * const input, const size_t input_len, uint8_t * signature, size_t *signature_len, const size_t signature_max) { + hal_error_t (* const sign)(const hal_session_handle_t session, + const hal_pkey_handle_t pkey, + const hal_hash_handle_t hash, + const uint8_t * const input, const size_t input_len, + uint8_t * signature, size_t *signature_len, const size_t signature_max) + = ((pkey.handle & HAL_PKEY_HANDLE_PROXIMATE_FLAG) == 0 + ? hal_rpc_remote_pkey_dispatch.sign + : hal_rpc_local_pkey_dispatch.sign); + if (input != NULL) - return pkey_remote_sign(session, pkey, hash, input, input_len, - signature, signature_len, signature_max); + return sign(session, pkey, hash, input, input_len, signature, signature_len, signature_max); hal_digest_algorithm_t alg; size_t digest_len; @@ -713,8 +725,7 @@ static hal_error_t pkey_mixed_sign(const hal_session_handle_t session, if ((err = hal_rpc_hash_finalize(hash, digest, digest_len)) != HAL_OK) return err; - return pkey_remote_sign(session, pkey, hal_hash_handle_none, digest, digest_len, - signature, signature_len, signature_max); + return sign(session, pkey, hal_hash_handle_none, digest, digest_len, signature, signature_len, signature_max); } static hal_error_t pkey_mixed_verify(const hal_session_handle_t session, @@ -723,9 +734,17 @@ static hal_error_t pkey_mixed_verify(const hal_session_handle_t session, const uint8_t * const input, const size_t input_len, const uint8_t * const signature, const size_t signature_len) { + hal_error_t (* const verify)(const hal_session_handle_t session, + const hal_pkey_handle_t pkey, + const hal_hash_handle_t hash, + const uint8_t * const input, const size_t input_len, + const uint8_t * const signature, const size_t signature_len) + = ((pkey.handle & HAL_PKEY_HANDLE_PROXIMATE_FLAG) == 0 + ? hal_rpc_remote_pkey_dispatch.verify + : hal_rpc_local_pkey_dispatch.verify); + if (input != NULL) - return pkey_remote_verify(session, pkey, hash, input, input_len, - signature, signature_len); + return verify(session, pkey, hash, input, input_len, signature, signature_len); hal_digest_algorithm_t alg; size_t digest_len; @@ -740,8 +759,124 @@ static hal_error_t pkey_mixed_verify(const hal_session_handle_t session, if ((err = hal_rpc_hash_finalize(hash, digest, digest_len)) != HAL_OK) return err; - return pkey_remote_verify(session, pkey, hal_hash_handle_none, digest, digest_len, - signature, signature_len); + return verify(session, pkey, hal_hash_handle_none, digest, digest_len, signature, signature_len); +} + +static hal_error_t pkey_mixed_load(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + const hal_key_type_t type, + const hal_curve_name_t curve, + const uint8_t * const name, const size_t name_len, + const uint8_t * const der, const size_t der_len, + const hal_key_flags_t flags) +{ + return ((flags & HAL_KEY_FLAG_PROXIMATE) == 0 + ? hal_rpc_remote_pkey_dispatch.load + : hal_rpc_local_pkey_dispatch.load + )(client, session, pkey, type, curve, name, name_len, der, der_len, flags); +} + +static hal_error_t pkey_mixed_find(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + const hal_key_type_t type, + const uint8_t * const name, const size_t name_len, + const hal_key_flags_t flags) +{ + return ((flags & HAL_KEY_FLAG_PROXIMATE) == 0 + ? hal_rpc_remote_pkey_dispatch.find + : hal_rpc_local_pkey_dispatch.find + )(client, session, pkey, type, name, name_len, flags); +} + +static hal_error_t pkey_mixed_generate_rsa(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + const uint8_t * const name, const size_t name_len, + const unsigned key_length, + const uint8_t * const public_exponent, const size_t public_exponent_len, + const hal_key_flags_t flags) +{ + return ((flags & HAL_KEY_FLAG_PROXIMATE) == 0 + ? hal_rpc_remote_pkey_dispatch.generate_rsa + : hal_rpc_local_pkey_dispatch.generate_rsa + )(client, session, pkey, name, name_len, key_length, public_exponent, public_exponent_len, flags); +} + +static hal_error_t pkey_mixed_generate_ec(const hal_client_handle_t client, + const hal_session_handle_t session, + hal_pkey_handle_t *pkey, + const uint8_t * const name, const size_t name_len, + const hal_curve_name_t curve, + const hal_key_flags_t flags) +{ + return ((flags & HAL_KEY_FLAG_PROXIMATE) == 0 + ? hal_rpc_remote_pkey_dispatch.generate_ec + : hal_rpc_local_pkey_dispatch.generate_ec + )(client, session, pkey, name, name_len, curve, flags); +} + +static hal_error_t pkey_mixed_close(const hal_pkey_handle_t pkey) +{ + return ((pkey.handle & HAL_PKEY_HANDLE_PROXIMATE_FLAG) == 0 + ? hal_rpc_remote_pkey_dispatch.close + : hal_rpc_local_pkey_dispatch.close + )(pkey); +} + +static hal_error_t pkey_mixed_delete(const hal_pkey_handle_t pkey) +{ + return ((pkey.handle & HAL_PKEY_HANDLE_PROXIMATE_FLAG) == 0 + ? hal_rpc_remote_pkey_dispatch.delete + : hal_rpc_local_pkey_dispatch.delete + )(pkey); +} + +static hal_error_t pkey_mixed_get_key_type(const hal_pkey_handle_t pkey, + hal_key_type_t *key_type) +{ + return ((pkey.handle & HAL_PKEY_HANDLE_PROXIMATE_FLAG) == 0 + ? hal_rpc_remote_pkey_dispatch.get_key_type + : hal_rpc_local_pkey_dispatch.get_key_type + )(pkey, key_type); +} + +static hal_error_t pkey_mixed_get_key_flags(const hal_pkey_handle_t pkey, + hal_key_flags_t *flags) +{ + return ((pkey.handle & HAL_PKEY_HANDLE_PROXIMATE_FLAG) == 0 + ? hal_rpc_remote_pkey_dispatch.get_key_flags + : hal_rpc_local_pkey_dispatch.get_key_flags + )(pkey, flags); +} + +static size_t pkey_mixed_get_public_key_len(const hal_pkey_handle_t pkey) +{ + return ((pkey.handle & HAL_PKEY_HANDLE_PROXIMATE_FLAG) == 0 + ? hal_rpc_remote_pkey_dispatch.get_public_key_len + : hal_rpc_local_pkey_dispatch.get_public_key_len + )(pkey); +} + +static hal_error_t pkey_mixed_get_public_key(const hal_pkey_handle_t pkey, + uint8_t *der, size_t *der_len, const size_t der_max) +{ + return ((pkey.handle & HAL_PKEY_HANDLE_PROXIMATE_FLAG) == 0 + ? hal_rpc_remote_pkey_dispatch.get_public_key + : hal_rpc_local_pkey_dispatch.get_public_key + )(pkey, der, der_len, der_max); +} + +static hal_error_t pkey_mixed_list(hal_pkey_info_t *result, + unsigned *result_len, + const unsigned result_max, + hal_key_flags_t flags) +{ + return ((flags & HAL_KEY_FLAG_PROXIMATE) == 0 + ? hal_rpc_remote_pkey_dispatch.list + : hal_rpc_local_pkey_dispatch.list + )(result, result_len, result_max, flags); } /* @@ -749,26 +884,54 @@ static hal_error_t pkey_mixed_verify(const hal_session_handle_t session, */ const hal_rpc_misc_dispatch_t hal_rpc_remote_misc_dispatch = { - set_pin, login, logout, logout_all, is_logged_in, get_random, get_version + set_pin, + login, + logout, + logout_all, + is_logged_in, + get_random, + get_version }; const hal_rpc_hash_dispatch_t hal_rpc_remote_hash_dispatch = { - hash_get_digest_len, hash_get_digest_algorithm_id, hash_get_algorithm, - hash_initialize, hash_update, hash_finalize + hash_get_digest_len, + hash_get_digest_algorithm_id, + hash_get_algorithm, + hash_initialize, + hash_update, + hash_finalize }; const hal_rpc_pkey_dispatch_t hal_rpc_remote_pkey_dispatch = { - pkey_load, pkey_find, pkey_generate_rsa, pkey_generate_ec, pkey_close, pkey_delete, - pkey_get_key_type, pkey_get_key_flags, pkey_get_public_key_len, pkey_get_public_key, - pkey_remote_sign, pkey_remote_verify, - pkey_list + pkey_remote_load, + pkey_remote_find, + pkey_remote_generate_rsa, + pkey_remote_generate_ec, + pkey_remote_close, + pkey_remote_delete, + pkey_remote_get_key_type, + pkey_remote_get_key_flags, + pkey_remote_get_public_key_len, + pkey_remote_get_public_key, + pkey_remote_sign, + pkey_remote_verify, + pkey_remote_list }; const hal_rpc_pkey_dispatch_t hal_rpc_mixed_pkey_dispatch = { - pkey_load, pkey_find, pkey_generate_rsa, pkey_generate_ec, pkey_close, pkey_delete, - pkey_get_key_type, pkey_get_key_flags, pkey_get_public_key_len, pkey_get_public_key, - pkey_mixed_sign, pkey_mixed_verify, - pkey_list + pkey_mixed_load, + pkey_mixed_find, + pkey_mixed_generate_rsa, + pkey_mixed_generate_ec, + pkey_mixed_close, + pkey_mixed_delete, + pkey_mixed_get_key_type, + pkey_mixed_get_key_flags, + pkey_mixed_get_public_key_len, + pkey_mixed_get_public_key, + pkey_mixed_sign, + pkey_mixed_verify, + pkey_mixed_list }; #endif /* RPC_CLIENT != RPC_CLIENT_LOCAL */ @@ -303,7 +303,12 @@ static hal_error_t finalize(const hal_hash_handle_t handle, } const hal_rpc_hash_dispatch_t hal_rpc_local_hash_dispatch = { - get_digest_length, get_digest_algorithm_id, get_algorithm, initialize, update, finalize + get_digest_length, + get_digest_algorithm_id, + get_algorithm, + initialize, + update, + finalize }; /* @@ -225,7 +225,13 @@ static hal_error_t logout_all(void) } const hal_rpc_misc_dispatch_t hal_rpc_local_misc_dispatch = { - set_pin, login, logout, logout_all, is_logged_in, get_random, get_version + set_pin, + login, + logout, + logout_all, + is_logged_in, + get_random, + get_version }; /* @@ -76,6 +76,10 @@ static pkey_slot_t pkey_handle[HAL_STATIC_PKEY_STATE_BLOCKS]; * handle consisting of the index into the table and a counter whose * sole purpose is to keep the same handle from reoccurring anytime * soon, to help identify use-after-free bugs in calling code. + * + * The high order bit of the pkey handle is left free for + * HAL_PKEY_HANDLE_PROXIMATE_FLAG, which is used by the mixed-mode + * handlers to route calls to the appropriate destination. */ static inline pkey_slot_t *alloc_slot(void) @@ -83,7 +87,9 @@ static inline pkey_slot_t *alloc_slot(void) #if HAL_STATIC_PKEY_STATE_BLOCKS > 0 static uint16_t next_glop = 0; uint32_t glop = ++next_glop << 16; - next_glop %= 0xFFFF; + next_glop %= 0x7FFF; + + assert((glop & HAL_PKEY_HANDLE_PROXIMATE_FLAG) == 0); for (int i = 0; i < sizeof(pkey_handle)/sizeof(*pkey_handle); i++) { if (pkey_handle[i].name_len > 0) @@ -243,7 +249,8 @@ static hal_error_t find(const hal_client_handle_t client, const hal_session_handle_t session, hal_pkey_handle_t *pkey, const hal_key_type_t type, - const uint8_t * const name, const size_t name_len) + const uint8_t * const name, const size_t name_len, + const hal_key_flags_t flags) { pkey_slot_t *slot; hal_error_t err; @@ -819,15 +826,26 @@ static hal_error_t verify(const hal_session_handle_t session, static hal_error_t list(hal_pkey_info_t *result, unsigned *result_len, - const unsigned result_max) + const unsigned result_max, + hal_key_flags_t flags) { return hal_ks_list(result, result_len, result_max); } const hal_rpc_pkey_dispatch_t hal_rpc_local_pkey_dispatch = { - load, find, generate_rsa, generate_ec, close, delete, - get_key_type, get_key_flags, get_public_key_len, get_public_key, - sign, verify, list + load, + find, + generate_rsa, + generate_ec, + close, + delete, + get_key_type, + get_key_flags, + get_public_key_len, + get_public_key, + sign, + verify, + list }; /* diff --git a/rpc_server.c b/rpc_server.c index 65f3dfc..d64603c 100644 --- a/rpc_server.c +++ b/rpc_server.c @@ -320,15 +320,17 @@ static hal_error_t pkey_find(uint8_t **iptr, const uint8_t * const ilimit, uint32_t type; uint8_t *name; uint32_t name_len; + hal_key_flags_t flags; hal_error_t ret; check(hal_xdr_decode_int(iptr, ilimit, &client.handle)); check(hal_xdr_decode_int(iptr, ilimit, &session.handle)); check(hal_xdr_decode_int(iptr, ilimit, &type)); check(hal_xdr_decode_buffer_in_place(iptr, ilimit, &name, &name_len)); + check(hal_xdr_decode_int(iptr, ilimit, &flags)); /* call the local function */ - ret = hal_rpc_local_pkey_dispatch.find(client, session, &pkey, type, name, name_len); + ret = hal_rpc_local_pkey_dispatch.find(client, session, &pkey, type, name, name_len, flags); if (ret == HAL_OK) check(hal_xdr_encode_int(optr, olimit, pkey.handle)); return ret; @@ -567,15 +569,17 @@ static hal_error_t pkey_list(uint8_t **iptr, const uint8_t * const ilimit, { uint8_t *optr_orig = *optr; uint32_t result_max; + hal_key_flags_t flags; hal_error_t ret; check(hal_xdr_decode_int(iptr, ilimit, &result_max)); + check(hal_xdr_decode_int(iptr, ilimit, &flags)); hal_pkey_info_t result[result_max]; unsigned result_len; /* call the local function */ - ret = hal_rpc_local_pkey_dispatch.list(result, &result_len, result_max); + ret = hal_rpc_local_pkey_dispatch.list(result, &result_len, result_max, flags); if (ret == HAL_OK) { int i; check(hal_xdr_encode_int(optr, olimit, result_len)); |