aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile14
-rw-r--r--aes_keywrap.c11
-rw-r--r--core.c13
-rw-r--r--cryptech/libhal.py35
-rwxr-xr-xcryptech_muxd12
-rw-r--r--hal.h176
-rw-r--r--hal_internal.h4
-rw-r--r--hal_io_fmc.c82
-rw-r--r--hashsig.c1135
-rw-r--r--hashsig.h118
-rw-r--r--ks.c10
-rw-r--r--mkm.c72
-rw-r--r--modexp.c103
-rw-r--r--rpc_api.c13
-rw-r--r--rpc_client.c73
-rw-r--r--rpc_client_daemon.c1
-rw-r--r--rpc_misc.c2
-rw-r--r--rpc_pkey.c227
-rw-r--r--rpc_server.c48
-rw-r--r--rsa.c301
-rw-r--r--tests/Makefile16
-rwxr-xr-xtests/parallel-signatures.py63
-rw-r--r--tests/test-rpc_hashsig.c524
-rw-r--r--tests/test-xdr.c4
-rw-r--r--unit-tests.py550
-rw-r--r--utils/Makefile16
-rw-r--r--utils/pkey-export.c187
-rw-r--r--utils/pkey-import.c168
-rw-r--r--utils/pkey.c1220
-rw-r--r--uuid.c28
-rw-r--r--verilog_constants.h50
-rw-r--r--xdr.c44
-rw-r--r--xdr_internal.h2
33 files changed, 3974 insertions, 1348 deletions
diff --git a/Makefile b/Makefile
index 6934f95..3e0f515 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2017, NORDUnet A/S
+# Copyright (c) 2015-2018, NORDUnet A/S
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
@@ -34,7 +34,7 @@ STATIC_CORE_STATE_BLOCKS = 32
STATIC_HASH_STATE_BLOCKS = 32
STATIC_HMAC_STATE_BLOCKS = 16
STATIC_PKEY_STATE_BLOCKS = 256
-STATIC_KS_VOLATILE_SLOTS = 1280
+STATIC_KS_VOLATILE_SLOTS = 4352
LIB = libhal.a
@@ -207,6 +207,8 @@ ifndef CRYPTECH_ROOT
CRYPTECH_ROOT := $(abspath ../..)
endif
+LIBHAL_SRC ?= ${CRYPTECH_ROOT}/sw/libhal
+LIBHAL_BLD ?= ${LIBHAL_SRC}
LIBTFM_SRC ?= ${CRYPTECH_ROOT}/sw/thirdparty/libtfm
LIBTFM_BLD ?= ${LIBTFM_SRC}
@@ -221,7 +223,7 @@ CFLAGS += -DHAL_STATIC_HASH_STATE_BLOCKS=${STATIC_HASH_STATE_BLOCKS}
CFLAGS += -DHAL_STATIC_HMAC_STATE_BLOCKS=${STATIC_HMAC_STATE_BLOCKS}
CFLAGS += -DHAL_STATIC_PKEY_STATE_BLOCKS=${STATIC_PKEY_STATE_BLOCKS}
CFLAGS += -DHAL_STATIC_KS_VOLATILE_SLOTS=${STATIC_KS_VOLATILE_SLOTS}
-CFLAGS += -I${CRYPTECH_ROOT}/sw/libhal
+CFLAGS += -I${LIBHAL_SRC}
CFLAGS += -I${LIBTFM_BLD}
# Enable software hash cores everywhere for now. In theory, there might be situations
@@ -239,6 +241,7 @@ CFLAGS += -DHAL_ENABLE_SOFTWARE_HASH_CORES=1
#export CFLAGS
export RPC_MODE
+export LIBHAL_SRC LIBHAL_BLD LIBTFM_BLD
all: ${LIB}
${MAKE} -C tests $@ CFLAGS='${CFLAGS}'
@@ -273,7 +276,6 @@ novena-eim.o hal_io_eim.o: novena-eim.h
slip.o rpc_client_serial.o rpc_server_serial.o: slip_internal.h
${OBJ}: verilog_constants.h
rpc_client.o rpc_server.o xdr.o: xdr_internal.h
-hashsig.o: hashsig.h
last_gasp_pin_internal.h:
./utils/last_gasp_default_pin >$@
@@ -283,8 +285,8 @@ test: all
clean:
rm -f *.o ${LIB}
- ${MAKE} -C tests $@ CFLAGS='${CFLAGS}'
- ${MAKE} -C utils $@ CFLAGS='${CFLAGS}'
+ ${MAKE} -C tests $@
+ ${MAKE} -C utils $@
distclean: clean
rm -f TAGS
diff --git a/aes_keywrap.c b/aes_keywrap.c
index a3e223f..b849304 100644
--- a/aes_keywrap.c
+++ b/aes_keywrap.c
@@ -4,8 +4,9 @@
* Implementation of RFC 5649 over Cryptech AES core.
*
* Authors: Rob Austein
- * Copyright (c) 2015-2018, NORDUnet A/S
- * All rights reserved.
+ * Copyright (c) 2015-2018, NORDUnet A/S All rights reserved.
+ * Copyright: 2020, The Commons Conservancy Cryptech Project
+ * SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -17,9 +18,9 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * - Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
diff --git a/core.c b/core.c
index 2b5d51a..7e49d25 100644
--- a/core.c
+++ b/core.c
@@ -4,7 +4,9 @@
* This module contains code to probe the FPGA for its installed cores.
*
* Author: Paul Selkirk, Rob Austein
- * Copyright (c) 2015-2017, NORDUnet A/S All rights reserved.
+ * Copyright (c) 2015-2018, NORDUnet A/S All rights reserved.
+ * Copyright: 2020, The Commons Conservancy Cryptech Project
+ * SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -16,9 +18,9 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * - Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
@@ -101,7 +103,8 @@ static inline hal_core_t *probe_cores(void)
{ "csprng", 11 * CORE_SIZE }, /* empty slots after csprng */
{ "modexps6", 3 * CORE_SIZE }, /* ModexpS6 uses four slots */
{ "modexpa7", 7 * CORE_SIZE }, /* ModexpA7 uses eight slots */
- { "key wrap",31 * CORE_SIZE }, /* keywrap uses 32 slots */
+ { "modexpng", 15 * CORE_SIZE }, /* ModexpNG uses 16 slots */
+ { "key wrap", 31 * CORE_SIZE }, /* keywrap uses 32 slots */
};
if (offsetof(hal_core_t, info) != 0)
diff --git a/cryptech/libhal.py b/cryptech/libhal.py
index 273a8a0..647dbd6 100644
--- a/cryptech/libhal.py
+++ b/cryptech/libhal.py
@@ -190,6 +190,7 @@ RPCFunc.define('''
RPC_FUNC_PKEY_GET_ATTRIBUTES,
RPC_FUNC_PKEY_EXPORT,
RPC_FUNC_PKEY_IMPORT,
+ RPC_FUNC_PKEY_GENERATE_HASHSIG,
''')
class HALDigestAlgorithm(Enum): pass
@@ -212,7 +213,11 @@ HALKeyType.define('''
HAL_KEY_TYPE_RSA_PRIVATE,
HAL_KEY_TYPE_RSA_PUBLIC,
HAL_KEY_TYPE_EC_PRIVATE,
- HAL_KEY_TYPE_EC_PUBLIC
+ HAL_KEY_TYPE_EC_PUBLIC,
+ HAL_KEY_TYPE_HASHSIG_PRIVATE,
+ HAL_KEY_TYPE_HASHSIG_PUBLIC,
+ HAL_KEY_TYPE_HASHSIG_LMS,
+ HAL_KEY_TYPE_HASHSIG_LMOTS
''')
class HALCurve(Enum): pass
@@ -233,6 +238,28 @@ HALUser.define('''
HAL_USER_WHEEL
''')
+class HALLmotsAlgorithm(Enum): pass
+
+HALLmotsAlgorithm.define('''
+ HAL_LMOTS_RESERVED = 0,
+ HAL_LMOTS_SHA256_N32_W1 = 1,
+ HAL_LMOTS_SHA256_N32_W2 = 2,
+ HAL_LMOTS_SHA256_N32_W4 = 3,
+ HAL_LMOTS_SHA256_N32_W8 = 4
+''')
+
+class HALLmsAlgorithm(Enum): pass
+
+HALLmsAlgorithm.define('''
+ HAL_LMS_RESERVED = 0,
+ HAL_LMS_SHA256_N32_H5 = 5,
+ HAL_LMS_SHA256_N32_H10 = 6,
+ HAL_LMS_SHA256_N32_H15 = 7,
+ HAL_LMS_SHA256_N32_H20 = 8,
+ HAL_LMS_SHA256_N32_H25 = 9
+''')
+
+
HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE = (1 << 0)
HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT = (1 << 1)
HAL_KEY_FLAG_USAGE_DATAENCIPHERMENT = (1 << 2)
@@ -585,6 +612,12 @@ class HSM(object):
logger.debug("Generated EC pkey %s", pkey.uuid)
return pkey
+ def pkey_generate_hashsig(self, L, lms, lmots, flags = 0, client = 0, session = 0):
+ with self.rpc(RPC_FUNC_PKEY_GENERATE_HASHSIG, session, L, lms, lmots, flags, client = client) as r:
+ pkey = PKey(self, r.unpack_uint(), UUID(bytes = r.unpack_bytes()))
+ logger.debug("Generated hashsig pkey %s", pkey.uuid)
+ return pkey
+
def pkey_close(self, pkey):
try:
logger.debug("Closing pkey %s", pkey.uuid)
diff --git a/cryptech_muxd b/cryptech_muxd
index 1aecb1e..ff40048 100755
--- a/cryptech_muxd
+++ b/cryptech_muxd
@@ -128,8 +128,16 @@ class SerialIOStream(tornado.iostream.BaseIOStream):
def write_to_fd(self, data):
return self.serial.write(data)
- def read_from_fd(self):
- return self.serial.read(self.read_chunk_size) or None
+ if tornado.version > "5":
+ # .. versionchanged:: 5.0
+ # Interface redesigned to take a buffer and return a number
+ # of bytes instead of a freshly-allocated object.
+ def read_from_fd(self, buf):
+ buf[:] = self.serial.read(len(buf))
+ return len(buf) or None
+ else:
+ def read_from_fd(self):
+ return self.serial.read(self.read_chunk_size) or None
class PFUnixServer(tornado.tcpserver.TCPServer):
diff --git a/hal.h b/hal.h
index 9986de7..be49f67 100644
--- a/hal.h
+++ b/hal.h
@@ -5,6 +5,8 @@
*
* Authors: Joachim Strombergson, Paul Selkirk, Rob Austein
* Copyright (c) 2015-2017, NORDUnet A/S All rights reserved.
+ * Copyright: 2019-2020, The Commons Conservancy Cryptech Project
+ * SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -16,9 +18,9 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * - Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
@@ -55,7 +57,13 @@
* Should the versions be here even if the names should be?
*/
-#define NOVENA_BOARD_NAME "PVT1 "
+#define ALPHA_BOARD_NAME "ALPHA "
+#define ALPHA_BOARD_VERSION "0.20"
+
+#define FMC_INTERFACE_NAME "fmc "
+#define FMC_INTERFACE_VERSION "0.20"
+
+#define NOVENA_BOARD_NAME "PVT1 "
#define NOVENA_BOARD_VERSION "0.10"
#define EIM_INTERFACE_NAME "eim "
@@ -67,26 +75,29 @@
#define TRNG_NAME "trng "
#define TRNG_VERSION "0.51"
-#define AVALANCHE_ENTROPY_NAME "extnoise"
+#define AVALANCHE_ENTROPY_NAME "extnoise"
#define AVALANCHE_ENTROPY_VERSION "0.10"
#define ROSC_ENTROPY_NAME "rosc ent"
#define ROSC_ENTROPY_VERSION "0.10"
+#define RNG_MIXER_NAME "rngmixer"
+#define RNG_MIXER_VERSION "0.50"
+
#define CSPRNG_NAME "csprng "
#define CSPRNG_VERSION "0.50"
#define SHA1_NAME "sha1 "
-#define SHA1_VERSION "0.50"
+#define SHA1_VERSION "0.60"
#define SHA256_NAME "sha2-256"
-#define SHA256_VERSION "1.80"
+#define SHA256_VERSION "1.82"
#define SHA512_NAME "sha2-512"
-#define SHA512_VERSION "0.80"
+#define SHA512_VERSION "0.81"
#define AES_CORE_NAME "aes "
-#define AES_CORE_VERSION "0.80"
+#define AES_CORE_VERSION "0.70"
#define CHACHA_NAME "chacha "
#define CHACHA_VERSION "0.80"
@@ -98,16 +109,19 @@
#define MODEXPS6_VERSION "0.10"
#define MODEXPA7_NAME "modexpa7"
-#define MODEXPA7_VERSION "0.10"
+#define MODEXPA7_VERSION "0.25"
+
+#define MODEXPNG_NAME "modexpng"
+#define MODEXPNG_VERSION "0.10"
#define MKMIF_NAME "mkmif "
#define MKMIF_VERSION "0.10"
#define ECDSA256_NAME "ecdsa256"
-#define ECDSA256_VERSION "0.11"
+#define ECDSA256_VERSION "0.20"
#define ECDSA384_NAME "ecdsa384"
-#define ECDSA384_VERSION "0.11"
+#define ECDSA384_VERSION "0.20"
#define KEYWRAP_NAME "key wrap"
#define KEYWRAP_VERSION "0.70"
@@ -413,6 +427,37 @@ extern void hal_modexp_set_debug(const int onoff);
extern hal_error_t hal_modexp( const int precalc, hal_modexp_arg_t *args);
extern hal_error_t hal_modexp2(const int precalc, hal_modexp_arg_t *args1, hal_modexp_arg_t *args2);
+/* ModExpNG extensions */
+
+typedef struct {
+ hal_core_t *core;
+ const uint8_t *msg; size_t msg_len; /* Message */
+ const uint8_t *exp; size_t exp_len; /* Exponent */
+ const uint8_t *mod; size_t mod_len; /* Modulus */
+ uint8_t *result; size_t result_len; /* Result of exponentiation */
+ uint8_t *coeff; size_t coeff_len; /* Modulus coefficient (r/w) */
+ uint8_t *mont; size_t mont_len; /* Montgomery factor (r/w)*/
+
+ uint8_t *p; size_t p_len;
+ uint8_t *pC; size_t pC_len;
+ uint8_t *pF; size_t pF_len;
+
+ uint8_t *q; size_t q_len;
+ uint8_t *qC; size_t qC_len;
+ uint8_t *qF; size_t qF_len;
+
+ uint8_t *dP; size_t dP_len;
+ uint8_t *dQ; size_t dQ_len;
+ uint8_t *qInv; size_t qInv_len;
+
+ uint8_t *bf; size_t bf_len;
+ uint8_t *ubf; size_t ubf_len;
+} hal_modexpng_arg_t;
+
+extern hal_error_t hal_modexp_use_modexpng(const int onoff);
+extern int hal_modexp_using_modexpng(void);
+extern hal_error_t hal_modexpng(hal_modexpng_arg_t *a);
+
/*
* Master Key Memory Interface
*/
@@ -461,6 +506,10 @@ extern void hal_rsa_set_debug(const int onoff);
extern void hal_rsa_set_blinding(const int onoff);
+extern void hal_rsa_clear_blinding_cache(void);
+
+extern void hal_rsa_set_crt(const int onoff);
+
extern hal_error_t hal_rsa_key_load_private(hal_rsa_key_t **key,
void *keybuf, const size_t keybuf_len,
const uint8_t * const n, const size_t n_len,
@@ -820,16 +869,16 @@ extern hal_error_t hal_rpc_pkey_generate_ec(const hal_client_handle_t client,
const hal_curve_name_t curve,
const hal_key_flags_t flags);
-typedef enum lmots_algorithm_type lmots_algorithm_t;
-typedef enum lms_algorithm_type lms_algorithm_t;
+typedef enum hal_lmots_algorithm_type hal_lmots_algorithm_t;
+typedef enum hal_lms_algorithm_type hal_lms_algorithm_t;
extern hal_error_t hal_rpc_pkey_generate_hashsig(const hal_client_handle_t client,
const hal_session_handle_t session,
hal_pkey_handle_t *pkey,
hal_uuid_t *name,
const size_t hss_levels,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type,
const hal_key_flags_t flags);
extern hal_error_t hal_rpc_pkey_close(const hal_pkey_handle_t pkey);
@@ -909,6 +958,101 @@ extern hal_error_t hal_rpc_server_close(void);
extern hal_error_t hal_rpc_server_dispatch(const uint8_t * const ibuf, const size_t ilen,
uint8_t * const obuf, size_t * const olen);
+/*
+ * Hash-Based Signatures.
+ *
+ * This really ought to be up with RSA and ECDSA, but it has forward
+ * references to hal_key_flags_t and hal_uuid_t.
+ */
+
+enum hal_lmots_algorithm_type {
+ HAL_LMOTS_RESERVED = 0,
+ HAL_LMOTS_SHA256_N32_W1 = 1,
+ HAL_LMOTS_SHA256_N32_W2 = 2,
+ HAL_LMOTS_SHA256_N32_W4 = 3,
+ HAL_LMOTS_SHA256_N32_W8 = 4
+};
+
+enum hal_lms_algorithm_type {
+ HAL_LMS_RESERVED = 0,
+ HAL_LMS_SHA256_N32_H5 = 5,
+ HAL_LMS_SHA256_N32_H10 = 6,
+ HAL_LMS_SHA256_N32_H15 = 7,
+ HAL_LMS_SHA256_N32_H20 = 8,
+ HAL_LMS_SHA256_N32_H25 = 9
+};
+
+typedef struct hal_hashsig_key hal_hashsig_key_t;
+
+extern const size_t hal_hashsig_key_t_size;
+
+extern hal_error_t hal_hashsig_key_gen(hal_core_t *core,
+ hal_hashsig_key_t **key_,
+ void *keybuf, const size_t keybuf_len,
+ const size_t hss_levels,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type,
+ const hal_key_flags_t flags);
+
+extern hal_error_t hal_hashsig_delete(const hal_uuid_t * const name);
+
+extern hal_error_t hal_hashsig_private_key_to_der(const hal_hashsig_key_t * const key,
+ uint8_t *der, size_t *der_len, const size_t der_max);
+
+extern size_t hal_hashsig_private_key_to_der_len(const hal_hashsig_key_t * const key);
+
+extern hal_error_t hal_hashsig_private_key_from_der(hal_hashsig_key_t **key_,
+ void *keybuf, const size_t keybuf_len,
+ const uint8_t *der, const size_t der_len);
+
+extern hal_error_t hal_hashsig_public_key_to_der(const hal_hashsig_key_t * const key,
+ uint8_t *der, size_t *der_len, const size_t der_max);
+
+extern size_t hal_hashsig_public_key_to_der_len(const hal_hashsig_key_t * const key);
+
+extern hal_error_t hal_hashsig_public_key_from_der(hal_hashsig_key_t **key,
+ void *keybuf, const size_t keybuf_len,
+ const uint8_t * const der, const size_t der_len);
+
+extern hal_error_t hal_hashsig_sign(hal_core_t *core,
+ const hal_hashsig_key_t * const key,
+ const uint8_t * const hash, const size_t hash_len,
+ uint8_t *sig, size_t *sig_len, const size_t sig_max);
+
+extern hal_error_t hal_hashsig_verify(hal_core_t *core,
+ const hal_hashsig_key_t * const key,
+ const uint8_t * const hash, const size_t hash_len,
+ const uint8_t * const sig, const size_t sig_len);
+
+extern hal_error_t hal_hashsig_key_load_public(hal_hashsig_key_t **key_,
+ void *keybuf, const size_t keybuf_len,
+ const size_t L,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type,
+ const uint8_t * const I, const size_t I_len,
+ const uint8_t * const T1, const size_t T1_len);
+
+extern hal_error_t hal_hashsig_key_load_public_xdr(hal_hashsig_key_t **key_,
+ void *keybuf, const size_t keybuf_len,
+ const uint8_t * const xdr, const size_t xdr_len);
+
+extern size_t hal_hashsig_signature_len(const size_t L,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type);
+
+extern size_t hal_hashsig_lmots_private_key_len(const hal_lmots_algorithm_t lmots_type);
+
+extern hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const size_t der_len,
+ uint8_t * const xdr, size_t * const xdr_len , const size_t xdr_max);
+
+extern hal_error_t hal_hashsig_ks_init(void);
+
+extern hal_error_t hal_hashsig_export(const hal_uuid_t * const name,
+ uint8_t *der, size_t *der_len, const size_t der_max);
+
+extern hal_error_t hal_hashsig_import(const uint8_t *der, const size_t der_len,
+ const hal_key_flags_t flags);
+
#endif /* _HAL_H_ */
/*
diff --git a/hal_internal.h b/hal_internal.h
index 94546c3..15f4c79 100644
--- a/hal_internal.h
+++ b/hal_internal.h
@@ -310,8 +310,8 @@ typedef struct {
hal_pkey_handle_t *pkey,
hal_uuid_t *name,
const size_t hss_levels,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type,
const hal_key_flags_t flags);
hal_error_t (*close)(const hal_pkey_handle_t pkey);
diff --git a/hal_io_fmc.c b/hal_io_fmc.c
index 07f9352..25decd6 100644
--- a/hal_io_fmc.c
+++ b/hal_io_fmc.c
@@ -5,6 +5,8 @@
*
* Author: Paul Selkirk
* Copyright (c) 2014-2016, NORDUnet A/S All rights reserved.
+ * Copyright: 2020, The Commons Conservancy Cryptech Project
+ * SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -16,9 +18,9 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * - Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
@@ -53,32 +55,15 @@
#define HAL_IO_FMC_DEBUG 0
#endif
-static int debug = 0;
-static int inited = 0;
-
-static inline hal_error_t init(void)
-{
- if (!inited) {
- fmc_init();
- inited = 1;
- }
- return HAL_OK;
-}
+#if HAL_IO_FMC_DEBUG
-/* Translate cryptech register number to FMC address.
- */
-static inline hal_addr_t fmc_offset(hal_addr_t offset)
-{
- return offset << 2;
-}
+static int debug = 0;
void hal_io_set_debug(int onoff)
{
debug = onoff;
}
-#if HAL_IO_FMC_DEBUG
-
static inline void dump(const char *label, const hal_addr_t offset, const uint8_t * const buf, const size_t len)
{
if (debug) {
@@ -95,56 +80,61 @@ static inline void dump(const char *label, const hal_addr_t offset, const uint8_
#endif
-hal_error_t hal_io_write(const hal_core_t *core, hal_addr_t offset, const uint8_t *buf, size_t len)
+/*
+ * Translate cryptech register number to FMC address.
+ */
+static inline hal_addr_t fmc_offset(hal_addr_t offset)
+{
+ return offset << 2;
+}
+
+/*
+ * Minimal version of memcpy, where we know the addresses and length are
+ * word-aligned.
+ */
+static inline void fmc_fpga_memcpy(uint32_t *dst, uint32_t *src, size_t nword)
{
- hal_error_t err;
+ while (nword >= 4) {
+ *dst++ = *src++;
+ *dst++ = *src++;
+ *dst++ = *src++;
+ *dst++ = *src++;
+ nword -= 4;
+ }
+ while (nword > 0) {
+ *dst++ = *src++;
+ nword--;
+ }
+}
+hal_error_t hal_io_write(const hal_core_t *core, hal_addr_t offset, const uint8_t *buf, size_t len)
+{
if (core == NULL)
return HAL_ERROR_CORE_NOT_FOUND;
if (len % 4 != 0)
return HAL_ERROR_IO_BAD_COUNT;
- if ((err = init()) != HAL_OK)
- return err;
-
dump("write ", offset + hal_core_base(core), buf, len);
offset = fmc_offset(offset + hal_core_base(core));
- for (; len > 0; offset += 4, buf += 4, len -= 4) {
- uint32_t val;
- val = htonl(*(uint32_t *)buf);
- if (fmc_write_32(offset, val) != 0)
- return HAL_ERROR_IO_TIMEOUT;
- }
+ fmc_fpga_memcpy((uint32_t *)fmc_fpga_addr(offset), (uint32_t *)buf, len/4);
return HAL_OK;
}
hal_error_t hal_io_read(const hal_core_t *core, hal_addr_t offset, uint8_t *buf, size_t len)
{
- uint8_t *rbuf = buf;
- int rlen = len;
- hal_error_t err;
-
if (core == NULL)
return HAL_ERROR_CORE_NOT_FOUND;
if (len % 4 != 0)
return HAL_ERROR_IO_BAD_COUNT;
- if ((err = init()) != HAL_OK)
- return err;
-
dump("read ", offset + hal_core_base(core), buf, len);
offset = fmc_offset(offset + hal_core_base(core));
- for (; rlen > 0; offset += 4, rbuf += 4, rlen -= 4) {
- uint32_t val;
- if (fmc_read_32(offset, &val) != 0)
- return HAL_ERROR_IO_TIMEOUT;
- *(uint32_t *)rbuf = ntohl(val);
- }
+ fmc_fpga_memcpy((uint32_t *)buf, (uint32_t *)fmc_fpga_addr(offset), len/4);
return HAL_OK;
}
diff --git a/hashsig.c b/hashsig.c
index 4060818..f55558d 100644
--- a/hashsig.c
+++ b/hashsig.c
@@ -1,7 +1,7 @@
/*
* hashsig.c
* ---------
- * Implementation of draft-mcgrew-hash-sigs-10.txt
+ * Implementation of draft-mcgrew-hash-sigs-15.txt
*
* Copyright (c) 2018, NORDUnet A/S All rights reserved.
*
@@ -33,13 +33,11 @@
*/
#include "hal.h"
-#include "hashsig.h"
#include "ks.h"
#include "asn1_internal.h"
#include "xdr_internal.h"
typedef struct { uint8_t bytes[32]; } bytestring32;
-typedef struct { uint8_t bytes[16]; } bytestring16;
#define D_PBLC 0x8080
#define D_MESG 0x8181
@@ -48,7 +46,7 @@ typedef struct { uint8_t bytes[16]; } bytestring16;
#define u32str(X) htonl(X)
#define u16str(X) htons(X)
-#define u8str(X) (X & 0xff)
+#define u8str(X) ((X) & 0xff)
#define check(op) do { hal_error_t _err = (op); if (_err != HAL_OK) return _err; } while (0)
@@ -73,19 +71,19 @@ static inline hal_error_t hal_xdr_decode_bytestring32(const uint8_t ** const inb
return hal_xdr_decode_fixed_opaque(inbuf, limit, (uint8_t * const)value, sizeof(bytestring32));
}
-static inline hal_error_t hal_xdr_encode_bytestring16(uint8_t ** const outbuf, const uint8_t * const limit, const bytestring16 *value)
+static inline hal_error_t hal_xdr_encode_uuid(uint8_t ** const outbuf, const uint8_t * const limit, const hal_uuid_t *value)
{
- return hal_xdr_encode_fixed_opaque(outbuf, limit, (const uint8_t *)value, sizeof(bytestring16));
+ return hal_xdr_encode_fixed_opaque(outbuf, limit, (const uint8_t *)value, sizeof(hal_uuid_t));
}
-static inline hal_error_t hal_xdr_decode_bytestring16_ptr(const uint8_t ** const inbuf, const uint8_t * const limit, bytestring16 **value)
+static inline hal_error_t hal_xdr_decode_uuid_ptr(const uint8_t ** const inbuf, const uint8_t * const limit, hal_uuid_t **value)
{
- return hal_xdr_decode_fixed_opaque_ptr(inbuf, limit, (const uint8_t ** const)value, sizeof(bytestring16));
+ return hal_xdr_decode_fixed_opaque_ptr(inbuf, limit, (const uint8_t ** const)value, sizeof(hal_uuid_t));
}
-static inline hal_error_t hal_xdr_decode_bytestring16(const uint8_t ** const inbuf, const uint8_t * const limit, bytestring16 * const value)
+static inline hal_error_t hal_xdr_decode_uuid(const uint8_t ** const inbuf, const uint8_t * const limit, hal_uuid_t * const value)
{
- return hal_xdr_decode_fixed_opaque(inbuf, limit, (uint8_t * const)value, sizeof(bytestring16));
+ return hal_xdr_decode_fixed_opaque(inbuf, limit, (uint8_t * const)value, sizeof(hal_uuid_t));
}
/* ---------------------------------------------------------------- */
@@ -116,34 +114,34 @@ static inline hal_error_t hal_asn1_decode_size_t(size_t *np, const uint8_t * con
}
}
-static inline hal_error_t hal_asn1_encode_lms_algorithm(const lms_algorithm_t type, uint8_t *der, size_t *der_len, const size_t der_max)
+static inline hal_error_t hal_asn1_encode_lms_algorithm(const hal_lms_algorithm_t type, uint8_t *der, size_t *der_len, const size_t der_max)
{
return hal_asn1_encode_uint32((const uint32_t)type, der, der_len, der_max);
}
-static inline hal_error_t hal_asn1_decode_lms_algorithm(lms_algorithm_t *type, const uint8_t * const der, size_t *der_len, const size_t der_max)
+static inline hal_error_t hal_asn1_decode_lms_algorithm(hal_lms_algorithm_t *type, const uint8_t * const der, size_t *der_len, const size_t der_max)
{
uint32_t n;
hal_error_t err;
if ((err = hal_asn1_decode_uint32(&n, der, der_len, der_max)) == HAL_OK)
- *type = (lms_algorithm_t)n;
+ *type = (hal_lms_algorithm_t)n;
return err;
}
-static inline hal_error_t hal_asn1_encode_lmots_algorithm(const lmots_algorithm_t type, uint8_t *der, size_t *der_len, const size_t der_max)
+static inline hal_error_t hal_asn1_encode_lmots_algorithm(const hal_lmots_algorithm_t type, uint8_t *der, size_t *der_len, const size_t der_max)
{
return hal_asn1_encode_uint32((const uint32_t)type, der, der_len, der_max);
}
-static inline hal_error_t hal_asn1_decode_lmots_algorithm(lmots_algorithm_t *type, const uint8_t * const der, size_t *der_len, const size_t der_max)
+static inline hal_error_t hal_asn1_decode_lmots_algorithm(hal_lmots_algorithm_t *type, const uint8_t * const der, size_t *der_len, const size_t der_max)
{
uint32_t n;
hal_error_t err;
if ((err = hal_asn1_decode_uint32(&n, der, der_len, der_max)) == HAL_OK)
- *type = (lmots_algorithm_t)n;
+ *type = (hal_lmots_algorithm_t)n;
return err;
}
@@ -158,16 +156,6 @@ static inline hal_error_t hal_asn1_decode_uuid(hal_uuid_t *data, const uint8_t *
return hal_asn1_decode_octet_string((uint8_t *)data, sizeof(hal_uuid_t), der, der_len, der_max);
}
-static inline hal_error_t hal_asn1_encode_bytestring16(const bytestring16 * const data, uint8_t *der, size_t *der_len, const size_t der_max)
-{
- return hal_asn1_encode_octet_string((const uint8_t * const)data, sizeof(bytestring16), der, der_len, der_max);
-}
-
-static inline hal_error_t hal_asn1_decode_bytestring16(bytestring16 *data, const uint8_t * const der, size_t *der_len, const size_t der_max)
-{
- return hal_asn1_decode_octet_string((uint8_t *)data, sizeof(bytestring16), der, der_len, der_max);
-}
-
static inline hal_error_t hal_asn1_encode_bytestring32(const bytestring32 * const data, uint8_t *der, size_t *der_len, const size_t der_max)
{
return hal_asn1_encode_octet_string((const uint8_t * const)data, sizeof(bytestring32), der, der_len, der_max);
@@ -185,44 +173,46 @@ static inline hal_error_t hal_asn1_decode_bytestring32(bytestring32 *data, const
*/
typedef const struct lmots_parameter_set {
- lmots_algorithm_t type;
- size_t n, w, p, ls;
+ hal_lmots_algorithm_t type;
+ size_t n, w, p, ls;
} lmots_parameter_t;
static lmots_parameter_t lmots_parameters[] = {
- { lmots_sha256_n32_w1, 32, 1, 265, 7 },
- { lmots_sha256_n32_w2, 32, 2, 133, 6 },
- { lmots_sha256_n32_w4, 32, 4, 67, 4 },
- { lmots_sha256_n32_w8, 32, 8, 34, 0 },
+ { HAL_LMOTS_SHA256_N32_W1, 32, 1, 265, 7 },
+ { HAL_LMOTS_SHA256_N32_W2, 32, 2, 133, 6 },
+ { HAL_LMOTS_SHA256_N32_W4, 32, 4, 67, 4 },
+ { HAL_LMOTS_SHA256_N32_W8, 32, 8, 34, 0 },
};
typedef struct lmots_key {
hal_key_type_t type;
lmots_parameter_t *lmots;
- bytestring16 I;
+ hal_uuid_t I;
size_t q;
bytestring32 * x;
bytestring32 K;
} lmots_key_t;
-static inline lmots_parameter_t *lmots_select_parameter_set(const lmots_algorithm_t lmots_type)
+static inline lmots_parameter_t *lmots_select_parameter_set(const hal_lmots_algorithm_t lmots_type)
{
- if (lmots_type < lmots_sha256_n32_w1 || lmots_type > lmots_sha256_n32_w8)
+ if (lmots_type < HAL_LMOTS_SHA256_N32_W1 || lmots_type > HAL_LMOTS_SHA256_N32_W8)
return NULL;
else
- return &lmots_parameters[lmots_type - lmots_sha256_n32_w1];
+ return &lmots_parameters[lmots_type - HAL_LMOTS_SHA256_N32_W1];
}
static inline size_t lmots_private_key_len(lmots_parameter_t * const lmots)
{
/* u32str(type) || I || u32str(q) || x[0] || x[1] || ... || x[p-1] */
- return 2 * sizeof(uint32_t) + sizeof(bytestring16) + (lmots->p * lmots->n);
+ return 2 * sizeof(uint32_t) + sizeof(hal_uuid_t) + (lmots->p * lmots->n);
}
+#if 0 /* currently unused */
static inline size_t lmots_public_key_len(lmots_parameter_t * const lmots)
{
/* u32str(type) || I || u32str(q) || K */
- return 2 * sizeof(uint32_t) + sizeof(bytestring16) + lmots->n;
+ return 2 * sizeof(uint32_t) + sizeof(hal_uuid_t) + lmots->n;
}
+#endif
static inline size_t lmots_signature_len(lmots_parameter_t * const lmots)
{
@@ -235,31 +225,44 @@ static inline size_t lmots_signature_len(lmots_parameter_t * const lmots)
* public key components (x and K).
* Let the caller worry about storage.
*/
-static hal_error_t lmots_generate(lmots_key_t * const key)
+static hal_error_t lmots_generate(lmots_key_t * const key, bytestring32 *seed)
{
if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMOTS || key->lmots == NULL || key->x == NULL)
return HAL_ERROR_BAD_ARGUMENTS;
-// Algorithm 0: Generating a Private Key
-
-// 3. set n and p according to the typecode and Table 1
-
size_t n = key->lmots->n;
size_t p = key->lmots->p;
size_t w = key->lmots->w;
-// 4. compute the array x as follows:
-// for ( i = 0; i < p; i = i + 1 ) {
-// set x[i] to a uniformly random n-byte string
-// }
+ /* generate the private key */
- for (size_t i = 0; i < p; ++i)
- check(hal_rpc_get_random(&key->x[i], n));
+ if (seed == NULL) {
+ /* fill x[] with random goodness */
+ for (size_t i = 0; i < p; ++i)
+ check(hal_rpc_get_random(&key->x[i], n));
+ }
-// Algorithm 1: Generating a One Time Signature Public Key From a
-// Private Key
+ else {
+ /* use the pseudorandom key generation scheme */
+ for (size_t i = 0; i < p; ++i) {
+ uint8_t statebuf[512];
+ hal_hash_state_t *state = NULL;
+ uint32_t l;
+ uint16_t s;
+ uint8_t b;
-// 4. compute the string K as follows:
+ /* x_q[i] = H(I || u32str(q) || u16str(i) || u8str(0xff) || SEED) */
+ check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
+ check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
+ l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
+ s = u16str(i); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s)));
+ b = u8str(0xff); check(hal_hash_update(state, (const uint8_t *)&b, sizeof(b)));
+ check(hal_hash_update(state, (const uint8_t *)seed, sizeof(bytestring32)));
+ check(hal_hash_finalize(state, (uint8_t *)&key->x[i], sizeof(bytestring32)));
+ }
+ }
+
+ /* generate the public key */
uint8_t statebuf[512];
hal_hash_state_t *state = NULL;
@@ -268,32 +271,21 @@ static hal_error_t lmots_generate(lmots_key_t * const key)
uint16_t s;
uint8_t b;
-// for ( i = 0; i < p; i = i + 1 ) {
for (size_t i = 0; i < p; ++i) {
-
-// tmp = x[i]
- bytestring32 tmp;
- memcpy(&tmp, &key->x[i], sizeof(tmp));
-
-// for ( j = 0; j < 2^w - 1; j = j + 1 ) {
+ y[i] = key->x[i];
for (size_t j = 0; j < (1U << w) - 1; ++j) {
-
-// tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp)
+ /* y[i] = H(I || u32str(q) || u16str(i) || u8str(j) || y[i]) */
check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
s = u16str(i); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s)));
b = u8str(j); check(hal_hash_update(state, (const uint8_t *)&b, sizeof(b)));
- check(hal_hash_update(state, (const uint8_t *)&tmp, sizeof(tmp)));
- check(hal_hash_finalize(state, (uint8_t *)&tmp, sizeof(tmp)));
+ check(hal_hash_update(state, (const uint8_t *)&y[i], sizeof(y[i])));
+ check(hal_hash_finalize(state, (uint8_t *)&y[i], sizeof(y[i])));
}
-
-// y[i] = tmp
- memcpy(&y[i], &tmp, sizeof(tmp));
-// }
}
-// K = H(I || u32str(q) || u16str(D_PBLC) || y[0] || ... || y[p-1])
+ /* K = H(I || u32str(q) || u16str(D_PBLC) || y[0] || ... || y[p-1]) */
check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
@@ -342,13 +334,6 @@ static hal_error_t lmots_sign(lmots_key_t *key,
if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMOTS || msg == NULL || sig == NULL)
return HAL_ERROR_BAD_ARGUMENTS;
-// Algorithm 3: Generating a One Time Signature From a Private Key and a
-// Message
-
-// 1. set type to the typecode of the algorithm
-//
-// 2. set n, p, and w according to the typecode and Table 1
-
size_t n = key->lmots->n;
size_t p = key->lmots->p;
size_t w = key->lmots->w;
@@ -356,15 +341,9 @@ static hal_error_t lmots_sign(lmots_key_t *key,
if (sig_max < lmots_signature_len(key->lmots))
return HAL_ERROR_BAD_ARGUMENTS;
-// 3. determine x, I and q from the private key
-//
-// 4. set C to a uniformly random n-byte string
-
bytestring32 C;
check(hal_rpc_get_random(&C, n));
-// 5. compute the array y as follows:
-
uint8_t statebuf[512];
hal_hash_state_t *state = NULL;
uint8_t Q[n + 2]; /* hash || 16-bit checksum */
@@ -372,7 +351,7 @@ static hal_error_t lmots_sign(lmots_key_t *key,
uint16_t s;
uint8_t b;
-// Q = H(I || u32str(q) || u16str(D_MESG) || C || message)
+ /* Q = H(I || u32str(q) || u16str(D_MESG) || C || message) */
check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
@@ -386,35 +365,22 @@ static hal_error_t lmots_sign(lmots_key_t *key,
bytestring32 y[p];
-// for ( i = 0; i < p; i = i + 1 ) {
for (size_t i = 0; i < p; ++i) {
-
-// a = coef(Q || Cksm(Q), i, w)
uint8_t a = coef(Q, i, w);
-
-// tmp = x[i]
- bytestring32 tmp;
- memcpy(&tmp, &key->x[i], sizeof(tmp));
-
-// for ( j = 0; j < a; j = j + 1 ) {
+ y[i] = key->x[i];
for (size_t j = 0; j < (size_t)a; ++j) {
-
-// tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp)
+ /* y[i] = H(I || u32str(q) || u16str(i) || u8str(j) || y[i]) */
check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
s = u16str(i); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s)));
b = u8str(j); check(hal_hash_update(state, (const uint8_t *)&b, sizeof(b)));
- check(hal_hash_update(state, (const uint8_t *)&tmp, sizeof(tmp)));
- check(hal_hash_finalize(state, (uint8_t *)&tmp, sizeof(tmp)));
-// }
+ check(hal_hash_update(state, (const uint8_t *)&y[i], sizeof(y[i])));
+ check(hal_hash_finalize(state, (uint8_t *)&y[i], sizeof(y[i])));
}
-
-// y[i] = tmp
- memcpy(&y[i], &tmp, sizeof(tmp));
}
-// 6. return u32str(type) || C || y[0] || ... || y[p-1]
+ /* sig = u32str(type) || C || y[0] || ... || y[p-1] */
uint8_t *sigptr = sig;
const uint8_t * const siglim = sig + sig_max;
check(hal_xdr_encode_int(&sigptr, siglim, key->lmots->type));
@@ -440,45 +406,26 @@ static hal_error_t lmots_public_key_candidate(const lmots_key_t * const key,
* at the start of lms_verify.
*/
-// 1. if the signature is not at least four bytes long, return INVALID
-//
-// 2. parse sigtype, C, and y from the signature as follows:
-// a. sigtype = strTou32(first 4 bytes of signature)
-
const uint8_t *sigptr = sig;
const uint8_t * const siglim = sig + sig_len;
uint32_t sigtype;
check(hal_xdr_decode_int(&sigptr, siglim, &sigtype));
-// b. if sigtype is not equal to pubtype, return INVALID
-
- if ((lmots_algorithm_t)sigtype != key->lmots->type)
+ if ((hal_lmots_algorithm_t)sigtype != key->lmots->type)
return HAL_ERROR_INVALID_SIGNATURE;
-// c. set n and p according to the pubtype and Table 1; if the
-// signature is not exactly 4 + n * (p+1) bytes long, return INVALID
-
size_t n = key->lmots->n;
size_t p = key->lmots->p;
size_t w = key->lmots->w;
-// d. C = next n bytes of signature
-
bytestring32 C;
check(hal_xdr_decode_bytestring32(&sigptr, siglim, &C));
-// e. y[0] = next n bytes of signature
-// y[1] = next n bytes of signature
-// ...
-// y[p-1] = next n bytes of signature
-
bytestring32 y[p];
for (size_t i = 0; i < p; ++i)
check(hal_xdr_decode_bytestring32(&sigptr, siglim, &y[i]));
-// 3. compute the string Kc as follows
-
uint8_t statebuf[512];
hal_hash_state_t *state = NULL;
uint8_t Q[n + 2]; /* hash || 16-bit checksum */
@@ -486,7 +433,7 @@ static hal_error_t lmots_public_key_candidate(const lmots_key_t * const key,
uint16_t s;
uint8_t b;
-// Q = H(I || u32str(q) || u16str(D_MESG) || C || message)
+ /* Q = H(I || u32str(q) || u16str(D_MESG) || C || message) */
check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
@@ -500,36 +447,22 @@ static hal_error_t lmots_public_key_candidate(const lmots_key_t * const key,
bytestring32 z[p];
-// for ( i = 0; i < p; i = i + 1 ) {
for (size_t i = 0; i < p; ++i) {
-
-// a = coef(Q || Cksm(Q), i, w)
uint8_t a = coef(Q, i, w);
-
-// tmp = y[i]
- bytestring32 tmp;
- memcpy(&tmp, &y[i], sizeof(tmp));
-
-// for ( j = a; j < 2^w - 1; j = j + 1 ) {
+ z[i] = y[i];
for (size_t j = (size_t)a; j < (1U << w) - 1; ++j) {
-
-// tmp = H(I || u32str(q) || u16str(i) || u8str(j) || tmp)
+ /* z[i] = H(I || u32str(q) || u16str(i) || u8str(j) || z[i]) */
check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
s = u16str(i); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s)));
b = u8str(j); check(hal_hash_update(state, (const uint8_t *)&b, sizeof(b)));
- check(hal_hash_update(state, (const uint8_t *)&tmp, sizeof(tmp)));
- check(hal_hash_finalize(state, (uint8_t *)&tmp, sizeof(tmp)));
-// }
+ check(hal_hash_update(state, (const uint8_t *)&z[i], sizeof(z[i])));
+ check(hal_hash_finalize(state, (uint8_t *)&z[i], sizeof(z[i])));
}
-
-// z[i] = tmp
- memcpy(&z[i], &tmp, sizeof(tmp));
-// }
}
-// Kc = H(I || u32str(q) || u16str(D_PBLC) || z[0] || z[1] || ... || z[p-1])
+ /* Kc = H(I || u32str(q) || u16str(D_PBLC) || z[] */
check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
l = u32str(key->q); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
@@ -538,7 +471,6 @@ static hal_error_t lmots_public_key_candidate(const lmots_key_t * const key,
check(hal_hash_update(state, (const uint8_t *)&z[i], sizeof(z[i])));
check(hal_hash_finalize(state, (uint8_t *)&key->K, sizeof(key->K)));
-// 4. return Kc
return HAL_OK;
}
@@ -549,17 +481,15 @@ static hal_error_t lmots_private_key_to_der(const lmots_key_t * const key,
if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMOTS)
return HAL_ERROR_BAD_ARGUMENTS;
- // u32str(lmots_type) || I || u32str(q) || K || x[0] || x[1] || ... || x[p-1]
+ /* u32str(lmots_type) || I || u32str(q) || K || x[] */
/* K is not an integral part of the private key, but we store it to speed up restart */
- /*
- * Calculate data length.
- */
+ /* Calculate data length. */
size_t len, vlen = 0, hlen;
check(hal_asn1_encode_lmots_algorithm(key->lmots->type, NULL, &len, 0)); vlen += len;
- check(hal_asn1_encode_bytestring16(&key->I, NULL, &len, 0)); vlen += len;
+ check(hal_asn1_encode_uuid(&key->I, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_size_t(key->q, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_bytestring32(&key->K, NULL, &len, 0)); vlen += len;
for (size_t i = 0; i < key->lmots->p; ++i) {
@@ -574,9 +504,7 @@ static hal_error_t lmots_private_key_to_der(const lmots_key_t * const key,
if (der == NULL)
return HAL_OK;
- /*
- * Encode data.
- */
+ /* Encode data. */
check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, der, &hlen, der_max));
@@ -584,7 +512,7 @@ static hal_error_t lmots_private_key_to_der(const lmots_key_t * const key,
memset(d, 0, vlen);
check(hal_asn1_encode_lmots_algorithm(key->lmots->type, d, &len, vlen)); d += len; vlen -= len;
- check(hal_asn1_encode_bytestring16(&key->I, d, &len, vlen)); d += len; vlen -= len;
+ check(hal_asn1_encode_uuid(&key->I, d, &len, vlen)); d += len; vlen -= len;
check(hal_asn1_encode_size_t(key->q, d, &len, vlen)); d += len; vlen -= len;
check(hal_asn1_encode_bytestring32(&key->K, d, &len, vlen)); d += len; vlen -= len;
for (size_t i = 0; i < key->lmots->p; ++i) {
@@ -627,12 +555,12 @@ static hal_error_t lmots_private_key_from_der(lmots_key_t *key,
const uint8_t *d = privkey + hlen;
size_t len;
- // u32str(lmots_type) || I || u32str(q) || K || x[0] || x[1] || ... || x[p-1]
+ /* u32str(lmots_type) || I || u32str(q) || K || x[] */
- lmots_algorithm_t lmots_type;
+ hal_lmots_algorithm_t lmots_type;
check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &len, vlen)); d += len; vlen -= len;
key->lmots = lmots_select_parameter_set(lmots_type);
- check(hal_asn1_decode_bytestring16(&key->I, d, &len, vlen)); d += len; vlen -= len;
+ check(hal_asn1_decode_uuid(&key->I, d, &len, vlen)); d += len; vlen -= len;
check(hal_asn1_decode_size_t(&key->q, d, &len, vlen)); d += len; vlen -= len;
check(hal_asn1_decode_bytestring32(&key->K, d, &len, vlen)); d += len; vlen -= len;
if (key->x != NULL) {
@@ -655,15 +583,15 @@ static hal_error_t lmots_private_key_from_der(lmots_key_t *key,
*/
typedef const struct lms_parameter_set {
- lms_algorithm_t type;
- size_t m, h;
+ hal_lms_algorithm_t type;
+ size_t m, h;
} lms_parameter_t;
static lms_parameter_t lms_parameters[] = {
- { lms_sha256_n32_h5, 32, 5 },
- { lms_sha256_n32_h10, 32, 10 },
- { lms_sha256_n32_h15, 32, 15 },
- { lms_sha256_n32_h20, 32, 20 },
- { lms_sha256_n32_h25, 32, 25 },
+ { HAL_LMS_SHA256_N32_H5, 32, 5 },
+ { HAL_LMS_SHA256_N32_H10, 32, 10 },
+ { HAL_LMS_SHA256_N32_H15, 32, 15 },
+ { HAL_LMS_SHA256_N32_H20, 32, 20 },
+ { HAL_LMS_SHA256_N32_H25, 32, 25 },
};
typedef struct lms_key {
@@ -671,8 +599,9 @@ typedef struct lms_key {
size_t level;
lms_parameter_t *lms;
lmots_parameter_t *lmots;
- bytestring16 I;
+ hal_uuid_t I;
size_t q; /* index of next lmots signing key */
+ size_t q_end;
hal_uuid_t *lmots_keys; /* private key components */
bytestring32 *T; /* public key components */
bytestring32 T1; /* copy of T[1] */
@@ -682,12 +611,12 @@ typedef struct lms_key {
size_t signature_len;
} lms_key_t;
-static inline lms_parameter_t *lms_select_parameter_set(const lms_algorithm_t lms_type)
+static inline lms_parameter_t *lms_select_parameter_set(const hal_lms_algorithm_t lms_type)
{
- if (lms_type < lms_sha256_n32_h5 || lms_type > lms_sha256_n32_h25)
+ if (lms_type < HAL_LMS_SHA256_N32_H5 || lms_type > HAL_LMS_SHA256_N32_H25)
return NULL;
else
- return &lms_parameters[lms_type - lms_sha256_n32_h5];
+ return &lms_parameters[lms_type - HAL_LMS_SHA256_N32_H5];
}
static inline size_t lms_public_key_len(lms_parameter_t * const lms)
@@ -703,46 +632,68 @@ static inline size_t lms_signature_len(lms_parameter_t * const lms, lmots_parame
}
#if RPC_CLIENT == RPC_CLIENT_LOCAL
-/* Given a key with most fields filled in, generate the lms private and
- * public key components.
- * Let the caller worry about storage.
- */
-static hal_error_t lms_generate(lms_key_t *key)
+static hal_error_t lms_compute_T_leaf(lms_key_t *key, lmots_key_t *lmots_key)
{
- if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMS || key->lms == NULL || key->lmots == NULL || key->lmots_keys == NULL || key->T == NULL)
- return HAL_ERROR_BAD_ARGUMENTS;
+ /* compute T[r] = H(I || u32str(r) || u16str(D_LEAF) || K) */
+ size_t r = (1U << key->lms->h) + lmots_key->q;
+ uint8_t statebuf[512];
+ hal_hash_state_t *state = NULL;
+ check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
+ check(hal_hash_update(state, (const uint8_t *)&lmots_key->I, sizeof(lmots_key->I)));
+ uint32_t l = u32str(r); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
+ uint16_t s = u16str(D_LEAF); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s)));
+ check(hal_hash_update(state, (const uint8_t *)&lmots_key->K, sizeof(lmots_key->K)));
+ check(hal_hash_finalize(state, (uint8_t *)&key->T[r], sizeof(key->T[r])));
+
+ return HAL_OK;
+}
+
+static hal_error_t lms_compute_T_intr(lms_key_t *key)
+{
+ /* generate the rest of T[r] = H(I || u32str(r) || u16str(D_INTR) || T[2*r] || T[2*r+1]) */
+ for (size_t r = (1U << key->lms->h) - 1; r > 0; --r) {
+ uint8_t statebuf[512];
+ hal_hash_state_t *state = NULL;
+ check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
+ check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
+ uint32_t l = u32str(r); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
+ uint16_t s = u16str(D_INTR); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s)));
+ check(hal_hash_update(state, (const uint8_t *)&key->T[2*r], sizeof(key->T[r])));
+ check(hal_hash_update(state, (const uint8_t *)&key->T[2*r+1], sizeof(key->T[r])));
+ check(hal_hash_finalize(state, (uint8_t *)&key->T[r], sizeof(key->T[r])));
+ hal_task_yield_maybe();
+ }
- check(hal_uuid_gen((hal_uuid_t *)&key->I));
- key->q = 0;
+ return HAL_OK;
+}
+static hal_error_t lms_generate_lmots(lms_key_t *key, size_t q, bytestring32 *seed)
+{
bytestring32 x[key->lmots->p];
lmots_key_t lmots_key = {
.type = HAL_KEY_TYPE_HASHSIG_LMOTS,
.lmots = key->lmots,
+ .I = key->I,
+ .q = q,
.x = x
};
- memcpy(&lmots_key.I, &key->I, sizeof(key->I));
- hal_pkey_slot_t slot = {
- .type = HAL_KEY_TYPE_HASHSIG_LMOTS,
- .curve = HAL_CURVE_NONE,
- .flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | ((key->level == 0) ? HAL_KEY_FLAG_TOKEN: 0)
- };
- hal_ks_t *ks = (key->level == 0) ? hal_ks_token : hal_ks_volatile;
+ /* generate the lmots private and public key components */
+ check(lmots_generate(&lmots_key, seed));
- uint8_t statebuf[512];
- hal_hash_state_t *state = NULL;
- uint32_t l;
- uint16_t s;
- size_t h2 = (1 << key->lms->h);
-
- /* private key - array of lmots key names */
- for (size_t q = 0; q < h2; ++q) {
- /* generate the lmots private and public key components */
- lmots_key.q = q;
- check(lmots_generate(&lmots_key));
+ /* Note: we have to generate all the lmots keys, even if q > 0 or
+ * q_end < 2^h, because we need them to calculate T[].
+ * We just don't need to store the ones that are out of range.
+ */
+ if (q >= key->q && q < key->q_end) {
/* store the lmots key */
+ hal_ks_t *ks = (key->level == 0) ? hal_ks_token : hal_ks_volatile;
+ hal_pkey_slot_t slot = {
+ .type = HAL_KEY_TYPE_HASHSIG_LMOTS,
+ .curve = HAL_CURVE_NONE,
+ .flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | ((key->level == 0) ? HAL_KEY_FLAG_TOKEN: 0)
+ };
uint8_t der[lmots_private_key_to_der_len(&lmots_key)];
size_t der_len;
check(lmots_private_key_to_der(&lmots_key, der, &der_len, sizeof(der)));
@@ -753,42 +704,53 @@ static hal_error_t lms_generate(lms_key_t *key)
if (err != HAL_OK) return err;
/* record the lmots keystore name */
- memcpy(&key->lmots_keys[q], &slot.name, sizeof(slot.name));
+ key->lmots_keys[q] = slot.name;
+ }
+ else
+ memset(&x, 0, sizeof(x));
- /* compute T[r] = H(I || u32str(r) || u16str(D_LEAF) || OTS_PUB_HASH[r-2^h]) */
- size_t r = h2 + q;
- check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
- check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
- l = u32str(r); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
- s = u16str(D_LEAF); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s)));
- check(hal_hash_update(state, (const uint8_t *)&lmots_key.K, sizeof(lmots_key.K)));
- check(hal_hash_finalize(state, (uint8_t *)&key->T[r], sizeof(key->T[r])));
+ /* compute T[r] = H(I || u32str(r) || u16str(D_LEAF) || K) */
+ check(lms_compute_T_leaf(key, &lmots_key));
+
+ return HAL_OK;
+}
+
+/* Given a key with most fields filled in, generate the lms private and
+ * public key components.
+ * Let the caller worry about storage.
+ */
+static hal_error_t lms_generate(lms_key_t *key, bytestring32 *seed)
+{
+ if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMS ||
+ key->lms == NULL || key->lmots == NULL ||
+ key->lmots_keys == NULL || key->T == NULL)
+ return HAL_ERROR_BAD_ARGUMENTS;
+
+ hal_uuid_t I_0 = {{0}};
+ if (hal_uuid_cmp(&key->I, &I_0) == 0)
+ check(hal_uuid_gen(&key->I));
+
+ /* private key - array of lmots key names */
+ for (size_t q = 0; q < (1U << key->lms->h); ++q) {
+ check(lms_generate_lmots(key, q, seed));
hal_task_yield_maybe();
}
/* generate the rest of T[r] = H(I || u32str(r) || u16str(D_INTR) || T[2*r] || T[2*r+1]) */
- for (size_t r = h2 - 1; r > 0; --r) {
- check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
- check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
- l = u32str(r); check(hal_hash_update(state, (const uint8_t *)&l, sizeof(l)));
- s = u16str(D_INTR); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s)));
- check(hal_hash_update(state, (const uint8_t *)&key->T[2*r], sizeof(key->T[r])));
- check(hal_hash_update(state, (const uint8_t *)&key->T[2*r+1], sizeof(key->T[r])));
- check(hal_hash_finalize(state, (uint8_t *)&key->T[r], sizeof(key->T[r])));
- hal_task_yield_maybe();
- }
+ check(lms_compute_T_intr(key));
- memcpy(&key->T1, &key->T[1], sizeof(key->T1));
+ key->T1 = key->T[1];
/* generate the XDR encoding of the public key, which will be signed
* by the previous lms key
*/
uint8_t *pubkey = key->pubkey;
const uint8_t * const publim = key->pubkey + key->pubkey_len;
- // u32str(lms_type) || u32str(lmots_type) || I || T[1]
+
+ /* u32str(lms_type) || u32str(lmots_type) || I || T[1] */
check(hal_xdr_encode_int(&pubkey, publim, key->lms->type));
check(hal_xdr_encode_int(&pubkey, publim, key->lmots->type));
- check(hal_xdr_encode_bytestring16(&pubkey, publim, &key->I));
+ check(hal_xdr_encode_uuid(&pubkey, publim, &key->I));
check(hal_xdr_encode_bytestring32(&pubkey, publim, &key->T1));
return HAL_OK;
@@ -796,18 +758,21 @@ static hal_error_t lms_generate(lms_key_t *key)
static hal_error_t lms_delete(const lms_key_t * const key)
{
- hal_pkey_slot_t slot = {0};
hal_ks_t *ks = (key->level == 0) ? hal_ks_token : hal_ks_volatile;
+ hal_pkey_slot_t slot = {{0}};
+ hal_uuid_t uuid_0 = {{0}};
/* delete the lmots keys */
for (size_t i = 0; i < (1U << key->lms->h); ++i) {
- memcpy(&slot.name, &key->lmots_keys[i], sizeof(slot.name));
- check(hal_ks_delete(ks, &slot));
- hal_task_yield_maybe();
+ if (hal_uuid_cmp(&key->lmots_keys[i], &uuid_0) != 0) {
+ slot.name = key->lmots_keys[i];
+ (void)hal_ks_delete(ks, &slot);
+ hal_task_yield_maybe();
+ }
}
/* delete the lms key */
- memcpy(&slot.name, &key->I, sizeof(slot.name));
+ slot.name = key->I;
return hal_ks_delete(ks, &slot);
}
@@ -821,7 +786,7 @@ static hal_error_t lms_sign(lms_key_t * const key,
if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMS || msg == NULL || sig == NULL)
return HAL_ERROR_BAD_ARGUMENTS;
- if (key->q >= (1U << key->lms->h))
+ if (key->q >= key->q_end)
return HAL_ERROR_HASHSIG_KEY_EXHAUSTED;
if (sig_max < lms_signature_len(key->lms, key->lmots))
@@ -834,9 +799,9 @@ static hal_error_t lms_sign(lms_key_t * const key,
check(hal_xdr_encode_int(&sigptr, siglim, key->q));
/* fetch and decode the lmots signing key from the keystore */
- hal_pkey_slot_t slot;
- memset(&slot, 0, sizeof(slot));
- memcpy(&slot.name, &key->lmots_keys[key->q], sizeof(slot.name));
+ hal_pkey_slot_t slot = {
+ .name = key->lmots_keys[key->q]
+ };
lmots_key_t lmots_key;
memset(&lmots_key, 0, sizeof(lmots_key));
@@ -851,7 +816,7 @@ static hal_error_t lms_sign(lms_key_t * const key,
check(lmots_private_key_from_der(&lmots_key, der, der_len));
memset(&der, 0, sizeof(der));
- //? check lmots_type and I vs. lms key?
+ /* check lmots_type and I vs. lms key? */
/* generate the lmots signature */
size_t lmots_sig_len;
@@ -873,7 +838,7 @@ static hal_error_t lms_sign(lms_key_t * const key,
check(lms_private_key_to_der(key, der, &der_len, sizeof(der)));
slot.type = HAL_KEY_TYPE_HASHSIG_LMS;
slot.flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | ((key->level == 0) ? HAL_KEY_FLAG_TOKEN : 0);
- memcpy(&slot.name, &key->I, sizeof(slot.name));
+ slot.name = key->I;
check(hal_ks_rewrite_der(ks, &slot, der, der_len));
return HAL_OK;
@@ -899,34 +864,9 @@ static hal_error_t lms_verify(const lms_key_t * const key,
if (sig_len != lms_signature_len(key->lms, key->lmots))
return HAL_ERROR_INVALID_SIGNATURE;
-// Algorithm 6: LMS Signature Verification
-//
-// 1. if the public key is not at least eight bytes long, return
-// INVALID
-//
-// 2. parse pubtype, I, and T[1] from the public key as follows:
-//
-// a. pubtype = strTou32(first 4 bytes of public key)
-//
-// b. ots_typecode = strTou32(next 4 bytes of public key)
-//
-// c. set m according to pubtype, based on Table 2
-//
-// d. if the public key is not exactly 24 + m bytes
-// long, return INVALID
-//
-// e. I = next 16 bytes of the public key
-//
-// f. T[1] = next m bytes of the public key
-//
-// 3. compute the candidate LMS root value Tc from the signature,
-// message, identifier and pubtype using Algorithm 6b.
-
bytestring32 Tc;
check(lms_public_key_candidate(key, msg, msg_len, sig, sig_len, &Tc));
-// 4. if Tc is equal to T[1], return VALID; otherwise, return INVALID
-
return (memcmp(&Tc, &key->T1, sizeof(Tc)) ? HAL_ERROR_INVALID_SIGNATURE : HAL_OK);
}
@@ -935,100 +875,54 @@ static hal_error_t lms_public_key_candidate(const lms_key_t * const key,
const uint8_t * const sig, const size_t sig_len,
bytestring32 * Tc)
{
-// Algorithm 6b: Computing an LMS Public Key Candidate from a Signature,
-// Message, Identifier, and algorithm typecode
- /* XXX and pubotstype */
-
-// 1. if the signature is not at least eight bytes long, return INVALID
-//
-// 2. parse sigtype, q, ots_signature, and path from the signature as
-// follows:
-//
-// a. q = strTou32(first 4 bytes of signature)
-
const uint8_t *sigptr = sig;
const uint8_t * const siglim = sig + sig_len;
uint32_t q;
check(hal_xdr_decode_int(&sigptr, siglim, &q));
-// b. otssigtype = strTou32(next 4 bytes of signature)
-
uint32_t otssigtype;
check(hal_xdr_decode_int_peek(&sigptr, siglim, &otssigtype));
-// c. if otssigtype is not the OTS typecode from the public key, return INVALID
-
- if ((lmots_algorithm_t)otssigtype != key->lmots->type)
+ if ((hal_lmots_algorithm_t)otssigtype != key->lmots->type)
return HAL_ERROR_INVALID_SIGNATURE;
-// d. set n, p according to otssigtype and Table 1; if the
-// signature is not at least 12 + n * (p + 1) bytes long, return INVALID
-//
-// e. ots_signature = bytes 8 through 8 + n * (p + 1) - 1 of signature
-
- /* XXX Technically, this is also wrong - this is the remainder of
- * ots_signature after otssigtype. The full ots_signature would be
- * bytes 4 through 8 + n * (p + 1) - 1.
- */
-
const uint8_t * const ots_signature = sigptr;
sigptr += lmots_signature_len(key->lmots);
-// f. sigtype = strTou32(4 bytes of signature at location 8 + n * (p + 1))
-
uint32_t sigtype;
check(hal_xdr_decode_int(&sigptr, siglim, &sigtype));
-// f. if sigtype is not the LM typecode from the public key, return INVALID
-
- if ((lms_algorithm_t)sigtype != key->lms->type)
+ if ((hal_lms_algorithm_t)sigtype != key->lms->type)
return HAL_ERROR_INVALID_SIGNATURE;
-// g. set m, h according to sigtype and Table 2
-
size_t m = key->lms->m;
size_t h = key->lms->h;
size_t h2 = (1 << key->lms->h);
-// h. if q >= 2^h or the signature is not exactly 12 + n * (p + 1) + m * h bytes long, return INVALID
-
if (q >= h2)
return HAL_ERROR_INVALID_SIGNATURE;
-// i. set path as follows:
-// path[0] = next m bytes of signature
-// path[1] = next m bytes of signature
-// ...
-// path[h-1] = next m bytes of signature
-
bytestring32 path[h];
for (size_t i = 0; i < h; ++i)
check(hal_xdr_decode_bytestring32(&sigptr, siglim, &path[i]));
-// 3. Kc = candidate public key computed by applying Algorithm 4b
-// to the signature ots_signature, the message, and the
-// identifiers I, q
-
lmots_key_t lmots_key = {
.type = HAL_KEY_TYPE_HASHSIG_LMOTS,
.lmots = key->lmots,
+ .I = key->I,
.q = q
};
- memcpy(&lmots_key.I, &key->I, sizeof(lmots_key.I));
check(lmots_public_key_candidate(&lmots_key, msg, msg_len, ots_signature, lmots_signature_len(key->lmots)));
-// 4. compute the candidate LMS root value Tc as follows:
-
uint8_t statebuf[512];
hal_hash_state_t *state = NULL;
uint32_t l;
uint16_t s;
-// node_num = 2^h + q
size_t r = h2 + q;
-// tmp = H(I || u32str(node_num) || u16str(D_LEAF) || Kc)
+ /* tmp = H(I || u32str(node_num) || u16str(D_LEAF) || Kc) */
bytestring32 tmp;
check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
check(hal_hash_update(state, (const uint8_t *)&lmots_key.I, sizeof(lmots_key.I)));
@@ -1037,15 +931,8 @@ static hal_error_t lms_public_key_candidate(const lms_key_t * const key,
check(hal_hash_update(state, (const uint8_t *)&lmots_key.K, sizeof(lmots_key.K)));
check(hal_hash_finalize(state, (uint8_t *)&tmp, sizeof(tmp)));
-// i = 0
-// while (node_num > 1) {
-// if (node_num is odd):
-// tmp = H(I || u32str(node_num/2) || u16str(D_INTR) || path[i] || tmp)
-// else:
-// tmp = H(I || u32str(node_num/2) || u16str(D_INTR) || tmp || path[i])
-// node_num = node_num/2
-// i = i + 1
-// }
+ /* odd nodes: tmp = H(I || u32str(node_num/2) || u16str(D_INTR) || path[i] || tmp) */
+ /* even nodes: tmp = H(I || u32str(node_num/2) || u16str(D_INTR) || tmp || path[i]) */
for (size_t i = 0; r > 1; r /= 2, ++i) {
check(hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf)));
check(hal_hash_update(state, (const uint8_t *)&key->I, sizeof(key->I)));
@@ -1062,8 +949,7 @@ static hal_error_t lms_public_key_candidate(const lms_key_t * const key,
check(hal_hash_finalize(state, (uint8_t *)&tmp, sizeof(tmp)));
}
-// Tc = tmp
- memcpy(Tc, &tmp, sizeof(*Tc));
+ *Tc = tmp;
return HAL_OK;
}
@@ -1075,18 +961,17 @@ static hal_error_t lms_private_key_to_der(const lms_key_t * const key,
if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_LMS)
return HAL_ERROR_BAD_ARGUMENTS;
- /*
- * Calculate data length.
- */
+ /* u32str(lms_type) || u32str(lmots_type) || I || q || q_end */
- // u32str(lms_type) || u32str(lmots_type) || I || q
+ /* Calculate data length. */
size_t len, vlen = 0, hlen;
check(hal_asn1_encode_lms_algorithm(key->lms->type, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_lmots_algorithm(key->lmots->type, NULL, &len, 0)); vlen += len;
- check(hal_asn1_encode_bytestring16(&key->I, NULL, &len, 0)); vlen += len;
+ check(hal_asn1_encode_uuid(&key->I, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_size_t(key->q, NULL, &len, 0)); vlen += len;
+ check(hal_asn1_encode_size_t(key->q_end, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, NULL, &hlen, 0));
@@ -1096,9 +981,7 @@ static hal_error_t lms_private_key_to_der(const lms_key_t * const key,
if (der == NULL)
return HAL_OK;
- /*
- * Encode data.
- */
+ /* Encode data. */
check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, der, &hlen, der_max));
@@ -1107,8 +990,9 @@ static hal_error_t lms_private_key_to_der(const lms_key_t * const key,
check(hal_asn1_encode_lms_algorithm(key->lms->type, d, &len, vlen)); d += len; vlen -= len;
check(hal_asn1_encode_lmots_algorithm(key->lmots->type, d, &len, vlen)); d += len; vlen -= len;
- check(hal_asn1_encode_bytestring16(&key->I, d, &len, vlen)); d += len; vlen -= len;
+ check(hal_asn1_encode_uuid(&key->I, d, &len, vlen)); d += len; vlen -= len;
check(hal_asn1_encode_size_t(key->q, d, &len, vlen)); d += len; vlen -= len;
+ check(hal_asn1_encode_size_t(key->q_end, d, &len, vlen)); d += len; vlen -= len;
return hal_asn1_encode_pkcs8_privatekeyinfo(hal_asn1_oid_mts_hashsig, hal_asn1_oid_mts_hashsig_len,
NULL, 0, der, d - der, der, der_len, der_max);
@@ -1126,6 +1010,8 @@ static hal_error_t lms_private_key_from_der(lms_key_t *key,
if (key == NULL || der == NULL)
return HAL_ERROR_BAD_ARGUMENTS;
+ memset(key, 0, sizeof(*key));
+
key->type = HAL_KEY_TYPE_HASHSIG_LMS;
size_t hlen, vlen, alg_oid_len, curve_oid_len, privkey_len;
@@ -1146,16 +1032,17 @@ static hal_error_t lms_private_key_from_der(lms_key_t *key,
const uint8_t *d = privkey + hlen;
size_t n;
- // u32str(lms_type) || u32str(lmots_type) || I || q
+ /* u32str(lms_type) || u32str(lmots_type) || I || q || q_end */
- lms_algorithm_t lms_type;
+ hal_lms_algorithm_t lms_type;
check(hal_asn1_decode_lms_algorithm(&lms_type, d, &n, vlen)); d += n; vlen -= n;
key->lms = lms_select_parameter_set(lms_type);
- lmots_algorithm_t lmots_type;
+ hal_lmots_algorithm_t lmots_type;
check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &n, vlen)); d += n; vlen -= n;
key->lmots = lmots_select_parameter_set(lmots_type);
- check(hal_asn1_decode_bytestring16(&key->I, d, &n, vlen)); d += n; vlen -= n;
+ check(hal_asn1_decode_uuid(&key->I, d, &n, vlen)); d += n; vlen -= n;
check(hal_asn1_decode_size_t(&key->q, d, &n, vlen)); d += n; vlen -= n;
+ check(hal_asn1_decode_size_t(&key->q_end, d, &n, vlen)); d += n; vlen -= n;
if (d != privkey + privkey_len)
return HAL_ERROR_ASN1_PARSE_FAILED;
@@ -1183,8 +1070,10 @@ struct hal_hashsig_key {
size_t L;
lms_parameter_t *lms;
lmots_parameter_t *lmots;
- bytestring16 I;
+ hal_uuid_t I;
+ size_t q_start, q_end;
bytestring32 T1;
+ bytestring32 seed;
lms_key_t *lms_keys;
};
@@ -1192,11 +1081,23 @@ const size_t hal_hashsig_key_t_size = sizeof(hss_key_t);
static hss_key_t *hss_keys = NULL;
+static hss_key_t *hss_find(hal_uuid_t *I)
+{
+ for (hss_key_t *key = hss_keys; key != NULL; key = key->next) {
+ if (memcmp(&key->I, I, sizeof(*I)) == 0)
+ return key;
+ }
+
+ return NULL;
+}
+
+#if 0 /* currently unused */
static inline size_t hss_public_key_len(lms_parameter_t * const lms)
{
/* L || pub[0] */
return sizeof(uint32_t) + lms_public_key_len(lms);
}
+#endif
static inline size_t hss_signature_len(const size_t L, lms_parameter_t * const lms, lmots_parameter_t * const lmots)
{
@@ -1205,8 +1106,8 @@ static inline size_t hss_signature_len(const size_t L, lms_parameter_t * const l
}
size_t hal_hashsig_signature_len(const size_t L,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type)
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type)
{
lms_parameter_t * const lms = lms_select_parameter_set(lms_type);
if (lms == NULL)
@@ -1219,7 +1120,7 @@ size_t hal_hashsig_signature_len(const size_t L,
return hss_signature_len(L, lms, lmots);
}
-size_t hal_hashsig_lmots_private_key_len(const lmots_algorithm_t lmots_type)
+size_t hal_hashsig_lmots_private_key_len(const hal_lmots_algorithm_t lmots_type)
{
lmots_parameter_t * const lmots = lmots_select_parameter_set(lmots_type);
if (lmots == NULL)
@@ -1241,25 +1142,18 @@ static inline void *gnaw(uint8_t **mem, size_t *len, const size_t size)
return ret;
}
-static hal_error_t hss_alloc(hal_hashsig_key_t **key_,
- const size_t L,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type)
+static hal_error_t hss_alloc(hal_hashsig_key_t **key_)
{
- if (key_ == NULL)
+ if (key_ == NULL || *key_ == NULL ||
+ (*key_)->type != HAL_KEY_TYPE_HASHSIG_PRIVATE ||
+ (*key_)->L == 0 || (*key_)->L > 8 ||
+ (*key_)->lms == NULL || (*key_)->lmots == NULL)
return HAL_ERROR_BAD_ARGUMENTS;
- if (L == 0 || L > 8)
- return HAL_ERROR_BAD_ARGUMENTS;
-
- lms_parameter_t *lms = lms_select_parameter_set(lms_type);
- if (lms == NULL)
- return HAL_ERROR_BAD_ARGUMENTS;
- size_t h2 = (1 << lms->h);
-
- lmots_parameter_t *lmots = lmots_select_parameter_set(lmots_type);
- if (lmots == NULL)
- return HAL_ERROR_BAD_ARGUMENTS;
+ size_t L = (*key_)->L;
+ lms_parameter_t *lms = (*key_)->lms;
+ lmots_parameter_t *lmots = (*key_)->lmots;
+ size_t h2 = (1U << lms->h);
/* w=1 fails on the Alpha, because the key exceeds the keystore block
* size. The XDR encoding of the key is going to differ from the DER
@@ -1294,114 +1188,163 @@ static hal_error_t hss_alloc(hal_hashsig_key_t **key_,
memset(mem, 0, len);
/* allocate the key that will stay in working memory */
- hss_key_t *key = gnaw(&mem, &len, sizeof(hss_key_t));
+ hss_key_t *key = gnaw(&mem, &len, sizeof(*key));
+
+ /* initialize it from the transitory key */
+ *key = **key_;
*key_ = key;
- key->type = HAL_KEY_TYPE_HASHSIG_PRIVATE;
- key->L = L;
- key->lms = lms;
- key->lmots = lmots;
- /* add to the list of active keys */
+ /* add the in-memory key to the list of active keys */
key->next = hss_keys;
hss_keys = key;
/* allocate the list of lms trees */
key->lms_keys = gnaw(&mem, &len, L * sizeof(lms_key_t));
for (size_t i = 0; i < L; ++i) {
- /* XXX some of this is redundant to lms_private_key_from_der */
lms_key_t * lms_key = &key->lms_keys[i];
lms_key->type = HAL_KEY_TYPE_HASHSIG_LMS;
lms_key->lms = lms;
lms_key->lmots = lmots;
lms_key->level = i;
- lms_key->lmots_keys = (hal_uuid_t *)gnaw(&mem, &len, h2 * sizeof(hal_uuid_t));
+ lms_key->lmots_keys = gnaw(&mem, &len, h2 * sizeof(hal_uuid_t));
lms_key->T = gnaw(&mem, &len, (2 * h2) * sizeof(bytestring32));
lms_key->signature = gnaw(&mem, &len, lms_sig_len);
lms_key->signature_len = lms_sig_len;
lms_key->pubkey = gnaw(&mem, &len, lms_pub_len);
lms_key->pubkey_len = lms_pub_len;
+ lms_key->q_end = h2;
}
return HAL_OK;
}
-/* called from pkey_local_generate_hashsig */
-hal_error_t hal_hashsig_key_gen(hal_core_t *core,
- hal_hashsig_key_t **key_,
- const size_t L,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type)
+static hal_error_t hss_generate(hss_key_t **key_, const hal_key_flags_t flags)
{
- /* hss_alloc does most of the checks */
-
- if (restart_in_progress)
- return HAL_ERROR_NOT_READY;
+ /* Hashsig keys can only be used for signing, so it makes sense to check
+ * that now, rather than waiting until the user tries to sign.
+ *
+ * Also, the top-level tree must be stored in the token (flash) keystore.
+ * I experimented with allowing keys to be stored in the volatile
+ * keystore, but that had some ugly consequences around the fact that
+ * volatile keys are automatically deleted when the user logs out. I'm
+ * also not sure there's a good use case for volatile hashsig keys.
+ */
+ if (!(flags & HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE) ||
+ !(flags & HAL_KEY_FLAG_TOKEN))
+ return HAL_ERROR_FORBIDDEN;
- /* check flash keystore for space to store the root tree */
- lms_parameter_t *lms = lms_select_parameter_set(lms_type);
- if (lms == NULL)
+ if (key_ == NULL || *key_ == NULL || (*key_)->lms == NULL)
return HAL_ERROR_BAD_ARGUMENTS;
+
+ /* hss_alloc does most of the sanity checks */
+
+ /* check flash keystore for space to store the root tree:
+ * 2^h lmots keys + 1 lms key + 1 hss key
+ */
size_t available;
check(hal_ks_available(hal_ks_token, &available));
- if (available < (1U << lms->h) + 2)
+ if (available < (*key_)->q_end - (*key_)->q_start + 2)
return HAL_ERROR_NO_KEY_INDEX_SLOTS;
- check(hss_alloc(key_, L, lms_type, lmots_type));
+ check(hss_alloc(key_));
hss_key_t *key = *key_;
+ hal_error_t err;
/* generate the lms trees */
- for (size_t i = 0; i < L; ++i) {
+ for (size_t i = 0; i < key->L; ++i) {
lms_key_t * lms_key = &key->lms_keys[i];
+ bytestring32 *seed = NULL;
+
+ if (i == 0) {
+ lms_key->I = key->I;
+ lms_key->q = key->q_start;
+ lms_key->q_end = key->q_end;
+
+ /* If we're called from import, seed will be filled in.
+ * If called from key_gen, seed will be 0, and we may need to
+ * generate it.
+ */
+ bytestring32 seed_0 = {{0}};
+ if (memcmp(&key->seed, &seed_0, sizeof(seed_0)) != 0) {
+ seed = &key->seed;
+ }
+ else if (flags & HAL_KEY_FLAG_EXPORTABLE) {
+ seed = &key->seed;
+ if ((err = hal_rpc_get_random(seed, sizeof(*seed))) != HAL_OK)
+ goto err_out;
+ }
+ }
- check(lms_generate(lms_key));
+ if ((err = lms_generate(lms_key, seed)) != HAL_OK)
+ goto err_out;
if (i > 0)
/* sign this tree with the previous */
- check(lms_sign(&key->lms_keys[i-1],
- (const uint8_t * const)lms_key->pubkey, lms_public_key_len(key->lms),
- lms_key->signature, NULL, lms_signature_len(key->lms, key->lmots)));
+ if ((err = lms_sign(&key->lms_keys[i-1],
+ (const uint8_t * const)lms_key->pubkey,
+ lms_public_key_len(key->lms),
+ lms_key->signature, NULL,
+ lms_signature_len(key->lms, key->lmots))) != HAL_OK)
+ goto err_out;
/* store the lms key */
+ hal_ks_t *ks = (i == 0) ? hal_ks_token : hal_ks_volatile;
hal_pkey_slot_t slot = {
.type = HAL_KEY_TYPE_HASHSIG_LMS,
- .curve = HAL_CURVE_NONE,
+ .name = lms_key->I,
.flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | ((i == 0) ? HAL_KEY_FLAG_TOKEN: 0)
};
- hal_ks_t *ks = (i == 0) ? hal_ks_token : hal_ks_volatile;
uint8_t der[lms_private_key_to_der_len(lms_key)];
size_t der_len;
- memcpy(&slot.name, &lms_key->I, sizeof(slot.name));
- check(lms_private_key_to_der(lms_key, der, &der_len, sizeof(der)));
- check(hal_ks_store(ks, &slot, der, der_len));
+ if ((err = lms_private_key_to_der(lms_key, der, &der_len, sizeof(der))) != HAL_OK ||
+ (err = hal_ks_store(ks, &slot, der, der_len)) != HAL_OK)
+ goto err_out;
}
- memcpy(&key->I, &key->lms_keys[0].I, sizeof(key->I));
- memcpy(&key->T1, &key->lms_keys[0].T1, sizeof(key->T1));
+ key->I = key->lms_keys[0].I;
+ key->T1 = key->lms_keys[0].T1;
/* pkey_local_generate_hashsig stores the key */
return HAL_OK;
+
+err_out:
+ (void)hal_free_static_memory(key);
+ return err;
}
-/* caller will delete the hss key from the keystore */
-hal_error_t hal_hashsig_key_delete(const hal_hashsig_key_t * const key)
-{
+/* called from pkey_local_generate_hashsig
+ * caller will store the key
+ */
+hal_error_t hal_hashsig_key_gen(hal_core_t *core,
+ hal_hashsig_key_t **key_,
+ void *keybuf, const size_t keybuf_len,
+ const size_t L,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type,
+ const hal_key_flags_t flags)
+{
+ if (key_ == NULL || keybuf == NULL || keybuf_len < sizeof(hss_key_t))
+ return HAL_ERROR_BAD_ARGUMENTS;
+
if (restart_in_progress)
return HAL_ERROR_NOT_READY;
- if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_PRIVATE)
- return HAL_ERROR_BAD_ARGUMENTS;
-
- /* delete the lms trees and their lmots keys */
- for (size_t level = 0; level < key->L; ++level)
- check(lms_delete(&key->lms_keys[level]));
+ hss_key_t *key = *key_ = keybuf;
+ memset(key, 0, sizeof(*key));
+ key->type = HAL_KEY_TYPE_HASHSIG_PRIVATE;
+ key->L = L;
+ key->lms = lms_select_parameter_set(lms_type);
+ key->lmots = lmots_select_parameter_set(lmots_type);
+ key->q_end = (1U << key->lms->h);
- /* XXX free memory, if supported */
- (void)hal_free_static_memory(key);
+ return hss_generate(key_, flags);
+}
- /* remove from global hss_keys linked list */
- /* XXX or mark it unused, for possible re-use */
+static void hss_delete(hss_key_t *key)
+{
+ /* remove key from global hss_keys linked list */
if (hss_keys == key) {
hss_keys = key->next;
}
@@ -1414,6 +1357,41 @@ hal_error_t hal_hashsig_key_delete(const hal_hashsig_key_t * const key)
}
}
+ /* delete the lms trees and their lmots keys */
+ for (size_t level = 0; level < key->L; ++level)
+ (void)lms_delete(&key->lms_keys[level]);
+
+ /* free memory, if possible */
+ (void)hal_free_static_memory(key);
+}
+
+/* caller will delete the hss key from the keystore */
+hal_error_t hal_hashsig_delete(const hal_uuid_t * const name)
+{
+ if (restart_in_progress)
+ return HAL_ERROR_NOT_READY;
+
+ hal_pkey_slot_t slot = { .name = *name };
+ uint8_t der[HAL_KS_WRAPPED_KEYSIZE];
+ size_t der_len;
+ check(hal_ks_fetch(hal_ks_token, &slot, der, &der_len, sizeof(der)));
+
+ hal_hashsig_key_t keybuf, *key;
+ check(hal_hashsig_private_key_from_der(&key, &keybuf, sizeof(keybuf), der, der_len));
+
+ /* hal_hashsig_private_key_from_der returns the key in the list of
+ * active hashsig keys, so we don't need this temporary key.
+ */
+ memset(der, 0, sizeof(der));
+ memset(&keybuf, 0, sizeof(keybuf));
+
+ /* OTOH, if we found the key in the keystore, but not in the list of
+ * active hashsig keys, that's Bad.
+ */
+ if (key == &keybuf)
+ return HAL_ERROR_KEY_NOT_FOUND;
+
+ hss_delete(key);
return HAL_OK;
}
@@ -1431,24 +1409,10 @@ hal_error_t hal_hashsig_sign(hal_core_t *core,
if (sig_max < hss_signature_len(key->L, key->lms, key->lmots))
return HAL_ERROR_RESULT_TOO_LONG;
-// To sign a message using the private key prv, the following steps are
-// performed:
-//
-// If prv[L-1] is exhausted, then determine the smallest integer d
-// such that all of the private keys prv[d], prv[d+1], ... , prv[L-1]
-// are exhausted. If d is equal to zero, then the HSS key pair is
-// exhausted, and it MUST NOT generate any more signatures.
-// Otherwise, the key pairs for levels d through L-1 must be
-// regenerated during the signature generation process, as follows.
-// For i from d to L-1, a new LMS public and private key pair with a
-// new identifier is generated, pub[i] and prv[i] are set to those
-// values, then the public key pub[i] is signed with prv[i-1], and
-// sig[i-1] is set to the resulting value.
-
- size_t h2 = (1 << key->lms->h);
- if (key->lms_keys[key->L-1].q >= h2) {
+ /* if the signing key is exhausted, try to regenerate it */
+ if (key->lms_keys[key->L-1].q >= key->lms_keys[key->L-1].q_end) {
size_t d;
- for (d = key->L-1; d > 0 && key->lms_keys[d-1].q >= h2; --d) {
+ for (d = key->L-1; d > 0 && key->lms_keys[d-1].q >= key->lms_keys[d-1].q_end; --d) {
}
if (d == 0)
return HAL_ERROR_HASHSIG_KEY_EXHAUSTED;
@@ -1461,36 +1425,26 @@ hal_error_t hal_hashsig_sign(hal_core_t *core,
* any additional memory.
*/
check(lms_delete(lms_key));
- check(lms_generate(lms_key));
+ lms_key->q = 0;
+ check(lms_generate(lms_key, NULL));
check(lms_sign(&key->lms_keys[d-1],
(const uint8_t * const)lms_key->pubkey, lms_key->pubkey_len,
lms_key->signature, NULL, lms_key->signature_len));
hal_pkey_slot_t slot = {
.type = HAL_KEY_TYPE_HASHSIG_LMS,
- .curve = HAL_CURVE_NONE,
- .flags = (lms_key->level == 0) ? HAL_KEY_FLAG_TOKEN: 0
+ .name = lms_key->I,
+ .flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | (lms_key->level == 0) ? HAL_KEY_FLAG_TOKEN: 0
};
- hal_ks_t *ks = (lms_key->level == 0) ? hal_ks_token : hal_ks_volatile;
uint8_t der[lms_private_key_to_der_len(lms_key)];
size_t der_len;
- memcpy(&slot.name, &lms_key->I, sizeof(slot.name));
check(lms_private_key_to_der(lms_key, der, &der_len, sizeof(der)));
- check(hal_ks_store(ks, &slot, der, der_len));
+ check(hal_ks_store(hal_ks_volatile, &slot, der, der_len));
}
}
-// The message is signed with prv[L-1], and the value sig[L-1] is set
-// to that result.
-//
-// The value of the HSS signature is set as follows. We let
-// signed_pub_key denote an array of octet strings, where
-// signed_pub_key[i] = sig[i] || pub[i+1], for i between 0 and Nspk-
-// 1, inclusive, where Nspk = L-1 denotes the number of signed public
-// keys. Then the HSS signature is u32str(Nspk) ||
-// signed_pub_key[0] || ... || signed_pub_key[Nspk-1] || sig[Nspk].
-
+ /* sig = u32str(Nspk) || signed_pub_key[0] || ... || signed_pub_key[Nspk-1] || sig[Nspk] */
uint8_t *sigptr = sig;
const uint8_t * const siglim = sig + sig_max;
check(hal_xdr_encode_int(&sigptr, siglim, key->L - 1));
@@ -1517,19 +1471,10 @@ hal_error_t hal_hashsig_verify(hal_core_t *core,
const uint8_t * const msg, const size_t msg_len,
const uint8_t * const sig, const size_t sig_len)
{
- if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_PUBLIC || msg == NULL || sig == NULL)
+ if (key == NULL || (key->type != HAL_KEY_TYPE_HASHSIG_PRIVATE && key->type != HAL_KEY_TYPE_HASHSIG_PUBLIC) || msg == NULL || sig == NULL)
return HAL_ERROR_BAD_ARGUMENTS;
- core = core;
-
-// To verify a signature sig and message using the public key pub, the
-// following steps are performed:
-//
-// The signature S is parsed into its components as follows:
-//
-// Nspk = strTou32(first four bytes of S)
-// if Nspk+1 is not equal to the number of levels L in pub:
-// return INVALID
+ /* sig = u32str(Nspk) || signed_pub_key[0] || ... || signed_pub_key[Nspk-1] || sig[Nspk] */
const uint8_t *sigptr = sig;
const uint8_t * const siglim = sig + sig_len;
@@ -1539,22 +1484,13 @@ hal_error_t hal_hashsig_verify(hal_core_t *core,
if (Nspk + 1 != key->L)
return HAL_ERROR_INVALID_SIGNATURE;
-// key = pub
-// for (i = 0; i < Nspk; i = i + 1) {
-// sig = next LMS signature parsed from S
-// msg = next LMS public key parsed from S
-// if (lms_verify(msg, key, sig) != VALID):
-// return INVALID
-// key = msg
-// }
-
lms_key_t pub = {
.type = HAL_KEY_TYPE_HASHSIG_LMS,
.lms = key->lms,
- .lmots = key->lmots
+ .lmots = key->lmots,
+ .I = key->I,
+ .T1 = key->T1
};
- memcpy(&pub.I, &key->I, sizeof(pub.I));
- memcpy(&pub.T1, &key->T1, sizeof(pub.T1));
for (size_t i = 0; i < Nspk; ++i) {
const uint8_t * const lms_sig = sigptr;
@@ -1567,7 +1503,7 @@ hal_error_t hal_hashsig_verify(hal_core_t *core,
/* read lmots_type out of the ots_signature */
uint32_t lmots_type;
check(hal_xdr_decode_int_peek(&sigptr, siglim, &lmots_type));
- lmots_parameter_t *lmots = lmots_select_parameter_set((lmots_algorithm_t)lmots_type);
+ lmots_parameter_t *lmots = lmots_select_parameter_set((hal_lmots_algorithm_t)lmots_type);
if (lmots == NULL)
return HAL_ERROR_INVALID_SIGNATURE;
/* skip over ots_signature */
@@ -1575,7 +1511,7 @@ hal_error_t hal_hashsig_verify(hal_core_t *core,
/* read lms_type after ots_signature */
uint32_t lms_type;
check(hal_xdr_decode_int(&sigptr, siglim, &lms_type));
- lms_parameter_t *lms = lms_select_parameter_set((lms_algorithm_t)lms_type);
+ lms_parameter_t *lms = lms_select_parameter_set((hal_lms_algorithm_t)lms_type);
if (lms == NULL)
return HAL_ERROR_INVALID_SIGNATURE;
/* skip over the path elements of the lms signature */
@@ -1587,14 +1523,14 @@ hal_error_t hal_hashsig_verify(hal_core_t *core,
/* parse the signed public key */
check(hal_xdr_decode_int(&sigptr, siglim, &lms_type));
- pub.lms = lms_select_parameter_set((lmots_algorithm_t)lms_type);
+ pub.lms = lms_select_parameter_set((hal_lms_algorithm_t)lms_type);
if (pub.lms == NULL)
return HAL_ERROR_INVALID_SIGNATURE;
check(hal_xdr_decode_int(&sigptr, siglim, &lmots_type));
- pub.lmots = lmots_select_parameter_set((lmots_algorithm_t)lmots_type);
+ pub.lmots = lmots_select_parameter_set((hal_lmots_algorithm_t)lmots_type);
if (pub.lmots == NULL)
return HAL_ERROR_INVALID_SIGNATURE;
- check(hal_xdr_decode_bytestring16(&sigptr, siglim, &pub.I));
+ check(hal_xdr_decode_uuid(&sigptr, siglim, &pub.I));
check(hal_xdr_decode_bytestring32(&sigptr, siglim, &pub.T1));
}
@@ -1608,17 +1544,18 @@ hal_error_t hal_hashsig_private_key_to_der(const hal_hashsig_key_t * const key,
if (key == NULL || key->type != HAL_KEY_TYPE_HASHSIG_PRIVATE)
return HAL_ERROR_BAD_ARGUMENTS;
- /*
- * Calculate data length.
- */
+ /* Calculate data length. */
size_t len, vlen = 0, hlen;
check(hal_asn1_encode_size_t(key->L, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_lms_algorithm(key->lms->type, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_lmots_algorithm(key->lmots->type, NULL, &len, 0)); vlen += len;
- check(hal_asn1_encode_bytestring16(&key->I, NULL, &len, 0)); vlen += len;
+ check(hal_asn1_encode_uuid(&key->I, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_bytestring32(&key->T1, NULL, &len, 0)); vlen += len;
+ check(hal_asn1_encode_bytestring32(&key->seed, NULL, &len, 0)); vlen += len;
+ check(hal_asn1_encode_size_t(key->q_start, NULL, &len, 0)); vlen += len;
+ check(hal_asn1_encode_size_t(key->q_end, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, NULL, &hlen, 0));
@@ -1628,9 +1565,7 @@ hal_error_t hal_hashsig_private_key_to_der(const hal_hashsig_key_t * const key,
if (der == NULL)
return HAL_OK;
- /*
- * Encode data.
- */
+ /* Encode data. */
check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, der, &hlen, der_max));
@@ -1640,8 +1575,11 @@ hal_error_t hal_hashsig_private_key_to_der(const hal_hashsig_key_t * const key,
check(hal_asn1_encode_size_t(key->L, d, &len, vlen)); d += len; vlen -= len;
check(hal_asn1_encode_lms_algorithm(key->lms->type, d, &len, vlen)); d += len; vlen -= len;
check(hal_asn1_encode_lmots_algorithm(key->lmots->type, d, &len, vlen)); d += len; vlen -= len;
- check(hal_asn1_encode_bytestring16(&key->I, d, &len, vlen)); d += len; vlen -= len;
+ check(hal_asn1_encode_uuid(&key->I, d, &len, vlen)); d += len; vlen -= len;
check(hal_asn1_encode_bytestring32(&key->T1, d, &len, vlen)); d += len; vlen -= len;
+ check(hal_asn1_encode_bytestring32(&key->seed, d, &len, vlen)); d += len; vlen -= len;
+ check(hal_asn1_encode_size_t(key->q_start, d, &len, vlen)); d += len; vlen -= len;
+ check(hal_asn1_encode_size_t(key->q_end, d, &len, vlen)); d += len; vlen -= len;
return hal_asn1_encode_pkcs8_privatekeyinfo(hal_asn1_oid_mts_hashsig, hal_asn1_oid_mts_hashsig_len,
NULL, 0, der, d - der, der, der_len, der_max);
@@ -1688,14 +1626,17 @@ hal_error_t hal_hashsig_private_key_from_der(hal_hashsig_key_t **key_,
size_t n;
check(hal_asn1_decode_size_t(&key->L, d, &n, vlen)); d += n; vlen -= n;
- lms_algorithm_t lms_type;
+ hal_lms_algorithm_t lms_type;
check(hal_asn1_decode_lms_algorithm(&lms_type, d, &n, vlen)); d += n; vlen -= n;
key->lms = lms_select_parameter_set(lms_type);
- lmots_algorithm_t lmots_type;
+ hal_lmots_algorithm_t lmots_type;
check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &n, vlen)); d += n; vlen -= n;
key->lmots = lmots_select_parameter_set(lmots_type);
- check(hal_asn1_decode_bytestring16(&key->I, d, &n, vlen)); d += n; vlen -= n;
+ check(hal_asn1_decode_uuid(&key->I, d, &n, vlen)); d += n; vlen -= n;
check(hal_asn1_decode_bytestring32(&key->T1, d, &n, vlen)); d += n; vlen -= n;
+ check(hal_asn1_decode_bytestring32(&key->seed, d, &n, vlen)); d += n; vlen -= n;
+ check(hal_asn1_decode_size_t(&key->q_start, d, &n, vlen)); d += n; vlen -= n;
+ check(hal_asn1_decode_size_t(&key->q_end, d, &n, vlen)); d += n; vlen -= n;
if (d != privkey + privkey_len)
return HAL_ERROR_ASN1_PARSE_FAILED;
@@ -1705,11 +1646,9 @@ hal_error_t hal_hashsig_private_key_from_der(hal_hashsig_key_t **key_,
* structure. (The caller will wipe his own key structure when done,
* and not molest ours.)
*/
- for (hss_key_t *hss_key = hss_keys; hss_key != NULL; hss_key = hss_key->next) {
- if (memcmp(&key->I, &hss_key->lms_keys[0].I, sizeof(key->I)) == 0) {
- *key_ = hss_key;
- }
- }
+ hss_key_t *hss_key = hss_find(&key->I);
+ if (hss_key != NULL)
+ *key_ = hss_key;
return HAL_OK;
}
@@ -1721,14 +1660,14 @@ hal_error_t hal_hashsig_public_key_to_der(const hal_hashsig_key_t * const key,
key->type != HAL_KEY_TYPE_HASHSIG_PUBLIC))
return HAL_ERROR_BAD_ARGUMENTS;
- // L || u32str(lms_type) || u32str(lmots_type) || I || T[1]
+ /* L || u32str(lms_type) || u32str(lmots_type) || I || T[1] */
size_t len, vlen = 0, hlen;
check(hal_asn1_encode_size_t(key->L, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_lms_algorithm(key->lms->type, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_lmots_algorithm(key->lmots->type, NULL, &len, 0)); vlen += len;
- check(hal_asn1_encode_bytestring16(&key->I, NULL, &len, 0)); vlen += len;
+ check(hal_asn1_encode_uuid(&key->I, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_bytestring32(&key->T1, NULL, &len, 0)); vlen += len;
check(hal_asn1_encode_header(ASN1_SEQUENCE, vlen, der, &hlen, der_max));
@@ -1741,7 +1680,7 @@ hal_error_t hal_hashsig_public_key_to_der(const hal_hashsig_key_t * const key,
check(hal_asn1_encode_size_t(key->L, d, &len, dlen)); d += len; dlen -= len;
check(hal_asn1_encode_lms_algorithm(key->lms->type, d, &len, dlen)); d += len; dlen -= len;
check(hal_asn1_encode_lmots_algorithm(key->lmots->type, d, &len, dlen)); d += len; dlen -= len;
- check(hal_asn1_encode_bytestring16(&key->I, d, &len, dlen)); d += len; dlen -= len;
+ check(hal_asn1_encode_uuid(&key->I, d, &len, dlen)); d += len; dlen -= len;
check(hal_asn1_encode_bytestring32(&key->T1, d, &len, dlen)); d += len; dlen -= len;
}
@@ -1787,17 +1726,17 @@ hal_error_t hal_hashsig_public_key_from_der(hal_hashsig_key_t **key_,
const uint8_t * const pubkey_end = pubkey + hlen + vlen;
const uint8_t *d = pubkey + hlen;
- // L || u32str(lms_type) || u32str(lmots_type) || I || T[1]
+ /* L || u32str(lms_type) || u32str(lmots_type) || I || T[1] */
- lms_algorithm_t lms_type;
- lmots_algorithm_t lmots_type;
+ hal_lms_algorithm_t lms_type;
+ hal_lmots_algorithm_t lmots_type;
check(hal_asn1_decode_size_t(&key->L, d, &len, pubkey_end - d)); d += len;
check(hal_asn1_decode_lms_algorithm(&lms_type, d, &len, pubkey_end - d)); d += len;
key->lms = lms_select_parameter_set(lms_type);
check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &len, pubkey_end - d)); d += len;
key->lmots = lmots_select_parameter_set(lmots_type);
- check(hal_asn1_decode_bytestring16(&key->I, d, &len, pubkey_end - d)); d += len;
+ check(hal_asn1_decode_uuid(&key->I, d, &len, pubkey_end - d)); d += len;
check(hal_asn1_decode_bytestring32(&key->T1, d, &len, pubkey_end - d)); d += len;
if (d != pubkey_end)
@@ -1810,13 +1749,13 @@ hal_error_t hal_hashsig_public_key_from_der(hal_hashsig_key_t **key_,
hal_error_t hal_hashsig_key_load_public(hal_hashsig_key_t **key_,
void *keybuf, const size_t keybuf_len,
const size_t L,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type,
const uint8_t * const I, const size_t I_len,
const uint8_t * const T1, const size_t T1_len)
{
if (key_ == NULL || keybuf == NULL || keybuf_len < sizeof(hal_hashsig_key_t) ||
- I == NULL || I_len != sizeof(bytestring16) ||
+ I == NULL || I_len != sizeof(hal_uuid_t) ||
T1 == NULL || T1_len != sizeof(bytestring32))
return HAL_ERROR_BAD_ARGUMENTS;
@@ -1851,17 +1790,17 @@ hal_error_t hal_hashsig_key_load_public_xdr(hal_hashsig_key_t **key_,
/* L || u32str(lms_type) || u32str(lmots_type) || I || T[1] */
uint32_t L, lms_type, lmots_type;
- bytestring16 *I;
+ hal_uuid_t *I;
bytestring32 *T1;
check(hal_xdr_decode_int(&xdrptr, xdrlim, &L));
check(hal_xdr_decode_int(&xdrptr, xdrlim, &lms_type));
check(hal_xdr_decode_int(&xdrptr, xdrlim, &lmots_type));
- check(hal_xdr_decode_bytestring16_ptr(&xdrptr, xdrlim, &I));
+ check(hal_xdr_decode_uuid_ptr(&xdrptr, xdrlim, &I));
check(hal_xdr_decode_bytestring32_ptr(&xdrptr, xdrlim, &T1));
return hal_hashsig_key_load_public(key_, keybuf, keybuf_len, L, lms_type, lmots_type,
- (const uint8_t * const)I, sizeof(bytestring16),
+ (const uint8_t * const)I, sizeof(hal_uuid_t),
(const uint8_t * const)T1, sizeof(bytestring32));
}
@@ -1887,18 +1826,18 @@ hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const s
const uint8_t * const pubkey_end = pubkey + hlen + vlen;
const uint8_t *d = pubkey + hlen;
- // L || u32str(lms_type) || u32str(lmots_type) || I || T[1]
+ /* L || u32str(lms_type) || u32str(lmots_type) || I || T[1] */
size_t L;
- lms_algorithm_t lms_type;
- lmots_algorithm_t lmots_type;
- bytestring16 I;
+ hal_lms_algorithm_t lms_type;
+ hal_lmots_algorithm_t lmots_type;
+ hal_uuid_t I;
bytestring32 T1;
check(hal_asn1_decode_size_t(&L, d, &len, pubkey_end - d)); d += len;
check(hal_asn1_decode_lms_algorithm(&lms_type, d, &len, pubkey_end - d)); d += len;
check(hal_asn1_decode_lmots_algorithm(&lmots_type, d, &len, pubkey_end - d)); d += len;
- check(hal_asn1_decode_bytestring16(&I, d, &len, pubkey_end - d)); d += len;
+ check(hal_asn1_decode_uuid(&I, d, &len, pubkey_end - d)); d += len;
check(hal_asn1_decode_bytestring32(&T1, d, &len, pubkey_end - d)); d += len;
if (d != pubkey_end)
@@ -1910,7 +1849,7 @@ hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const s
check(hal_xdr_encode_int(&xdrptr, xdrlim, L));
check(hal_xdr_encode_int(&xdrptr, xdrlim, lms_type));
check(hal_xdr_encode_int(&xdrptr, xdrlim, lmots_type));
- check(hal_xdr_encode_bytestring16(&xdrptr, xdrlim, &I));
+ check(hal_xdr_encode_uuid(&xdrptr, xdrlim, &I));
check(hal_xdr_encode_bytestring32(&xdrptr, xdrlim, &T1));
if (xdr_len != NULL)
@@ -1927,7 +1866,7 @@ hal_error_t hal_hashsig_ks_init(void)
const hal_session_handle_t session = { HAL_HANDLE_NONE };
hal_uuid_t prev_name = {{0}};
unsigned len;
- hal_pkey_slot_t slot = {0};
+ hal_pkey_slot_t slot = {{0}};
uint8_t der[HAL_KS_WRAPPED_KEYSIZE];
size_t der_len;
@@ -1941,36 +1880,47 @@ hal_error_t hal_hashsig_ks_init(void)
if (hal_ks_fetch(hal_ks_token, &slot, der, &der_len, sizeof(der)) != HAL_OK ||
hal_hashsig_private_key_from_der(&key, (void *)&keybuf, sizeof(keybuf), der, der_len) != HAL_OK) {
(void)hal_ks_delete(hal_ks_token, &slot);
+ memset(der, 0, sizeof(der));
+ memset(&keybuf, 0, sizeof(keybuf));
+ key = NULL;
continue;
}
/* Make sure we have the lms key */
- hal_pkey_slot_t lms_slot = {0};
+ hal_pkey_slot_t lms_slot = {
+ .name = key->I
+ };
lms_key_t lms_key;
- memcpy(&lms_slot.name, &key->I, sizeof(lms_slot.name));
if (hal_ks_fetch(hal_ks_token, &lms_slot, der, &der_len, sizeof(der)) != HAL_OK ||
lms_private_key_from_der(&lms_key, der, der_len) != HAL_OK ||
/* check keys for consistency */
lms_key.lms != key->lms ||
lms_key.lmots != key->lmots ||
memcmp(&lms_key.I, &key->I, sizeof(lms_key.I)) != 0 ||
+ /* check that key isn't exhausted */
+ lms_key.q >= lms_key.q_end ||
/* optimistically allocate the full hss key structure */
- hss_alloc(&key, key->L, key->lms->type, key->lmots->type) != HAL_OK) {
+ hss_alloc(&key) != HAL_OK) {
(void)hal_ks_delete(hal_ks_token, &slot);
(void)hal_ks_delete(hal_ks_token, &lms_slot);
+ memset(der, 0, sizeof(der));
+ memset(&lms_key, 0, sizeof(lms_key));
+ memset(&keybuf, 0, sizeof(keybuf));
+ key = NULL;
continue;
}
- /* hss_alloc redefines key, so copy fields from the old version of the key */
- memcpy(&key->I, &keybuf.I, sizeof(key->I));
- memcpy(&key->T1, &keybuf.T1, sizeof(key->T1));
- key->name = slot.name;
-
/* initialize top-level lms key (beyond what hss_alloc did) */
- memcpy(&key->lms_keys[0].I, &lms_key.I, sizeof(lms_key.I));
+ key->lms_keys[0].I = lms_key.I;
key->lms_keys[0].q = lms_key.q;
+ key->lms_keys[0].q_end = key->q_end;
- prev_name = slot.name;
+ prev_name = key->name = slot.name;
+ memset(der, 0, sizeof(der));
+ memset(&lms_key, 0, sizeof(lms_key));
+ memset(&keybuf, 0, sizeof(keybuf));
+ key = NULL;
+ hal_task_yield_maybe();
}
/* Delete orphaned lms keys */
@@ -1978,17 +1928,13 @@ hal_error_t hal_hashsig_ks_init(void)
while ((hal_ks_match(hal_ks_token, client, session,
HAL_KEY_TYPE_HASHSIG_LMS, HAL_CURVE_NONE, 0, 0, NULL, 0,
&slot.name, &len, 1, &prev_name) == HAL_OK) && (len > 0)) {
- hss_key_t *hss_key;
- for (hss_key = hss_keys; hss_key != NULL; hss_key = hss_key->next) {
- if (memcmp(&slot.name, &hss_key->I, sizeof(slot.name)) == 0)
- break;
- }
- if (hss_key == NULL) {
+ if (hss_find(&slot.name) == NULL) {
(void)hal_ks_delete(hal_ks_token, &slot);
continue;
}
prev_name = slot.name;
+ hal_task_yield_maybe();
}
/* Find all lmots keys */
@@ -2006,35 +1952,31 @@ hal_error_t hal_hashsig_ks_init(void)
if (hal_ks_fetch(hal_ks_token, &slot, der, &der_len, sizeof(der)) != HAL_OK ||
lmots_private_key_from_der(&lmots_key, der, der_len) != HAL_OK) {
(void)hal_ks_delete(hal_ks_token, &slot);
+ memset(&lmots_key, 0, sizeof(lmots_key));
continue;
}
- hss_key_t *hss_key;
- for (hss_key = hss_keys; hss_key != NULL; hss_key = hss_key->next) {
- if (memcmp(&hss_key->I, &lmots_key.I, sizeof(lmots_key.I)) == 0)
- break;
- }
+ hss_key_t *hss_key = hss_find(&lmots_key.I);
if (hss_key == NULL) {
/* delete orphaned key */
(void)hal_ks_delete(hal_ks_token, &slot);
+ memset(&lmots_key, 0, sizeof(lmots_key));
continue;
}
/* record this lmots key in the top-level lms key */
- memcpy(&hss_key->lms_keys[0].lmots_keys[lmots_key.q], &slot.name, sizeof(slot.name));
+ hss_key->lms_keys[0].lmots_keys[lmots_key.q] = slot.name;
/* compute T[r] = H(I || u32str(r) || u16str(D_LEAF) || K) */
- size_t r = (1U << hss_key->lms->h) + lmots_key.q;
- uint8_t statebuf[512];
- hal_hash_state_t *state = NULL;
- hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf));
- hal_hash_update(state, (const uint8_t *)&hss_key->I, sizeof(hss_key->I));
- uint32_t l = u32str(r); hal_hash_update(state, (const uint8_t *)&l, sizeof(l));
- uint16_t s = u16str(D_LEAF); hal_hash_update(state, (const uint8_t *)&s, sizeof(s));
- hal_hash_update(state, (const uint8_t *)&lmots_key.K, sizeof(lmots_key.K));
- hal_hash_finalize(state, (uint8_t *)&hss_key->lms_keys[0].T[r], sizeof(hss_key->lms_keys[0].T[r]));
+ if (lms_compute_T_leaf(&hss_key->lms_keys[0], &lmots_key) != HAL_OK) {
+ (void)hal_ks_delete(hal_ks_token, &slot);
+ memset(&lmots_key, 0, sizeof(lmots_key));
+ continue;
+ }
prev_name = slot.name;
+ memset(&lmots_key, 0, sizeof(lmots_key));
+ hal_task_yield_maybe();
}
/* After all keys have been read, scan for completeness. */
@@ -2043,69 +1985,49 @@ hal_error_t hal_hashsig_ks_init(void)
for (hss_key = hss_keys; hss_key != NULL; hss_key = hss_next) {
hss_next = hss_key->next;
int fail = 0;
- for (size_t i = 0; i < (1U << hss_key->lms->h); ++i) {
- if (hal_uuid_cmp(&hss_key->lms_keys[0].lmots_keys[i], &uuid_0) == 0) {
- fail = 1;
- break;
+ lms_key_t *lms_key = hss_key->lms_keys;
+ for (size_t q = 0; q < (1U << hss_key->lms->h); ++q) {
+ if (hal_uuid_cmp(&lms_key->lmots_keys[q], &uuid_0) == 0) {
+ bytestring32 seed_0 = {{0}};
+ if (memcmp(&hss_key->seed, &seed_0, sizeof(seed_0)) == 0) {
+ /* lms key is incomplete, give up on it */
+ fail = 1;
+ break;
+ }
+ else {
+ /* This key was generated with the pseudo-random method,
+ * and can be regenerated.
+ */
+ check(lms_generate_lmots(lms_key, q, &hss_key->seed));
+ hal_task_yield_maybe();
+ }
}
}
if (fail) {
fail:
- /* lms key is incomplete, give up on it */
- /* delete lmots keys */
- for (size_t i = 0; i < (1U << hss_key->lms->h); ++i) {
- if (hal_uuid_cmp(&hss_key->lms_keys[0].lmots_keys[i], &uuid_0) != 0) {
- memcpy(&slot.name, &hss_key->lms_keys[0].lmots_keys[i], sizeof(slot.name));
- (void)hal_ks_delete(hal_ks_token, &slot);
- }
- }
- /* delete lms key */
- memcpy(&slot.name, &hss_key->I, sizeof(slot.name));
- (void)hal_ks_delete(hal_ks_token, &slot);
/* delete hss key */
+ hss_delete(hss_key);
slot.name = hss_key->name;
(void)hal_ks_delete(hal_ks_token, &slot);
- /* remove the hss key from the key list */
- if (hss_keys == hss_key) {
- hss_keys = hss_key->next;
- }
- else {
- for (hss_key_t *prev = hss_keys; prev != NULL; prev = prev->next) {
- if (prev->next == hss_key) {
- prev->next = hss_key->next;
- break;
- }
- }
- }
- (void)hal_free_static_memory(hss_key);
+ hal_task_yield_maybe();
continue;
}
/* generate the rest of T[] */
- for (size_t r = (1U << hss_key->lms->h) - 1; r > 0; --r) {
- uint8_t statebuf[512];
- hal_hash_state_t *state = NULL;
- hal_hash_initialize(NULL, hal_hash_sha256, &state, statebuf, sizeof(statebuf));
- hal_hash_update(state, (const uint8_t *)&hss_key->I, sizeof(hss_key->I));
- uint32_t l = u32str(r); hal_hash_update(state, (const uint8_t *)&l, sizeof(l));
- uint16_t s = u16str(D_INTR); check(hal_hash_update(state, (const uint8_t *)&s, sizeof(s)));
- hal_hash_update(state, (const uint8_t *)&hss_key->lms_keys[0].T[2*r], sizeof(hss_key->lms_keys[0].T[r]));
- hal_hash_update(state, (const uint8_t *)&hss_key->lms_keys[0].T[2*r+1], sizeof(hss_key->lms_keys[0].T[r]));
- hal_hash_finalize(state, (uint8_t *)&hss_key->lms_keys[0].T[r], sizeof(hss_key->lms_keys[0].T[r]));
- }
- if (memcmp(&hss_key->lms_keys[0].T[1], &hss_key->T1, sizeof(hss_key->lms_keys[0].T[1])) != 0)
+ lms_compute_T_intr(lms_key);
+ if (memcmp(&lms_key->T[1], &hss_key->T1, sizeof(lms_key->T[1])) != 0)
goto fail;
/* generate the lower-level lms keys */
for (size_t i = 1; i < hss_key->L; ++i) {
- lms_key_t * lms_key = &hss_key->lms_keys[i];
- if (lms_generate(lms_key) != HAL_OK)
+ lms_key = &hss_key->lms_keys[i];
+ if (lms_generate(lms_key, NULL) != HAL_OK)
goto fail;
/* store the lms key */
slot.type = HAL_KEY_TYPE_HASHSIG_LMS;
slot.flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE;
- memcpy(&slot.name, &lms_key->I, sizeof(slot.name));
+ slot.name = lms_key->I;
if (lms_private_key_to_der(lms_key, der, &der_len, sizeof(der)) != HAL_OK ||
hal_ks_store(hal_ks_volatile, &slot, der, der_len) != HAL_OK ||
/* sign this lms key with the previous */
@@ -2113,10 +2035,99 @@ hal_error_t hal_hashsig_ks_init(void)
(const uint8_t * const)lms_key->pubkey, lms_key->pubkey_len,
lms_key->signature, NULL, lms_key->signature_len) != HAL_OK)
goto fail;
+ hal_task_yield_maybe();
}
}
restart_in_progress = 0;
return HAL_OK;
}
+
+hal_error_t hal_hashsig_export(const hal_uuid_t * const name, uint8_t *der, size_t *der_len, const size_t der_max)
+{
+ hal_error_t err;
+ hal_hashsig_key_t keybuf, *tmp_key = &keybuf, *hss_key;
+
+ if ((err = hal_hashsig_private_key_from_der(&hss_key, &keybuf, sizeof(keybuf), der, *der_len)) != HAL_OK)
+ goto err_out;
+ if (hss_key == tmp_key) {
+ err = HAL_ERROR_KEY_NOT_FOUND; /* or IMPOSSIBLE? */
+ goto err_out;
+ }
+
+ /* adjust hss_key->end and tmp_key->start */
+ size_t new_end = (hss_key->lms_keys[0].q + hss_key->lms_keys[0].q_end) / 2;
+ if (new_end == hss_key->lms_keys[0].q) {
+ err = HAL_ERROR_HASHSIG_KEY_EXHAUSTED;
+ goto err_out;
+ }
+ hss_key->q_end = hss_key->lms_keys[0].q_end = tmp_key->q_start = new_end;
+
+ /* store updated hss_key */
+ hal_pkey_slot_t slot = {
+ .type = HAL_KEY_TYPE_HASHSIG_PRIVATE,
+ .name = *name,
+ .flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN | HAL_KEY_FLAG_EXPORTABLE
+ };
+ if ((err = hal_hashsig_private_key_to_der(hss_key, der, der_len, der_max)) != HAL_OK ||
+ (err = hal_ks_rewrite_der(hal_ks_token, &slot, der, *der_len)) != HAL_OK)
+ goto err_out;
+
+ /* store updated lms_key */
+ lms_key_t *lms_key = &hss_key->lms_keys[0];
+ uint8_t lms_der[HAL_KS_WRAPPED_KEYSIZE];
+ size_t lms_der_len;
+ if ((err = lms_private_key_to_der(lms_key, lms_der, &lms_der_len, sizeof(lms_der))) != HAL_OK)
+ goto err_out;
+
+ hal_pkey_slot_t lms_slot = {
+ .type = HAL_KEY_TYPE_HASHSIG_LMS,
+ .name = lms_key->I,
+ .flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN
+ };
+ if ((err = hal_ks_rewrite_der(hal_ks_token, &lms_slot, lms_der, lms_der_len)) != HAL_OK)
+ goto err_out;
+
+ /* re-encode tmp_key to der */
+ if ((err = hal_hashsig_private_key_to_der(tmp_key, der, der_len, der_max)) != HAL_OK)
+ goto err_out;
+
+ /* delete unused lmots keys? */
+
+err_out:
+ memset(&keybuf, 0, sizeof(keybuf));
+ hss_key = NULL;
+ return err;
+}
+
+hal_error_t hal_hashsig_import(const uint8_t *der, const size_t der_len,
+ const hal_key_flags_t flags)
+{
+ if (restart_in_progress)
+ return HAL_ERROR_NOT_READY;
+
+ hss_key_t keybuf, *key;
+ hal_error_t err;
+
+ if ((err = hal_hashsig_private_key_from_der(&key, &keybuf, sizeof(keybuf), der, der_len)) != HAL_OK)
+ goto err_out;
+
+ /* If the key already exists, it could be that the user is attempting to
+ * return an exported key to its origin, and we could consolidate them,
+ * but then we have to deal with the possibility of disjoint partitions of
+ * the keyspace (or worse, overlapping or duplicate partitions, which is
+ * always an error). In any case, it's easier just to disallow it.
+ */
+ if (hss_find(&key->I) != NULL) {
+ err = HAL_ERROR_KEY_NAME_IN_USE;
+ goto err_out;
+ }
+
+ err = hss_generate(&key, flags);
+
+err_out:
+ memset(&keybuf, 0, sizeof(keybuf));
+ key = NULL;
+ return err;
+}
#endif
diff --git a/hashsig.h b/hashsig.h
deleted file mode 100644
index 3753496..0000000
--- a/hashsig.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * hashsig.h
- * ---------
- * Implementation of draft-mcgrew-hash-sigs-08.txt
- *
- * Copyright (c) 2018, NORDUnet A/S All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- * - Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
- * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _HAL_HASHSIG_H_
-#define _HAL_HASHSIG_H_
-
-typedef enum lmots_algorithm_type {
- lmots_reserved = 0,
- lmots_sha256_n32_w1 = 1,
- lmots_sha256_n32_w2 = 2,
- lmots_sha256_n32_w4 = 3,
- lmots_sha256_n32_w8 = 4
-} lmots_algorithm_t;
-
-typedef enum lms_algorithm_type {
- lms_reserved = 0,
- lms_sha256_n32_h5 = 5,
- lms_sha256_n32_h10 = 6,
- lms_sha256_n32_h15 = 7,
- lms_sha256_n32_h20 = 8,
- lms_sha256_n32_h25 = 9
-} lms_algorithm_t;
-
-typedef struct hal_hashsig_key hal_hashsig_key_t;
-
-extern const size_t hal_hashsig_key_t_size;
-
-extern hal_error_t hal_hashsig_key_gen(hal_core_t *core,
- hal_hashsig_key_t **key_,
- const size_t hss_levels,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type);
-
-extern hal_error_t hal_hashsig_key_delete(const hal_hashsig_key_t * const key);
-
-extern hal_error_t hal_hashsig_private_key_to_der(const hal_hashsig_key_t * const key,
- uint8_t *der, size_t *der_len, const size_t der_max);
-
-extern size_t hal_hashsig_private_key_to_der_len(const hal_hashsig_key_t * const key);
-
-extern hal_error_t hal_hashsig_private_key_from_der(hal_hashsig_key_t **key_,
- void *keybuf, const size_t keybuf_len,
- const uint8_t *der, const size_t der_len);
-
-extern hal_error_t hal_hashsig_public_key_to_der(const hal_hashsig_key_t * const key,
- uint8_t *der, size_t *der_len, const size_t der_max);
-
-extern size_t hal_hashsig_public_key_to_der_len(const hal_hashsig_key_t * const key);
-
-extern hal_error_t hal_hashsig_public_key_from_der(hal_hashsig_key_t **key,
- void *keybuf, const size_t keybuf_len,
- const uint8_t * const der, const size_t der_len);
-
-extern hal_error_t hal_hashsig_sign(hal_core_t *core,
- const hal_hashsig_key_t * const key,
- const uint8_t * const hash, const size_t hash_len,
- uint8_t *signature, size_t *signature_len, const size_t signature_max);
-
-extern hal_error_t hal_hashsig_verify(hal_core_t *core,
- const hal_hashsig_key_t * const key,
- const uint8_t * const hash, const size_t hash_len,
- const uint8_t * const signature, const size_t signature_len);
-
-extern hal_error_t hal_hashsig_key_load_public(hal_hashsig_key_t **key_,
- void *keybuf, const size_t keybuf_len,
- const size_t L,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type,
- const uint8_t * const I, const size_t I_len,
- const uint8_t * const T1, const size_t T1_len);
-
-extern hal_error_t hal_hashsig_key_load_public_xdr(hal_hashsig_key_t **key_,
- void *keybuf, const size_t keybuf_len,
- const uint8_t * const xdr, const size_t xdr_len);
-
-extern size_t hal_hashsig_signature_len(const size_t L,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type);
-
-extern size_t hal_hashsig_lmots_private_key_len(const lmots_algorithm_t lmots_type);
-
-extern hal_error_t hal_hashsig_public_key_der_to_xdr(const uint8_t * const der, const size_t der_len,
- uint8_t * const xdr, size_t * const xdr_len , const size_t xdr_max);
-
-extern hal_error_t hal_hashsig_ks_init(void);
-
-#endif /* _HAL_HASHSIG_H_ */
diff --git a/ks.c b/ks.c
index a682cd2..72bb0fe 100644
--- a/ks.c
+++ b/ks.c
@@ -3,7 +3,9 @@
* ----
* Keystore, generic parts anyway. This is internal within libhal.
*
- * Copyright (c) 2015-2017, NORDUnet A/S All rights reserved.
+ * Copyright (c) 2015-2018, NORDUnet A/S All rights reserved.
+ * Copyright: 2020, The Commons Conservancy Cryptech Project
+ * SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -15,9 +17,9 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * - Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
diff --git a/mkm.c b/mkm.c
index 05c733d..46abe69 100644
--- a/mkm.c
+++ b/mkm.c
@@ -3,7 +3,7 @@
* -----
* Master Key Memory functions.
*
- * Copyright (c) 2016, NORDUnet A/S All rights reserved.
+ * Copyright (c) 2016-2019, NORDUnet A/S All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -49,22 +49,12 @@
* Master Key.
*/
-#define HAL_OK CMIS_HAL_OK
-#include "stm-init.h"
-#include "stm-keystore.h"
-#undef HAL_OK
-
-#define HAL_OK LIBHAL_OK
#include "hal.h"
#include "hal_internal.h"
-#undef HAL_OK
#include <string.h>
-static int volatile_init = 0;
-static hal_core_t *core = NULL;
-
#define MKM_VOLATILE_STATUS_ADDRESS 0
#define MKM_VOLATILE_SCLK_DIV 0x20
#define MKM_FLASH_STATUS_ADDRESS (KEYSTORE_SECTOR_SIZE * (KEYSTORE_NUM_SECTORS - 1))
@@ -81,33 +71,39 @@ static hal_core_t *core = NULL;
static hal_error_t hal_mkm_volatile_init(void)
{
+ static int volatile_init = 0;
+
if (volatile_init)
- return LIBHAL_OK;
+ return HAL_OK;
hal_error_t err;
uint32_t status;
+ hal_core_t *core = NULL;
- if ((core = hal_core_find(MKMIF_NAME, NULL)) == NULL)
- return HAL_ERROR_CORE_NOT_FOUND;
-
- if ((err = hal_mkmif_set_clockspeed(core, MKM_VOLATILE_SCLK_DIV)) != LIBHAL_OK ||
- (err = hal_mkmif_init(core)) != LIBHAL_OK ||
- (err = hal_mkmif_read_word(core, MKM_VOLATILE_STATUS_ADDRESS, &status)) != LIBHAL_OK)
+ if ((err = hal_core_alloc(MKMIF_NAME, &core, NULL)) != HAL_OK)
return err;
+ if ((err = hal_mkmif_set_clockspeed(core, MKM_VOLATILE_SCLK_DIV)) != HAL_OK ||
+ (err = hal_mkmif_init(core)) != HAL_OK ||
+ (err = hal_mkmif_read_word(core, MKM_VOLATILE_STATUS_ADDRESS, &status)) != HAL_OK)
+ goto out;
+
if (status != MKM_STATUS_SET && status != MKM_STATUS_NOT_SET) {
/*
* XXX Something is a bit fishy here. If we just write the status word, it reads back wrong sometimes,
* while if we write the full buf too it is consistently right afterwards.
*/
uint8_t buf[KEK_LENGTH] = {0};
- if ((err = hal_mkmif_write(core, MKM_VOLATILE_STATUS_ADDRESS + 4, buf, sizeof(buf))) != LIBHAL_OK ||
- (err = hal_mkmif_write_word(core, MKM_VOLATILE_STATUS_ADDRESS, MKM_STATUS_NOT_SET)) != LIBHAL_OK)
- return err;
+ if ((err = hal_mkmif_write(core, MKM_VOLATILE_STATUS_ADDRESS + 4, buf, sizeof(buf))) != HAL_OK ||
+ (err = hal_mkmif_write_word(core, MKM_VOLATILE_STATUS_ADDRESS, MKM_STATUS_NOT_SET)) != HAL_OK)
+ goto out;
}
volatile_init = 1;
- return LIBHAL_OK;
+
+out:
+ hal_core_free(core);
+ return err;
}
hal_error_t hal_mkm_volatile_read(uint8_t *buf, const size_t len)
@@ -118,8 +114,8 @@ hal_error_t hal_mkm_volatile_read(uint8_t *buf, const size_t len)
if (len && len != KEK_LENGTH)
return HAL_ERROR_MASTERKEY_BAD_LENGTH;
- if ((err = hal_mkm_volatile_init()) != LIBHAL_OK ||
- (err = hal_mkmif_read_word(core, MKM_VOLATILE_STATUS_ADDRESS, &status)) != LIBHAL_OK)
+ if ((err = hal_mkm_volatile_init()) != HAL_OK ||
+ (err = hal_mkmif_read_word(NULL, MKM_VOLATILE_STATUS_ADDRESS, &status)) != HAL_OK)
return err;
if (buf != NULL && len) {
@@ -129,12 +125,12 @@ hal_error_t hal_mkm_volatile_read(uint8_t *buf, const size_t len)
*/
if (status != MKM_STATUS_SET)
memset(buf, 0x0, len);
- else if ((err = hal_mkmif_read(core, MKM_VOLATILE_STATUS_ADDRESS + 4, buf, len)) != LIBHAL_OK)
+ else if ((err = hal_mkmif_read(NULL, MKM_VOLATILE_STATUS_ADDRESS + 4, buf, len)) != HAL_OK)
return err;
}
if (status == MKM_STATUS_SET)
- return LIBHAL_OK;
+ return HAL_OK;
if (status == MKM_STATUS_NOT_SET)
return HAL_ERROR_MASTERKEY_NOT_SET;
@@ -152,12 +148,12 @@ hal_error_t hal_mkm_volatile_write(const uint8_t * const buf, const size_t len)
if (buf == NULL)
return HAL_ERROR_MASTERKEY_FAIL;
- if ((err = hal_mkm_volatile_init()) != LIBHAL_OK ||
- (err = hal_mkmif_write(core, MKM_VOLATILE_STATUS_ADDRESS + 4, buf, len)) != LIBHAL_OK ||
- (err = hal_mkmif_write_word(core, MKM_VOLATILE_STATUS_ADDRESS, MKM_STATUS_SET)) != LIBHAL_OK)
+ if ((err = hal_mkm_volatile_init()) != HAL_OK ||
+ (err = hal_mkmif_write(NULL, MKM_VOLATILE_STATUS_ADDRESS + 4, buf, len)) != HAL_OK ||
+ (err = hal_mkmif_write_word(NULL, MKM_VOLATILE_STATUS_ADDRESS, MKM_STATUS_SET)) != HAL_OK)
return err;
- return LIBHAL_OK;
+ return HAL_OK;
}
hal_error_t hal_mkm_volatile_erase(const size_t len)
@@ -168,12 +164,12 @@ hal_error_t hal_mkm_volatile_erase(const size_t len)
if (len != KEK_LENGTH)
return HAL_ERROR_MASTERKEY_BAD_LENGTH;
- if ((err = hal_mkm_volatile_init()) != LIBHAL_OK ||
- (err = hal_mkmif_write(core, MKM_VOLATILE_STATUS_ADDRESS + 4, buf, sizeof(buf))) != LIBHAL_OK ||
- (err = hal_mkmif_write_word(core, MKM_VOLATILE_STATUS_ADDRESS, MKM_STATUS_NOT_SET)) != LIBHAL_OK)
+ if ((err = hal_mkm_volatile_init()) != HAL_OK ||
+ (err = hal_mkmif_write(NULL, MKM_VOLATILE_STATUS_ADDRESS + 4, buf, sizeof(buf))) != HAL_OK ||
+ (err = hal_mkmif_write_word(NULL, MKM_VOLATILE_STATUS_ADDRESS, MKM_STATUS_NOT_SET)) != HAL_OK)
return err;
- return LIBHAL_OK;
+ return HAL_OK;
}
/*
@@ -194,9 +190,9 @@ hal_error_t hal_mkm_get_kek(uint8_t *kek,
hal_error_t err = hal_mkm_volatile_read(kek, len);
- if (err == LIBHAL_OK) {
+ if (err == HAL_OK) {
*kek_len = len;
- return LIBHAL_OK;
+ return HAL_OK;
}
#if HAL_MKM_FLASH_BACKUP_KLUDGE
@@ -209,9 +205,9 @@ hal_error_t hal_mkm_get_kek(uint8_t *kek,
* hal_mkm_volatile_read() returns HAL_ERROR_CORE_BUSY. Whee!
*/
- if (hal_mkm_flash_read_no_lock(kek, len) == LIBHAL_OK) {
+ if (hal_mkm_flash_read_no_lock(kek, len) == HAL_OK) {
*kek_len = len;
- return LIBHAL_OK;
+ return HAL_OK;
}
#endif
diff --git a/modexp.c b/modexp.c
index a5172ee..d8e2904 100644
--- a/modexp.c
+++ b/modexp.c
@@ -1,7 +1,7 @@
/*
* modexp.c
* ----------
- * Wrapper around Cryptech ModExp core.
+ * Wrapper around Cryptech ModExp cores.
*
* This doesn't do full RSA, that's another module. This module's job
* is just the I/O to get bits in and out of the ModExp core, including
@@ -11,8 +11,9 @@
* enough that this module is no longer needed, it will go away.
*
* Authors: Rob Austein
- * Copyright (c) 2015-2017, NORDUnet A/S
- * All rights reserved.
+ * Copyright (c) 2015-2017, NORDUnet A/S All rights reserved.
+ * Copyright: 2020, The Commons Conservancy Cryptech Project
+ * SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -24,9 +25,9 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * - Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
@@ -48,6 +49,26 @@
#include "hal_internal.h"
/*
+ * Whether we want to use the new ModExpNG core.
+ */
+
+static int use_modexpng = 0;
+
+hal_error_t hal_modexp_use_modexpng(const int onoff)
+{
+ if (onoff && (hal_core_find(MODEXPNG_NAME, NULL) == NULL))
+ return HAL_ERROR_CORE_NOT_FOUND;
+
+ use_modexpng = onoff;
+ return HAL_OK;
+}
+
+int hal_modexp_using_modexpng(void)
+{
+ return use_modexpng;
+}
+
+/*
* Whether we want debug output.
*/
@@ -182,7 +203,7 @@ static inline hal_error_t check_args(hal_modexp_arg_t *a)
a->exp == NULL || a->exp_len > MODEXPA7_OPERAND_BYTES || a->exp_len > a->mod_len ||
a->mod == NULL || a->mod_len > MODEXPA7_OPERAND_BYTES ||
a->result == NULL || a->result_len > MODEXPA7_OPERAND_BYTES || a->result_len < a->mod_len ||
- a->coeff == NULL || a->coeff_len > MODEXPA7_OPERAND_BYTES ||
+ a->coeff == NULL || a->coeff_len > MODEXPA7_OPERAND_BYTES + 4 ||
a->mont == NULL || a->mont_len > MODEXPA7_OPERAND_BYTES ||
((a->msg_len | a->exp_len | a->mod_len) & 3) != 0)
return HAL_ERROR_BAD_ARGUMENTS;
@@ -247,7 +268,7 @@ static inline hal_error_t setup_calc(const int precalc, hal_modexp_arg_t *a)
if ((precalc &&
(err = get_buffer(a->core, MODEXPA7_ADDR_MODULUS_COEFF_OUT, a->coeff, a->coeff_len)) != HAL_OK) ||
(precalc &&
- (err = get_buffer(a->core, MODEXPA7_ADDR_MONTGOMERY_FACTOR_OUT, a->mont, a->mont_len)) != HAL_OK) ||
+ (err = get_buffer(a->core, MODEXPA7_ADDR_MONTGOMERY_FACTOR_OUT, a->mont, a->mont_len)) != HAL_OK) ||
(err = set_buffer(a->core, MODEXPA7_ADDR_MODULUS_COEFF_IN, a->coeff, a->coeff_len)) != HAL_OK ||
(err = set_buffer(a->core, MODEXPA7_ADDR_MONTGOMERY_FACTOR_IN, a->mont, a->mont_len)) != HAL_OK ||
(err = set_register(a->core, MODEXPA7_ADDR_MODE, mode)) != HAL_OK ||
@@ -342,6 +363,72 @@ hal_error_t hal_modexp2(const int precalc, hal_modexp_arg_t *a1, hal_modexp_arg_
return err;
}
+hal_error_t hal_modexpng(hal_modexpng_arg_t *a)
+{
+ hal_error_t err;
+
+ if ((err = check_args((hal_modexp_arg_t *)a)) != HAL_OK)
+ return err;
+
+ const int free_core = a->core == NULL;
+ const uint32_t mode = (a->p == NULL) ? MODEXPNG_MODE_PLAIN : MODEXPNG_MODE_CRT;
+
+ if ((free_core &&
+ (err = hal_core_alloc(MODEXPNG_NAME, &a->core, NULL)) != HAL_OK) ||
+ (err = hal_io_zero(a->core)) != HAL_OK || // <<<<
+ (err = set_register(a->core, MODEXPNG_ADDR_MODE, mode)) != HAL_OK ||
+ (err = set_register(a->core, MODEXPNG_ADDR_MODULUS_BITS, a->mod_len * 8)) != HAL_OK ||
+ (err = set_register(a->core, MODEXPNG_ADDR_EXPONENT_BITS, a->exp_len * 8)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_M, a->msg, a->msg_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_N, a->mod, a->mod_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_N_FACTOR, a->mont, a->mont_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_N_COEFF, a->coeff, a->coeff_len)) != HAL_OK)
+ goto fail;
+
+ if (a->bf != NULL && a->ubf != NULL) {
+ if ((err = set_buffer(a->core, MODEXPNG_ADDR_BANK_X, a->ubf, a->ubf_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_Y, a->bf, a->bf_len)) != HAL_OK)
+ goto fail;
+ }
+ else {
+ uint8_t one[a->mod_len]; memset(one, 0, sizeof(one)); one[sizeof(one) - 1] = 1;
+ if ((err = set_buffer(a->core, MODEXPNG_ADDR_BANK_X, one, sizeof(one))) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_Y, one, sizeof(one))) != HAL_OK)
+ goto fail;
+ }
+
+ if (mode == MODEXPNG_MODE_PLAIN) {
+ if ((err = set_buffer(a->core, MODEXPNG_ADDR_BANK_D, a->exp, a->exp_len)) != HAL_OK)
+ goto fail;
+ }
+ else {
+ if ((err = set_buffer(a->core, MODEXPNG_ADDR_BANK_P, a->p, a->p_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_DP, a->dP, a->dP_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_P_FACTOR, a->pF, a->pF_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_P_COEFF, a->pC, a->pC_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_Q, a->q, a->q_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_DQ, a->dQ, a->dQ_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_Q_FACTOR, a->qF, a->qF_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_Q_COEFF, a->qC, a->qC_len)) != HAL_OK ||
+ (err = set_buffer(a->core, MODEXPNG_ADDR_BANK_QINV, a->qInv, a->qInv_len)) != HAL_OK)
+ goto fail;
+ }
+
+ if ((err = hal_io_zero(a->core)) != HAL_OK ||
+ (err = hal_io_next(a->core)) != HAL_OK ||
+ (err = hal_io_wait_valid(a->core)) != HAL_OK ||
+ (err = get_buffer(a->core, MODEXPNG_ADDR_BANK_S, a->result, a->result_len)) != HAL_OK)
+ goto fail;
+
+fail:
+ if (free_core) {
+ hal_core_free(a->core);
+ a->core = NULL;
+ }
+
+ return err;
+}
+
/*
* Local variables:
* indent-tabs-mode: nil
diff --git a/rpc_api.c b/rpc_api.c
index b75043a..97c8e99 100644
--- a/rpc_api.c
+++ b/rpc_api.c
@@ -35,7 +35,6 @@
#include "hal.h"
#include "hal_internal.h"
-#include "hashsig.h"
const hal_hash_handle_t hal_hash_handle_none = {HAL_HANDLE_NONE};
@@ -121,6 +120,8 @@ static inline int check_pkey_type_curve_flags(const hal_key_type_t type,
hal_error_t hal_rpc_get_version(uint32_t *version)
{
+ if (version == NULL)
+ return HAL_ERROR_BAD_ARGUMENTS;
return hal_rpc_misc_dispatch->get_version(version);
}
@@ -185,6 +186,8 @@ hal_error_t hal_rpc_hash_get_digest_length(const hal_digest_algorithm_t alg, siz
hal_error_t hal_rpc_hash_get_digest_algorithm_id(const hal_digest_algorithm_t alg,
uint8_t *id, size_t *len, const size_t len_max)
{
+ if (id == NULL && len_max != 0)
+ return HAL_ERROR_BAD_ARGUMENTS;
return hal_rpc_hash_dispatch->get_digest_algorithm_id(alg, id, len, len_max);
}
@@ -201,7 +204,7 @@ hal_error_t hal_rpc_hash_initialize(const hal_client_handle_t client,
const hal_digest_algorithm_t alg,
const uint8_t * const key, const size_t key_len)
{
- if (hash == NULL)
+ if (hash == NULL || (key == NULL && key_len != 0))
return HAL_ERROR_BAD_ARGUMENTS;
return hal_rpc_hash_dispatch->initialize(client, session, hash, alg, key, key_len);
}
@@ -278,8 +281,8 @@ hal_error_t hal_rpc_pkey_generate_hashsig(const hal_client_handle_t client,
hal_pkey_handle_t *pkey,
hal_uuid_t *name,
const size_t hss_levels,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type,
const hal_key_flags_t flags)
{
if (pkey == NULL || name == NULL || !check_pkey_flags(flags))
@@ -329,7 +332,7 @@ size_t hal_rpc_pkey_get_public_key_len(const hal_pkey_handle_t pkey)
hal_error_t hal_rpc_pkey_get_public_key(const hal_pkey_handle_t pkey,
uint8_t *der, size_t *der_len, const size_t der_max)
{
- if (der == NULL || der_len == NULL || der_max == 0)
+ if (der == NULL && der_max != 0)
return HAL_ERROR_BAD_ARGUMENTS;
return hal_rpc_pkey_dispatch->get_public_key(pkey, der, der_len, der_max);
}
diff --git a/rpc_client.c b/rpc_client.c
index e97289e..c9ac9b7 100644
--- a/rpc_client.c
+++ b/rpc_client.c
@@ -36,7 +36,6 @@
#include "hal.h"
#include "hal_internal.h"
#include "xdr_internal.h"
-#include "hashsig.h"
#ifndef HAL_RPC_CLIENT_DEBUG
#define HAL_RPC_CLIENT_DEBUG 0
@@ -138,7 +137,7 @@ static hal_error_t get_random(void *buffer, const size_t length)
uint8_t outbuf[nargs(3)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
uint8_t inbuf[nargs(4) + pad(length)];
const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
- size_t rcvlen = length;
+ size_t rcvlen;
hal_client_handle_t dummy_client = {0};
hal_error_t rpc_ret;
@@ -151,7 +150,7 @@ static hal_error_t get_random(void *buffer, const size_t length)
check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
if (rpc_ret == HAL_OK) {
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, buffer, &rcvlen));
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, buffer, &rcvlen, length));
// XXX check rcvlen vs length
}
return rpc_ret;
@@ -311,8 +310,12 @@ static hal_error_t hash_get_digest_algorithm_id(const hal_digest_algorithm_t alg
check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
if (rpc_ret == HAL_OK) {
- *len = len_max;
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, id, len));
+ uint32_t len32;
+ check(hal_xdr_decode_int(&iptr, ilimit, &len32));
+ if (len != NULL)
+ *len = len32;
+ if (id != NULL)
+ check(hal_xdr_decode_fixed_opaque(&iptr, ilimit, id, len32));
}
return rpc_ret;
}
@@ -395,7 +398,7 @@ static hal_error_t hash_finalize(const hal_hash_handle_t hash,
uint8_t outbuf[nargs(4)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
uint8_t inbuf[nargs(4) + pad(length)];
const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
- size_t digest_len = length;
+ size_t digest_len;
hal_client_handle_t dummy_client = {0};
hal_error_t rpc_ret;
@@ -409,7 +412,7 @@ static hal_error_t hash_finalize(const hal_hash_handle_t hash,
check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
if (rpc_ret == HAL_OK) {
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, digest, &digest_len));
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, digest, &digest_len, length));
/* XXX check digest_len vs length */
}
return rpc_ret;
@@ -425,7 +428,7 @@ static hal_error_t pkey_remote_load(const hal_client_handle_t client,
uint8_t outbuf[nargs(5) + pad(der_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))];
const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
- size_t name_len = sizeof(name->uuid);
+ size_t name_len;
hal_error_t rpc_ret;
check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_LOAD));
@@ -440,7 +443,7 @@ static hal_error_t pkey_remote_load(const hal_client_handle_t client,
check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
if (rpc_ret == HAL_OK) {
check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle));
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len));
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len, sizeof(name->uuid)));
if (name_len != sizeof(name->uuid))
return HAL_ERROR_KEY_NAME_TOO_LONG;
}
@@ -484,7 +487,7 @@ static hal_error_t pkey_remote_generate_rsa(const hal_client_handle_t client,
uint8_t outbuf[nargs(6) + pad(exp_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))];
const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
- size_t name_len = sizeof(name->uuid);
+ size_t name_len;
hal_error_t rpc_ret;
check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_GENERATE_RSA));
@@ -501,7 +504,7 @@ static hal_error_t pkey_remote_generate_rsa(const hal_client_handle_t client,
if (rpc_ret == HAL_OK) {
check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle));
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len));
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len, sizeof(name->uuid)));
if (name_len != sizeof(name->uuid))
return HAL_ERROR_KEY_NAME_TOO_LONG;
}
@@ -519,7 +522,7 @@ static hal_error_t pkey_remote_generate_ec(const hal_client_handle_t client,
uint8_t outbuf[nargs(5)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))];
const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
- size_t name_len = sizeof(name->uuid);
+ size_t name_len;
hal_error_t rpc_ret;
check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_GENERATE_EC));
@@ -535,7 +538,7 @@ static hal_error_t pkey_remote_generate_ec(const hal_client_handle_t client,
if (rpc_ret == HAL_OK) {
check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle));
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len));
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len, sizeof(name->uuid)));
if (name_len != sizeof(name->uuid))
return HAL_ERROR_KEY_NAME_TOO_LONG;
}
@@ -548,14 +551,14 @@ static hal_error_t pkey_remote_generate_hashsig(const hal_client_handle_t client
hal_pkey_handle_t *pkey,
hal_uuid_t *name,
const size_t hss_levels,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type,
const hal_key_flags_t flags)
{
uint8_t outbuf[nargs(7)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))];
const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
- size_t name_len = sizeof(name->uuid);
+ size_t name_len;
hal_error_t rpc_ret;
check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_GENERATE_HASHSIG));
@@ -573,7 +576,7 @@ static hal_error_t pkey_remote_generate_hashsig(const hal_client_handle_t client
if (rpc_ret == HAL_OK) {
check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle));
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len));
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len, sizeof(name->uuid)));
if (name_len != sizeof(name->uuid))
return HAL_ERROR_KEY_NAME_TOO_LONG;
}
@@ -737,8 +740,12 @@ static hal_error_t pkey_remote_get_public_key(const hal_pkey_handle_t pkey,
check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
if (rpc_ret == HAL_OK) {
- *der_len = der_max;
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, der, der_len));
+ uint32_t len32;
+ check(hal_xdr_decode_int(&iptr, ilimit, &len32));
+ if (der_len != NULL)
+ *der_len = len32;
+ if (der != NULL)
+ check(hal_xdr_decode_fixed_opaque(&iptr, ilimit, der, len32));
}
return rpc_ret;
}
@@ -765,10 +772,8 @@ static hal_error_t pkey_remote_sign(const hal_pkey_handle_t pkey,
check(read_matching_packet(RPC_FUNC_PKEY_SIGN, inbuf, sizeof(inbuf), &iptr, &ilimit));
check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
- if (rpc_ret == HAL_OK) {
- *signature_len = signature_max;
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, signature, signature_len));
- }
+ if (rpc_ret == HAL_OK)
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, signature, signature_len, signature_max));
return rpc_ret;
}
@@ -851,8 +856,8 @@ static hal_error_t pkey_remote_match(const hal_client_handle_t client,
*state = ustate;
check(hal_xdr_decode_int(&iptr, ilimit, &array_len));
for (int i = 0; i < array_len; ++i) {
- size_t uuid_len = sizeof(result[i].uuid);
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, result[i].uuid, &uuid_len));
+ size_t uuid_len;
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, result[i].uuid, &uuid_len, sizeof(result[i].uuid)));
if (uuid_len != sizeof(result[i].uuid))
return HAL_ERROR_KEY_NAME_TOO_LONG;
}
@@ -902,7 +907,7 @@ static hal_error_t pkey_remote_get_attributes(const hal_pkey_handle_t pkey,
{
/* inbuf[] here includes one extra word per attribute for padding */
uint8_t outbuf[nargs(5 + attributes_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
- uint8_t inbuf[nargs(3 + 3 * attributes_len) + attributes_buffer_len];
+ uint8_t inbuf[nargs(4 + 3 * attributes_len) + attributes_buffer_len];
const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
hal_client_handle_t dummy_client = {0};
hal_error_t rpc_ret;
@@ -935,11 +940,11 @@ static hal_error_t pkey_remote_get_attributes(const hal_pkey_handle_t pkey,
attributes[i].length = u32;
}
else {
- size_t len = attributes_buffer + attributes_buffer_len - abuf;
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, abuf, &len));
+ size_t len;
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, abuf, &len, attributes_buffer + attributes_buffer_len - abuf));
attributes[i].value = abuf;
attributes[i].length = len;
- abuf += u32;
+ abuf += len;
}
}
}
@@ -969,10 +974,8 @@ static hal_error_t pkey_remote_export(const hal_pkey_handle_t pkey,
check(hal_xdr_decode_int(&iptr, ilimit, &rpc_ret));
if (rpc_ret == HAL_OK) {
- *pkcs8_len = pkcs8_max;
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, pkcs8, pkcs8_len));
- *kek_len = kek_max;
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, kek, kek_len));
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, pkcs8, pkcs8_len, pkcs8_max));
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, kek, kek_len, kek_max));
}
return rpc_ret;
}
@@ -989,7 +992,7 @@ static hal_error_t pkey_remote_import(const hal_client_handle_t client,
uint8_t outbuf[nargs(7) + pad(pkcs8_len) + pad(kek_len)], *optr = outbuf, *olimit = outbuf + sizeof(outbuf);
uint8_t inbuf[nargs(5) + pad(sizeof(name->uuid))];
const uint8_t *iptr = inbuf, *ilimit = inbuf + sizeof(inbuf);
- size_t name_len = sizeof(name->uuid);
+ size_t name_len;
hal_error_t rpc_ret;
check(hal_xdr_encode_int(&optr, olimit, RPC_FUNC_PKEY_IMPORT));
@@ -1007,7 +1010,7 @@ static hal_error_t pkey_remote_import(const hal_client_handle_t client,
if (rpc_ret == HAL_OK) {
check(hal_xdr_decode_int(&iptr, ilimit, &pkey->handle));
- check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len));
+ check(hal_xdr_decode_variable_opaque(&iptr, ilimit, name->uuid, &name_len, sizeof(name->uuid)));
if (name_len != sizeof(name->uuid))
return HAL_ERROR_KEY_NAME_TOO_LONG;
}
diff --git a/rpc_client_daemon.c b/rpc_client_daemon.c
index 1c506eb..d47ac7d 100644
--- a/rpc_client_daemon.c
+++ b/rpc_client_daemon.c
@@ -37,6 +37,7 @@
#include <netinet/in.h>
#include <unistd.h>
#include <sys/un.h>
+#include <sys/socket.h>
#include "hal.h"
#include "hal_internal.h"
diff --git a/rpc_misc.c b/rpc_misc.c
index c27913c..50ee3ac 100644
--- a/rpc_misc.c
+++ b/rpc_misc.c
@@ -44,7 +44,7 @@ static hal_error_t get_version(uint32_t *version)
static hal_error_t get_random(void *buffer, const size_t length)
{
- if (buffer == NULL || length == 0)
+ if (buffer == NULL)
return HAL_ERROR_IMPOSSIBLE;
return hal_get_random(NULL, buffer, length);
diff --git a/rpc_pkey.c b/rpc_pkey.c
index e1521af..84e506d 100644
--- a/rpc_pkey.c
+++ b/rpc_pkey.c
@@ -3,8 +3,10 @@
* ----------
* Remote procedure call server-side public key implementation.
*
- * Authors: Rob Austein
- * Copyright (c) 2015, NORDUnet A/S All rights reserved.
+ * Authors: Rob Austein, Paul Selkirk
+ * Copyright (c) 2015-2018, NORDUnet A/S All rights reserved.
+ * Copyright: 2019-2020, The Commons Conservancy Cryptech Project
+ * SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -16,9 +18,9 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * - Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
@@ -38,7 +40,6 @@
#include "hal.h"
#include "hal_internal.h"
#include "asn1_internal.h"
-#include "hashsig.h"
#ifndef HAL_STATIC_PKEY_STATE_BLOCKS
#define HAL_STATIC_PKEY_STATE_BLOCKS 0
@@ -530,12 +531,13 @@ static hal_error_t pkey_local_generate_hashsig(const hal_client_handle_t client,
hal_pkey_handle_t *pkey,
hal_uuid_t *name,
const size_t hss_levels,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type,
const hal_key_flags_t flags)
{
hal_assert(pkey != NULL && name != NULL);
+ uint8_t keybuf[hal_hashsig_key_t_size];
hal_hashsig_key_t *key = NULL;
hal_pkey_slot_t *slot;
hal_error_t err;
@@ -555,7 +557,7 @@ static hal_error_t pkey_local_generate_hashsig(const hal_client_handle_t client,
slot->curve = HAL_CURVE_NONE;
slot->flags = flags;
- if ((err = hal_hashsig_key_gen(NULL, &key, hss_levels, lms_type, lmots_type)) != HAL_OK) {
+ if ((err = hal_hashsig_key_gen(NULL, &key, keybuf, sizeof(keybuf), hss_levels, lms_type, lmots_type, flags)) != HAL_OK) {
slot->type = HAL_KEY_TYPE_NONE;
return err;
}
@@ -566,11 +568,8 @@ static hal_error_t pkey_local_generate_hashsig(const hal_client_handle_t client,
if ((err = hal_hashsig_private_key_to_der(key, der, &der_len, sizeof(der))) == HAL_OK)
err = hal_ks_store(ks_from_flags(flags), slot, der, der_len);
- /* There's nothing sensitive in the top-level private key, but we wipe
- * the der anyway, for symmetry with other key types. The actual key buf
- * is allocated internally and stays in memory, because everything else
- * is linked off of it.
- */
+ key = NULL;
+ memset(keybuf, 0, sizeof(keybuf));
memset(der, 0, sizeof(der));
if (err != HAL_OK) {
@@ -602,8 +601,6 @@ static hal_error_t pkey_local_close(const hal_pkey_handle_t pkey)
/*
* Delete a key from the store, given its key handle.
*/
-static hal_error_t pkey_local_get_key_type(const hal_pkey_handle_t pkey, hal_key_type_t *type);
-
static hal_error_t pkey_local_delete(const hal_pkey_handle_t pkey)
{
hal_pkey_slot_t *slot = find_handle(pkey);
@@ -616,20 +613,9 @@ static hal_error_t pkey_local_delete(const hal_pkey_handle_t pkey)
if ((err = check_writable(slot->client, slot->flags)) != HAL_OK)
return err;
- hal_key_type_t key_type;
- if ((err = pkey_local_get_key_type(pkey, &key_type)) != HAL_OK)
- return err;
-
- if (key_type == HAL_KEY_TYPE_HASHSIG_PRIVATE) {
- hal_hashsig_key_t *key;
- uint8_t keybuf[hal_hashsig_key_t_size];
- uint8_t der[HAL_KS_WRAPPED_KEYSIZE];
- size_t der_len;
- if ((err = ks_fetch_from_flags(slot, der, &der_len, sizeof(der))) != HAL_OK ||
- (err = hal_hashsig_private_key_from_der(&key, keybuf, sizeof(keybuf), der, der_len)) != HAL_OK ||
- (err = hal_hashsig_key_delete(key)) != HAL_OK)
- return err;
- }
+ if (slot->type == HAL_KEY_TYPE_HASHSIG_PRIVATE &&
+ (err = hal_hashsig_delete(&slot->name)) != HAL_OK)
+ return err;
err = hal_ks_delete(ks_from_flags(slot->flags), slot);
@@ -700,127 +686,98 @@ static hal_error_t pkey_local_get_key_flags(const hal_pkey_handle_t pkey,
}
/*
- * Get length of public key associated with handle.
+ * Get public key associated with handle.
*/
-static size_t pkey_local_get_public_key_len(const hal_pkey_handle_t pkey)
+static hal_error_t pkey_local_get_public_key(const hal_pkey_handle_t pkey,
+ uint8_t *der, size_t *der_len, const size_t der_max)
{
hal_pkey_slot_t *slot = find_handle(pkey);
if (slot == NULL)
- return 0;
-
- size_t result = 0;
+ return HAL_ERROR_KEY_NOT_FOUND;
-#ifndef max
-#define max(a, b) ((a) >= (b) ? (a) : (b))
-#endif
- size_t keybuf_size = max(hal_rsa_key_t_size, hal_ecdsa_key_t_size);
- keybuf_size = max(keybuf_size, hal_hashsig_key_t_size);
- uint8_t keybuf[keybuf_size];
- hal_rsa_key_t *rsa_key = NULL;
- hal_ecdsa_key_t *ecdsa_key = NULL;
- hal_hashsig_key_t *hashsig_key = NULL;
- uint8_t der[HAL_KS_WRAPPED_KEYSIZE];
- size_t der_len;
+ uint8_t buf[HAL_KS_WRAPPED_KEYSIZE];
+ size_t buf_len;
hal_error_t err;
- if ((err = ks_fetch_from_flags(slot, der, &der_len, sizeof(der))) == HAL_OK) {
+ if ((err = ks_fetch_from_flags(slot, buf, &buf_len, sizeof(buf))) == HAL_OK) {
switch (slot->type) {
case HAL_KEY_TYPE_RSA_PUBLIC:
case HAL_KEY_TYPE_EC_PUBLIC:
case HAL_KEY_TYPE_HASHSIG_PUBLIC:
- result = der_len;
+ if (der_len != NULL)
+ *der_len = buf_len;
+ if (der != NULL) {
+ if (der_max < buf_len)
+ err = HAL_ERROR_RESULT_TOO_LONG;
+ else
+ memcpy(der, buf, buf_len);
+ }
break;
case HAL_KEY_TYPE_RSA_PRIVATE:
- if (hal_rsa_private_key_from_der(&rsa_key, keybuf, sizeof(keybuf), der, der_len) == HAL_OK)
- result = hal_rsa_public_key_to_der_len(rsa_key);
- break;
+ {
+ uint8_t keybuf[hal_rsa_key_t_size];
+ hal_rsa_key_t *key;
+ if ((err = hal_rsa_private_key_from_der(&key, keybuf, sizeof(keybuf), buf, buf_len)) == HAL_OK)
+ err = hal_rsa_public_key_to_der(key, der, der_len, der_max);
+ memset(keybuf, 0, sizeof(keybuf));
+ }
+ break;
case HAL_KEY_TYPE_EC_PRIVATE:
- if (hal_ecdsa_private_key_from_der(&ecdsa_key, keybuf, sizeof(keybuf), der, der_len) == HAL_OK)
- result = hal_ecdsa_public_key_to_der_len(ecdsa_key);
- break;
+ {
+ uint8_t keybuf[hal_ecdsa_key_t_size];
+ hal_ecdsa_key_t *key;
+ if ((err = hal_ecdsa_private_key_from_der(&key, keybuf, sizeof(keybuf), buf, buf_len)) == HAL_OK)
+ err = hal_ecdsa_public_key_to_der(key, der, der_len, der_max);
+ memset(keybuf, 0, sizeof(keybuf));
+ }
+ break;
case HAL_KEY_TYPE_HASHSIG_PRIVATE:
- if (hal_hashsig_private_key_from_der(&hashsig_key, keybuf, sizeof(keybuf), der, der_len) == HAL_OK)
- result = hal_hashsig_public_key_to_der_len(hashsig_key);
- break;
+ {
+ uint8_t keybuf[hal_hashsig_key_t_size];
+ hal_hashsig_key_t *key;
+ if ((err = hal_hashsig_private_key_from_der(&key, keybuf, sizeof(keybuf), buf, buf_len)) == HAL_OK) {
+ err = hal_hashsig_public_key_to_der(key, der, der_len, der_max);
+ key = NULL;
+ }
+ memset(keybuf, 0, sizeof(keybuf));
+ }
+ break;
default:
+ err = HAL_ERROR_UNSUPPORTED_KEY;
break;
}
}
- memset(keybuf, 0, sizeof(keybuf));
- memset(der, 0, sizeof(der));
+ memset(buf, 0, sizeof(buf));
- return result;
+ return err;
}
/*
- * Get public key associated with handle.
+ * Get length of public key associated with handle.
*/
-static hal_error_t pkey_local_get_public_key(const hal_pkey_handle_t pkey,
- uint8_t *der, size_t *der_len, const size_t der_max)
+static size_t pkey_local_get_public_key_len(const hal_pkey_handle_t pkey)
{
hal_pkey_slot_t *slot = find_handle(pkey);
if (slot == NULL)
- return HAL_ERROR_KEY_NOT_FOUND;
+ return 0;
- size_t keybuf_size = max(hal_rsa_key_t_size, hal_ecdsa_key_t_size);
- keybuf_size = max(keybuf_size, hal_hashsig_key_t_size);
- uint8_t keybuf[keybuf_size];
- hal_rsa_key_t *rsa_key = NULL;
- hal_ecdsa_key_t *ecdsa_key = NULL;
- hal_hashsig_key_t *hashsig_key = NULL;
- uint8_t buf[HAL_KS_WRAPPED_KEYSIZE];
- size_t buf_len;
+ size_t der_len;
hal_error_t err;
- if ((err = ks_fetch_from_flags(slot, buf, &buf_len, sizeof(buf))) == HAL_OK) {
- switch (slot->type) {
-
- case HAL_KEY_TYPE_RSA_PUBLIC:
- case HAL_KEY_TYPE_EC_PUBLIC:
- case HAL_KEY_TYPE_HASHSIG_PUBLIC:
- if (der_len != NULL)
- *der_len = buf_len;
- if (der != NULL && der_max < buf_len)
- err = HAL_ERROR_RESULT_TOO_LONG;
- else if (der != NULL)
- memcpy(der, buf, buf_len);
- break;
-
- case HAL_KEY_TYPE_RSA_PRIVATE:
- if ((err = hal_rsa_private_key_from_der(&rsa_key, keybuf, sizeof(keybuf), buf, buf_len)) == HAL_OK)
- err = hal_rsa_public_key_to_der(rsa_key, der, der_len, der_max);
- break;
-
- case HAL_KEY_TYPE_EC_PRIVATE:
- if ((err = hal_ecdsa_private_key_from_der(&ecdsa_key, keybuf, sizeof(keybuf), buf, buf_len)) == HAL_OK)
- err = hal_ecdsa_public_key_to_der(ecdsa_key, der, der_len, der_max);
- break;
-
- case HAL_KEY_TYPE_HASHSIG_PRIVATE:
- if ((err = hal_hashsig_private_key_from_der(&hashsig_key, keybuf, sizeof(keybuf), buf, buf_len)) == HAL_OK)
- err = hal_hashsig_public_key_to_der(hashsig_key, der, der_len, der_max);
- break;
-
- default:
- err = HAL_ERROR_UNSUPPORTED_KEY;
- break;
- }
- }
-
- memset(keybuf, 0, sizeof(keybuf));
- memset(buf, 0, sizeof(buf));
-
- return err;
+ if ((err = pkey_local_get_public_key(pkey, NULL, &der_len, 0)) == HAL_OK)
+ return der_len;
+ else
+ return 0;
}
/*
@@ -929,24 +886,28 @@ static hal_error_t pkey_local_sign_hashsig(hal_pkey_slot_t *slot,
if (input == NULL || input_len == 0) {
hal_digest_algorithm_t alg;
+ size_t digest_len;
if ((err = hal_rpc_hash_get_algorithm(hash, &alg)) != HAL_OK ||
- (err = hal_rpc_hash_get_digest_length(alg, &input_len)) != HAL_OK)
+ (err = hal_rpc_hash_get_digest_length(alg, &digest_len)) != HAL_OK)
return err;
- if (input_len > signature_max)
+ if (digest_len > signature_max)
return HAL_ERROR_RESULT_TOO_LONG;
- if ((err = hal_rpc_hash_finalize(hash, signature, input_len)) != HAL_OK)
+ uint8_t digest[digest_len];
+
+ if ((err = hal_rpc_hash_finalize(hash, digest, digest_len)) != HAL_OK)
return err;
- input = signature;
+ err = hal_hashsig_sign(NULL, key, digest, digest_len, signature, signature_len, signature_max);
}
- if ((err = hal_hashsig_sign(NULL, key, input, input_len, signature, signature_len, signature_max)) != HAL_OK)
- return err;
+ else
+ err = hal_hashsig_sign(NULL, key, input, input_len, signature, signature_len, signature_max);
- return HAL_OK;
+ key = NULL;
+ return err;
}
static hal_error_t pkey_local_sign(const hal_pkey_handle_t pkey,
@@ -1113,13 +1074,23 @@ static hal_error_t pkey_local_verify_hashsig(uint8_t *keybuf, const size_t keybu
hal_assert(signature != NULL && signature_len > 0);
hal_assert((hash.handle == HAL_HANDLE_NONE) != (input == NULL || input_len == 0));
- if ((err = hal_hashsig_public_key_from_der(&key, keybuf, keybuf_len, der, der_len)) != HAL_OK)
+ switch (type) {
+ case HAL_KEY_TYPE_HASHSIG_PRIVATE:
+ err = hal_hashsig_private_key_from_der(&key, keybuf, keybuf_len, der, der_len);
+ break;
+ case HAL_KEY_TYPE_HASHSIG_PUBLIC:
+ err = hal_hashsig_public_key_from_der(&key, keybuf, keybuf_len, der, der_len);
+ break;
+ default:
+ err = HAL_ERROR_IMPOSSIBLE;
+ }
+
+ if (err != HAL_OK)
return err;
if (input == NULL || input_len == 0) {
hal_digest_algorithm_t alg;
- // ???
if ((err = hal_rpc_hash_get_algorithm(hash, &alg)) != HAL_OK ||
(err = hal_rpc_hash_get_digest_length(alg, &input_len)) != HAL_OK ||
(err = hal_rpc_hash_finalize(hash, digest, sizeof(digest))) != HAL_OK)
@@ -1162,6 +1133,7 @@ static hal_error_t pkey_local_verify(const hal_pkey_handle_t pkey,
verifier = pkey_local_verify_ecdsa;
keybuf_size = hal_ecdsa_key_t_size;
break;
+ case HAL_KEY_TYPE_HASHSIG_PRIVATE:
case HAL_KEY_TYPE_HASHSIG_PUBLIC:
verifier = pkey_local_verify_hashsig;
keybuf_size = hal_hashsig_key_t_size;
@@ -1255,6 +1227,7 @@ static hal_error_t pkey_local_match(const hal_client_handle_t client,
case MATCH_STATE_START:
prev = uuid_zero;
++*state;
+ /* fall through */
case MATCH_STATE_TOKEN:
if (((mask & HAL_KEY_FLAG_TOKEN) == 0 || (mask & flags & HAL_KEY_FLAG_TOKEN) != 0) &&
@@ -1266,6 +1239,7 @@ static hal_error_t pkey_local_match(const hal_client_handle_t client,
return HAL_OK;
prev = uuid_zero;
++*state;
+ /* fall through */
case MATCH_STATE_VOLATILE:
if (((mask & HAL_KEY_FLAG_TOKEN) == 0 || (mask & flags & HAL_KEY_FLAG_TOKEN) == 0) &&
@@ -1276,6 +1250,7 @@ static hal_error_t pkey_local_match(const hal_client_handle_t client,
if (*result_len == result_max)
return HAL_OK;
++*state;
+ /* fall through */
case MATCH_STATE_DONE:
return HAL_OK;
@@ -1374,6 +1349,11 @@ static hal_error_t pkey_local_export(const hal_pkey_handle_t pkey_handle,
if ((err = ks_fetch_from_flags(pkey, pkcs8, &len, pkcs8_max)) != HAL_OK)
goto fail;
+ /* hashsig export partitions the keyspace, so needs to update the stored key */
+ if (pkey->type == HAL_KEY_TYPE_HASHSIG_PRIVATE &&
+ (err = hal_hashsig_export(&pkey->name, pkcs8, &len, pkcs8_max)) != HAL_OK)
+ goto fail;
+
if ((err = hal_get_random(NULL, kek, KEK_LENGTH)) != HAL_OK)
goto fail;
@@ -1483,6 +1463,13 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client,
if ((err = hal_aes_keyunwrap(NULL, kek, sizeof(kek), data, data_len, der, &der_len)) != HAL_OK)
goto fail;
+ hal_key_type_t type;
+ hal_curve_name_t curve;
+ if ((err = hal_asn1_guess_key_type(&type, &curve, der, der_len)) == HAL_OK &&
+ type == HAL_KEY_TYPE_HASHSIG_PRIVATE &&
+ (err = hal_hashsig_import(der, der_len, flags)) != HAL_OK)
+ goto fail;
+
err = hal_rpc_pkey_load(client, session, pkey, name, der, der_len, flags);
fail:
diff --git a/rpc_server.c b/rpc_server.c
index 5a06e37..9598413 100644
--- a/rpc_server.c
+++ b/rpc_server.c
@@ -35,7 +35,6 @@
#include "hal.h"
#include "hal_internal.h"
#include "xdr_internal.h"
-#include "hashsig.h"
/*
* RPC calls.
@@ -68,7 +67,7 @@ static hal_error_t get_random(const uint8_t **iptr, const uint8_t * const ilimit
check(hal_xdr_decode_int(iptr, ilimit, &length));
/* sanity check length */
- if (length == 0 || length > (uint32_t)(olimit - *optr - nargs(1)))
+ if (nargs(1) + pad(length) > (uint32_t)(olimit - *optr))
return HAL_ERROR_RPC_PACKET_OVERFLOW;
/* get the data directly into the output buffer */
@@ -168,13 +167,19 @@ static hal_error_t hash_get_digest_algorithm_id(const uint8_t **iptr, const uint
check(hal_xdr_decode_int(iptr, ilimit, &alg));
check(hal_xdr_decode_int(iptr, ilimit, &len_max));
/* sanity check len_max */
- if (len_max > (uint32_t)(olimit - *optr - nargs(1)))
+ if (nargs(1) + pad(len_max) > (uint32_t)(olimit - *optr))
return HAL_ERROR_RPC_PACKET_OVERFLOW;
- /* get the data directly into the output buffer */
- if ((err = hal_rpc_hash_get_digest_algorithm_id(alg, *optr + nargs(1), &len, (size_t)len_max)) == HAL_OK) {
- check(hal_xdr_encode_int(optr, olimit, len));
- *optr += pad(len);
+ if (len_max == 0) {
+ if ((err = hal_rpc_hash_get_digest_algorithm_id(alg, NULL, &len, 0)) == HAL_OK)
+ check(hal_xdr_encode_int(optr, olimit, len));
+ }
+ else {
+ /* get the data directly into the output buffer */
+ if ((err = hal_rpc_hash_get_digest_algorithm_id(alg, *optr + nargs(1), &len, (size_t)len_max)) == HAL_OK) {
+ check(hal_xdr_encode_int(optr, olimit, len));
+ *optr += pad(len);
+ }
}
return err;
@@ -210,6 +215,8 @@ static hal_error_t hash_initialize(const uint8_t **iptr, const uint8_t * const i
check(hal_xdr_decode_int(iptr, ilimit, &session.handle));
check(hal_xdr_decode_int(iptr, ilimit, &alg));
check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &key, &key_len));
+ if (key_len == 0)
+ key = NULL;
check(hal_rpc_hash_initialize(client, session, &hash, (hal_digest_algorithm_t)alg, key, (size_t)key_len));
@@ -245,7 +252,7 @@ static hal_error_t hash_finalize(const uint8_t **iptr, const uint8_t * const ili
check(hal_xdr_decode_int(iptr, ilimit, &hash.handle));
check(hal_xdr_decode_int(iptr, ilimit, &length));
/* sanity check length */
- if (length > (uint32_t)(olimit - *optr - nargs(1)))
+ if (nargs(1) + pad(length) > (uint32_t)(olimit - *optr))
return HAL_ERROR_RPC_PACKET_OVERFLOW;
/* get the data directly into the output buffer */
@@ -493,7 +500,7 @@ static hal_error_t pkey_get_public_key(const uint8_t **iptr, const uint8_t * con
check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle));
check(hal_xdr_decode_int(iptr, ilimit, &len_max));
/* sanity check len_max */
- if (len_max > (uint32_t)(olimit - *optr - nargs(1)))
+ if (nargs(1) + pad(len_max) > (uint32_t)(olimit - *optr))
return HAL_ERROR_RPC_PACKET_OVERFLOW;
/* get the data directly into the output buffer */
@@ -523,7 +530,7 @@ static hal_error_t pkey_sign(const uint8_t **iptr, const uint8_t * const ilimit,
check(hal_xdr_decode_variable_opaque_ptr(iptr, ilimit, &input, &input_len));
check(hal_xdr_decode_int(iptr, ilimit, &sig_max));
/* sanity check sig_max */
- if (sig_max > (uint32_t)(olimit - *optr - nargs(1)))
+ if (nargs(1) + pad(sig_max) > (uint32_t)(olimit - *optr))
return HAL_ERROR_RPC_PACKET_OVERFLOW;
/* get the data directly into the output buffer */
@@ -576,6 +583,9 @@ static hal_error_t pkey_match(const uint8_t **iptr, const uint8_t * const ilimit
check(hal_xdr_decode_int(iptr, ilimit, &flags));
check(hal_xdr_decode_int(iptr, ilimit, &attributes_len));
+ if (nargs(2 * attributes_len) > (uint32_t)(ilimit - *iptr))
+ return HAL_ERROR_RPC_PACKET_OVERFLOW;
+
hal_pkey_attribute_t attributes[attributes_len > 0 ? attributes_len : 1];
for (size_t i = 0; i < attributes_len; i++) {
@@ -597,6 +607,9 @@ static hal_error_t pkey_match(const uint8_t **iptr, const uint8_t * const ilimit
const hal_uuid_t * const previous_uuid = (const void *) previous_uuid_ptr;
+ if (nargs(2) + result_max * (nargs(1) + sizeof(hal_uuid_t)) > (uint32_t)(olimit - *optr))
+ return HAL_ERROR_RPC_PACKET_OVERFLOW;
+
hal_uuid_t result[result_max];
unsigned result_len, ustate = state;
@@ -628,6 +641,9 @@ static hal_error_t pkey_set_attributes(const uint8_t **iptr, const uint8_t * con
check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle));
check(hal_xdr_decode_int(iptr, ilimit, &attributes_len));
+ if (nargs(2 * attributes_len) > (uint32_t)(ilimit - *iptr))
+ return HAL_ERROR_RPC_PACKET_OVERFLOW;
+
hal_pkey_attribute_t attributes[attributes_len > 0 ? attributes_len : 1];
for (size_t i = 0; i < attributes_len; i++) {
@@ -656,7 +672,7 @@ static hal_error_t pkey_get_attributes(const uint8_t **iptr, const uint8_t * con
{
hal_client_handle_t client;
hal_pkey_handle_t pkey;
- uint32_t attributes_len, u32;
+ uint32_t attributes_len, attributes_buffer_len;
uint8_t *optr_orig = *optr;
hal_error_t err;
@@ -664,14 +680,15 @@ static hal_error_t pkey_get_attributes(const uint8_t **iptr, const uint8_t * con
check(hal_xdr_decode_int(iptr, ilimit, &pkey.handle));
check(hal_xdr_decode_int(iptr, ilimit, &attributes_len));
+ if (nargs(1 + attributes_len) > (uint32_t)(ilimit - *iptr))
+ return HAL_ERROR_RPC_PACKET_OVERFLOW;
+
hal_pkey_attribute_t attributes[attributes_len > 0 ? attributes_len : 1];
for (size_t i = 0; i < attributes_len; i++)
check(hal_xdr_decode_int(iptr, ilimit, &attributes[i].type));
- check(hal_xdr_decode_int(iptr, ilimit, &u32));
-
- const size_t attributes_buffer_len = u32;
+ check(hal_xdr_decode_int(iptr, ilimit, &attributes_buffer_len));
if (nargs(1 + 2 * attributes_len) + attributes_buffer_len > (uint32_t)(olimit - *optr))
return HAL_ERROR_RPC_PACKET_OVERFLOW;
@@ -715,6 +732,9 @@ static hal_error_t pkey_export(const uint8_t **iptr, const uint8_t * const ilimi
check(hal_xdr_decode_int(iptr, ilimit, &pkcs8_max));
check(hal_xdr_decode_int(iptr, ilimit, &kek_max));
+ if (nargs(2) + pad(pkcs8_max) + pad(kek_max) > (uint32_t)(olimit - *optr))
+ return HAL_ERROR_RPC_PACKET_OVERFLOW;
+
uint8_t pkcs8[pkcs8_max], kek[kek_max];
check(hal_rpc_pkey_export(pkey, kekek, pkcs8, &pkcs8_len, sizeof(pkcs8), kek, &kek_len, sizeof(kek)));
diff --git a/rsa.c b/rsa.c
index 1b5de7d..3adbd49 100644
--- a/rsa.c
+++ b/rsa.c
@@ -12,8 +12,9 @@
* St Denis's libtomcrypt code.
*
* Authors: Rob Austein
- * Copyright (c) 2015-2018, NORDUnet A/S
- * All rights reserved.
+ * Copyright (c) 2015-2018, NORDUnet A/S All rights reserved.
+ * Copyright: 2020, The Commons Conservancy Cryptech Project
+ * SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -25,9 +26,9 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * - Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
@@ -121,6 +122,13 @@ void hal_rsa_set_debug(const int onoff)
debug = onoff;
}
+static int do_crt = 1;
+
+void hal_rsa_set_crt(const int onoff)
+{
+ do_crt = onoff;
+}
+
/*
* Whether we want RSA blinding.
*/
@@ -146,6 +154,13 @@ static struct {
#endif
+void hal_rsa_clear_blinding_cache(void)
+{
+#if HAL_RSA_BLINDING_CACHE_SIZE > 0
+ memset(&bfc, 0, sizeof(bfc));
+#endif
+}
+
/*
* RSA key implementation. This structure type is private to this
* module, anything else that needs to touch one of these just gets a
@@ -165,9 +180,9 @@ struct hal_rsa_key {
fp_int dQ[1]; /* d mod (q - 1) */
unsigned flags; /* Internal key flags */
uint8_t /* ModExpA7 speedup factors */
- nC[HAL_RSA_MAX_OPERAND_LENGTH], nF[HAL_RSA_MAX_OPERAND_LENGTH],
- pC[HAL_RSA_MAX_OPERAND_LENGTH/2], pF[HAL_RSA_MAX_OPERAND_LENGTH/2],
- qC[HAL_RSA_MAX_OPERAND_LENGTH/2], qF[HAL_RSA_MAX_OPERAND_LENGTH/2];
+ nC[HAL_RSA_MAX_OPERAND_LENGTH+4], nF[HAL_RSA_MAX_OPERAND_LENGTH],
+ pC[HAL_RSA_MAX_OPERAND_LENGTH/2+4], pF[HAL_RSA_MAX_OPERAND_LENGTH/2],
+ qC[HAL_RSA_MAX_OPERAND_LENGTH/2+4], qF[HAL_RSA_MAX_OPERAND_LENGTH/2];
};
#define RSA_FLAG_NEEDS_SAVING (1 << 0)
@@ -228,6 +243,26 @@ static hal_error_t unpack_fp(const fp_int * const bn, uint8_t *buffer, const siz
#if HAL_RSA_SIGN_USE_MODEXP
+static hal_error_t modexpng_precalc(const fp_int *modulus, uint8_t *coeff, size_t coeff_len, uint8_t *factor, size_t factor_len)
+{
+ const size_t keylen = ((fp_unsigned_bin_size(unconst_fp_int(modulus)) + 3) & ~3) * 8;
+ hal_error_t err;
+
+ /* factor = (2 ** (2 * (keylen + 16))) % modulus */
+ fp_int fp_result[1];
+ fp_2expt(fp_result, 2 * (keylen + 16));
+ fp_mod(fp_result, unconst_fp_int(modulus), fp_result);
+ if ((err = unpack_fp(fp_result, factor, factor_len)) != HAL_OK)
+ return err;
+
+ /* coeff = (-modulus ** -1) % (2 ** (keylen + 16)) */
+ fp_int pwr[1];
+ fp_2expt(pwr, keylen + 16);
+ fp_neg(unconst_fp_int(modulus), fp_result);
+ fp_invmod(fp_result, pwr, fp_result);
+ return unpack_fp(fp_result, coeff, coeff_len);
+}
+
/*
* Unwrap bignums into byte arrays, feed them into hal_modexp(), and
* wrap result back up as a bignum.
@@ -248,14 +283,34 @@ static hal_error_t modexp(hal_core_t *core,
return HAL_ERROR_IMPOSSIBLE;
const size_t msg_len = (fp_unsigned_bin_size(unconst_fp_int(msg)) + 3) & ~3;
- const size_t exp_len = (fp_unsigned_bin_size(unconst_fp_int(exp)) + 3) & ~3;
- const size_t mod_len = (fp_unsigned_bin_size(unconst_fp_int(mod)) + 3) & ~3;
+ const size_t exp_len = (fp_unsigned_bin_size(unconst_fp_int(exp)) + 3) & ~3;
+ const size_t mod_len = (fp_unsigned_bin_size(unconst_fp_int(mod)) + 3) & ~3;
uint8_t msgbuf[msg_len];
uint8_t expbuf[exp_len];
uint8_t modbuf[mod_len];
uint8_t resbuf[mod_len];
+ if (hal_modexp_using_modexpng()) {
+ hal_modexpng_arg_t args = {
+ .core = core,
+ .msg = msgbuf, .msg_len = sizeof(msgbuf),
+ .exp = expbuf, .exp_len = sizeof(expbuf),
+ .mod = modbuf, .mod_len = sizeof(modbuf),
+ .result = resbuf, .result_len = sizeof(resbuf),
+ .coeff = coeff, .coeff_len = coeff_len,
+ .mont = mont, .mont_len = mont_len
+ };
+
+ if ((precalc &&
+ (err = modexpng_precalc(mod, coeff, coeff_len, mont, mont_len)) != HAL_OK) ||
+ (err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
+ (err = unpack_fp(exp, expbuf, sizeof(expbuf))) != HAL_OK ||
+ (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK ||
+ (err = hal_modexpng(&args)) != HAL_OK)
+ goto fail;
+ }
+ else {
hal_modexp_arg_t args = {
.core = core,
.msg = msgbuf, .msg_len = sizeof(msgbuf),
@@ -266,11 +321,12 @@ static hal_error_t modexp(hal_core_t *core,
.mont = mont, .mont_len = mont_len
};
- if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
- (err = unpack_fp(exp, expbuf, sizeof(expbuf))) != HAL_OK ||
- (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK ||
- (err = hal_modexp(precalc, &args)) != HAL_OK)
+ if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
+ (err = unpack_fp(exp, expbuf, sizeof(expbuf))) != HAL_OK ||
+ (err = unpack_fp(mod, modbuf, sizeof(modbuf))) != HAL_OK ||
+ (err = hal_modexp(precalc, &args)) != HAL_OK)
goto fail;
+ }
fp_read_unsigned_bin(res, resbuf, sizeof(resbuf));
@@ -279,7 +335,6 @@ static hal_error_t modexp(hal_core_t *core,
memset(expbuf, 0, sizeof(expbuf));
memset(modbuf, 0, sizeof(modbuf));
memset(resbuf, 0, sizeof(resbuf));
- memset(&args, 0, sizeof(args));
return err;
}
@@ -306,34 +361,34 @@ static hal_error_t modexp2(const int precalc,
return HAL_ERROR_IMPOSSIBLE;
const size_t msg_len = (fp_unsigned_bin_size(unconst_fp_int(msg)) + 3) & ~3;
- const size_t exp1_len = (fp_unsigned_bin_size(unconst_fp_int(exp1)) + 3) & ~3;
- const size_t mod1_len = (fp_unsigned_bin_size(unconst_fp_int(mod1)) + 3) & ~3;
- const size_t exp2_len = (fp_unsigned_bin_size(unconst_fp_int(exp2)) + 3) & ~3;
- const size_t mod2_len = (fp_unsigned_bin_size(unconst_fp_int(mod2)) + 3) & ~3;
+ const size_t exp1_len = (fp_unsigned_bin_size(unconst_fp_int(exp1)) + 3) & ~3;
+ const size_t mod1_len = (fp_unsigned_bin_size(unconst_fp_int(mod1)) + 3) & ~3;
+ const size_t exp2_len = (fp_unsigned_bin_size(unconst_fp_int(exp2)) + 3) & ~3;
+ const size_t mod2_len = (fp_unsigned_bin_size(unconst_fp_int(mod2)) + 3) & ~3;
uint8_t msgbuf[msg_len];
uint8_t expbuf1[exp1_len], modbuf1[mod1_len], resbuf1[mod1_len];
uint8_t expbuf2[exp2_len], modbuf2[mod2_len], resbuf2[mod2_len];
- hal_modexp_arg_t args1 = {
- .core = core1,
- .msg = msgbuf, .msg_len = sizeof(msgbuf),
- .exp = expbuf1, .exp_len = sizeof(expbuf1),
- .mod = modbuf1, .mod_len = sizeof(modbuf1),
- .result = resbuf1, .result_len = sizeof(resbuf1),
- .coeff = coeff1, .coeff_len = coeff1_len,
- .mont = mont1, .mont_len = mont1_len
- };
-
- hal_modexp_arg_t args2 = {
- .core = core2,
- .msg = msgbuf, .msg_len = sizeof(msgbuf),
- .exp = expbuf2, .exp_len = sizeof(expbuf2),
- .mod = modbuf2, .mod_len = sizeof(modbuf2),
- .result = resbuf2, .result_len = sizeof(resbuf2),
- .coeff = coeff2, .coeff_len = coeff2_len,
- .mont = mont2, .mont_len = mont2_len
- };
+ hal_modexp_arg_t args1 = {
+ .core = core1,
+ .msg = msgbuf, .msg_len = sizeof(msgbuf),
+ .exp = expbuf1, .exp_len = sizeof(expbuf1),
+ .mod = modbuf1, .mod_len = sizeof(modbuf1),
+ .result = resbuf1, .result_len = sizeof(resbuf1),
+ .coeff = coeff1, .coeff_len = coeff1_len,
+ .mont = mont1, .mont_len = mont1_len
+ };
+
+ hal_modexp_arg_t args2 = {
+ .core = core2,
+ .msg = msgbuf, .msg_len = sizeof(msgbuf),
+ .exp = expbuf2, .exp_len = sizeof(expbuf2),
+ .mod = modbuf2, .mod_len = sizeof(modbuf2),
+ .result = resbuf2, .result_len = sizeof(resbuf2),
+ .coeff = coeff2, .coeff_len = coeff2_len,
+ .mont = mont2, .mont_len = mont2_len
+ };
if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
(err = unpack_fp(exp1, expbuf1, sizeof(expbuf1))) != HAL_OK ||
@@ -341,7 +396,7 @@ static hal_error_t modexp2(const int precalc,
(err = unpack_fp(exp2, expbuf2, sizeof(expbuf2))) != HAL_OK ||
(err = unpack_fp(mod2, modbuf2, sizeof(modbuf2))) != HAL_OK ||
(err = hal_modexp2(precalc, &args1, &args2)) != HAL_OK)
- goto fail;
+ goto fail;
fp_read_unsigned_bin(res1, resbuf1, sizeof(resbuf1));
fp_read_unsigned_bin(res2, resbuf2, sizeof(resbuf2));
@@ -359,6 +414,113 @@ static hal_error_t modexp2(const int precalc,
return err;
}
+static hal_error_t modexpng(hal_core_t *core,
+ const fp_int * const msg,
+ hal_rsa_key_t *key,
+ fp_int *bf,
+ fp_int *ubf,
+ fp_int *res)
+{
+ hal_error_t err = HAL_OK;
+
+ if (msg == NULL || key == NULL || res == NULL)
+ return HAL_ERROR_IMPOSSIBLE;
+
+ if (!(key->flags & RSA_FLAG_PRECALC_N_DONE)) {
+ if ((err = modexpng_precalc(key->n, key->nC, sizeof(key->nC), key->nF, sizeof(key->nF))) != HAL_OK)
+ return err;
+ key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_NEEDS_SAVING;
+ }
+
+ if (key->p && !(key->flags & RSA_FLAG_PRECALC_PQ_DONE)) {
+ if ((err = modexpng_precalc(key->p, key->pC, sizeof(key->pC), key->pF, sizeof(key->pF))) != HAL_OK ||
+ (err = modexpng_precalc(key->q, key->qC, sizeof(key->qC), key->qF, sizeof(key->qF))) != HAL_OK)
+ return err;
+ key->flags |= RSA_FLAG_PRECALC_PQ_DONE | RSA_FLAG_NEEDS_SAVING;
+ }
+
+/* number of significant bytes in an fp_int, rounded to a multiple of 4 */
+#define fp_len(x) (fp_unsigned_bin_size(unconst_fp_int(x)) + 3) & ~3
+
+ const size_t mod_len = fp_len(key->n);
+
+ uint8_t msgbuf[fp_len(msg)];
+ uint8_t expbuf[fp_len(key->d)];
+ uint8_t modbuf[mod_len];
+ uint8_t resbuf[mod_len];
+ uint8_t p_buf[mod_len/2];
+ uint8_t q_buf[mod_len/2];
+ uint8_t u_buf[mod_len/2];
+ uint8_t dP_buf[mod_len/2];
+ uint8_t dQ_buf[mod_len/2];
+ uint8_t bf_buf[mod_len];
+ uint8_t ubf_buf[mod_len];
+
+ hal_modexpng_arg_t args = {
+ .core = core,
+ .msg = msgbuf, .msg_len = sizeof(msgbuf),
+ .exp = expbuf, .exp_len = sizeof(expbuf),
+ .mod = modbuf, .mod_len = sizeof(modbuf),
+ .result = resbuf, .result_len = sizeof(resbuf),
+ .coeff = key->nC, .coeff_len = sizeof(key->nC),
+ .mont = key->nF, .mont_len = sizeof(key->nF),
+ .p = p_buf, .p_len = sizeof(p_buf),
+ .pC = key->pC, .pC_len = sizeof(key->pC),
+ .pF = key->pF, .pF_len = sizeof(key->pF),
+ .q = q_buf, .q_len = sizeof(q_buf),
+ .qC = key->qC, .qC_len = sizeof(key->qC),
+ .qF = key->qF, .qF_len = sizeof(key->qF),
+ .dP = dP_buf, .dP_len = sizeof(dP_buf),
+ .dQ = dQ_buf, .dQ_len = sizeof(dQ_buf),
+ .qInv = u_buf, .qInv_len = sizeof(u_buf),
+ .bf = bf_buf, .bf_len = sizeof(bf_buf),
+ .ubf = ubf_buf, .ubf_len = sizeof(ubf_buf),
+ };
+
+ if (bf) {
+ if ((err = unpack_fp(bf, bf_buf, sizeof(bf_buf))) != HAL_OK ||
+ (err = unpack_fp(ubf, ubf_buf, sizeof(ubf_buf))) != HAL_OK)
+ goto fail;
+ }
+ else {
+ /* set blinding factors to (1,1) */
+ memset(bf_buf, 0, sizeof(bf_buf)); bf_buf[sizeof(bf_buf) - 1] = 1;
+ memset(ubf_buf, 0, sizeof(ubf_buf)); ubf_buf[sizeof(ubf_buf) - 1] = 1;
+ }
+
+ if ((err = unpack_fp(msg, msgbuf, sizeof(msgbuf))) != HAL_OK ||
+ (err = unpack_fp(key->d, expbuf, sizeof(expbuf))) != HAL_OK ||
+ (err = unpack_fp(key->n, modbuf, sizeof(modbuf))) != HAL_OK ||
+ (err = unpack_fp(key->p, p_buf, sizeof(p_buf))) != HAL_OK ||
+ (err = unpack_fp(key->q, q_buf, sizeof(q_buf))) != HAL_OK ||
+ (err = unpack_fp(key->u, u_buf, sizeof(u_buf))) != HAL_OK ||
+ (err = unpack_fp(key->dP, dP_buf, sizeof(dP_buf))) != HAL_OK ||
+ (err = unpack_fp(key->dQ, dQ_buf, sizeof(dQ_buf))) != HAL_OK ||
+ (err = hal_modexpng(&args)) != HAL_OK)
+ goto fail;
+
+ fp_read_unsigned_bin(res, resbuf, sizeof(resbuf));
+ /* we do the blinding factor mutation in create_blinding_factors,
+ * so we don't need to read them back from the core
+ */
+
+ fail:
+ memset(msgbuf, 0, sizeof(msgbuf));
+ memset(expbuf, 0, sizeof(expbuf));
+ memset(modbuf, 0, sizeof(modbuf));
+ memset(resbuf, 0, sizeof(resbuf));
+ memset(p_buf, 0, sizeof(p_buf));
+ memset(q_buf, 0, sizeof(q_buf));
+ memset(u_buf, 0, sizeof(u_buf));
+ memset(dP_buf, 0, sizeof(dP_buf));
+ memset(dQ_buf, 0, sizeof(dQ_buf));
+ memset(bf_buf, 0, sizeof(bf_buf));
+ memset(ubf_buf, 0, sizeof(ubf_buf));
+ memset(&args, 0, sizeof(args));
+ return err;
+}
+
+
#else /* HAL_RSA_SIGN_USE_MODEXP */
/*
@@ -406,6 +568,25 @@ static hal_error_t modexp2(const int precalc, /* ignored */
return err;
}
+int hal_modexp_using_modexpng(void)
+{
+ return 0;
+}
+
+static hal_error_t modexpng(hal_core_t *core,
+ const fp_int * const msg,
+ hal_rsa_key_t *key,
+ fp_int *bf,
+ fp_int *ubf,
+ fp_int *res)
+{
+ return HAL_ERROR_FORBIDDEN;
+}
+
+static hal_error_t modexpng_precalc(const fp_int *modulus, uint8_t *coeff, const size_t coeff_len, uint8_t *factor, const size_t factor_len)
+{
+ return HAL_ERROR_FORBIDDEN;
+}
#endif /* HAL_RSA_SIGN_USE_MODEXP */
/*
@@ -482,6 +663,7 @@ static hal_error_t create_blinding_factors(hal_rsa_key_t *key, fp_int *bf, fp_in
fp_read_unsigned_bin(bf, rnd, sizeof(rnd));
fp_copy(bf, ubf);
+ /* bf = ubf ** e mod n */
if ((err = modexp(NULL, precalc, bf, key->e, key->n, bf,
key->nC, sizeof(key->nC), key->nF, sizeof(key->nF))) != HAL_OK)
goto fail;
@@ -516,13 +698,25 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
if (key == NULL || msg == NULL || sig == NULL)
return HAL_ERROR_IMPOSSIBLE;
- const int precalc = !(key->flags & RSA_FLAG_PRECALC_PQ_DONE);
hal_error_t err = HAL_OK;
+ fp_int bf[1] = INIT_FP_INT;
+ fp_int ubf[1] = INIT_FP_INT;
+
+ if (hal_modexp_using_modexpng()) {
+ if (blinding) {
+ if ((err = create_blinding_factors(key, bf, ubf)) != HAL_OK)
+ return err;
+ return modexpng(core1, msg, key, bf, ubf, sig);
+ }
+ else {
+ return modexpng(core1, msg, key, NULL, NULL, sig);
+ }
+ }
+
+ const int precalc = !(key->flags & RSA_FLAG_PRECALC_PQ_DONE);
fp_int t[1] = INIT_FP_INT;
fp_int m1[1] = INIT_FP_INT;
fp_int m2[1] = INIT_FP_INT;
- fp_int bf[1] = INIT_FP_INT;
- fp_int ubf[1] = INIT_FP_INT;
/*
* Handle blinding if requested.
@@ -530,6 +724,7 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
if (blinding) {
if ((err = create_blinding_factors(key, bf, ubf)) != HAL_OK)
goto fail;
+ /* msg = (msg * bf) % modulus */
FP_CHECK(fp_mulmod(msg, bf, unconst_fp_int(key->n), msg));
}
@@ -571,6 +766,7 @@ static hal_error_t rsa_crt(hal_core_t *core1, hal_core_t *core2, hal_rsa_key_t *
/*
* Unblind if necessary.
*/
+ /* sig = (sig * ubf) % modulus */
if (blinding)
FP_CHECK(fp_mulmod(sig, ubf, unconst_fp_int(key->n), sig));
@@ -604,6 +800,7 @@ hal_error_t hal_rsa_encrypt(hal_core_t *core,
fp_read_unsigned_bin(i, unconst_uint8_t(input), input_len);
+ /* o = i ** e % n */
err = modexp(core, precalc, i, key->e, key->n, o,
key->nC, sizeof(key->nC), key->nF, sizeof(key->nF));
@@ -639,12 +836,18 @@ hal_error_t hal_rsa_decrypt(hal_core_t *core1,
* just do brute force ModExp.
*/
- if (!fp_iszero(key->p) && !fp_iszero(key->q) && !fp_iszero(key->u) &&
- !fp_iszero(key->dP) && !fp_iszero(key->dQ))
+ /* These should all be set if we generated the key, and we'll reject an
+ * externally generated key if it doesn't have all the components, so I'm
+ * not sure what the point is.
+ */
+ if (do_crt && !fp_iszero(key->p) && !fp_iszero(key->q) && !fp_iszero(key->u) &&
+ !fp_iszero(key->dP) && !fp_iszero(key->dQ)) {
err = rsa_crt(core1, core2, key, i, o);
+ }
else {
const int precalc = !(key->flags & RSA_FLAG_PRECALC_N_DONE);
+ /* o = i ** d % n */
err = modexp(core1, precalc, i, key->d, key->n, o, key->nC, sizeof(key->nC),
key->nF, sizeof(key->nF));
if (err == HAL_OK && precalc)
@@ -706,6 +909,7 @@ static hal_error_t load_key(const hal_key_type_t type,
switch (type) {
case HAL_KEY_TYPE_RSA_PRIVATE:
_(d); _(p); _(q); _(u); _(dP); _(dQ);
+ /* fall through */
case HAL_KEY_TYPE_RSA_PUBLIC:
_(n); _(e);
*key_ = key;
@@ -977,6 +1181,15 @@ hal_error_t hal_rsa_key_gen(hal_core_t *core,
key->flags |= RSA_FLAG_NEEDS_SAVING;
+#if 0
+ if (hal_modexp_using_modexpng()) {
+ modexpng_precalc(key->n, key->nC, sizeof(key->nC), key->nF, sizeof(key->nF));
+ modexpng_precalc(key->p, key->pC, sizeof(key->pC), key->pF, sizeof(key->pF));
+ modexpng_precalc(key->q, key->qC, sizeof(key->qC), key->qF, sizeof(key->qF));
+ key->flags |= RSA_FLAG_PRECALC_N_DONE | RSA_FLAG_PRECALC_PQ_DONE;
+ }
+#endif
+
*key_ = key;
/* Fall through to cleanup */
diff --git a/tests/Makefile b/tests/Makefile
index d186000..515c662 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) 2015, NORDUnet A/S
+# Copyright (c) 2015-2018, NORDUnet A/S
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
@@ -27,15 +27,9 @@
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-ifndef CRYPTECH_ROOT
- CRYPTECH_ROOT := $(abspath ../../..)
-endif
-
-LIBTFM_SRC ?= ${CRYPTECH_ROOT}/sw/thirdparty/libtfm
-LIBTFM_BLD ?= ${LIBTFM_SRC}
-
-LIBHAL_SRC ?= ${CRYPTECH_ROOT}/sw/libhal
+LIBHAL_SRC ?= ..
LIBHAL_BLD ?= ${LIBHAL_SRC}
+LIBTFM_BLD ?= ../../thirdparty/libtfm
LIBS = ${LIBHAL_BLD}/libhal.a ${LIBTFM_BLD}/libtfm.a
@@ -63,8 +57,6 @@ else
endif
-$(info Building libhal with configuration IO_BUS=${IO_BUS} RPC_MODE=${RPC_MODE} KS=${KS} RPC_TRANSPORT=${RPC_TRANSPORT} MODEXP_CORE=${MODEXP_CORE})
-
all: ${BIN}
test: all
@@ -76,7 +68,7 @@ clean distclean:
${BIN}: %: %.o ${LIBS}
${CC} ${CFLAGS} -o $@ $^ ${LDFLAGS}
-%.o: %.c ${LBHAL_SRC}/*.h ${LIBTFM_BLD}/tfm.h
+%.o: %.c ${LIBHAL_SRC}/*.h ${LIBTFM_BLD}/tfm.h
${CC} ${CFLAGS} -c -o $@ $<
test-rpc_hashsig.o: test-hashsig.h
diff --git a/tests/parallel-signatures.py b/tests/parallel-signatures.py
index 8d98460..980f759 100755
--- a/tests/parallel-signatures.py
+++ b/tests/parallel-signatures.py
@@ -64,6 +64,12 @@ from Crypto.Hash.SHA256 import SHA256Hash as SHA256
from Crypto.Hash.SHA384 import SHA384Hash as SHA384
from Crypto.Hash.SHA512 import SHA512Hash as SHA512
+try:
+ import statistics
+ statistics_loaded = True
+except ImportError:
+ statistics_loaded = False
+
logger = logging.getLogger(__name__)
@@ -254,6 +260,8 @@ class Result(object):
self.args = args
self.name = name
self.sum = datetime.timedelta(seconds = 0)
+ if statistics_loaded:
+ self.readings = [None] * args.iterations
self.t0 = None
self.t1 = None
self.n = 0
@@ -264,14 +272,32 @@ class Result(object):
self.t1 = t1
delta = t1 - t0
self.sum += delta
+ if statistics_loaded:
+ self.readings[self.n] = delta.total_seconds()
self.n += 1
if not self.args.quiet:
sys.stdout.write("\r{:4d} {}".format(self.n, delta))
sys.stdout.flush()
- @property
- def mean(self):
- return self.sum / self.n
+ if statistics_loaded:
+
+ @property
+ def mean(self):
+ return statistics.mean(self.readings)
+
+ @property
+ def median(self):
+ return statistics.median(self.readings)
+
+ @property
+ def stdev(self):
+ return statistics.pstdev(self.readings)
+
+ else:
+
+ @property
+ def mean(self):
+ return self.sum / self.n
@property
def secs_per_sig(self):
@@ -286,15 +312,28 @@ class Result(object):
return self.sum.total_seconds() / (self.t1 - self.t0).total_seconds()
def report(self):
- sys.stdout.write(("\r{0.name} "
- "sigs/sec {0.sigs_per_sec} "
- "secs/sig {0.secs_per_sig} "
- "mean {0.mean} "
- "speedup {0.speedup} "
- "(n {0.n}, "
- "c {0.args.clients} "
- "t0 {0.t0} "
- "t1 {0.t1})\n").format(self))
+ if statistics_loaded:
+ sys.stdout.write(("\r{0.name} "
+ "sigs/sec {0.sigs_per_sec} "
+ "secs/sig {0.secs_per_sig} "
+ "mean {0.mean} "
+ "median {0.median} "
+ "stdev {0.stdev} "
+ "speedup {0.speedup} "
+ "(n {0.n}, "
+ "c {0.args.clients} "
+ "t0 {0.t0} "
+ "t1 {0.t1})\n").format(self))
+ else:
+ sys.stdout.write(("\r{0.name} "
+ "sigs/sec {0.sigs_per_sec} "
+ "secs/sig {0.secs_per_sig} "
+ "mean {0.mean} "
+ "speedup {0.speedup} "
+ "(n {0.n}, "
+ "c {0.args.clients} "
+ "t0 {0.t0} "
+ "t1 {0.t1})\n").format(self))
sys.stdout.flush()
diff --git a/tests/test-rpc_hashsig.c b/tests/test-rpc_hashsig.c
index 00728c3..1c5765b 100644
--- a/tests/test-rpc_hashsig.c
+++ b/tests/test-rpc_hashsig.c
@@ -48,26 +48,22 @@
#include <unistd.h>
#include <hal.h>
-#include <hashsig.h>
#include "test-hashsig.h"
#include <sys/time.h>
-/* not included in my glibc, sigh... */
-void timersub(struct timeval *a, struct timeval *b, struct timeval *res)
-{
- res->tv_sec = a->tv_sec - b->tv_sec;
- res->tv_usec = a->tv_usec - b->tv_usec;
- if (res->tv_usec < 0) {
- res->tv_usec += 1000000;
- --res->tv_sec;
- }
- if (res->tv_usec > 1000000) {
- res->tv_usec -= 1000000;
- ++res->tv_sec;
- }
-}
-static int debug = 0;
+#ifndef timersub
+#define timersub(a, b, res) \
+ do { \
+ (res)->tv_sec = (a)->tv_sec - (b)->tv_sec; \
+ (res)->tv_usec = (a)->tv_usec - (b)->tv_usec; \
+ if ((res)->tv_usec < 0) { \
+ (res)->tv_usec += 1000000; \
+ --(res)->tv_sec; \
+ } \
+ } while (0)
+#endif
+
static int info = 0;
#define lose(...) do { printf(__VA_ARGS__); goto fail; } while (0)
@@ -86,10 +82,10 @@ static int test_hashsig_testvec_local(const hashsig_tc_t * const tc, hal_key_fla
if ((err = hal_hashsig_key_load_public_xdr(&tc_key,
tc_keybuf, sizeof(tc_keybuf),
tc->key.val, tc->key.len)) != HAL_OK)
- lose("Could not load public key from test vector: %s\n", hal_error_string(err));
+ lose("Error loading public key from test vector: %s\n", hal_error_string(err));
if ((err = hal_hashsig_verify(NULL, tc_key, tc->msg.val, tc->msg.len, tc->sig.val, tc->sig.len)) != HAL_OK)
- lose("Verify failed: %s\n", hal_error_string(err));
+ lose("Error verifying: %s\n", hal_error_string(err));
printf("OK\n");
return 1;
@@ -119,27 +115,27 @@ static int test_hashsig_testvec_remote(const hashsig_tc_t * const tc, hal_key_fl
if ((err = hal_hashsig_key_load_public_xdr(&tc_key,
tc_keybuf, sizeof(tc_keybuf),
tc->key.val, tc->key.len)) != HAL_OK)
- lose("Could not load public key from test vector: %s\n", hal_error_string(err));
+ lose("Error loading public key from test vector: %s\n", hal_error_string(err));
hal_uuid_t public_name;
uint8_t public_der[hal_hashsig_public_key_to_der_len(tc_key)];
if ((err = hal_hashsig_public_key_to_der(tc_key, public_der, &len, sizeof(public_der))) != HAL_OK)
- lose("Could not DER encode public key from test vector: %s\n", hal_error_string(err));
+ lose("Error DER encoding public key from test vector: %s\n", hal_error_string(err));
assert(len == sizeof(public_der));
if ((err = hal_rpc_pkey_load(client, session, &public_key, &public_name,
public_der, sizeof(public_der), flags)) != HAL_OK)
- lose("Could not load public key into RPC: %s\n", hal_error_string(err));
+ lose("Error loading public key: %s\n", hal_error_string(err));
if ((err = hal_rpc_pkey_verify(public_key, hal_hash_handle_none,
tc->msg.val, tc->msg.len, tc->sig.val, tc->sig.len)) != HAL_OK)
- lose("Could not verify: %s\n", hal_error_string(err));
+ lose("Error verifying: %s\n", hal_error_string(err));
if ((err = hal_rpc_pkey_delete(public_key)) != HAL_OK)
- lose("Could not delete public key: %s\n", hal_error_string(err));
+ goto fail_out;
printf("OK\n");
return 1;
@@ -148,7 +144,8 @@ static int test_hashsig_testvec_remote(const hashsig_tc_t * const tc, hal_key_fl
fail:
if (public_key.handle != HAL_HANDLE_NONE &&
(err = hal_rpc_pkey_delete(public_key)) != HAL_OK)
- printf("Warning: could not delete public key: %s\n", hal_error_string(err));
+ fail_out:
+ printf("Error deleting public key: %s\n", hal_error_string(err));
return 0;
}
@@ -169,36 +166,36 @@ static void hexdump(const char * const label, const uint8_t * const buf, const s
printf("\n");
}
-static inline size_t lms_type_to_h(const lms_algorithm_t lms_type)
+static inline size_t lms_type_to_h(const hal_lms_algorithm_t lms_type)
{
switch (lms_type) {
- case lms_sha256_n32_h5: return 5;
- case lms_sha256_n32_h10: return 10;
- case lms_sha256_n32_h15: return 15;
- case lms_sha256_n32_h20: return 20;
- case lms_sha256_n32_h25: return 25;
+ case HAL_LMS_SHA256_N32_H5: return 5;
+ case HAL_LMS_SHA256_N32_H10: return 10;
+ case HAL_LMS_SHA256_N32_H15: return 15;
+ case HAL_LMS_SHA256_N32_H20: return 20;
+ case HAL_LMS_SHA256_N32_H25: return 25;
default: return 0;
}
}
-static inline size_t lmots_type_to_w(const lmots_algorithm_t lmots_type)
+static inline size_t lmots_type_to_w(const hal_lmots_algorithm_t lmots_type)
{
switch (lmots_type) {
- case lmots_sha256_n32_w1: return 1;
- case lmots_sha256_n32_w2: return 2;
- case lmots_sha256_n32_w4: return 4;
- case lmots_sha256_n32_w8: return 8;
+ case HAL_LMOTS_SHA256_N32_W1: return 1;
+ case HAL_LMOTS_SHA256_N32_W2: return 2;
+ case HAL_LMOTS_SHA256_N32_W4: return 4;
+ case HAL_LMOTS_SHA256_N32_W8: return 8;
default: return 0;
}
}
-static inline size_t lmots_type_to_p(const lmots_algorithm_t lmots_type)
+static inline size_t lmots_type_to_p(const hal_lmots_algorithm_t lmots_type)
{
switch (lmots_type) {
- case lmots_sha256_n32_w1: return 265;
- case lmots_sha256_n32_w2: return 133;
- case lmots_sha256_n32_w4: return 67;
- case lmots_sha256_n32_w8: return 34;
+ case HAL_LMOTS_SHA256_N32_W1: return 265;
+ case HAL_LMOTS_SHA256_N32_W2: return 133;
+ case HAL_LMOTS_SHA256_N32_W4: return 67;
+ case HAL_LMOTS_SHA256_N32_W8: return 34;
default: return 0;
}
}
@@ -224,7 +221,7 @@ static hal_error_t dump_hss_signature(const uint8_t * const sig, const size_t le
uint32_t lmots_type;
if ((err = hal_xdr_decode_int(&sigptr, siglim, &lmots_type)) != HAL_OK) return err;
hexdump("C", sigptr, 32); sigptr += 32;
- size_t p = lmots_type_to_p((const lmots_algorithm_t)lmots_type);
+ size_t p = lmots_type_to_p((const hal_lmots_algorithm_t)lmots_type);
for (size_t j = 0; j < p; ++j) {
char label[16];
sprintf(label, "y[%lu]", j);
@@ -235,7 +232,7 @@ static hal_error_t dump_hss_signature(const uint8_t * const sig, const size_t le
hexdump("lms type", sigptr, 4);
uint32_t lms_type;
if ((err = hal_xdr_decode_int(&sigptr, siglim, &lms_type)) != HAL_OK) return err;
- size_t h = lms_type_to_h((const lms_algorithm_t)lms_type);
+ size_t h = lms_type_to_h((const hal_lms_algorithm_t)lms_type);
for (size_t j = 0; j < h; ++j) {
char label[16];
sprintf(label, "path[%lu]", j);
@@ -260,166 +257,176 @@ static hal_error_t dump_hss_signature(const uint8_t * const sig, const size_t le
return HAL_OK;
}
-static int test_hashsig_sign(const size_t L,
- const lms_algorithm_t lms_type,
- const lmots_algorithm_t lmots_type,
- size_t iterations,
- int save, int keep)
+static int test_hashsig_generate(const size_t L,
+ const hal_lms_algorithm_t lms_type,
+ const hal_lmots_algorithm_t lmots_type,
+ hal_key_flags_t flags,
+ const int keep,
+ hal_pkey_handle_t *handle)
{
const hal_client_handle_t client = {HAL_HANDLE_NONE};
const hal_session_handle_t session = {HAL_HANDLE_NONE};
hal_pkey_handle_t private_key = {HAL_HANDLE_NONE};
- hal_pkey_handle_t public_key = {HAL_HANDLE_NONE};
hal_error_t err;
- size_t len;
-
- {
- char save_name[16];
- if (save) {
- sprintf(save_name, "L%d.lms%d.ots%d", (int)L, (int)lms_type, (int)lmots_type);
- FILE *fp;
- if ((fp = fopen(save_name, "wb")) == NULL)
- lose("Error opening %s: %s\n", save_name, strerror(errno));
- size_t len1;
- if ((len1 = fwrite(tc1_msg, 1, sizeof(tc1_msg), fp)) != sizeof(tc1_msg))
- lose("Wrote %lu bytes to %s, expected %lu\n", len1, save_name, sizeof(tc1_msg));
- if (fclose(fp) != 0)
- lose("Error closing %s: %s\n", save_name, strerror(errno));
- }
+ hal_uuid_t private_name;
+ struct timeval tv_start, tv_end, tv_diff;
+
+ if (info) {
+ printf("Info: signature length %lu, lmots private key length %lu\n",
+ hal_hashsig_signature_len(L, lms_type, lmots_type),
+ hal_hashsig_lmots_private_key_len(lmots_type));
+ gettimeofday(&tv_start, NULL);
+ }
- hal_key_flags_t flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN;
-
- printf("Starting hashsig key test: L %lu, lms type %u (h=%lu), lmots type %u (w=%lu)\n",
- L, lms_type, lms_type_to_h(lms_type), lmots_type, lmots_type_to_w(lmots_type));
-
- if (info)
- printf("Info: signature length %lu, lmots private key length %lu\n",
- hal_hashsig_signature_len(L, lms_type, lmots_type),
- hal_hashsig_lmots_private_key_len(lmots_type));
-
- hal_uuid_t private_name, public_name;
- struct timeval tv_start, tv_end, tv_diff;
-
- size_t h = lms_type_to_h(lms_type);
-
- if (info)
- gettimeofday(&tv_start, NULL);
- if ((err = hal_rpc_pkey_generate_hashsig(client, session, &private_key, &private_name,
- L, lms_type, lmots_type, flags)) != HAL_OK)
- lose("Could not generate hashsig private key: %s\n", hal_error_string(err));
- if (info) {
- gettimeofday(&tv_end, NULL);
- timersub(&tv_end, &tv_start, &tv_diff);
- long per_key = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / (L * (1 << h));
- printf("Info: %ldm%ld.%03lds to generate key (%ld.%03lds per lmots key)\n",
- tv_diff.tv_sec / 60, tv_diff.tv_sec % 60, tv_diff.tv_usec / 1000,
- per_key / 1000000, (per_key % 1000000) / 1000);
- }
+ if ((err = hal_rpc_pkey_generate_hashsig(client, session, &private_key, &private_name,
+ L, lms_type, lmots_type, flags)) != HAL_OK)
+ lose("Error generating private key: %s\n", hal_error_string(err));
+
+ if (info) {
+ gettimeofday(&tv_end, NULL);
+ timersub(&tv_end, &tv_start, &tv_diff);
+ long per_key = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / (L * (1 << lms_type_to_h(lms_type)));
+ printf("Info: %ldm%ld.%03lds to generate key (%ld.%03lds per lmots key)\n",
+ (long)tv_diff.tv_sec / 60, (long)tv_diff.tv_sec % 60, (long)tv_diff.tv_usec / 1000,
+ (long)per_key / 1000000, ((long)per_key % 1000000) / 1000);
+ }
- uint8_t public_der[hal_rpc_pkey_get_public_key_len(private_key)];
+ if (keep) {
+ char name_str[HAL_UUID_TEXT_SIZE];
+ if ((err = hal_uuid_format(&private_name, name_str, sizeof(name_str))) != HAL_OK)
+ lose("Error formatting private key name: %s\n", hal_error_string(err));
+ printf("Private key name: %s\n", name_str);
+ }
- if ((err = hal_rpc_pkey_get_public_key(private_key, public_der, &len, sizeof(public_der))) != HAL_OK)
- lose("Could not DER encode public key from private key: %s\n", hal_error_string(err));
+ *handle = private_key;
+ printf("OK\n");
+ return 1;
- assert(len == sizeof(public_der));
+fail:
+ if (private_key.handle != HAL_HANDLE_NONE &&
+ (err = hal_rpc_pkey_delete(private_key)) != HAL_OK)
+ printf("Error deleting private key: %s\n", hal_error_string(err));
- if ((err = hal_rpc_pkey_load(client, session, &public_key, &public_name,
- public_der, sizeof(public_der), flags)) != HAL_OK)
- lose("Could not load public key into RPC: %s\n", hal_error_string(err));
+ handle->handle = HAL_HANDLE_NONE;
+ return 0;
+}
- if (save) {
- char fn[strlen(save_name) + 5];
- sprintf(fn, "%s.pub", save_name);
- FILE *fp;
- if ((fp = fopen(fn, "wb")) == NULL)
- lose("Error opening %s: %s\n", fn, strerror(errno));
- uint8_t pub[60];
- if ((err = hal_hashsig_public_key_der_to_xdr(public_der, sizeof(public_der), pub, &len, sizeof(pub))) != HAL_OK)
- lose("Could not XDR encode public key: %s\n", hal_error_string(err));
- size_t len1;
- if ((len1 = fwrite(pub, 1, len, fp)) != len)
- lose("Wrote %lu bytes to %s, expected %lu\n", len1, fn, len);
- if (fclose(fp) != 0)
- lose("Error closing %s: %s\n", fn, strerror(errno));
+static int test_hashsig_sign(const hal_pkey_handle_t private_key,
+ const uint8_t * const msg, const size_t msg_len,
+ const size_t iterations,
+ const char * const save_name,
+ uint8_t *sig, size_t *sig_len, const size_t sig_max)
+{
+ hal_error_t err;
+ struct timeval tv_start, tv_end, tv_diff;
+ int i;
+
+ if (info)
+ gettimeofday(&tv_start, NULL);
+
+ for (i = 0; i < iterations; ++i) {
+ if ((err = hal_rpc_pkey_sign(private_key, hal_hash_handle_none,
+ msg, msg_len,
+ sig, sig_len, sig_max)) != HAL_OK) {
+ if (i > 0 && err == HAL_ERROR_HASHSIG_KEY_EXHAUSTED)
+ break;
+ else
+ lose("Error signing (%d): %s\n", i, hal_error_string(err));
}
+ }
- if (iterations > 0) {
- uint8_t sig[hal_hashsig_signature_len(L, lms_type, lmots_type)];
-
- if (info)
- gettimeofday(&tv_start, NULL);
- int i;
- for (i = 0; i < iterations; ++i) {
- if ((err = hal_rpc_pkey_sign(private_key, hal_hash_handle_none,
- tc1_msg, sizeof(tc1_msg), sig, &len, sizeof(sig))) == HAL_OK) {
- assert(len == sizeof(sig));
- if (debug) {
- printf("Debug: received signature:\n");
- dump_hss_signature(sig, len);
- }
- }
- else {
- if (i == (1 << (L * h)) && err == HAL_ERROR_HASHSIG_KEY_EXHAUSTED)
- break;
- else
- lose("Could not sign (%d): %s\n", i, hal_error_string(err));
- }
- if (save) {
- char fn[strlen(save_name) + 16];
- sprintf(fn, "%s.%d.sig", save_name, i);
- FILE *fp;
- if ((fp = fopen(fn, "wb")) == NULL)
- lose("Error opening %s: %s\n", fn, strerror(errno));
- size_t len1;
- if ((len1 = fwrite(sig, 1, len, fp)) != len)
- lose("Wrote %lu bytes to %s, expected %lu\n", len1, fn, len);
- if (fclose(fp) != 0)
- lose("Error closing %s: %s\n", fn, strerror(errno));
- }
- }
- if (info) {
- gettimeofday(&tv_end, NULL);
- timersub(&tv_end, &tv_start, &tv_diff);
- long per_sig = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / i;
- printf("Info: %ldm%ld.%03lds to generate %d signatures (%ld.%03lds per signature)\n",
- tv_diff.tv_sec / 60, tv_diff.tv_sec % 60, tv_diff.tv_usec / 1000, i,
- per_sig / 1000000, (per_sig % 1000000) / 1000);
- }
+ if (info) {
+ gettimeofday(&tv_end, NULL);
+ timersub(&tv_end, &tv_start, &tv_diff);
+ long per_sig = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / i;
+ printf("Info: %ldm%ld.%03lds to generate %d signatures (%ld.%03lds per signature)\n",
+ (long)tv_diff.tv_sec / 60, (long)tv_diff.tv_sec % 60, (long)tv_diff.tv_usec / 1000, i,
+ (long)per_sig / 1000000, ((long)per_sig % 1000000) / 1000);
+ }
- if (info)
- gettimeofday(&tv_start, NULL);
- if ((err = hal_rpc_pkey_verify(public_key, hal_hash_handle_none,
- tc1_msg, sizeof(tc1_msg), sig, len)) != HAL_OK)
- lose("Could not verify: %s\n", hal_error_string(err));
- if (info) {
- gettimeofday(&tv_end, NULL);
- timersub(&tv_end, &tv_start, &tv_diff);
- printf("Info: %ldm%ld.%03lds to verify 1 signature\n",
- tv_diff.tv_sec / 60, tv_diff.tv_sec % 60, tv_diff.tv_usec / 1000);
- }
- }
+ if (*save_name) {
+ /* save the signature for interop verification */
+ char fn[strlen(save_name) + 5];
+ sprintf(fn, "%s.sig", save_name);
+ FILE *fp;
+ if ((fp = fopen(fn, "wb")) == NULL)
+ lose("Error opening %s: %s\n", fn, strerror(errno));
+ size_t len;
+ if ((len = fwrite(sig, 1, *sig_len, fp)) != *sig_len)
+ lose("Error: wrote %lu bytes to %s, expected %lu\n", len, fn, *sig_len);
+ if (fclose(fp) != 0)
+ lose("Error closing %s: %s\n", fn, strerror(errno));
+ }
- if (!keep) {
- if ((err = hal_rpc_pkey_delete(private_key)) != HAL_OK)
- lose("Could not delete private key: %s\n", hal_error_string(err));
- }
+ printf("OK\n");
+ return 1;
- if ((err = hal_rpc_pkey_delete(public_key)) != HAL_OK)
- lose("Could not delete public key: %s\n", hal_error_string(err));
+fail:
+ return 0;
+}
- printf("OK\n");
- return 1;
+static int test_hashsig_verify(const hal_pkey_handle_t private_key,
+ const uint8_t * const msg, const size_t msg_len,
+ const char * const save_name,
+ uint8_t *sig, size_t sig_len)
+{
+ const hal_client_handle_t client = {HAL_HANDLE_NONE};
+ const hal_session_handle_t session = {HAL_HANDLE_NONE};
+ hal_error_t err;
+
+ hal_pkey_handle_t public_key = {HAL_HANDLE_NONE};
+ hal_uuid_t public_name;
+ uint8_t public_der[hal_rpc_pkey_get_public_key_len(private_key)];
+ size_t der_len;
+
+ if ((err = hal_rpc_pkey_get_public_key(private_key, public_der, &der_len, sizeof(public_der))) != HAL_OK)
+ lose("Error DER encoding public key from private key: %s\n", hal_error_string(err));
+ assert(der_len == sizeof(public_der));
+
+ if ((err = hal_rpc_pkey_load(client, session, &public_key, &public_name,
+ public_der, sizeof(public_der), HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE)) != HAL_OK)
+ lose("Error loading public key: %s\n", hal_error_string(err));
+
+ if (*save_name) {
+ /* save the public key for interop verification */
+ char fn[strlen(save_name) + 5];
+ sprintf(fn, "%s.pub", save_name);
+ FILE *fp;
+ if ((fp = fopen(fn, "wb")) == NULL)
+ lose("Error opening %s: %s\n", fn, strerror(errno));
+ uint8_t pub[60];
+ size_t xdr_len;
+ if ((err = hal_hashsig_public_key_der_to_xdr(public_der, sizeof(public_der), pub, &xdr_len, sizeof(pub))) != HAL_OK)
+ lose("Error XDR encoding public key: %s\n", hal_error_string(err));
+ size_t write_len;
+ if ((write_len = fwrite(pub, 1, xdr_len, fp)) != xdr_len)
+ lose("Wrote %lu bytes to %s, expected %lu\n", write_len, fn, xdr_len);
+ if (fclose(fp) != 0)
+ lose("Error closing %s: %s\n", fn, strerror(errno));
}
-fail:
- if (private_key.handle != HAL_HANDLE_NONE &&
- (err = hal_rpc_pkey_delete(private_key)) != HAL_OK)
- printf("Warning: could not delete private key: %s\n", hal_error_string(err));
+ struct timeval tv_start, tv_end, tv_diff;
+ if (info)
+ gettimeofday(&tv_start, NULL);
- if (public_key.handle != HAL_HANDLE_NONE &&
- (err = hal_rpc_pkey_delete(public_key)) != HAL_OK)
- printf("Warning: could not delete public key: %s\n", hal_error_string(err));
+ if ((err = hal_rpc_pkey_verify(public_key, hal_hash_handle_none,
+ msg, msg_len, sig, sig_len)) != HAL_OK)
+ lose("Error verifying: %s\n", hal_error_string(err));
+
+ if (info) {
+ gettimeofday(&tv_end, NULL);
+ timersub(&tv_end, &tv_start, &tv_diff);
+ printf("Info: %ldm%ld.%03lds to verify 1 signature\n",
+ (long)tv_diff.tv_sec / 60, (long)tv_diff.tv_sec % 60, (long)tv_diff.tv_usec / 1000);
+ }
+ if ((err = hal_rpc_pkey_delete(public_key)) != HAL_OK)
+ lose("Error deleting public key: %s\n", hal_error_string(err));
+
+ printf("OK\n");
+ return 1;
+
+fail:
return 0;
}
@@ -437,7 +444,7 @@ static int read_sig(char *fn)
uint8_t sig[statbuf.st_size];
size_t len;
if ((len = fread(sig, 1, sizeof(sig), fp)) != sizeof(sig))
- lose("Read %lu bytes from %s, expected %lu\n", len, fn, sizeof(sig));
+ lose("Error: read %lu bytes from %s, expected %lu\n", len, fn, sizeof(sig));
if (fclose(fp) != 0)
lose("Error closing %s: %s\n", fn, strerror(errno));
@@ -455,21 +462,24 @@ fail:
int main(int argc, char *argv[])
{
const hal_client_handle_t client = {HAL_HANDLE_NONE};
+ const hal_session_handle_t session = {HAL_HANDLE_NONE};
char *pin = "fnord";
- int do_default = 1;
int do_testvec = 0;
- size_t iterations = 1;
+ size_t iterations = 0;
size_t L_lo = 0, L_hi = 0;
size_t lms_lo = 5, lms_hi = 0;
size_t lmots_lo = 3, lmots_hi = 0;
- int save = 0, keep = 0;
+ int save = 0, keep = 0, verify = 0;
+ char *name = NULL;
+ hal_key_flags_t flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN;
char *p;
hal_error_t err;
int ok = 1;
+ uint8_t *msg = tc1_msg;
+ size_t msg_len = sizeof(tc1_msg);
char usage[] = "\
-Usage: %s [-d] [-i] [-p pin] [-t] [-L n] [-l n] [-o n] [-n n] [-s] [-r file]\n\
- -d: enable debugging - hexdump signatures\n\
+Usage: %s [-i] [-p pin] [-t] [-L #] [-l #] [-o #] [-n #] [-s] [-r file] [-m file] [-x] [-v]\n\
-i: enable informational messages - runtimes and signature lengths\n\
-p: user PIN\n\
-t: verify test vectors\n\
@@ -477,23 +487,23 @@ Usage: %s [-d] [-i] [-p pin] [-t] [-L n] [-l n] [-o n] [-n n] [-s] [-r file]\n\
-l: LMS type (5..9)\n\
-o: LM-OTS type (1..4)\n\
-n: number of signatures to generate (0..'max')\n\
- -s: save generated public key and signatures\n\
-k: keep (don't delete) the generated keys on the hsm\n\
+ -K: use named key for signing (don't generate)\n\
+ -s: save generated public key and signatures for interop verification\n\
-r: read and pretty-print a saved signature file\n\
+ -m: use file as message to be signed\n\
+ -x: mark key as exportable\n\
+ -v: verify generated signature\n\
Numeric arguments can be a single number or a range, e.g. '1..4'\n";
int opt;
- while ((opt = getopt(argc, argv, "ditp:L:l:o:n:skr:h?")) != -1) {
+ while ((opt = getopt(argc, argv, "itp:L:l:o:n:skK:r:xvm:h?")) != -1) {
switch (opt) {
- case 'd':
- debug = 1;
- break;
case 'i':
info = 1;
break;
case 't':
do_testvec = 1;
- do_default = 0;
break;
case 'p':
pin = optarg;
@@ -503,28 +513,24 @@ Numeric arguments can be a single number or a range, e.g. '1..4'\n";
iterations = (size_t)-1;
else
iterations = (size_t)atoi(optarg);
- do_default = 0;
break;
case 'L':
if ((p = strtok(optarg, ".")) != NULL)
L_lo = (size_t)atoi(p);
if ((p = strtok(NULL, ".")) != NULL)
L_hi = (size_t)atoi(p);
- do_default = 0;
break;
case 'l':
if ((p = strtok(optarg, ".")) != NULL)
lms_lo = (size_t)atoi(p);
if ((p = strtok(NULL, ".")) != NULL)
lms_hi = (size_t)atoi(p);
- do_default = 0;
break;
case 'o':
if ((p = strtok(optarg, ".")) != NULL)
lmots_lo = (size_t)atoi(p);
if ((p = strtok(NULL, ".")) != NULL)
lmots_hi = (size_t)atoi(p);
- do_default = 0;
break;
case's':
save = 1;
@@ -532,34 +538,57 @@ Numeric arguments can be a single number or a range, e.g. '1..4'\n";
case 'k':
keep = 1;
break;
+ case 'K':
+ name = optarg;
+ break;
case 'r':
ok &= read_sig(optarg);
- do_default = 0;
break;
+ case 'x':
+ flags |= HAL_KEY_FLAG_EXPORTABLE;
+ break;
+ case 'v':
+ verify = 1;
+ if (iterations == 0)
+ iterations = 1;
+ break;
+ case 'm':
+ {
+ FILE *fp;
+ struct stat statbuf;
+ if (stat(optarg, &statbuf) != 0)
+ lose("Error statting %s: %s\n", optarg, strerror(errno));
+ msg_len = statbuf.st_size;
+ if ((msg = malloc(msg_len)) == NULL)
+ lose("Error allocating message buffer: %s\n", strerror(errno));
+ if ((fp = fopen(optarg, "rb")) == NULL)
+ lose("Error opening %s: %s\n", optarg, strerror(errno));
+ size_t len;
+ if ((len = fread(msg, 1, msg_len, fp)) != msg_len)
+ lose("Error: read %lu bytes from %s, expected %lu\n", len, optarg, msg_len);
+ if (fclose(fp) != 0)
+ lose("Error closing %s: %s\n", optarg, strerror(errno));
+ break;
+ }
case 'h':
case '?':
fprintf(stdout, usage, argv[0]);
- exit(EXIT_SUCCESS);
+ return EXIT_SUCCESS;
default:
fprintf(stderr, usage, argv[0]);
- exit(EXIT_FAILURE);
+ return EXIT_FAILURE;
}
}
- if (do_default) {
- do_testvec = 1;
- L_lo = 1;
- }
-
if (L_hi < L_lo) L_hi = L_lo;
if (lms_hi < lms_lo) lms_hi = lms_lo;
if (lmots_hi < lmots_lo) lmots_hi = lmots_lo;
if ((err = hal_rpc_client_init()) != HAL_OK)
- printf("Warning: Trouble initializing RPC client: %s\n", hal_error_string(err));
+ lose("Error initializing RPC client: %s\n", hal_error_string(err));
if ((err = hal_rpc_login(client, HAL_USER_NORMAL, pin, strlen(pin))) != HAL_OK)
- printf("Warning: Trouble logging into HSM: %s\n", hal_error_string(err));
+ lose("Error logging into HSM: %s\n", hal_error_string(err));
if (do_testvec) {
for (int i = 0; i < (sizeof(hashsig_tc)/sizeof(*hashsig_tc)); i++)
@@ -574,21 +603,88 @@ Numeric arguments can be a single number or a range, e.g. '1..4'\n";
/* A single test would be of the form '-L 2 -l 5 -o 3 -n 1' */
/* A range test of just keygen would be of the form '-o 1..4 -n 0' */
/* A test to key exhaustion would be of the form '-n max' */
- if (L_lo > 0) {
- for (size_t L = L_lo; L <= L_hi; ++L) {
- for (lms_algorithm_t lms_type = lms_lo; lms_type <= lms_hi; ++lms_type) {
- for (lmots_algorithm_t lmots_type = lmots_lo; lmots_type <= lmots_hi; ++lmots_type) {
- ok &= test_hashsig_sign(L, lms_type, lmots_type, iterations, save, keep);
+
+ if (name != NULL) {
+ hal_uuid_t uuid;
+ hal_pkey_handle_t private_key = {HAL_HANDLE_NONE};
+
+ if ((err = hal_uuid_parse(&uuid, name)) != HAL_OK)
+ lose("Error parsing private key name: %s\n", hal_error_string(err));
+
+ else if ((err = hal_rpc_pkey_open(client, session, &private_key, &uuid)) != HAL_OK)
+ lose("Error opening private key: %s\n", hal_error_string(err));
+
+ if (save) {
+ /* save the message for interop verification */
+ FILE *fp;
+ if ((fp = fopen(name, "wb")) == NULL)
+ lose("Error opening %s: %s\n", name, strerror(errno));
+ size_t write_len;
+ if ((write_len = fwrite(msg, 1, msg_len, fp)) != msg_len)
+ lose("Error: wrote %lu bytes to %s, expected %lu\n", write_len, name, msg_len);
+ if (fclose(fp) != 0)
+ lose("Error closing %s: %s\n", name, strerror(errno));
+ }
+
+ uint8_t sig[16000];
+ size_t sig_len;
+ if (iterations > 0)
+ ok &= test_hashsig_sign(private_key, msg, msg_len, iterations,
+ save ? name : "", sig, &sig_len, sizeof(sig));
+
+ if (ok && verify)
+ ok &= test_hashsig_verify(private_key, msg, msg_len, save ? name : "", sig, sig_len);
+
+ /* implicitly keep the key */
+ }
+
+ else {
+ if (L_lo) {
+ for (size_t L = L_lo; L <= L_hi; ++L) {
+ for (hal_lms_algorithm_t lms_type = lms_lo; lms_type <= lms_hi; ++lms_type) {
+ for (hal_lmots_algorithm_t lmots_type = lmots_lo; lmots_type <= lmots_hi; ++lmots_type) {
+ printf("Starting hashsig key test: L %lu, lms type %u (h=%lu), lmots type %u (w=%lu)\n",
+ L, lms_type, lms_type_to_h(lms_type), lmots_type, lmots_type_to_w(lmots_type));
+
+ char save_name[16] = "";
+ if (save) {
+ /* save the message for interop verification */
+ sprintf(save_name, "L%d.lms%d.ots%d", (int)L, (int)lms_type, (int)lmots_type);
+ FILE *fp;
+ if ((fp = fopen(save_name, "wb")) == NULL)
+ lose("Error opening %s: %s\n", save_name, strerror(errno));
+ size_t write_len;
+ if ((write_len = fwrite(msg, 1, msg_len, fp)) != msg_len)
+ lose("Error: wrote %lu bytes to %s, expected %lu\n", write_len, save_name, msg_len);
+ if (fclose(fp) != 0)
+ lose("Error closing %s: %s\n", save_name, strerror(errno));
+ }
+
+ hal_pkey_handle_t private_key = {HAL_HANDLE_NONE};
+ ok &= test_hashsig_generate(L, lms_type, lmots_type, flags, keep, &private_key);
+
+ uint8_t sig[hal_hashsig_signature_len(L, lms_type, lmots_type)];
+ size_t sig_len;
+ if (ok && iterations > 0)
+ ok &= test_hashsig_sign(private_key, msg, msg_len, iterations, save_name, sig, &sig_len, sizeof(sig));
+
+ if (ok && verify)
+ ok &= test_hashsig_verify(private_key, msg, msg_len, save_name, sig, sig_len);
+
+ if (!keep && ((err = hal_rpc_pkey_delete(private_key)) != HAL_OK))
+ lose("Error deleting private key: %s\n", hal_error_string(err));
+ }
}
}
}
}
if ((err = hal_rpc_logout(client)) != HAL_OK)
- printf("Warning: Trouble logging out of HSM: %s\n", hal_error_string(err));
+ lose("Error logging out of HSM: %s\n", hal_error_string(err));
if ((err = hal_rpc_client_close()) != HAL_OK)
- printf("Warning: Trouble shutting down RPC client: %s\n", hal_error_string(err));
+ lose("Error shutting down RPC client: %s\n", hal_error_string(err));
+fail:
return !ok;
}
diff --git a/tests/test-xdr.c b/tests/test-xdr.c
index eedf48d..f084e01 100644
--- a/tests/test-xdr.c
+++ b/tests/test-xdr.c
@@ -95,8 +95,8 @@ int main(int argc, char *argv[])
printf("\nhal_xdr_decode_variable_opaque:\n");
readptr = buf;
while (readptr < bufptr) {
- size_t len = bufptr - readptr;
- if ((ret = hal_xdr_decode_variable_opaque(&readptr, limit, readbuf, &len)) != HAL_OK) {
+ size_t len;
+ if ((ret = hal_xdr_decode_variable_opaque(&readptr, limit, readbuf, &len, bufptr - readptr)) != HAL_OK) {
printf("%s\n", hal_error_string(ret));
break;
}
diff --git a/unit-tests.py b/unit-tests.py
index 514aace..6419b27 100644
--- a/unit-tests.py
+++ b/unit-tests.py
@@ -860,11 +860,11 @@ class TestPKeyGen(TestCaseLoggedIn):
Tests involving key generation.
"""
- def sign_verify(self, hashalg, k1, k2):
+ def sign_verify(self, hashalg, k1, k2, length = 1024):
h = hsm.hash_initialize(hashalg)
h.update("Your mother was a hamster")
data = h.finalize()
- sig = k1.sign(data = data)
+ sig = k1.sign(data = data, length = length)
k1.verify(signature = sig, data = data)
k2.verify(signature = sig, data = data)
@@ -882,6 +882,13 @@ class TestPKeyGen(TestCaseLoggedIn):
self.addCleanup(k2.delete)
self.sign_verify(hashalg, k1, k2)
+ def gen_sign_verify_hashsig(self, L, lms, lmots, length):
+ k1 = hsm.pkey_generate_hashsig(L, lms, lmots, HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN)
+ self.addCleanup(k1.delete)
+ k2 = hsm.pkey_load(k1.public_key, HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN)
+ self.addCleanup(k2.delete)
+ self.sign_verify(HAL_DIGEST_ALGORITHM_SHA256, k1, k2, length)
+
def test_gen_sign_verify_ecdsa_p256_sha256(self):
self.gen_sign_verify_ecdsa(HAL_DIGEST_ALGORITHM_SHA256, HAL_CURVE_P256)
@@ -906,6 +913,12 @@ class TestPKeyGen(TestCaseLoggedIn):
with self.assertRaises(HAL_ERROR_BAD_ARGUMENTS):
hsm.pkey_generate_rsa(1028).delete()
+ def test_gen_sign_verify_hashsig_L1_h5_w4(self):
+ self.gen_sign_verify_hashsig(1, HAL_LMS_SHA256_N32_H5, HAL_LMOTS_SHA256_N32_W4, 2352)
+
+ def test_gen_sign_verify_hashsig_L2_h5_w2(self):
+ self.gen_sign_verify_hashsig(2, HAL_LMS_SHA256_N32_H5, HAL_LMOTS_SHA256_N32_W2, 8980)
+
class TestPKeyHashing(TestCaseLoggedIn):
"""
@@ -930,35 +943,42 @@ class TestPKeyHashing(TestCaseLoggedIn):
self.addCleanup(k2.delete)
method(alg, k1, k2)
+ def gen_sign_verify_hashsig(self, L, lms, lmots, length, method):
+ k1 = hsm.pkey_generate_hashsig(L, lms, lmots, HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN)
+ self.addCleanup(k1.delete)
+ k2 = hsm.pkey_load(k1.public_key, HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN)
+ self.addCleanup(k2.delete)
+ method(HAL_DIGEST_ALGORITHM_SHA256, k1, k2, length)
+
@staticmethod
def h(alg, mixed_mode = False):
h = hsm.hash_initialize(alg, mixed_mode = mixed_mode)
h.update("Your mother was a hamster")
return h
- def sign_verify_data(self, alg, k1, k2):
+ def sign_verify_data(self, alg, k1, k2, length = 1024):
data = self.h(alg, mixed_mode = True).finalize()
- sig = k1.sign(data = data)
+ sig = k1.sign(data = data, length = length)
k1.verify(signature = sig, data = data)
k2.verify(signature = sig, data = data)
- def sign_verify_remote_remote(self, alg, k1, k2):
- sig = k1.sign(hash = self.h(alg, mixed_mode = False))
+ def sign_verify_remote_remote(self, alg, k1, k2, length = 1024):
+ sig = k1.sign(hash = self.h(alg, mixed_mode = False), length = length)
k1.verify(signature = sig, hash = self.h(alg, mixed_mode = False))
k2.verify(signature = sig, hash = self.h(alg, mixed_mode = False))
- def sign_verify_remote_local(self, alg, k1, k2):
- sig = k1.sign(hash = self.h(alg, mixed_mode = False))
+ def sign_verify_remote_local(self, alg, k1, k2, length = 1024):
+ sig = k1.sign(hash = self.h(alg, mixed_mode = False), length = length)
k1.verify(signature = sig, hash = self.h(alg, mixed_mode = True))
k2.verify(signature = sig, hash = self.h(alg, mixed_mode = True))
- def sign_verify_local_remote(self, alg, k1, k2):
- sig = k1.sign(hash = self.h(alg, mixed_mode = True))
+ def sign_verify_local_remote(self, alg, k1, k2, length = 1024):
+ sig = k1.sign(hash = self.h(alg, mixed_mode = True), length = length)
k1.verify(signature = sig, hash = self.h(alg, mixed_mode = False))
k2.verify(signature = sig, hash = self.h(alg, mixed_mode = False))
- def sign_verify_local_local(self, alg, k1, k2):
- sig = k1.sign(hash = self.h(alg, mixed_mode = True))
+ def sign_verify_local_local(self, alg, k1, k2, length = 1024):
+ sig = k1.sign(hash = self.h(alg, mixed_mode = True), length = length)
k1.verify(signature = sig, hash = self.h(alg, mixed_mode = True))
k2.verify(signature = sig, hash = self.h(alg, mixed_mode = True))
@@ -1082,6 +1102,18 @@ class TestPKeyHashing(TestCaseLoggedIn):
def test_load_sign_verify_ecdsa_p521_sha512_local_local(self):
self.load_sign_verify_ecdsa(HAL_DIGEST_ALGORITHM_SHA512, HAL_CURVE_P521, self.sign_verify_local_local)
+ def test_gen_sign_verify_hashsig_L1_h5_w4_remote_remote(self):
+ self.gen_sign_verify_hashsig(1, HAL_LMS_SHA256_N32_H5, HAL_LMOTS_SHA256_N32_W4, 2352, self.sign_verify_remote_remote)
+
+ def test_gen_sign_verify_hashsig_L1_h5_w4_remote_local(self):
+ self.gen_sign_verify_hashsig(1, HAL_LMS_SHA256_N32_H5, HAL_LMOTS_SHA256_N32_W4, 2352, self.sign_verify_remote_local)
+
+ def test_gen_sign_verify_hashsig_L1_h5_w4_local_remote(self):
+ self.gen_sign_verify_hashsig(1, HAL_LMS_SHA256_N32_H5, HAL_LMOTS_SHA256_N32_W4, 2352, self.sign_verify_local_remote)
+
+ def test_gen_sign_verify_hashsig_L1_h5_w4_local_local(self):
+ self.gen_sign_verify_hashsig(1, HAL_LMS_SHA256_N32_H5, HAL_LMOTS_SHA256_N32_W4, 2352, self.sign_verify_local_local)
+
@unittest.skipUnless(pycrypto_loaded, "Requires Python Crypto package")
class TestPKeyRSAInterop(TestCaseLoggedIn):
@@ -1151,6 +1183,20 @@ class TestPKeyECDSAInterop(TestCaseLoggedIn):
self.load_sign_verify_ecdsa(HAL_DIGEST_ALGORITHM_SHA512, SHA512, HAL_CURVE_P521)
+class TestPKeyHashsigInterop(TestCaseLoggedIn):
+
+ def load_verify_hashsig(self, key, msg, sig):
+ k = hsm.pkey_load(key, HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE)
+ self.addCleanup(k.delete)
+ k.verify(signature = sig, data = msg)
+
+ def test_interop_hashsig_tc1(self):
+ self.load_verify_hashsig(hashsig_tc1_key, hashsig_tc1_msg, hashsig_tc1_sig)
+
+ def test_interop_hashsig_tc2(self):
+ self.load_verify_hashsig(hashsig_tc2_key, hashsig_tc2_msg, hashsig_tc2_sig)
+
+
class TestPKeyMatch(TestCaseLoggedIn):
"""
Tests involving PKey list and match functions.
@@ -1272,40 +1318,32 @@ class TestPKeyAttribute(TestCaseLoggedIn):
for j in xrange(n_attrs)))
pinwheel()
- # These sizes work with a 4096-byte keystore block; if you tweak
- # the undelrying block size, you may need to tweak these tests too.
+ # These sizes work with a 8192-byte keystore block; if you tweak
+ # the underlying block size, you may need to tweak these tests too.
def test_attribute_svelt_volatile_many(self):
self.load_and_fill(0, n_attrs = 64)
def test_attribute_bloat_volatile_many(self):
- self.skipUnlessAll("bloat tests with large flash blocks exceed XDR limits, sigh")
- with self.assertRaises(HAL_ERROR_RESULT_TOO_LONG):
- self.load_and_fill(0, n_attrs = 128)
+ self.load_and_fill(0, n_attrs = 128)
def test_attribute_svelt_volatile_big(self):
self.load_and_fill(0, n_attrs = 6, n_fill = 256)
def test_attribute_bloat_volatile_big(self):
- self.skipUnlessAll("bloat tests with large flash blocks exceed XDR limits, sigh")
- with self.assertRaises(HAL_ERROR_RESULT_TOO_LONG):
- self.load_and_fill(0, n_attrs = 6, n_fill = 512)
+ self.load_and_fill(0, n_attrs = 6, n_fill = 512)
def test_attribute_svelt_token_many(self):
self.load_and_fill(HAL_KEY_FLAG_TOKEN, n_attrs = 64)
def test_attribute_bloat_token_many(self):
- self.skipUnlessAll("bloat tests with large flash blocks exceed XDR limits, sigh")
- with self.assertRaises(HAL_ERROR_RESULT_TOO_LONG):
- self.load_and_fill(HAL_KEY_FLAG_TOKEN, n_attrs = 128)
+ self.load_and_fill(HAL_KEY_FLAG_TOKEN, n_attrs = 128)
def test_attribute_svelt_token_big(self):
self.load_and_fill(HAL_KEY_FLAG_TOKEN, n_attrs = 6, n_fill = 256)
def test_attribute_bloat_token_big(self):
- self.skipUnlessAll("bloat tests with large flash blocks exceed XDR limits, sigh")
- with self.assertRaises(HAL_ERROR_RESULT_TOO_LONG):
- self.load_and_fill(HAL_KEY_FLAG_TOKEN, n_attrs = 6, n_fill = 512)
+ self.load_and_fill(HAL_KEY_FLAG_TOKEN, n_attrs = 6, n_fill = 512)
@unittest.skipUnless(ecdsa_loaded, "Requires Python ECDSA package")
@@ -1931,6 +1969,466 @@ eA==
-----END PRIVATE KEY-----
''')
+# Hashsig test cases. There's no Python version of hashsig, so we're just
+# verifying pre-generated signatures from the draft.
+#
+# I could define a container class for these, but it doesn't really add value.
+
+# draft-mcgrew Test Case 1
+hashsig_tc1_key = b'''\
+\x30\x53\x30\x0f\x06\x0b\x2a\x86\x48\x86\xf7\x0d\x01\x09\x10\x03\
+\x11\x05\x00\x03\x40\x00\x30\x3d\x02\x01\x02\x02\x01\x05\x02\x01\
+\x04\x04\x10\x61\xa5\xd5\x7d\x37\xf5\xe4\x6b\xfb\x75\x20\x80\x6b\
+\x07\xa1\xb8\x04\x20\x50\x65\x0e\x3b\x31\xfe\x4a\x77\x3e\xa2\x9a\
+\x07\xf0\x9c\xf2\xea\x30\xe5\x79\xf0\xdf\x58\xef\x8e\x29\x8d\xa0\
+\x43\x4c\xb2\xb8\x78\
+'''
+hashsig_tc1_msg = b'''\
+\x54\x68\x65\x20\x70\x6f\x77\x65\x72\x73\x20\x6e\x6f\x74\x20\x64\
+\x65\x6c\x65\x67\x61\x74\x65\x64\x20\x74\x6f\x20\x74\x68\x65\x20\
+\x55\x6e\x69\x74\x65\x64\x20\x53\x74\x61\x74\x65\x73\x20\x62\x79\
+\x20\x74\x68\x65\x20\x43\x6f\x6e\x73\x74\x69\x74\x75\x74\x69\x6f\
+\x6e\x2c\x20\x6e\x6f\x72\x20\x70\x72\x6f\x68\x69\x62\x69\x74\x65\
+\x64\x20\x62\x79\x20\x69\x74\x20\x74\x6f\x20\x74\x68\x65\x20\x53\
+\x74\x61\x74\x65\x73\x2c\x20\x61\x72\x65\x20\x72\x65\x73\x65\x72\
+\x76\x65\x64\x20\x74\x6f\x20\x74\x68\x65\x20\x53\x74\x61\x74\x65\
+\x73\x20\x72\x65\x73\x70\x65\x63\x74\x69\x76\x65\x6c\x79\x2c\x20\
+\x6f\x72\x20\x74\x6f\x20\x74\x68\x65\x20\x70\x65\x6f\x70\x6c\x65\
+\x2e\x0a\
+'''
+hashsig_tc1_sig = b'''\
+\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x04\xd3\x2b\x56\x67\
+\x1d\x7e\xb9\x88\x33\xc4\x9b\x43\x3c\x27\x25\x86\xbc\x4a\x1c\x8a\
+\x89\x70\x52\x8f\xfa\x04\xb9\x66\xf9\x42\x6e\xb9\x96\x5a\x25\xbf\
+\xd3\x7f\x19\x6b\x90\x73\xf3\xd4\xa2\x32\xfe\xb6\x91\x28\xec\x45\
+\x14\x6f\x86\x29\x2f\x9d\xff\x96\x10\xa7\xbf\x95\xa6\x4c\x7f\x60\
+\xf6\x26\x1a\x62\x04\x3f\x86\xc7\x03\x24\xb7\x70\x7f\x5b\x4a\x8a\
+\x6e\x19\xc1\x14\xc7\xbe\x86\x6d\x48\x87\x78\xa0\xe0\x5f\xd5\xc6\
+\x50\x9a\x6e\x61\xd5\x59\xcf\x1a\x77\xa9\x70\xde\x92\x7d\x60\xc7\
+\x0d\x3d\xe3\x1a\x7f\xa0\x10\x09\x94\xe1\x62\xa2\x58\x2e\x8f\xf1\
+\xb1\x0c\xd9\x9d\x4e\x8e\x41\x3e\xf4\x69\x55\x9f\x7d\x7e\xd1\x2c\
+\x83\x83\x42\xf9\xb9\xc9\x6b\x83\xa4\x94\x3d\x16\x81\xd8\x4b\x15\
+\x35\x7f\xf4\x8c\xa5\x79\xf1\x9f\x5e\x71\xf1\x84\x66\xf2\xbb\xef\
+\x4b\xf6\x60\xc2\x51\x8e\xb2\x0d\xe2\xf6\x6e\x3b\x14\x78\x42\x69\
+\xd7\xd8\x76\xf5\xd3\x5d\x3f\xbf\xc7\x03\x9a\x46\x2c\x71\x6b\xb9\
+\xf6\x89\x1a\x7f\x41\xad\x13\x3e\x9e\x1f\x6d\x95\x60\xb9\x60\xe7\
+\x77\x7c\x52\xf0\x60\x49\x2f\x2d\x7c\x66\x0e\x14\x71\xe0\x7e\x72\
+\x65\x55\x62\x03\x5a\xbc\x9a\x70\x1b\x47\x3e\xcb\xc3\x94\x3c\x6b\
+\x9c\x4f\x24\x05\xa3\xcb\x8b\xf8\xa6\x91\xca\x51\xd3\xf6\xad\x2f\
+\x42\x8b\xab\x6f\x3a\x30\xf5\x5d\xd9\x62\x55\x63\xf0\xa7\x5e\xe3\
+\x90\xe3\x85\xe3\xae\x0b\x90\x69\x61\xec\xf4\x1a\xe0\x73\xa0\x59\
+\x0c\x2e\xb6\x20\x4f\x44\x83\x1c\x26\xdd\x76\x8c\x35\xb1\x67\xb2\
+\x8c\xe8\xdc\x98\x8a\x37\x48\x25\x52\x30\xce\xf9\x9e\xbf\x14\xe7\
+\x30\x63\x2f\x27\x41\x44\x89\x80\x8a\xfa\xb1\xd1\xe7\x83\xed\x04\
+\x51\x6d\xe0\x12\x49\x86\x82\x21\x2b\x07\x81\x05\x79\xb2\x50\x36\
+\x59\x41\xbc\xc9\x81\x42\xda\x13\x60\x9e\x97\x68\xaa\xf6\x5d\xe7\
+\x62\x0d\xab\xec\x29\xeb\x82\xa1\x7f\xde\x35\xaf\x15\xad\x23\x8c\
+\x73\xf8\x1b\xdb\x8d\xec\x2f\xc0\xe7\xf9\x32\x70\x10\x99\x76\x2b\
+\x37\xf4\x3c\x4a\x3c\x20\x01\x0a\x3d\x72\xe2\xf6\x06\xbe\x10\x8d\
+\x31\x0e\x63\x9f\x09\xce\x72\x86\x80\x0d\x9e\xf8\xa1\xa4\x02\x81\
+\xcc\x5a\x7e\xa9\x8d\x2a\xdc\x7c\x74\x00\xc2\xfe\x5a\x10\x15\x52\
+\xdf\x4e\x3c\xcc\xfd\x0c\xbf\x2d\xdf\x5d\xc6\x77\x9c\xbb\xc6\x8f\
+\xee\x0c\x3e\xfe\x4e\xc2\x2b\x83\xa2\xca\xa3\xe4\x8e\x08\x09\xa0\
+\xa7\x50\xb7\x3c\xcd\xcf\x3c\x79\xe6\x58\x0c\x15\x4f\x8a\x58\xf7\
+\xf2\x43\x35\xee\xc5\xc5\xeb\x5e\x0c\xf0\x1d\xcf\x44\x39\x42\x40\
+\x95\xfc\xeb\x07\x7f\x66\xde\xd5\xbe\xc7\x3b\x27\xc5\xb9\xf6\x4a\
+\x2a\x9a\xf2\xf0\x7c\x05\xe9\x9e\x5c\xf8\x0f\x00\x25\x2e\x39\xdb\
+\x32\xf6\xc1\x96\x74\xf1\x90\xc9\xfb\xc5\x06\xd8\x26\x85\x77\x13\
+\xaf\xd2\xca\x6b\xb8\x5c\xd8\xc1\x07\x34\x75\x52\xf3\x05\x75\xa5\
+\x41\x78\x16\xab\x4d\xb3\xf6\x03\xf2\xdf\x56\xfb\xc4\x13\xe7\xd0\
+\xac\xd8\xbd\xd8\x13\x52\xb2\x47\x1f\xc1\xbc\x4f\x1e\xf2\x96\xfe\
+\xa1\x22\x04\x03\x46\x6b\x1a\xfe\x78\xb9\x4f\x7e\xcf\x7c\xc6\x2f\
+\xb9\x2b\xe1\x4f\x18\xc2\x19\x23\x84\xeb\xce\xaf\x88\x01\xaf\xdf\
+\x94\x7f\x69\x8c\xe9\xc6\xce\xb6\x96\xed\x70\xe9\xe8\x7b\x01\x44\
+\x41\x7e\x8d\x7b\xaf\x25\xeb\x5f\x70\xf0\x9f\x01\x6f\xc9\x25\xb4\
+\xdb\x04\x8a\xb8\xd8\xcb\x2a\x66\x1c\xe3\xb5\x7a\xda\x67\x57\x1f\
+\x5d\xd5\x46\xfc\x22\xcb\x1f\x97\xe0\xeb\xd1\xa6\x59\x26\xb1\x23\
+\x4f\xd0\x4f\x17\x1c\xf4\x69\xc7\x6b\x88\x4c\xf3\x11\x5c\xce\x6f\
+\x79\x2c\xc8\x4e\x36\xda\x58\x96\x0c\x5f\x1d\x76\x0f\x32\xc1\x2f\
+\xae\xf4\x77\xe9\x4c\x92\xeb\x75\x62\x5b\x6a\x37\x1e\xfc\x72\xd6\
+\x0c\xa5\xe9\x08\xb3\xa7\xdd\x69\xfe\xf0\x24\x91\x50\xe3\xee\xbd\
+\xfe\xd3\x9c\xbd\xc3\xce\x97\x04\x88\x2a\x20\x72\xc7\x5e\x13\x52\
+\x7b\x7a\x58\x1a\x55\x61\x68\x78\x3d\xc1\xe9\x75\x45\xe3\x18\x65\
+\xdd\xc4\x6b\x3c\x95\x78\x35\xda\x25\x2b\xb7\x32\x8d\x3e\xe2\x06\
+\x24\x45\xdf\xb8\x5e\xf8\xc3\x5f\x8e\x1f\x33\x71\xaf\x34\x02\x3c\
+\xef\x62\x6e\x0a\xf1\xe0\xbc\x01\x73\x51\xaa\xe2\xab\x8f\x5c\x61\
+\x2e\xad\x0b\x72\x9a\x1d\x05\x9d\x02\xbf\xe1\x8e\xfa\x97\x1b\x73\
+\x00\xe8\x82\x36\x0a\x93\xb0\x25\xff\x97\xe9\xe0\xee\xc0\xf3\xf3\
+\xf1\x30\x39\xa1\x7f\x88\xb0\xcf\x80\x8f\x48\x84\x31\x60\x6c\xb1\
+\x3f\x92\x41\xf4\x0f\x44\xe5\x37\xd3\x02\xc6\x4a\x4f\x1f\x4a\xb9\
+\x49\xb9\xfe\xef\xad\xcb\x71\xab\x50\xef\x27\xd6\xd6\xca\x85\x10\
+\xf1\x50\xc8\x5f\xb5\x25\xbf\x25\x70\x3d\xf7\x20\x9b\x60\x66\xf0\
+\x9c\x37\x28\x0d\x59\x12\x8d\x2f\x0f\x63\x7c\x7d\x7d\x7f\xad\x4e\
+\xd1\xc1\xea\x04\xe6\x28\xd2\x21\xe3\xd8\xdb\x77\xb7\xc8\x78\xc9\
+\x41\x1c\xaf\xc5\x07\x1a\x34\xa0\x0f\x4c\xf0\x77\x38\x91\x27\x53\
+\xdf\xce\x48\xf0\x75\x76\xf0\xd4\xf9\x4f\x42\xc6\xd7\x6f\x7c\xe9\
+\x73\xe9\x36\x70\x95\xba\x7e\x9a\x36\x49\xb7\xf4\x61\xd9\xf9\xac\
+\x13\x32\xa4\xd1\x04\x4c\x96\xae\xfe\xe6\x76\x76\x40\x1b\x64\x45\
+\x7c\x54\xd6\x5f\xef\x65\x00\xc5\x9c\xdf\xb6\x9a\xf7\xb6\xdd\xdf\
+\xcb\x0f\x08\x62\x78\xdd\x8a\xd0\x68\x60\x78\xdf\xb0\xf3\xf7\x9c\
+\xd8\x93\xd3\x14\x16\x86\x48\x49\x98\x98\xfb\xc0\xce\xd5\xf9\x5b\
+\x74\xe8\xff\x14\xd7\x35\xcd\xea\x96\x8b\xee\x74\x00\x00\x00\x05\
+\xd8\xb8\x11\x2f\x92\x00\xa5\xe5\x0c\x4a\x26\x21\x65\xbd\x34\x2c\
+\xd8\x00\xb8\x49\x68\x10\xbc\x71\x62\x77\x43\x5a\xc3\x76\x72\x8d\
+\x12\x9a\xc6\xed\xa8\x39\xa6\xf3\x57\xb5\xa0\x43\x87\xc5\xce\x97\
+\x38\x2a\x78\xf2\xa4\x37\x29\x17\xee\xfc\xbf\x93\xf6\x3b\xb5\x91\
+\x12\xf5\xdb\xe4\x00\xbd\x49\xe4\x50\x1e\x85\x9f\x88\x5b\xf0\x73\
+\x6e\x90\xa5\x09\xb3\x0a\x26\xbf\xac\x8c\x17\xb5\x99\x1c\x15\x7e\
+\xb5\x97\x11\x15\xaa\x39\xef\xd8\xd5\x64\xa6\xb9\x02\x82\xc3\x16\
+\x8a\xf2\xd3\x0e\xf8\x9d\x51\xbf\x14\x65\x45\x10\xa1\x2b\x8a\x14\
+\x4c\xca\x18\x48\xcf\x7d\xa5\x9c\xc2\xb3\xd9\xd0\x69\x2d\xd2\xa2\
+\x0b\xa3\x86\x34\x80\xe2\x5b\x1b\x85\xee\x86\x0c\x62\xbf\x51\x36\
+\x00\x00\x00\x05\x00\x00\x00\x04\xd2\xf1\x4f\xf6\x34\x6a\xf9\x64\
+\x56\x9f\x7d\x6c\xb8\x80\xa1\xb6\x6c\x50\x04\x91\x7d\xa6\xea\xfe\
+\x4d\x9e\xf6\xc6\x40\x7b\x3d\xb0\xe5\x48\x5b\x12\x2d\x9e\xbe\x15\
+\xcd\xa9\x3c\xfe\xc5\x82\xd7\xab\x00\x00\x00\x0a\x00\x00\x00\x04\
+\x07\x03\xc4\x91\xe7\x55\x8b\x35\x01\x1e\xce\x35\x92\xea\xa5\xda\
+\x4d\x91\x87\x86\x77\x12\x33\xe8\x35\x3b\xc4\xf6\x23\x23\x18\x5c\
+\x95\xca\xe0\x5b\x89\x9e\x35\xdf\xfd\x71\x70\x54\x70\x62\x09\x98\
+\x8e\xbf\xdf\x6e\x37\x96\x0b\xb5\xc3\x8d\x76\x57\xe8\xbf\xfe\xef\
+\x9b\xc0\x42\xda\x4b\x45\x25\x65\x04\x85\xc6\x6d\x0c\xe1\x9b\x31\
+\x75\x87\xc6\xba\x4b\xff\xcc\x42\x8e\x25\xd0\x89\x31\xe7\x2d\xfb\
+\x6a\x12\x0c\x56\x12\x34\x42\x58\xb8\x5e\xfd\xb7\xdb\x1d\xb9\xe1\
+\x86\x5a\x73\xca\xf9\x65\x57\xeb\x39\xed\x3e\x3f\x42\x69\x33\xac\
+\x9e\xed\xdb\x03\xa1\xd2\x37\x4a\xf7\xbf\x77\x18\x55\x77\x45\x62\
+\x37\xf9\xde\x2d\x60\x11\x3c\x23\xf8\x46\xdf\x26\xfa\x94\x20\x08\
+\xa6\x98\x99\x4c\x08\x27\xd9\x0e\x86\xd4\x3e\x0d\xf7\xf4\xbf\xcd\
+\xb0\x9b\x86\xa3\x73\xb9\x82\x88\xb7\x09\x4a\xd8\x1a\x01\x85\xac\
+\x10\x0e\x4f\x2c\x5f\xc3\x8c\x00\x3c\x1a\xb6\xfe\xa4\x79\xeb\x2f\
+\x5e\xbe\x48\xf5\x84\xd7\x15\x9b\x8a\xda\x03\x58\x6e\x65\xad\x9c\
+\x96\x9f\x6a\xec\xbf\xe4\x4c\xf3\x56\x88\x8a\x7b\x15\xa3\xff\x07\
+\x4f\x77\x17\x60\xb2\x6f\x9c\x04\x88\x4e\xe1\xfa\xa3\x29\xfb\xf4\
+\xe6\x1a\xf2\x3a\xee\x7f\xa5\xd4\xd9\xa5\xdf\xcf\x43\xc4\xc2\x6c\
+\xe8\xae\xa2\xce\x8a\x29\x90\xd7\xba\x7b\x57\x10\x8b\x47\xda\xbf\
+\xbe\xad\xb2\xb2\x5b\x3c\xac\xc1\xac\x0c\xef\x34\x6c\xbb\x90\xfb\
+\x04\x4b\xee\xe4\xfa\xc2\x60\x3a\x44\x2b\xdf\x7e\x50\x72\x43\xb7\
+\x31\x9c\x99\x44\xb1\x58\x6e\x89\x9d\x43\x1c\x7f\x91\xbc\xcc\xc8\
+\x69\x0d\xbf\x59\xb2\x83\x86\xb2\x31\x5f\x3d\x36\xef\x2e\xaa\x3c\
+\xf3\x0b\x2b\x51\xf4\x8b\x71\xb0\x03\xdf\xb0\x82\x49\x48\x42\x01\
+\x04\x3f\x65\xf5\xa3\xef\x6b\xbd\x61\xdd\xfe\xe8\x1a\xca\x9c\xe6\
+\x00\x81\x26\x2a\x00\x00\x04\x80\xdc\xbc\x9a\x3d\xa6\xfb\xef\x5c\
+\x1c\x0a\x55\xe4\x8a\x0e\x72\x9f\x91\x84\xfc\xb1\x40\x7c\x31\x52\
+\x9d\xb2\x68\xf6\xfe\x50\x03\x2a\x36\x3c\x98\x01\x30\x68\x37\xfa\
+\xfa\xbd\xf9\x57\xfd\x97\xea\xfc\x80\xdb\xd1\x65\xe4\x35\xd0\xe2\
+\xdf\xd8\x36\xa2\x8b\x35\x40\x23\x92\x4b\x6f\xb7\xe4\x8b\xc0\xb3\
+\xed\x95\xee\xa6\x4c\x2d\x40\x2f\x4d\x73\x4c\x8d\xc2\x6f\x3a\xc5\
+\x91\x82\x5d\xae\xf0\x1e\xae\x3c\x38\xe3\x32\x8d\x00\xa7\x7d\xc6\
+\x57\x03\x4f\x28\x7c\xcb\x0f\x0e\x1c\x9a\x7c\xbd\xc8\x28\xf6\x27\
+\x20\x5e\x47\x37\xb8\x4b\x58\x37\x65\x51\xd4\x4c\x12\xc3\xc2\x15\
+\xc8\x12\xa0\x97\x07\x89\xc8\x3d\xe5\x1d\x6a\xd7\x87\x27\x19\x63\
+\x32\x7f\x0a\x5f\xbb\x6b\x59\x07\xde\xc0\x2c\x9a\x90\x93\x4a\xf5\
+\xa1\xc6\x3b\x72\xc8\x26\x53\x60\x5d\x1d\xcc\xe5\x15\x96\xb3\xc2\
+\xb4\x56\x96\x68\x9f\x2e\xb3\x82\x00\x74\x97\x55\x76\x92\xca\xac\
+\x4d\x57\xb5\xde\x9f\x55\x69\xbc\x2a\xd0\x13\x7f\xd4\x7f\xb4\x7e\
+\x66\x4f\xcb\x6d\xb4\x97\x1f\x5b\x3e\x07\xac\xed\xa9\xac\x13\x0e\
+\x9f\x38\x18\x2d\xe9\x94\xcf\xf1\x92\xec\x0e\x82\xfd\x6d\x4c\xb7\
+\xf3\xfe\x00\x81\x25\x89\xb7\xa7\xce\x51\x54\x40\x45\x64\x33\x01\
+\x6b\x84\xa5\x9b\xec\x66\x19\xa1\xc6\xc0\xb3\x7d\xd1\x45\x0e\xd4\
+\xf2\xd8\xb5\x84\x41\x0c\xed\xa8\x02\x5f\x5d\x2d\x8d\xd0\xd2\x17\
+\x6f\xc1\xcf\x2c\xc0\x6f\xa8\xc8\x2b\xed\x4d\x94\x4e\x71\x33\x9e\
+\xce\x78\x0f\xd0\x25\xbd\x41\xec\x34\xeb\xff\x9d\x42\x70\xa3\x22\
+\x4e\x01\x9f\xcb\x44\x44\x74\xd4\x82\xfd\x2d\xbe\x75\xef\xb2\x03\
+\x89\xcc\x10\xcd\x60\x0a\xbb\x54\xc4\x7e\xde\x93\xe0\x8c\x11\x4e\
+\xdb\x04\x11\x7d\x71\x4d\xc1\xd5\x25\xe1\x1b\xed\x87\x56\x19\x2f\
+\x92\x9d\x15\x46\x2b\x93\x9f\xf3\xf5\x2f\x22\x52\xda\x2e\xd6\x4d\
+\x8f\xae\x88\x81\x8b\x1e\xfa\x2c\x7b\x08\xc8\x79\x4f\xb1\xb2\x14\
+\xaa\x23\x3d\xb3\x16\x28\x33\x14\x1e\xa4\x38\x3f\x1a\x6f\x12\x0b\
+\xe1\xdb\x82\xce\x36\x30\xb3\x42\x91\x14\x46\x31\x57\xa6\x4e\x91\
+\x23\x4d\x47\x5e\x2f\x79\xcb\xf0\x5e\x4d\xb6\xa9\x40\x7d\x72\xc6\
+\xbf\xf7\xd1\x19\x8b\x5c\x4d\x6a\xad\x28\x31\xdb\x61\x27\x49\x93\
+\x71\x5a\x01\x82\xc7\xdc\x80\x89\xe3\x2c\x85\x31\xde\xed\x4f\x74\
+\x31\xc0\x7c\x02\x19\x5e\xba\x2e\xf9\x1e\xfb\x56\x13\xc3\x7a\xf7\
+\xae\x0c\x06\x6b\xab\xc6\x93\x69\x70\x0e\x1d\xd2\x6e\xdd\xc0\xd2\
+\x16\xc7\x81\xd5\x6e\x4c\xe4\x7e\x33\x03\xfa\x73\x00\x7f\xf7\xb9\
+\x49\xef\x23\xbe\x2a\xa4\xdb\xf2\x52\x06\xfe\x45\xc2\x0d\xd8\x88\
+\x39\x5b\x25\x26\x39\x1a\x72\x49\x96\xa4\x41\x56\xbe\xac\x80\x82\
+\x12\x85\x87\x92\xbf\x8e\x74\xcb\xa4\x9d\xee\x5e\x88\x12\xe0\x19\
+\xda\x87\x45\x4b\xff\x9e\x84\x7e\xd8\x3d\xb0\x7a\xf3\x13\x74\x30\
+\x82\xf8\x80\xa2\x78\xf6\x82\xc2\xbd\x0a\xd6\x88\x7c\xb5\x9f\x65\
+\x2e\x15\x59\x87\xd6\x1b\xbf\x6a\x88\xd3\x6e\xe9\x3b\x60\x72\xe6\
+\x65\x6d\x9c\xcb\xaa\xe3\xd6\x55\x85\x2e\x38\xde\xb3\xa2\xdc\xf8\
+\x05\x8d\xc9\xfb\x6f\x2a\xb3\xd3\xb3\x53\x9e\xb7\x7b\x24\x8a\x66\
+\x10\x91\xd0\x5e\xb6\xe2\xf2\x97\x77\x4f\xe6\x05\x35\x98\x45\x7c\
+\xc6\x19\x08\x31\x8d\xe4\xb8\x26\xf0\xfc\x86\xd4\xbb\x11\x7d\x33\
+\xe8\x65\xaa\x80\x50\x09\xcc\x29\x18\xd9\xc2\xf8\x40\xc4\xda\x43\
+\xa7\x03\xad\x9f\x5b\x58\x06\x16\x3d\x71\x61\x69\x6b\x5a\x0a\xdc\
+\x00\x00\x00\x05\xd5\xc0\xd1\xbe\xbb\x06\x04\x8e\xd6\xfe\x2e\xf2\
+\xc6\xce\xf3\x05\xb3\xed\x63\x39\x41\xeb\xc8\xb3\xbe\xc9\x73\x87\
+\x54\xcd\xdd\x60\xe1\x92\x0a\xda\x52\xf4\x3d\x05\x5b\x50\x31\xce\
+\xe6\x19\x25\x20\xd6\xa5\x11\x55\x14\x85\x1c\xe7\xfd\x44\x8d\x4a\
+\x39\xfa\xe2\xab\x23\x35\xb5\x25\xf4\x84\xe9\xb4\x0d\x6a\x4a\x96\
+\x93\x94\x84\x3b\xdc\xf6\xd1\x4c\x48\xe8\x01\x5e\x08\xab\x92\x66\
+\x2c\x05\xc6\xe9\xf9\x0b\x65\xa7\xa6\x20\x16\x89\x99\x9f\x32\xbf\
+\xd3\x68\xe5\xe3\xec\x9c\xb7\x0a\xc7\xb8\x39\x90\x03\xf1\x75\xc4\
+\x08\x85\x08\x1a\x09\xab\x30\x34\x91\x1f\xe1\x25\x63\x10\x51\xdf\
+\x04\x08\xb3\x94\x6b\x0b\xde\x79\x09\x11\xe8\x97\x8b\xa0\x7d\xd5\
+\x6c\x73\xe7\xee\
+'''
+
+# draft-mcgrew Test Case 2
+hashsig_tc2_key = b'''\
+\x30\x53\x30\x0f\x06\x0b\x2a\x86\x48\x86\xf7\x0d\x01\x09\x10\x03\
+\x11\x05\x00\x03\x40\x00\x30\x3d\x02\x01\x02\x02\x01\x06\x02\x01\
+\x03\x04\x10\xd0\x8f\xab\xd4\xa2\x09\x1f\xf0\xa8\xcb\x4e\xd8\x34\
+\xe7\x45\x34\x04\x20\x32\xa5\x88\x85\xcd\x9b\xa0\x43\x12\x35\x46\
+\x6b\xff\x96\x51\xc6\xc9\x21\x24\x40\x4d\x45\xfa\x53\xcf\x16\x1c\
+\x28\xf1\xad\x5a\x8e\
+'''
+hashsig_tc2_msg = b'''\
+\x54\x68\x65\x20\x65\x6e\x75\x6d\x65\x72\x61\x74\x69\x6f\x6e\x20\
+\x69\x6e\x20\x74\x68\x65\x20\x43\x6f\x6e\x73\x74\x69\x74\x75\x74\
+\x69\x6f\x6e\x2c\x20\x6f\x66\x20\x63\x65\x72\x74\x61\x69\x6e\x20\
+\x72\x69\x67\x68\x74\x73\x2c\x20\x73\x68\x61\x6c\x6c\x20\x6e\x6f\
+\x74\x20\x62\x65\x20\x63\x6f\x6e\x73\x74\x72\x75\x65\x64\x20\x74\
+\x6f\x20\x64\x65\x6e\x79\x20\x6f\x72\x20\x64\x69\x73\x70\x61\x72\
+\x61\x67\x65\x20\x6f\x74\x68\x65\x72\x73\x20\x72\x65\x74\x61\x69\
+\x6e\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x70\x65\x6f\x70\x6c\
+\x65\x2e\x0a\
+'''
+hashsig_tc2_sig = b'''\
+\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x03\x3d\x46\xbe\xe8\
+\x66\x0f\x8f\x21\x5d\x3f\x96\x40\x8a\x7a\x64\xcf\x1c\x4d\xa0\x2b\
+\x63\xa5\x5f\x62\xc6\x66\xef\x57\x07\xa9\x14\xce\x06\x74\xe8\xcb\
+\x7a\x55\xf0\xc4\x8d\x48\x4f\x31\xf3\xaa\x4a\xf9\x71\x9a\x74\xf2\
+\x2c\xf8\x23\xb9\x44\x31\xd0\x1c\x92\x6e\x2a\x76\xbb\x71\x22\x6d\
+\x27\x97\x00\xec\x81\xc9\xe9\x5f\xb1\x1a\x0d\x10\xd0\x65\x27\x9a\
+\x57\x96\xe2\x65\xae\x17\x73\x7c\x44\xeb\x8c\x59\x45\x08\xe1\x26\
+\xa9\xa7\x87\x0b\xf4\x36\x08\x20\xbd\xeb\x9a\x01\xd9\x69\x37\x79\
+\xe4\x16\x82\x8e\x75\xbd\xdd\x7d\x8c\x70\xd5\x0a\x0a\xc8\xba\x39\
+\x81\x09\x09\xd4\x45\xf4\x4c\xb5\xbb\x58\xde\x73\x7e\x60\xcb\x43\
+\x45\x30\x27\x86\xef\x2c\x6b\x14\xaf\x21\x2c\xa1\x9e\xde\xaa\x3b\
+\xfc\xfe\x8b\xaa\x66\x21\xce\x88\x48\x0d\xf2\x37\x1d\xd3\x7a\xdd\
+\x73\x2c\x9d\xe4\xea\x2c\xe0\xdf\xfa\x53\xc9\x26\x49\xa1\x8d\x39\
+\xa5\x07\x88\xf4\x65\x29\x87\xf2\x26\xa1\xd4\x81\x68\x20\x5d\xf6\
+\xae\x7c\x58\xe0\x49\xa2\x5d\x49\x07\xed\xc1\xaa\x90\xda\x8a\xa5\
+\xe5\xf7\x67\x17\x73\xe9\x41\xd8\x05\x53\x60\x21\x5c\x6b\x60\xdd\
+\x35\x46\x3c\xf2\x24\x0a\x9c\x06\xd6\x94\xe9\xcb\x54\xe7\xb1\xe1\
+\xbf\x49\x4d\x0d\x1a\x28\xc0\xd3\x1a\xcc\x75\x16\x1f\x4f\x48\x5d\
+\xfd\x3c\xb9\x57\x8e\x83\x6e\xc2\xdc\x72\x2f\x37\xed\x30\x87\x2e\
+\x07\xf2\xb8\xbd\x03\x74\xeb\x57\xd2\x2c\x61\x4e\x09\x15\x0f\x6c\
+\x0d\x87\x74\xa3\x9a\x6e\x16\x82\x11\x03\x5d\xc5\x29\x88\xab\x46\
+\xea\xca\x9e\xc5\x97\xfb\x18\xb4\x93\x6e\x66\xef\x2f\x0d\xf2\x6e\
+\x8d\x1e\x34\xda\x28\xcb\xb3\xaf\x75\x23\x13\x72\x0c\x7b\x34\x54\
+\x34\xf7\x2d\x65\x31\x43\x28\xbb\xb0\x30\xd0\xf0\xf6\xd5\xe4\x7b\
+\x28\xea\x91\x00\x8f\xb1\x1b\x05\x01\x77\x05\xa8\xbe\x3b\x2a\xdb\
+\x83\xc6\x0a\x54\xf9\xd1\xd1\xb2\xf4\x76\xf9\xe3\x93\xeb\x56\x95\
+\x20\x3d\x2b\xa6\xad\x81\x5e\x6a\x11\x1e\xa2\x93\xdc\xc2\x10\x33\
+\xf9\x45\x3d\x49\xc8\xe5\xa6\x38\x7f\x58\x8b\x1e\xa4\xf7\x06\x21\
+\x7c\x15\x1e\x05\xf5\x5a\x6e\xb7\x99\x7b\xe0\x9d\x56\xa3\x26\xa3\
+\x2f\x9c\xba\x1f\xbe\x1c\x07\xbb\x49\xfa\x04\xce\xcf\x9d\xf1\xa1\
+\xb8\x15\x48\x3c\x75\xd7\xa2\x7c\xc8\x8a\xd1\xb1\x23\x8e\x5e\xa9\
+\x86\xb5\x3e\x08\x70\x45\x72\x3c\xe1\x61\x87\xed\xa2\x2e\x33\xb2\
+\xc7\x07\x09\xe5\x32\x51\x02\x5a\xbd\xe8\x93\x96\x45\xfc\x8c\x06\
+\x93\xe9\x77\x63\x92\x8f\x00\xb2\xe3\xc7\x5a\xf3\x94\x2d\x8d\xda\
+\xee\x81\xb5\x9a\x6f\x1f\x67\xef\xda\x0e\xf8\x1d\x11\x87\x3b\x59\
+\x13\x7f\x67\x80\x0b\x35\xe8\x1b\x01\x56\x3d\x18\x7c\x4a\x15\x75\
+\xa1\xac\xb9\x2d\x08\x7b\x51\x7a\x88\x33\x38\x3f\x05\xd3\x57\xef\
+\x46\x78\xde\x0c\x57\xff\x9f\x1b\x2d\xa6\x1d\xfd\xe5\xd8\x83\x18\
+\xbc\xdd\xe4\xd9\x06\x1c\xc7\x5c\x2d\xe3\xcd\x47\x40\xdd\x77\x39\
+\xca\x3e\xf6\x6f\x19\x30\x02\x6f\x47\xd9\xeb\xaa\x71\x3b\x07\x17\
+\x6f\x76\xf9\x53\xe1\xc2\xe7\xf8\xf2\x71\xa6\xca\x37\x5d\xbf\xb8\
+\x3d\x71\x9b\x16\x35\xa7\xd8\xa1\x38\x91\x95\x79\x44\xb1\xc2\x9b\
+\xb1\x01\x91\x3e\x16\x6e\x11\xbd\x5f\x34\x18\x6f\xa6\xc0\xa5\x55\
+\xc9\x02\x6b\x25\x6a\x68\x60\xf4\x86\x6b\xd6\xd0\xb5\xbf\x90\x62\
+\x70\x86\xc6\x14\x91\x33\xf8\x28\x2c\xe6\xc9\xb3\x62\x24\x42\x44\
+\x3d\x5e\xca\x95\x9d\x6c\x14\xca\x83\x89\xd1\x2c\x40\x68\xb5\x03\
+\xe4\xe3\xc3\x9b\x63\x5b\xea\x24\x5d\x9d\x05\xa2\x55\x8f\x24\x9c\
+\x96\x61\xc0\x42\x7d\x2e\x48\x9c\xa5\xb5\xdd\xe2\x20\xa9\x03\x33\
+\xf4\x86\x2a\xec\x79\x32\x23\xc7\x81\x99\x7d\xa9\x82\x66\xc1\x2c\
+\x50\xea\x28\xb2\xc4\x38\xe7\xa3\x79\xeb\x10\x6e\xca\x0c\x7f\xd6\
+\x00\x6e\x9b\xf6\x12\xf3\xea\x0a\x45\x4b\xa3\xbd\xb7\x6e\x80\x27\
+\x99\x2e\x60\xde\x01\xe9\x09\x4f\xdd\xeb\x33\x49\x88\x39\x14\xfb\
+\x17\xa9\x62\x1a\xb9\x29\xd9\x70\xd1\x01\xe4\x5f\x82\x78\xc1\x4b\
+\x03\x2b\xca\xb0\x2b\xd1\x56\x92\xd2\x1b\x6c\x5c\x20\x4a\xbb\xf0\
+\x77\xd4\x65\x55\x3b\xd6\xed\xa6\x45\xe6\xc3\x06\x5d\x33\xb1\x0d\
+\x51\x8a\x61\xe1\x5e\xd0\xf0\x92\xc3\x22\x26\x28\x1a\x29\xc8\xa0\
+\xf5\x0c\xde\x0a\x8c\x66\x23\x6e\x29\xc2\xf3\x10\xa3\x75\xce\xbd\
+\xa1\xdc\x6b\xb9\xa1\xa0\x1d\xae\x6c\x7a\xba\x8e\xbe\xdc\x63\x71\
+\xa7\xd5\x2a\xac\xb9\x55\xf8\x3b\xd6\xe4\xf8\x4d\x29\x49\xdc\xc1\
+\x98\xfb\x77\xc7\xe5\xcd\xf6\x04\x0b\x0f\x84\xfa\xf8\x28\x08\xbf\
+\x98\x55\x77\xf0\xa2\xac\xf2\xec\x7e\xd7\xc0\xb0\xae\x8a\x27\x0e\
+\x95\x17\x43\xff\x23\xe0\xb2\xdd\x12\xe9\xc3\xc8\x28\xfb\x55\x98\
+\xa2\x24\x61\xaf\x94\xd5\x68\xf2\x92\x40\xba\x28\x20\xc4\x59\x1f\
+\x71\xc0\x88\xf9\x6e\x09\x5d\xd9\x8b\xea\xe4\x56\x57\x9e\xbb\xba\
+\x36\xf6\xd9\xca\x26\x13\xd1\xc2\x6e\xee\x4d\x8c\x73\x21\x7a\xc5\
+\x96\x2b\x5f\x31\x47\xb4\x92\xe8\x83\x15\x97\xfd\x89\xb6\x4a\xa7\
+\xfd\xe8\x2e\x19\x74\xd2\xf6\x77\x95\x04\xdc\x21\x43\x5e\xb3\x10\
+\x93\x50\x75\x6b\x9f\xda\xbe\x1c\x6f\x36\x80\x81\xbd\x40\xb2\x7e\
+\xbc\xb9\x81\x9a\x75\xd7\xdf\x8b\xb0\x7b\xb0\x5d\xb1\xba\xb7\x05\
+\xa4\xb7\xe3\x71\x25\x18\x63\x39\x46\x4a\xd8\xfa\xaa\x4f\x05\x2c\
+\xc1\x27\x29\x19\xfd\xe3\xe0\x25\xbb\x64\xaa\x8e\x0e\xb1\xfc\xbf\
+\xcc\x25\xac\xb5\xf7\x18\xce\x4f\x7c\x21\x82\xfb\x39\x3a\x18\x14\
+\xb0\xe9\x42\x49\x0e\x52\xd3\xbc\xa8\x17\xb2\xb2\x6e\x90\xd4\xc9\
+\xb0\xcc\x38\x60\x8a\x6c\xef\x5e\xb1\x53\xaf\x08\x58\xac\xc8\x67\
+\xc9\x92\x2a\xed\x43\xbb\x67\xd7\xb3\x3a\xcc\x51\x93\x13\xd2\x8d\
+\x41\xa5\xc6\xfe\x6c\xf3\x59\x5d\xd5\xee\x63\xf0\xa4\xc4\x06\x5a\
+\x08\x35\x90\xb2\x75\x78\x8b\xee\x7a\xd8\x75\xa7\xf8\x8d\xd7\x37\
+\x20\x70\x8c\x6c\x6c\x0e\xcf\x1f\x43\xbb\xaa\xda\xe6\xf2\x08\x55\
+\x7f\xdc\x07\xbd\x4e\xd9\x1f\x88\xce\x4c\x0d\xe8\x42\x76\x1c\x70\
+\xc1\x86\xbf\xda\xfa\xfc\x44\x48\x34\xbd\x34\x18\xbe\x42\x53\xa7\
+\x1e\xaf\x41\xd7\x18\x75\x3a\xd0\x77\x54\xca\x3e\xff\xd5\x96\x0b\
+\x03\x36\x98\x17\x95\x72\x14\x26\x80\x35\x99\xed\x5b\x2b\x75\x16\
+\x92\x0e\xfc\xbe\x32\xad\xa4\xbc\xf6\xc7\x3b\xd2\x9e\x3f\xa1\x52\
+\xd9\xad\xec\xa3\x60\x20\xfd\xee\xee\x1b\x73\x95\x21\xd3\xea\x8c\
+\x0d\xa4\x97\x00\x3d\xf1\x51\x38\x97\xb0\xf5\x47\x94\xa8\x73\x67\
+\x0b\x8d\x93\xbc\xca\x2a\xe4\x7e\x64\x42\x4b\x74\x23\xe1\xf0\x78\
+\xd9\x55\x4b\xb5\x23\x2c\xc6\xde\x8a\xae\x9b\x83\xfa\x5b\x95\x10\
+\xbe\xb3\x9c\xcf\x4b\x4e\x1d\x9c\x0f\x19\xd5\xe1\x7f\x58\xe5\xb8\
+\x70\x5d\x9a\x68\x37\xa7\xd9\xbf\x99\xcd\x13\x38\x7a\xf2\x56\xa8\
+\x49\x16\x71\xf1\xf2\xf2\x2a\xf2\x53\xbc\xff\x54\xb6\x73\x19\x9b\
+\xdb\x7d\x05\xd8\x10\x64\xef\x05\xf8\x0f\x01\x53\xd0\xbe\x79\x19\
+\x68\x4b\x23\xda\x8d\x42\xff\x3e\xff\xdb\x7c\xa0\x98\x50\x33\xf3\
+\x89\x18\x1f\x47\x65\x91\x38\x00\x3d\x71\x2b\x5e\xc0\xa6\x14\xd3\
+\x1c\xc7\x48\x7f\x52\xde\x86\x64\x91\x6a\xf7\x9c\x98\x45\x6b\x2c\
+\x94\xa8\x03\x80\x83\xdb\x55\x39\x1e\x34\x75\x86\x22\x50\x27\x4a\
+\x1d\xe2\x58\x4f\xec\x97\x5f\xb0\x95\x36\x79\x2c\xfb\xfc\xf6\x19\
+\x28\x56\xcc\x76\xeb\x5b\x13\xdc\x47\x09\xe2\xf7\x30\x1d\xdf\xf2\
+\x6e\xc1\xb2\x3d\xe2\xd1\x88\xc9\x99\x16\x6c\x74\xe1\xe1\x4b\xbc\
+\x15\xf4\x57\xcf\x4e\x47\x1a\xe1\x3d\xcb\xdd\x9c\x50\xf4\xd6\x46\
+\xfc\x62\x78\xe8\xfe\x7e\xb6\xcb\x5c\x94\x10\x0f\xa8\x70\x18\x73\
+\x80\xb7\x77\xed\x19\xd7\x86\x8f\xd8\xca\x7c\xeb\x7f\xa7\xd5\xcc\
+\x86\x1c\x5b\xda\xc9\x8e\x74\x95\xeb\x0a\x2c\xee\xc1\x92\x4a\xe9\
+\x79\xf4\x4c\x53\x90\xeb\xed\xdd\xc6\x5d\x6e\xc1\x12\x87\xd9\x78\
+\xb8\xdf\x06\x42\x19\xbc\x56\x79\xf7\xd7\xb2\x64\xa7\x6f\xf2\x72\
+\xb2\xac\x9f\x2f\x7c\xfc\x9f\xdc\xfb\x6a\x51\x42\x82\x40\x02\x7a\
+\xfd\x9d\x52\xa7\x9b\x64\x7c\x90\xc2\x70\x9e\x06\x0e\xd7\x0f\x87\
+\x29\x9d\xd7\x98\xd6\x8f\x4f\xad\xd3\xda\x6c\x51\xd8\x39\xf8\x51\
+\xf9\x8f\x67\x84\x0b\x96\x4e\xbe\x73\xf8\xce\xc4\x15\x72\x53\x8e\
+\xc6\xbc\x13\x10\x34\xca\x28\x94\xeb\x73\x6b\x3b\xda\x93\xd9\xf5\
+\xf6\xfa\x6f\x6c\x0f\x03\xce\x43\x36\x2b\x84\x14\x94\x03\x55\xfb\
+\x54\xd3\xdf\xdd\x03\x63\x3a\xe1\x08\xf3\xde\x3e\xbc\x85\xa3\xff\
+\x51\xef\xee\xa3\xbc\x2c\xf2\x7e\x16\x58\xf1\x78\x9e\xe6\x12\xc8\
+\x3d\x0f\x5f\xd5\x6f\x7c\xd0\x71\x93\x0e\x29\x46\xbe\xee\xca\xa0\
+\x4d\xcc\xea\x9f\x97\x78\x60\x01\x47\x5e\x02\x94\xbc\x28\x52\xf6\
+\x2e\xb5\xd3\x9b\xb9\xfb\xee\xf7\x59\x16\xef\xe4\x4a\x66\x2e\xca\
+\xe3\x7e\xde\x27\xe9\xd6\xea\xdf\xde\xb8\xf8\xb2\xb2\xdb\xcc\xbf\
+\x96\xfa\x6d\xba\xf7\x32\x1f\xb0\xe7\x01\xf4\xd4\x29\xc2\xf4\xdc\
+\xd1\x53\xa2\x74\x25\x74\x12\x6e\x5e\xac\xcc\x77\x68\x6a\xcf\x6e\
+\x3e\xe4\x8f\x42\x37\x66\xe0\xfc\x46\x68\x10\xa9\x05\xff\x54\x53\
+\xec\x99\x89\x7b\x56\xbc\x55\xdd\x49\xb9\x91\x14\x2f\x65\x04\x3f\
+\x2d\x74\x4e\xeb\x93\x5b\xa7\xf4\xef\x23\xcf\x80\xcc\x5a\x8a\x33\
+\x5d\x36\x19\xd7\x81\xe7\x45\x48\x26\xdf\x72\x0e\xec\x82\xe0\x60\
+\x34\xc4\x46\x99\xb5\xf0\xc4\x4a\x87\x87\x75\x2e\x05\x7f\xa3\x41\
+\x9b\x5b\xb0\xe2\x5d\x30\x98\x1e\x41\xcb\x13\x61\x32\x2d\xba\x8f\
+\x69\x93\x1c\xf4\x2f\xad\x3f\x3b\xce\x6d\xed\x5b\x8b\xfc\x3d\x20\
+\xa2\x14\x88\x61\xb2\xaf\xc1\x45\x62\xdd\xd2\x7f\x12\x89\x7a\xbf\
+\x06\x85\x28\x8d\xcc\x5c\x49\x82\xf8\x26\x02\x68\x46\xa2\x4b\xf7\
+\x7e\x38\x3c\x7a\xac\xab\x1a\xb6\x92\xb2\x9e\xd8\xc0\x18\xa6\x5f\
+\x3d\xc2\xb8\x7f\xf6\x19\xa6\x33\xc4\x1b\x4f\xad\xb1\xc7\x87\x25\
+\xc1\xf8\xf9\x22\xf6\x00\x97\x87\xb1\x96\x42\x47\xdf\x01\x36\xb1\
+\xbc\x61\x4a\xb5\x75\xc5\x9a\x16\xd0\x89\x91\x7b\xd4\xa8\xb6\xf0\
+\x4d\x95\xc5\x81\x27\x9a\x13\x9b\xe0\x9f\xcf\x6e\x98\xa4\x70\xa0\
+\xbc\xec\xa1\x91\xfc\xe4\x76\xf9\x37\x00\x21\xcb\xc0\x55\x18\xa7\
+\xef\xd3\x5d\x89\xd8\x57\x7c\x99\x0a\x5e\x19\x96\x1b\xa1\x62\x03\
+\xc9\x59\xc9\x18\x29\xba\x74\x97\xcf\xfc\xbb\x4b\x29\x45\x46\x45\
+\x4f\xa5\x38\x8a\x23\xa2\x2e\x80\x5a\x5c\xa3\x5f\x95\x65\x98\x84\
+\x8b\xda\x67\x86\x15\xfe\xc2\x8a\xfd\x5d\xa6\x1a\x00\x00\x00\x06\
+\xb3\x26\x49\x33\x13\x05\x3c\xed\x38\x76\xdb\x9d\x23\x71\x48\x18\
+\x1b\x71\x73\xbc\x7d\x04\x2c\xef\xb4\xdb\xe9\x4d\x2e\x58\xcd\x21\
+\xa7\x69\xdb\x46\x57\xa1\x03\x27\x9b\xa8\xef\x3a\x62\x9c\xa8\x4e\
+\xe8\x36\x17\x2a\x9c\x50\xe5\x1f\x45\x58\x17\x41\xcf\x80\x83\x15\
+\x0b\x49\x1c\xb4\xec\xbb\xab\xec\x12\x8e\x7c\x81\xa4\x6e\x62\xa6\
+\x7b\x57\x64\x0a\x0a\x78\xbe\x1c\xbf\x7d\xd9\xd4\x19\xa1\x0c\xd8\
+\x68\x6d\x16\x62\x1a\x80\x81\x6b\xfd\xb5\xbd\xc5\x62\x11\xd7\x2c\
+\xa7\x0b\x81\xf1\x11\x7d\x12\x95\x29\xa7\x57\x0c\xf7\x9c\xf5\x2a\
+\x70\x28\xa4\x85\x38\xec\xdd\x3b\x38\xd3\xd5\xd6\x2d\x26\x24\x65\
+\x95\xc4\xfb\x73\xa5\x25\xa5\xed\x2c\x30\x52\x4e\xbb\x1d\x8c\xc8\
+\x2e\x0c\x19\xbc\x49\x77\xc6\x89\x8f\xf9\x5f\xd3\xd3\x10\xb0\xba\
+\xe7\x16\x96\xce\xf9\x3c\x6a\x55\x24\x56\xbf\x96\xe9\xd0\x75\xe3\
+\x83\xbb\x75\x43\xc6\x75\x84\x2b\xaf\xbf\xc7\xcd\xb8\x84\x83\xb3\
+\x27\x6c\x29\xd4\xf0\xa3\x41\xc2\xd4\x06\xe4\x0d\x46\x53\xb7\xe4\
+\xd0\x45\x85\x1a\xcf\x6a\x0a\x0e\xa9\xc7\x10\xb8\x05\xcc\xed\x46\
+\x35\xee\x8c\x10\x73\x62\xf0\xfc\x8d\x80\xc1\x4d\x0a\xc4\x9c\x51\
+\x67\x03\xd2\x6d\x14\x75\x2f\x34\xc1\xc0\xd2\xc4\x24\x75\x81\xc1\
+\x8c\x2c\xf4\xde\x48\xe9\xce\x94\x9b\xe7\xc8\x88\xe9\xca\xeb\xe4\
+\xa4\x15\xe2\x91\xfd\x10\x7d\x21\xdc\x1f\x08\x4b\x11\x58\x20\x82\
+\x49\xf2\x8f\x4f\x7c\x7e\x93\x1b\xa7\xb3\xbd\x0d\x82\x4a\x45\x70\
+\x00\x00\x00\x05\x00\x00\x00\x04\x21\x5f\x83\xb7\xcc\xb9\xac\xbc\
+\xd0\x8d\xb9\x7b\x0d\x04\xdc\x2b\xa1\xcd\x03\x58\x33\xe0\xe9\x00\
+\x59\x60\x3f\x26\xe0\x7a\xd2\xaa\xd1\x52\x33\x8e\x7a\x5e\x59\x84\
+\xbc\xd5\xf7\xbb\x4e\xba\x40\xb7\x00\x00\x00\x04\x00\x00\x00\x04\
+\x0e\xb1\xed\x54\xa2\x46\x0d\x51\x23\x88\xca\xd5\x33\x13\x8d\x24\
+\x05\x34\xe9\x7b\x1e\x82\xd3\x3b\xd9\x27\xd2\x01\xdf\xc2\x4e\xbb\
+\x11\xb3\x64\x90\x23\x69\x6f\x85\x15\x0b\x18\x9e\x50\xc0\x0e\x98\
+\x85\x0a\xc3\x43\xa7\x7b\x36\x38\x31\x9c\x34\x7d\x73\x10\x26\x9d\
+\x3b\x77\x14\xfa\x40\x6b\x8c\x35\xb0\x21\xd5\x4d\x4f\xda\xda\x7b\
+\x9c\xe5\xd4\xba\x5b\x06\x71\x9e\x72\xaa\xf5\x8c\x5a\xae\x7a\xca\
+\x05\x7a\xa0\xe2\xe7\x4e\x7d\xcf\xd1\x7a\x08\x23\x42\x9d\xb6\x29\
+\x65\xb7\xd5\x63\xc5\x7b\x4c\xec\x94\x2c\xc8\x65\xe2\x9c\x1d\xad\
+\x83\xca\xc8\xb4\xd6\x1a\xac\xc4\x57\xf3\x36\xe6\xa1\x0b\x66\x32\
+\x3f\x58\x87\xbf\x35\x23\xdf\xca\xde\xe1\x58\x50\x3b\xfa\xa8\x9d\
+\xc6\xbf\x59\xda\xa8\x2a\xfd\x2b\x5e\xbb\x2a\x9c\xa6\x57\x2a\x60\
+\x67\xce\xe7\xc3\x27\xe9\x03\x9b\x3b\x6e\xa6\xa1\xed\xc7\xfd\xc3\
+\xdf\x92\x7a\xad\xe1\x0c\x1c\x9f\x2d\x5f\xf4\x46\x45\x0d\x2a\x39\
+\x98\xd0\xf9\xf6\x20\x2b\x5e\x07\xc3\xf9\x7d\x24\x58\xc6\x9d\x3c\
+\x81\x90\x64\x39\x78\xd7\xa7\xf4\xd6\x4e\x97\xe3\xf1\xc4\xa0\x8a\
+\x7c\x5b\xc0\x3f\xd5\x56\x82\xc0\x17\xe2\x90\x7e\xab\x07\xe5\xbb\
+\x2f\x19\x01\x43\x47\x5a\x60\x43\xd5\xe6\xd5\x26\x34\x71\xf4\xee\
+\xcf\x6e\x25\x75\xfb\xc6\xff\x37\xed\xfa\x24\x9d\x6c\xda\x1a\x09\
+\xf7\x97\xfd\x5a\x3c\xd5\x3a\x06\x67\x00\xf4\x58\x63\xf0\x4b\x6c\
+\x8a\x58\xcf\xd3\x41\x24\x1e\x00\x2d\x0d\x2c\x02\x17\x47\x2b\xf1\
+\x8b\x63\x6a\xe5\x47\xc1\x77\x13\x68\xd9\xf3\x17\x83\x5c\x9b\x0e\
+\xf4\x30\xb3\xdf\x40\x34\xf6\xaf\x00\xd0\xda\x44\xf4\xaf\x78\x00\
+\xbc\x7a\x5c\xf8\xa5\xab\xdb\x12\xdc\x71\x8b\x55\x9b\x74\xca\xb9\
+\x09\x0e\x33\xcc\x58\xa9\x55\x30\x09\x81\xc4\x20\xc4\xda\x8f\xfd\
+\x67\xdf\x54\x08\x90\xa0\x62\xfe\x40\xdb\xa8\xb2\xc1\xc5\x48\xce\
+\xd2\x24\x73\x21\x9c\x53\x49\x11\xd4\x8c\xca\xab\xfb\x71\xbc\x71\
+\x86\x2f\x4a\x24\xeb\xd3\x76\xd2\x88\xfd\x4e\x6f\xb0\x6e\xd8\x70\
+\x57\x87\xc5\xfe\xdc\x81\x3c\xd2\x69\x7e\x5b\x1a\xac\x1c\xed\x45\
+\x76\x7b\x14\xce\x88\x40\x9e\xae\xbb\x60\x1a\x93\x55\x9a\xae\x89\
+\x3e\x14\x3d\x1c\x39\x5b\xc3\x26\xda\x82\x1d\x79\xa9\xed\x41\xdc\
+\xfb\xe5\x49\x14\x7f\x71\xc0\x92\xf4\xf3\xac\x52\x2b\x5c\xc5\x72\
+\x90\x70\x66\x50\x48\x7b\xae\x9b\xb5\x67\x1e\xcc\x9c\xcc\x2c\xe5\
+\x1e\xad\x87\xac\x01\x98\x52\x68\x52\x12\x22\xfb\x90\x57\xdf\x7e\
+\xd4\x18\x10\xb5\xef\x0d\x4f\x7c\xc6\x73\x68\xc9\x0f\x57\x3b\x1a\
+\xc2\xce\x95\x6c\x36\x5e\xd3\x8e\x89\x3c\xe7\xb2\xfa\xe1\x5d\x36\
+\x85\xa3\xdf\x2f\xa3\xd4\xcc\x09\x8f\xa5\x7d\xd6\x0d\x2c\x97\x54\
+\xa8\xad\xe9\x80\xad\x0f\x93\xf6\x78\x70\x75\xc3\xf6\x80\xa2\xba\
+\x19\x36\xa8\xc6\x1d\x1a\xf5\x2a\xb7\xe2\x1f\x41\x6b\xe0\x9d\x2a\
+\x8d\x64\xc3\xd3\xd8\x58\x29\x68\xc2\x83\x99\x02\x22\x9f\x85\xae\
+\xe2\x97\xe7\x17\xc0\x94\xc8\xdf\x4a\x23\xbb\x5d\xb6\x58\xdd\x37\
+\x7b\xf0\xf4\xff\x3f\xfd\x8f\xba\x5e\x38\x3a\x48\x57\x48\x02\xed\
+\x54\x5b\xbe\x7a\x6b\x47\x53\x53\x33\x53\xd7\x37\x06\x06\x76\x40\
+\x13\x5a\x7c\xe5\x17\x27\x9c\xd6\x83\x03\x97\x47\xd2\x18\x64\x7c\
+\x86\xe0\x97\xb0\xda\xa2\x87\x2d\x54\xb8\xf3\xe5\x08\x59\x87\x62\
+\x95\x47\xb8\x30\xd8\x11\x81\x61\xb6\x50\x79\xfe\x7b\xc5\x9a\x99\
+\xe9\xc3\xc7\x38\x0e\x3e\x70\xb7\x13\x8f\xe5\xd9\xbe\x25\x51\x50\
+\x2b\x69\x8d\x09\xae\x19\x39\x72\xf2\x7d\x40\xf3\x8d\xea\x26\x4a\
+\x01\x26\xe6\x37\xd7\x4a\xe4\xc9\x2a\x62\x49\xfa\x10\x34\x36\xd3\
+\xeb\x0d\x40\x29\xac\x71\x2b\xfc\x7a\x5e\xac\xbd\xd7\x51\x8d\x6d\
+\x4f\xe9\x03\xa5\xae\x65\x52\x7c\xd6\x5b\xb0\xd4\xe9\x92\x5c\xa2\
+\x4f\xd7\x21\x4d\xc6\x17\xc1\x50\x54\x4e\x42\x3f\x45\x0c\x99\xce\
+\x51\xac\x80\x05\xd3\x3a\xcd\x74\xf1\xbe\xd3\xb1\x7b\x72\x66\xa4\
+\xa3\xbb\x86\xda\x7e\xba\x80\xb1\x01\xe1\x5c\xb7\x9d\xe9\xa2\x07\
+\x85\x2c\xf9\x12\x49\xef\x48\x06\x19\xff\x2a\xf8\xca\xbc\xa8\x31\
+\x25\xd1\xfa\xa9\x4c\xbb\x0a\x03\xa9\x06\xf6\x83\xb3\xf4\x7a\x97\
+\xc8\x71\xfd\x51\x3e\x51\x0a\x7a\x25\xf2\x83\xb1\x96\x07\x57\x78\
+\x49\x61\x52\xa9\x1c\x2b\xf9\xda\x76\xeb\xe0\x89\xf4\x65\x48\x77\
+\xf2\xd5\x86\xae\x71\x49\xc4\x06\xe6\x63\xea\xde\xb2\xb5\xc7\xe8\
+\x24\x29\xb9\xe8\xcb\x48\x34\xc8\x34\x64\xf0\x79\x99\x53\x32\xe4\
+\xb3\xc8\xf5\xa7\x2b\xb4\xb8\xc6\xf7\x4b\x0d\x45\xdc\x6c\x1f\x79\
+\x95\x2c\x0b\x74\x20\xdf\x52\x5e\x37\xc1\x53\x77\xb5\xf0\x98\x43\
+\x19\xc3\x99\x39\x21\xe5\xcc\xd9\x7e\x09\x75\x92\x06\x45\x30\xd3\
+\x3d\xe3\xaf\xad\x57\x33\xcb\xe7\x70\x3c\x52\x96\x26\x3f\x77\x34\
+\x2e\xfb\xf5\xa0\x47\x55\xb0\xb3\xc9\x97\xc4\x32\x84\x63\xe8\x4c\
+\xaa\x2d\xe3\xff\xdc\xd2\x97\xba\xaa\xac\xd7\xae\x64\x6e\x44\xb5\
+\xc0\xf1\x60\x44\xdf\x38\xfa\xbd\x29\x6a\x47\xb3\xa8\x38\xa9\x13\
+\x98\x2f\xb2\xe3\x70\xc0\x78\xed\xb0\x42\xc8\x4d\xb3\x4c\xe3\x6b\
+\x46\xcc\xb7\x64\x60\xa6\x90\xcc\x86\xc3\x02\x45\x7d\xd1\xcd\xe1\
+\x97\xec\x80\x75\xe8\x2b\x39\x3d\x54\x20\x75\x13\x4e\x2a\x17\xee\
+\x70\xa5\xe1\x87\x07\x5d\x03\xae\x3c\x85\x3c\xff\x60\x72\x9b\xa4\
+\x00\x00\x00\x05\x4d\xe1\xf6\x96\x5b\xda\xbc\x67\x6c\x5a\x4d\xc7\
+\xc3\x5f\x97\xf8\x2c\xb0\xe3\x1c\x68\xd0\x4f\x1d\xad\x96\x31\x4f\
+\xf0\x9e\x6b\x3d\xe9\x6a\xee\xe3\x00\xd1\xf6\x8b\xf1\xbc\xa9\xfc\
+\x58\xe4\x03\x23\x36\xcd\x81\x9a\xaf\x57\x87\x44\xe5\x0d\x13\x57\
+\xa0\xe4\x28\x67\x04\xd3\x41\xaa\x0a\x33\x7b\x19\xfe\x4b\xc4\x3c\
+\x2e\x79\x96\x4d\x4f\x35\x10\x89\xf2\xe0\xe4\x1c\x7c\x43\xae\x0d\
+\x49\xe7\xf4\x04\xb0\xf7\x5b\xe8\x0e\xa3\xaf\x09\x8c\x97\x52\x42\
+\x0a\x8a\xc0\xea\x2b\xbb\x1f\x4e\xeb\xa0\x52\x38\xae\xf0\xd8\xce\
+\x63\xf0\xc6\xe5\xe4\x04\x1d\x95\x39\x8a\x6f\x7f\x3e\x0e\xe9\x7c\
+\xc1\x59\x18\x49\xd4\xed\x23\x63\x38\xb1\x47\xab\xde\x9f\x51\xef\
+\x9f\xd4\xe1\xc1\
+'''
if __name__ == "__main__":
main()
diff --git a/utils/Makefile b/utils/Makefile
index ce36d4c..799bf94 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2016, NORDUnet A/S
+# Copyright (c) 2015-2018, NORDUnet A/S
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
@@ -27,23 +27,17 @@
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-ifndef CRYPTECH_ROOT
- CRYPTECH_ROOT := $(abspath ../../..)
-endif
-
-LIBTFM_SRC ?= ${CRYPTECH_ROOT}/sw/thirdparty/libtfm
-LIBTFM_BLD ?= ${LIBTFM_SRC}
-
-LIBHAL_SRC ?= ${CRYPTECH_ROOT}/sw/libhal
+LIBHAL_SRC ?= ..
LIBHAL_BLD ?= ${LIBHAL_SRC}
+LIBTFM_BLD ?= ../../thirdparty/libtfm
LIBS = ${LIBHAL_BLD}/libhal.a ${LIBTFM_BLD}/libtfm.a
CFLAGS ?= -g3 -Wall -fPIC -std=c99 -I${LIBHAL_SRC} -I${LIBTFM_BLD}
-BIN = eim_peek_poke cores
+BIN = $(if $(wildcard ${LIBHAL_BLD}/hal_io_eim.o),eim_peek_poke) $(if $(wildcard ${LIBHAL_BLD}/core.o),cores) pkey-export pkey-import pkey
-all: $(if $(wildcard ${LIBHAL_BLD}/hal_io_eim.o),eim_peek_poke) $(if $(wildcard ${LIBHAL_BLD}/core.o),cores)
+all: ${BIN}
clean:
rm -f *.o ${BIN}
diff --git a/utils/pkey-export.c b/utils/pkey-export.c
new file mode 100644
index 0000000..660052e
--- /dev/null
+++ b/utils/pkey-export.c
@@ -0,0 +1,187 @@
+/*
+ * pkey-export.c
+ * -------------
+ * Export a key.
+ *
+ * Copyright (c) 2018, NORDUnet A/S
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of the NORDUnet nor the names of its contributors may
+ * be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <getopt.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <hal.h>
+
+#define HAL_KS_WRAPPED_KEYSIZE ((2373 + 6 * 4096 / 8 + 6 * 4 + 15) & ~7)
+
+#define lose(...) do { printf(__VA_ARGS__); goto fail; } while (0)
+
+static int read_file(const char * const fn, uint8_t * const buf, size_t *buf_len, const size_t buf_max)
+{
+ int fd;
+ if ((fd = open(fn, O_RDONLY)) == -1)
+ lose("Error opening %s: %s\n", fn, strerror(errno));
+
+ size_t nread;
+ if ((nread = read(fd, buf, buf_max)) == -1)
+ lose("Error reading %s: %s\n", fn, strerror(errno));
+
+ *buf_len = nread;
+
+ if (close(fd) != 0)
+ lose("Error closing %s: %s\n", fn, strerror(errno));
+
+ return 0;
+
+fail:
+ return -1;
+}
+
+static int write_buf(const char * const name, const char * const ext, const uint8_t * const buf, const size_t buf_len)
+{
+ char fn[strlen(name) + strlen(ext) + 1];
+ strcpy(fn, name);
+ strcat(fn, ext);
+
+ int fd = creat(fn, S_IRUSR);
+ if (fd == -1)
+ lose("Error opening %s: %s\n", fn, strerror(errno));
+
+ ssize_t nwrite;
+ if ((nwrite = write(fd, buf, buf_len)) != buf_len)
+ lose("Error writing %s: wrote %lu, expected %lu\n", fn, nwrite, buf_len);
+
+ if (close(fd) != 0)
+ lose("Error closing %s: %s\n", fn, strerror(errno));
+
+ return 0;
+
+fail:
+ return -1;
+}
+
+#define lose_usage(...) do { printf(__VA_ARGS__); printf(usage, argv[0]); goto fail; } while (0)
+
+int main(int argc, char *argv[])
+{
+ hal_error_t err;
+ const hal_client_handle_t client = {HAL_HANDLE_NONE};
+ const hal_session_handle_t session = {HAL_HANDLE_NONE};
+ char *pin = "fnord";
+ char *kekek_fn = NULL;
+ char *save_fn = NULL;
+ char *keyname = NULL;
+
+char usage[] = "\
+Usage: %s [-p pin] <-k kekek> [-o outfile] keyname\n\
+";
+
+ int opt;
+ while ((opt = getopt(argc, argv, "p:k:o:")) != -1) {
+ switch (opt) {
+ case 'p':
+ pin = optarg;
+ break;
+ case 'k':
+ kekek_fn = optarg;
+ break;
+ case 'o':
+ save_fn = optarg;
+ break;
+ case 'h':
+ case '?':
+ printf(usage, argv[0]);
+ return 0;
+ }
+ }
+ keyname = argv[optind];
+
+ if (kekek_fn == NULL)
+ lose_usage("Error: missing option -k\n");
+ if (save_fn == NULL)
+ save_fn = keyname;
+ if (keyname == NULL)
+ lose_usage("Error: missing keyname\n");
+
+ uint8_t kekek_der[HAL_KS_WRAPPED_KEYSIZE]; size_t kekek_der_len;
+ if (read_file(kekek_fn, kekek_der, &kekek_der_len, sizeof(kekek_der)) != 0)
+ goto fail;
+
+ hal_uuid_t pkey_name;
+
+ if ((err = hal_uuid_parse(&pkey_name, keyname)) != HAL_OK)
+ lose("Error parsing private key name: %s\n", hal_error_string(err));
+
+
+ if ((err = hal_rpc_client_init()) != HAL_OK)
+ lose("Error initializing RPC client: %s\n", hal_error_string(err));
+
+ if ((err = hal_rpc_login(client, HAL_USER_NORMAL, pin, strlen(pin))) != HAL_OK)
+ lose("Error logging into HSM: %s\n", hal_error_string(err));
+
+ hal_pkey_handle_t pkey = {HAL_HANDLE_NONE};
+
+ if ((err = hal_rpc_pkey_open(client, session, &pkey, &pkey_name)) != HAL_OK)
+ lose("Error opening private key: %s\n", hal_error_string(err));
+
+ hal_pkey_handle_t kekek = {HAL_HANDLE_NONE};
+ hal_uuid_t kekek_name;
+
+ if ((err = hal_rpc_pkey_load(client, session, &kekek, &kekek_name,
+ kekek_der, kekek_der_len,
+ HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT)) != HAL_OK)
+ lose("Error loading export key: %s\n", hal_error_string(err));
+
+ uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len;
+ uint8_t kek[HAL_KS_WRAPPED_KEYSIZE]; size_t kek_len;
+
+ if ((err = hal_rpc_pkey_export(pkey, kekek,
+ der, &der_len, sizeof(der),
+ kek, &kek_len, sizeof(kek))) != HAL_OK)
+ lose("Error exporting private key: %s\n", hal_error_string(err));
+
+ if (write_buf(save_fn, ".der", der, der_len) != 0 ||
+ write_buf(save_fn, ".kek", kek, kek_len) != 0)
+ goto fail;
+
+ if ((err = hal_rpc_logout(client)) != HAL_OK)
+ lose("Error logging out of HSM: %s\n", hal_error_string(err));
+
+ if ((err = hal_rpc_client_close()) != HAL_OK)
+ lose("Error shutting down RPC client: %s\n", hal_error_string(err));
+
+ return 0;
+
+fail:
+ return -1;
+}
diff --git a/utils/pkey-import.c b/utils/pkey-import.c
new file mode 100644
index 0000000..611448f
--- /dev/null
+++ b/utils/pkey-import.c
@@ -0,0 +1,168 @@
+/*
+ * pkey-import.c
+ * -------------
+ * Import a key.
+ *
+ * Copyright (c) 2018, NORDUnet A/S
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of the NORDUnet nor the names of its contributors may
+ * be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <getopt.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <hal.h>
+
+#define HAL_KS_WRAPPED_KEYSIZE ((2373 + 6 * 4096 / 8 + 6 * 4 + 15) & ~7)
+
+#define lose(...) do { printf(__VA_ARGS__); goto fail; } while (0)
+
+static int read_file(const char * const fn, uint8_t * const buf, size_t *buf_len, const size_t buf_max)
+{
+ int fd;
+ if ((fd = open(fn, O_RDONLY)) == -1)
+ lose("Error opening %s: %s\n", fn, strerror(errno));
+
+ size_t nread;
+ if ((nread = read(fd, buf, buf_max)) == -1)
+ lose("Error reading %s: %s\n", fn, strerror(errno));
+
+ *buf_len = nread;
+
+ if (close(fd) != 0)
+ lose("Error closing %s: %s\n", fn, strerror(errno));
+
+ return 0;
+
+fail:
+ return -1;
+}
+
+static int read_buf(const char * const name, const char * const ext, uint8_t * const buf, size_t *buf_len, const size_t buf_max)
+{
+ char fn[strlen(name) + strlen(ext) + 1];
+ strcpy(fn, name);
+ strcat(fn, ext);
+
+ return read_file(fn, buf, buf_len, buf_max);
+}
+
+#define lose_usage(...) do { printf(__VA_ARGS__); printf(usage, argv[0]); goto fail; } while (0)
+
+int main(int argc, char *argv[])
+{
+ hal_error_t err;
+ const hal_client_handle_t client = {HAL_HANDLE_NONE};
+ const hal_session_handle_t session = {HAL_HANDLE_NONE};
+ char *pin = "fnord";
+ char *kekek_fn = NULL;
+ char *key_fn = NULL;
+
+char usage[] = "\
+Usage: %s [-p pin] <-k kekek> keyfile\n\
+";
+
+ int opt;
+ while ((opt = getopt(argc, argv, "p:k:")) != -1) {
+ switch (opt) {
+ case 'p':
+ pin = optarg;
+ break;
+ case 'k':
+ kekek_fn = optarg;
+ break;
+ case 'h':
+ case '?':
+ printf(usage, argv[0]);
+ return 0;
+ }
+ }
+ key_fn = argv[optind];
+
+ if (kekek_fn == NULL)
+ lose_usage("Error: missing option -k\n");
+ if (key_fn == NULL)
+ lose_usage("Error: missing keyfile\n");
+
+ uint8_t kekek_der[HAL_KS_WRAPPED_KEYSIZE]; size_t kekek_der_len;
+
+ if (read_file(kekek_fn, kekek_der, &kekek_der_len, sizeof(kekek_der)) != 0)
+ goto fail;
+
+ uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len;
+ uint8_t kek[HAL_KS_WRAPPED_KEYSIZE]; size_t kek_len;
+
+ if (read_buf(key_fn, ".der", der, &der_len, sizeof(der)) != 0 ||
+ read_buf(key_fn, ".kek", kek, &kek_len, sizeof(kek)) != 0)
+ goto fail;
+
+ if ((err = hal_rpc_client_init()) != HAL_OK)
+ lose("Error initializing RPC client: %s\n", hal_error_string(err));
+
+ if ((err = hal_rpc_login(client, HAL_USER_NORMAL, pin, strlen(pin))) != HAL_OK)
+ lose("Error logging into HSM: %s\n", hal_error_string(err));
+
+ hal_pkey_handle_t kekek = {HAL_HANDLE_NONE};
+ hal_uuid_t kekek_name;
+
+ if ((err = hal_rpc_pkey_load(client, session, &kekek, &kekek_name,
+ kekek_der, kekek_der_len,
+ HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT)) != HAL_OK)
+ lose("Error loading import key: %s\n", hal_error_string(err));
+
+ hal_pkey_handle_t private_key = {HAL_HANDLE_NONE};
+ hal_uuid_t private_name;
+
+ if ((err = hal_rpc_pkey_import(client, session,
+ &private_key, &private_name,
+ kekek,
+ der, der_len,
+ kek, kek_len,
+ HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN | HAL_KEY_FLAG_EXPORTABLE)) != HAL_OK)
+ lose("Error importing private key: %s\n", hal_error_string(err));
+
+ char name_str[HAL_UUID_TEXT_SIZE];
+
+ if ((err = hal_uuid_format(&private_name, name_str, sizeof(name_str))) != HAL_OK)
+ lose("Error formatting private key name: %s\n", hal_error_string(err));
+ printf("New private key name: %s\n", name_str);
+
+ if ((err = hal_rpc_logout(client)) != HAL_OK)
+ lose("Error logging out of HSM: %s\n", hal_error_string(err));
+
+ if ((err = hal_rpc_client_close()) != HAL_OK)
+ lose("Error shutting down RPC client: %s\n", hal_error_string(err));
+
+ return 0;
+
+fail:
+ return -1;
+}
diff --git a/utils/pkey.c b/utils/pkey.c
new file mode 100644
index 0000000..76c1bf7
--- /dev/null
+++ b/utils/pkey.c
@@ -0,0 +1,1220 @@
+/*
+ * pkey.c
+ * ------
+ * Fully-featured key management app
+ *
+ * Copyright (c) 2018, NORDUnet A/S All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither the name of the NORDUnet nor the names of its contributors may
+ * be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <string.h>
+#include <strings.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+
+#include <hal.h>
+
+/*
+ * The all-singing, all-dancing key management app.
+ * This is designed so that commands can be concatenated, e.g.
+ *
+ * pkey generate rsa sign -h -n 100 verify -h delete
+ *
+ * i.e. Generate an RSA key with default parameters, hash the default message
+ * and sign it 100 times, verify the signature, and delete the key.
+ *
+ * [-i (info)] [-p pin]
+ * generate [-x (exportable)] [-v (volatile keystore)]
+ * rsa [-l keylen-in-bits] [-e exponent]
+ * ec [-c curve]
+ * hashsig [-L levels] [-h height] [-w Winternitz factor]
+ * list [-t type]
+ * sign [-h (hash)] [-k keyname] [-m msgfile] [-s sigfile] [-n iterations]
+ * verify [-h (hash)] [-k keyname] [-m msgfile] [-s sigfile]
+ * export [-k keyname] [-K kekekfile] [-o outfile]
+ * import [-K kekekfile] [-i infile] [-x (exportable)] [-v (volatile keystore)]
+ * delete [-k keyname] ...
+ */
+
+/*
+ * By default, GNU getopt() permutes the arguments to put all options first,
+ * followed by non-options. Adding a dash at the start of the option string
+ * preserves argument ordering by treating any non-option as an option with
+ * character code 1.
+ *
+ * In contrast, BSD getopt() does not permute the arguments, but returns -1 on
+ * the first non-option it sees (and ignores a leading dash in the option
+ * string, thank god).
+ *
+ * We can't predict or detect which version of getopt() we get linked with, so
+ * we do this weird hybrid, where option value 1 causes the parser to back up
+ * one and drop out.
+ */
+
+#define HAL_KS_WRAPPED_KEYSIZE ((2373 + 6 * 4096 / 8 + 6 * 4 + 15) & ~7)
+
+#define lose(...) do { printf(__VA_ARGS__); goto fail; } while (0)
+
+#ifndef timersub
+#define timersub(a, b, res) \
+ do { \
+ (res)->tv_sec = (a)->tv_sec - (b)->tv_sec; \
+ (res)->tv_usec = (a)->tv_usec - (b)->tv_usec; \
+ if ((res)->tv_usec < 0) { \
+ (res)->tv_usec += 1000000; \
+ --(res)->tv_sec; \
+ } \
+ } while (0)
+#endif
+
+static int info = 0;
+static char *pin = "fnord";
+
+static hal_pkey_handle_t key_handle = {HAL_HANDLE_NONE};
+static hal_uuid_t key_uuid = {{0}};
+
+#define DFLT_MSG "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum."
+static uint8_t msg[16000] = DFLT_MSG;
+static size_t msg_len = sizeof(DFLT_MSG);
+
+static uint8_t sig[16000] = "";
+static size_t sig_len = 0;
+
+static hal_key_flags_t flags = HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE | HAL_KEY_FLAG_TOKEN;
+
+static const hal_client_handle_t client = {HAL_HANDLE_NONE};
+static const hal_session_handle_t session = {HAL_HANDLE_NONE};
+
+static size_t file_size(const char * const fn)
+{
+ struct stat statbuf;
+ if (stat(fn, &statbuf) != 0) {
+ printf("%s: %s\n", fn, strerror(errno));
+ return SIZE_MAX;
+ }
+
+ return statbuf.st_size;
+}
+
+static int file_read(const char * const fn, void *buf, size_t *buf_len, const size_t buf_max)
+{
+ size_t fsize = file_size(fn);
+ if (fsize == SIZE_MAX)
+ return -1;
+ if (fsize > buf_max)
+ lose("Error: %s (%lu bytes) is too big for buffer (%lu bytes)\n", fn, fsize, buf_max);
+
+ FILE *fp;
+ if ((fp = fopen(fn, "rb")) == NULL)
+ lose("Error opening %s: %s\n", fn, strerror(errno));
+
+ size_t len;
+ if ((len = fread(buf, 1, fsize, fp)) != fsize)
+ lose("Error: read %lu bytes from %s, expected %lu\n", len, fn, fsize);
+
+ if (fclose(fp) != 0)
+ lose("Error closing %s: %s\n", fn, strerror(errno));
+
+ *buf_len = len;
+ return 0;
+
+fail:
+ return -1;
+}
+
+static int file_write(const char * const fn, const void * const buf, const size_t buf_len, int secret)
+{
+ FILE *fp;
+ if ((fp = fopen(fn, "wb")) == NULL)
+ lose("Error opening %s: %s\n", fn, strerror(errno));
+
+ size_t nwrite;
+ if ((nwrite = fwrite(buf, 1, buf_len, fp)) != buf_len)
+ lose("Error writing %s: wrote %lu, expected %lu\n", fn, nwrite, buf_len);
+
+ if (fclose(fp) != 0)
+ lose("Error closing %s: %s\n", fn, strerror(errno));
+
+ if (secret && chmod(fn, S_IRUSR) != 0)
+ lose("Error chmod'ing %s: %s\n", fn, strerror(errno));
+
+ return 0;
+
+fail:
+ (void)unlink(fn);
+ return -1;
+}
+
+static int logged_in = 0;
+static int pkey_login(void)
+{
+ if (!logged_in) {
+ hal_error_t err = HAL_OK;
+
+ if ((err = hal_rpc_client_init()) != HAL_OK)
+ lose("Error initializing RPC client: %s\n", hal_error_string(err));
+
+ if ((err = hal_rpc_login(client, HAL_USER_NORMAL, pin, strlen(pin))) != HAL_OK)
+ lose("Error logging into HSM: %s\n", hal_error_string(err));
+
+ logged_in = 1;
+ }
+ return 0;
+
+fail:
+ return -1;
+}
+
+static int pkey_logout(void)
+{
+ if (logged_in) {
+ hal_error_t err = HAL_OK;
+
+ if ((err = hal_rpc_logout(client)) != HAL_OK)
+ lose("Error logging out of HSM: %s\n", hal_error_string(err));
+
+ if ((err = hal_rpc_client_close()) != HAL_OK)
+ lose("Error shutting down RPC client: %s\n", hal_error_string(err));
+
+ logged_in = 0;
+ }
+ return 0;
+
+fail:
+ return -1;
+}
+
+static int pkey_open(const char * const key_name)
+{
+ hal_error_t err;
+ if (key_handle.handle == HAL_HANDLE_NONE) {
+ if ((err = hal_uuid_parse(&key_uuid, key_name)) != HAL_OK)
+ lose("Error parsing key name: %s\n", hal_error_string(err));
+ if ((err = hal_rpc_pkey_open(client, session, &key_handle, &key_uuid)) != HAL_OK)
+ lose("Error opening key: %s\n", hal_error_string(err));
+ }
+ return 0;
+
+fail:
+ key_handle.handle = HAL_HANDLE_NONE;
+ return -1;
+}
+
+static int pkey_load(const char * const fn, hal_pkey_handle_t *key_handle)
+{
+ size_t der_len = file_size(fn);
+ if (der_len == SIZE_MAX)
+ return -1;
+ uint8_t der[der_len];
+ if (file_read(fn, der, &der_len, sizeof(der)) == -1)
+ return -1;
+
+ hal_pkey_handle_t handle = {HAL_HANDLE_NONE};
+ hal_uuid_t uuid;
+ hal_error_t err;
+ if ((err = hal_rpc_pkey_load(client, session, &handle, &uuid,
+ der, der_len,
+ HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT)) != HAL_OK)
+ lose("Error loading key: %s\n", hal_error_string(err));
+
+ *key_handle = handle;
+
+ return 0;
+
+fail:
+ return -1;
+}
+
+static int pkey_gen_rsa(int argc, char *argv[])
+{
+ char usage[] = "Usage: generate rsa [-l keylen-in-bits] [-e exponent]";
+
+ unsigned keylen = 1024;
+ unsigned long exponent = 0x010001; /* default exponent, and the only one accepted by hal_rsa_key_gen */
+ uint8_t exp[sizeof(exponent)];
+
+ int opt;
+ while ((opt = getopt(argc, argv, "-l:e:xv")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the next command */
+ --optind;
+ goto done;
+ case 'l':
+ keylen = atoi(optarg);
+ break;
+ case 'e':
+ {
+ char *endptr;
+ exponent = (uint32_t)strtoul(optarg, &endptr, 0);
+ if (endptr == optarg || errno == ERANGE) {
+ printf("invalid exponent %s\n", optarg);
+ puts(usage);
+ return -1;
+ }
+ break;
+ }
+ case 'x':
+ flags |= HAL_KEY_FLAG_EXPORTABLE;
+ break;
+ case 'v':
+ flags &= ~HAL_KEY_FLAG_TOKEN;
+ break;
+ default:
+ puts(usage);
+ return -1;
+ }
+ }
+done:
+
+ for (int i = sizeof(exp) - 1; i >= 0; --i) {
+ exp[i] = exponent & 0xff;
+ exponent >>= 8;
+ }
+
+ struct timeval tv_start, tv_end, tv_diff;
+ if (info)
+ gettimeofday(&tv_start, NULL);
+
+ hal_error_t err;
+ if ((err = hal_rpc_pkey_generate_rsa(client, session, &key_handle, &key_uuid,
+ keylen, exp, sizeof(exp), flags)) != HAL_OK)
+ lose("Could not generate RSA private key: %s\n", hal_error_string(err));
+
+ if (info) {
+ gettimeofday(&tv_end, NULL);
+ timersub(&tv_end, &tv_start, &tv_diff);
+ printf("Info: %ldm%ld.%03lds to generate key\n",
+ (long)tv_diff.tv_sec / 60, (long)tv_diff.tv_sec % 60, (long)tv_diff.tv_usec / 1000);
+ }
+
+ char key_name[HAL_UUID_TEXT_SIZE];
+ if ((err = hal_uuid_format(&key_uuid, key_name, sizeof(key_name))) != HAL_OK)
+ lose("Error formatting private key name: %s\n", hal_error_string(err));
+ if (info)
+ printf("Private key name: %s\n", key_name);
+
+ return 0;
+
+fail:
+ if (key_handle.handle != HAL_HANDLE_NONE &&
+ (err = hal_rpc_pkey_delete(key_handle)) != HAL_OK)
+ printf("Error deleting private key: %s\n", hal_error_string(err));
+
+ key_handle.handle = HAL_HANDLE_NONE;
+
+ return -1;
+}
+
+static int pkey_gen_ec(int argc, char *argv[])
+{
+ char usage[] = "Usage: generate ec [-c curve]";
+
+ hal_curve_name_t curve = HAL_CURVE_P256;
+ hal_error_t err;
+ struct timeval tv_start, tv_end, tv_diff;
+
+ int opt;
+ while ((opt = getopt(argc, argv, "-c:xv")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the next command */
+ --optind;
+ goto done;
+ case 'c':
+ if (strcasecmp(optarg, "P256") == 0)
+ curve = HAL_CURVE_P256;
+ else if (strcasecmp(optarg, "P384") == 0)
+ curve = HAL_CURVE_P384;
+ else if (strcasecmp(optarg, "P521") == 0)
+ curve = HAL_CURVE_P521;
+ else {
+ printf("generate ec: invalid curve %s - must be one of P256, P384, P521\n", optarg);
+ return -1;
+ }
+ break;
+ case 'x':
+ flags |= HAL_KEY_FLAG_EXPORTABLE;
+ break;
+ case 'v':
+ flags &= ~HAL_KEY_FLAG_TOKEN;
+ break;
+ default:
+ puts(usage);
+ return -1;
+ }
+ }
+done:
+
+ if (info)
+ gettimeofday(&tv_start, NULL);
+
+ if ((err = hal_rpc_pkey_generate_ec(client, session, &key_handle, &key_uuid,
+ curve, flags)) != HAL_OK)
+ lose("Could not generate EC private key: %s\n", hal_error_string(err));
+
+ if (info) {
+ gettimeofday(&tv_end, NULL);
+ timersub(&tv_end, &tv_start, &tv_diff);
+ printf("Info: %ldm%ld.%03lds to generate key\n",
+ (long)tv_diff.tv_sec / 60, (long)tv_diff.tv_sec % 60, (long)tv_diff.tv_usec / 1000);
+ }
+
+ char key_name[HAL_UUID_TEXT_SIZE];
+ if ((err = hal_uuid_format(&key_uuid, key_name, sizeof(key_name))) != HAL_OK)
+ lose("Error formatting private key name: %s\n", hal_error_string(err));
+ if (info)
+ printf("Private key name: %s\n", key_name);
+
+ return 0;
+
+fail:
+ if (key_handle.handle != HAL_HANDLE_NONE &&
+ (err = hal_rpc_pkey_delete(key_handle)) != HAL_OK)
+ printf("Error deleting private key: %s\n", hal_error_string(err));
+
+ key_handle.handle = HAL_HANDLE_NONE;
+
+ return -1;
+}
+
+static int pkey_gen_hashsig(int argc, char *argv[])
+{
+ char usage[] = "Usage: generate hashsig [-L levels] [-h height] [-w Winternitz factor]";
+
+ unsigned L = 1, h = 5, w = 2;
+ hal_lms_algorithm_t lms_type;
+ hal_lmots_algorithm_t lmots_type;
+
+ int opt;
+ while ((opt = getopt(argc, argv, "-L:h:w:xv")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the next command */
+ --optind;
+ goto done;
+ case 'L':
+ L = atoi(optarg);
+ break;
+ case 'h':
+ h = atoi(optarg);
+ break;
+ case 'w':
+ w = atoi(optarg);
+ break;
+ case 'x':
+ flags |= HAL_KEY_FLAG_EXPORTABLE;
+ break;
+ case 'v':
+ flags &= ~HAL_KEY_FLAG_TOKEN;
+ break;
+ default:
+ puts(usage);
+ return -1;
+ }
+ }
+done:
+
+ switch (h) {
+ case 5:
+ lms_type = HAL_LMS_SHA256_N32_H5;
+ break;
+ case 10:
+ lms_type = HAL_LMS_SHA256_N32_H10;
+ break;
+ default:
+ printf("generate hashsig: invalid/unsupported h value %u\n", h);
+ return -1;
+ }
+
+ switch (w) {
+ case 1:
+ lmots_type = HAL_LMOTS_SHA256_N32_W1;
+ break;
+ case 2:
+ lmots_type = HAL_LMOTS_SHA256_N32_W2;
+ break;
+ case 4:
+ lmots_type = HAL_LMOTS_SHA256_N32_W4;
+ break;
+ case 8:
+ lmots_type = HAL_LMOTS_SHA256_N32_W8;
+ break;
+ default:
+ printf("generate hashsig: invalid w value %u\n", w);
+ return -1;
+ }
+
+ hal_error_t err;
+ struct timeval tv_start, tv_end, tv_diff;
+
+ if (info) {
+ printf("Info: signature length %lu, lmots private key length %lu\n",
+ hal_hashsig_signature_len(L, lms_type, lmots_type),
+ hal_hashsig_lmots_private_key_len(lmots_type));
+ gettimeofday(&tv_start, NULL);
+ }
+
+ if ((err = hal_rpc_pkey_generate_hashsig(client, session, &key_handle, &key_uuid,
+ L, lms_type, lmots_type, flags)) != HAL_OK)
+ lose("Error generating private key: %s\n", hal_error_string(err));
+
+ if (info) {
+ gettimeofday(&tv_end, NULL);
+ timersub(&tv_end, &tv_start, &tv_diff);
+ long per_key = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / (L * (1 << h));
+ printf("Info: %ldm%ld.%03lds to generate key (%ld.%03lds per lmots key)\n",
+ (long)tv_diff.tv_sec / 60, (long)tv_diff.tv_sec % 60, (long)tv_diff.tv_usec / 1000,
+ (long)per_key / 1000000, ((long)per_key % 1000000) / 1000);
+ }
+
+ char key_name[HAL_UUID_TEXT_SIZE];
+ if ((err = hal_uuid_format(&key_uuid, key_name, sizeof(key_name))) != HAL_OK)
+ lose("Error formatting private key name: %s\n", hal_error_string(err));
+ if (info)
+ printf("Private key name: %s\n", key_name);
+
+ return 0;
+
+fail:
+ if (key_handle.handle != HAL_HANDLE_NONE &&
+ (err = hal_rpc_pkey_delete(key_handle)) != HAL_OK)
+ printf("Error deleting private key: %s\n", hal_error_string(err));
+
+ key_handle.handle = HAL_HANDLE_NONE;
+
+ return -1;
+}
+
+static int pkey_generate(int argc, char *argv[])
+{
+ char usage[] = "Usage: generate [-x (exportable)] [-v (volatile keystore)] rsa|ec|hashsig";
+
+ int opt;
+ while ((opt = getopt(argc, argv, "-xv")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the keytype argument */
+ --optind;
+ goto done;
+ case 'x':
+ flags |= HAL_KEY_FLAG_EXPORTABLE;
+ break;
+ case 'v':
+ flags &= ~HAL_KEY_FLAG_TOKEN;
+ break;
+ default:
+ puts(usage);
+ return -1;
+ }
+ }
+done:
+
+ if (optind < argc) {
+ optarg = argv[optind++];
+ if (strcmp(optarg, "rsa") == 0)
+ return pkey_gen_rsa(argc, argv);
+ else if (strcmp(optarg, "ec") == 0)
+ return pkey_gen_ec(argc, argv);
+ else if (strcmp(optarg, "hashsig") == 0)
+ return pkey_gen_hashsig(argc, argv);
+ else {
+ printf("generate: unknown key type %s\n", optarg);
+ puts(usage);
+ return -1;
+ }
+ }
+ else {
+ printf("generate: missing key type\n");
+ puts(usage);
+ return -1;
+ }
+}
+
+static int pkey_list(int argc, char *argv[])
+{
+ char usage[] = "Usage: list [-t type] [-c curve] [-y keystore]";
+
+ int type_rsa = 0, type_ec = 0, type_hashsig = 0;
+
+ int opt;
+ while ((opt = getopt(argc, argv, "-t:")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the next command */
+ --optind;
+ goto done;
+ case 't':
+ if (strcasecmp(optarg, "rsa") == 0)
+ type_rsa = 1;
+ else if (strcasecmp(optarg, "ec") == 0)
+ type_ec = 1;
+ else if (strcasecmp(optarg, "hashsig") == 0)
+ type_hashsig = 1;
+ else
+ lose("unsupported key type %s, expected 'rsa', 'ec', or 'hashsig'\n", optarg);
+ break;
+ default:
+ puts(usage);
+ return -1;
+ }
+ }
+done:
+
+ if (type_rsa == 0 && type_ec == 0 && type_hashsig == 0)
+ type_rsa = type_ec = type_hashsig = 1;
+
+ char key_name[HAL_UUID_TEXT_SIZE];
+ hal_uuid_t previous_uuid = {{0}};
+ hal_pkey_handle_t pkey;
+ hal_curve_name_t curve;
+ hal_key_flags_t flags;
+ unsigned n, state = 0;
+ hal_uuid_t uuids[50];
+ hal_key_type_t type;
+ hal_error_t err;
+ int done = 0;
+
+ while (!done) {
+
+ if ((err = hal_rpc_pkey_match(client, session, HAL_KEY_TYPE_NONE, HAL_CURVE_NONE,
+ 0, 0, NULL, 0, &state, uuids, &n,
+ sizeof(uuids)/sizeof(*uuids),
+ &previous_uuid)) != HAL_OK) {
+ printf("Could not fetch UUID list: %s\n", hal_error_string(err));
+ return -1;
+ }
+
+ done = n < sizeof(uuids)/sizeof(*uuids);
+
+ if (!done)
+ previous_uuid = uuids[sizeof(uuids)/sizeof(*uuids) - 1];
+
+ for (unsigned i = 0; i < n; i++) {
+
+ if ((err = hal_uuid_format(&uuids[i], key_name, sizeof(key_name))) != HAL_OK) {
+ printf("Could not convert key name, skipping: %s\n",
+ hal_error_string(err));
+ continue;
+ }
+
+ if ((err = hal_rpc_pkey_open(client, session, &pkey, &uuids[i])) != HAL_OK) {
+ printf("Could not open key %s, skipping: %s\n",
+ key_name, hal_error_string(err));
+ continue;
+ }
+
+ if ((err = hal_rpc_pkey_get_key_type(pkey, &type)) != HAL_OK ||
+ (err = hal_rpc_pkey_get_key_curve(pkey, &curve)) != HAL_OK ||
+ (err = hal_rpc_pkey_get_key_flags(pkey, &flags)) != HAL_OK)
+ printf("Could not fetch metadata for key %s, skipping: %s\n",
+ key_name, hal_error_string(err));
+
+ if (err == HAL_OK)
+ err = hal_rpc_pkey_close(pkey);
+ else
+ (void) hal_rpc_pkey_close(pkey);
+
+ if (err != HAL_OK)
+ continue;
+
+ const char *type_name = "unknown";
+ switch (type) {
+ case HAL_KEY_TYPE_RSA_PRIVATE:
+ if (!type_rsa) continue;
+ type_name = "RSA private";
+ break;
+ case HAL_KEY_TYPE_RSA_PUBLIC:
+ if (!type_rsa) continue;
+ type_name = "RSA public";
+ break;
+ case HAL_KEY_TYPE_EC_PRIVATE:
+ if (!type_ec) continue;
+ type_name = "EC private";
+ break;
+ case HAL_KEY_TYPE_EC_PUBLIC:
+ if (!type_hashsig) continue;
+ type_name = "EC public";
+ break;
+ case HAL_KEY_TYPE_HASHSIG_PRIVATE:
+ if (!type_hashsig) continue;
+ type_name = "hashsig private";
+ break;
+ case HAL_KEY_TYPE_HASHSIG_PUBLIC:
+ if (!type_hashsig) continue;
+ type_name = "hashsig public";
+ break;
+ default:
+ continue;
+ }
+
+ const char *curve_name = "unknown";
+ switch (curve) {
+ case HAL_CURVE_NONE: curve_name = "none"; break;
+ case HAL_CURVE_P256: curve_name = "P-256"; break;
+ case HAL_CURVE_P384: curve_name = "P-384"; break;
+ case HAL_CURVE_P521: curve_name = "P-521"; break;
+ }
+
+ printf("name %s, type %s, ", key_name, type_name);
+ if (curve != HAL_CURVE_NONE)
+ printf("curve %s, ", curve_name);
+ printf("flags 0x%lx\n", (unsigned long) flags);
+ }
+ }
+
+ return 0;
+
+fail:
+ return -1;
+}
+
+/* Hash and PKCS #1 encode a message, because that's what RSA and ECDSA(?)
+ * expect to sign, rather than plaintext.
+ *
+ * Also, do the full hashing here, rather than passing a hash handle to
+ * sign/verify, because we may want to sign/verify repeatedly to get
+ * performance numbers.
+ */
+static int hash_message(uint8_t *digest, size_t *digest_len, const size_t digest_max)
+{
+ hal_error_t err;
+ hal_hash_handle_t hash;
+
+ if ((err = hal_rpc_hash_initialize(client, session, &hash, HAL_DIGEST_ALGORITHM_SHA256, NULL, 0)) != HAL_OK)
+ lose("sign: Error initializing hash: %s\n", hal_error_string(err));
+
+ if ((err = hal_rpc_hash_update(hash, msg, msg_len)) != HAL_OK)
+ lose("sign: Error updating hash: %s\n", hal_error_string(err));
+
+ extern hal_error_t hal_rpc_pkcs1_construct_digestinfo(const hal_hash_handle_t handle,
+ uint8_t *digest_info,
+ size_t *digest_info_len,
+ const size_t digest_info_max);
+ if ((err = hal_rpc_pkcs1_construct_digestinfo(hash, digest, digest_len, digest_max)) != HAL_OK)
+ lose("sign: Error constructing PKCS #1 DigestInfo: %s\n", hal_error_string(err));
+
+ return 0;
+
+fail:
+ return -1;
+}
+
+static int pkey_sign(int argc, char *argv[])
+{
+ char usage[] = "Usage: sign [-h (hash)] [-k keyname] [-m msgfile] [-s sigfile] [-n iterations]";
+
+ char *sig_fn = NULL;
+ unsigned n = 1;
+ int hash_msg = 0;
+
+ int opt;
+ while ((opt = getopt(argc, argv, "-hk:m:s:n:")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the next command */
+ --optind;
+ goto done;
+ case 'h':
+ hash_msg = 1;
+ break;
+ case 'k':
+ if (pkey_open(optarg) != 0)
+ return -1;
+ break;
+ case 'm':
+ if (file_read(optarg, msg, &msg_len, sizeof(msg)) != 0)
+ return -1;
+ break;
+ case 's':
+ sig_fn = optarg;
+ break;
+ case 'n':
+ n = atoi(optarg);
+ break;
+ default:
+ puts(usage);
+ return -1;
+ }
+ }
+done:
+
+ if (key_handle.handle == HAL_HANDLE_NONE) {
+ printf("sign: missing key\n");
+ puts(usage);
+ return -1;
+ }
+
+ if (msg_len == 0) {
+ printf("sign: missing message\n");
+ puts(usage);
+ return -1;
+ }
+
+ uint8_t *m = msg;
+ size_t mlen = msg_len;
+ uint8_t digest[128];
+ if (hash_msg && hash_message(m = digest, &mlen, sizeof(digest)) != 0)
+ goto fail;
+
+ struct timeval tv_start, tv_end, tv_diff;
+ if (info)
+ gettimeofday(&tv_start, NULL);
+
+ unsigned i;
+ for (i = 0; i < n; ++i) {
+ hal_error_t err;
+ if ((err = hal_rpc_pkey_sign(key_handle, hal_hash_handle_none,
+ m, mlen, sig, &sig_len, sizeof(sig))) != HAL_OK) {
+ if (i > 0 && err == HAL_ERROR_HASHSIG_KEY_EXHAUSTED)
+ break;
+ else
+ lose("Error signing (%d): %s\n", i, hal_error_string(err));
+ }
+ }
+
+ if (info) {
+ gettimeofday(&tv_end, NULL);
+ timersub(&tv_end, &tv_start, &tv_diff);
+ printf("Info: %ldm%ld.%03lds to generate %d signature%s of length %lu",
+ (long)tv_diff.tv_sec / 60, (long)tv_diff.tv_sec % 60, (long)tv_diff.tv_usec / 1000, i, ((i > 1) ? "s" : ""), sig_len);
+ if (i > 1) {
+ long per_sig = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / i;
+ printf(" (%ld.%03lds per signature)",
+ (long)per_sig / 1000000, ((long)per_sig % 1000000) / 1000);
+ }
+ printf("\n");
+ }
+
+ if (sig_fn != NULL && file_write(sig_fn, sig, sig_len, 0) != 0)
+ return -1;
+
+ return 0;
+
+fail:
+ return -1;
+}
+
+static int pkey_verify(int argc, char *argv[])
+{
+ char usage[] = "Usage: verify [-h (hash)] [-k keyname] [-m msgfile] [-s sigfile] [-n iterations]";
+
+ int hash_msg = 0;
+ unsigned n = 1;
+
+ int opt;
+ while ((opt = getopt(argc, argv, "-hk:m:s:n:")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the next command */
+ --optind;
+ goto done;
+ break;
+ case 'h':
+ hash_msg = 1;
+ break;
+ case 'k':
+ if (pkey_open(optarg) != 0)
+ return -1;
+ break;
+ case 'm':
+ if (file_read(optarg, msg, &msg_len, sizeof(msg)) != 0)
+ return -1;
+ break;
+ case 's':
+ if (file_read(optarg, sig, &sig_len, sizeof(sig)) != 0)
+ return -1;
+ break;
+ case 'n':
+ n = atoi(optarg);
+ break;
+ default:
+ puts(usage);
+ return -1;
+ }
+ }
+done:
+
+ if (key_handle.handle == HAL_HANDLE_NONE) {
+ printf("verify: missing key\n");
+ puts(usage);
+ return -1;
+ }
+
+ if (msg_len == 0) {
+ printf("verify: missing message\n");
+ puts(usage);
+ return -1;
+ }
+
+ if (sig_len == 0) {
+ printf("verify: missing signature\n");
+ puts(usage);
+ return -1;
+ }
+
+ uint8_t *m = msg;
+ size_t mlen = msg_len;
+ uint8_t digest[128];
+ if (hash_msg && hash_message(m = digest, &mlen, sizeof(digest)) != 0)
+ goto fail;
+
+ struct timeval tv_start, tv_end, tv_diff;
+ if (info)
+ gettimeofday(&tv_start, NULL);
+
+ unsigned i;
+ for (i = 0; i < n; ++i) {
+ hal_error_t err;
+ if ((err = hal_rpc_pkey_verify(key_handle, hal_hash_handle_none,
+ m, mlen, sig, sig_len)) != HAL_OK)
+ lose("Error verifying: %s\n", hal_error_string(err));
+ }
+
+ if (info) {
+ gettimeofday(&tv_end, NULL);
+ timersub(&tv_end, &tv_start, &tv_diff);
+ printf("Info: %ldm%ld.%03lds to verify %d signature",
+ (long)tv_diff.tv_sec / 60, (long)tv_diff.tv_sec % 60, (long)tv_diff.tv_usec / 1000, i);
+ if (i > 1) {
+ long per_sig = (tv_diff.tv_sec * 1000000 + tv_diff.tv_usec) / i;
+ printf("s (%ld.%03lds per verification)",
+ (long)per_sig / 1000000, ((long)per_sig % 1000000) / 1000);
+ }
+ printf("\n");
+ }
+
+ return 0;
+
+fail:
+ return -1;
+}
+
+static int pkey_export(int argc, char *argv[])
+{
+ char usage[] = "Usage: export [-k keyname] [-K kekekfile] [-o outfile]";
+
+ hal_pkey_handle_t kekek_handle = {HAL_HANDLE_NONE};
+ char *kekek_fn = NULL;
+ char *out_fn = NULL;
+
+ int opt;
+ while ((opt = getopt(argc, argv, "-k:K:o:")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the next command */
+ --optind;
+ goto done;
+ break;
+ case 'k':
+ if (pkey_open(optarg) != 0)
+ return -1;
+ break;
+ case 'K':
+ kekek_fn = optarg;
+ break;
+ case 'o':
+ out_fn = optarg;
+ break;
+ default:
+ puts(usage);
+ return -1;
+ }
+ }
+done:
+
+ if (key_handle.handle == HAL_HANDLE_NONE) {
+ printf("export: missing key\n");
+ puts(usage);
+ return -1;
+ }
+
+ if (kekek_fn == NULL) {
+ printf("export: missing kekek\n");
+ puts(usage);
+ return -1;
+ }
+
+ {
+ hal_error_t err;
+ char key_name[HAL_UUID_TEXT_SIZE];
+ if (out_fn == NULL) {
+ if ((err = hal_uuid_format(&key_uuid, key_name, sizeof(key_name))) != HAL_OK)
+ lose("Error formatting private key name: %s\n", hal_error_string(err));
+ out_fn = key_name;
+ }
+
+ if (pkey_load(kekek_fn, &kekek_handle) != 0)
+ goto fail;
+
+ uint8_t der[HAL_KS_WRAPPED_KEYSIZE]; size_t der_len;
+ uint8_t kek[HAL_KS_WRAPPED_KEYSIZE]; size_t kek_len;
+
+ if ((err = hal_rpc_pkey_export(key_handle, kekek_handle,
+ der, &der_len, sizeof(der),
+ kek, &kek_len, sizeof(kek))) != HAL_OK)
+ lose("Error exporting private key: %s\n", hal_error_string(err));
+
+ char fn[strlen(out_fn) + 5];
+ strcpy(fn, out_fn); strcat(fn, ".der");
+ if (file_write(fn, der, der_len, 1) != 0)
+ goto fail;
+
+ strcpy(fn, out_fn); strcat(fn, ".kek");
+ if (file_write(fn, kek, kek_len, 1) != 0)
+ goto fail;
+
+ if ((err = hal_rpc_pkey_delete(kekek_handle)) != HAL_OK)
+ lose("Could not delete key: %s\n", hal_error_string(err));
+ }
+
+ return 0;
+
+fail:
+ if (kekek_handle.handle != HAL_HANDLE_NONE)
+ (void)hal_rpc_pkey_delete(kekek_handle);
+
+ return -1;
+}
+
+static int pkey_import(int argc, char *argv[])
+{
+ char usage[] = "Usage: import [-K kekekfile] [-i infile] [-x (exportable)] [-v (volatile keystore)]";
+
+ hal_pkey_handle_t kekek_handle = {HAL_HANDLE_NONE};
+ char *kekek_fn = NULL;
+ char *in_fn = NULL;
+
+ int opt;
+ while ((opt = getopt(argc, argv, "-K:i:xv")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the next command */
+ --optind;
+ goto done;
+ break;
+ case 'K':
+ kekek_fn = optarg;
+ break;
+ case 'i':
+ in_fn = optarg;
+ break;
+ case 'x':
+ flags |= HAL_KEY_FLAG_EXPORTABLE;
+ break;
+ case 'v':
+ flags &= ~HAL_KEY_FLAG_TOKEN;
+ break;
+ default:
+ puts(usage);
+ return -1;
+ }
+ }
+done:
+
+ if (kekek_fn == NULL) {
+ printf("export: missing kekek\n");
+ puts(usage);
+ return -1;
+ }
+
+ if (in_fn == NULL) {
+ printf("export: missing infile\n");
+ puts(usage);
+ return -1;
+ }
+
+ if (pkey_load(kekek_fn, &kekek_handle) != 0)
+ goto fail;
+
+ {
+ char fn[strlen(in_fn) + 5];
+ strcpy(fn, in_fn); strcat(fn, ".der");
+ size_t der_len = file_size(fn);
+ if (der_len == SIZE_MAX)
+ goto fail;
+ uint8_t der[der_len];
+ if (file_read(fn, der, &der_len, sizeof(der)) != 0)
+ goto fail;
+
+ strcpy(fn, in_fn); strcat(fn, ".kek");
+ size_t kek_len = file_size(fn);
+ if (kek_len == SIZE_MAX)
+ goto fail;
+ uint8_t kek[kek_len];
+ if (file_read(fn, kek, &kek_len, sizeof(kek)) != 0)
+ goto fail;
+
+ hal_error_t err;
+ if ((err = hal_rpc_pkey_import(client, session,
+ &key_handle, &key_uuid,
+ kekek_handle,
+ der, der_len,
+ kek, kek_len,
+ flags)) != HAL_OK)
+ lose("Error importing private key: %s\n", hal_error_string(err));
+
+ char name_str[HAL_UUID_TEXT_SIZE];
+ if ((err = hal_uuid_format(&key_uuid, name_str, sizeof(name_str))) != HAL_OK)
+ lose("Error formatting private key name: %s\n", hal_error_string(err));
+ printf("New private key name: %s\n", name_str);
+
+ if ((err = hal_rpc_pkey_delete(kekek_handle)) != HAL_OK)
+ lose("Could not delete key: %s\n", hal_error_string(err));
+ }
+
+ return 0;
+
+fail:
+ if (kekek_handle.handle != HAL_HANDLE_NONE)
+ (void)hal_rpc_pkey_delete(kekek_handle);
+
+ return -1;
+}
+
+static int pkey_delete(int argc, char *argv[])
+{
+ char usage[] = "Usage: delete [-k keyname]";
+
+ int opt;
+ hal_error_t err;
+ while ((opt = getopt(argc, argv, "-k:")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the next command */
+ --optind;
+ goto done;
+ case 'k':
+ if (pkey_open(optarg) != 0)
+ return -1;
+ if ((err = hal_rpc_pkey_delete(key_handle)) != HAL_OK)
+ lose("Could not delete key: %s\n", hal_error_string(err));
+ key_handle.handle = HAL_HANDLE_NONE;
+ break;
+ default:
+ puts(usage);
+ return -1;
+ }
+ }
+done:
+
+ if (key_handle.handle != HAL_HANDLE_NONE) {
+ if ((err = hal_rpc_pkey_delete(key_handle)) != HAL_OK)
+ lose("Could not delete key: %s\n", hal_error_string(err));
+ key_handle.handle = HAL_HANDLE_NONE;
+ }
+
+ return 0;
+
+fail:
+ return -1;
+}
+
+int main(int argc, char *argv[])
+{
+ char usage[] = "Usage: %s [-i] [-p pin] generate|list|sign|verify|export|import|delete\n";
+
+ if (argc == 1) {
+ printf(usage, argv[0]);
+ return -1;
+ }
+
+ do {
+ int opt;
+ while ((opt = getopt(argc, argv, "-ip:")) != -1) {
+ switch (opt) {
+ case 1:
+ /* found the next command */
+ --optind;
+ goto done;
+ case 'i':
+ info = 1;
+ break;
+ case 'p':
+ pin = optarg;
+ break;
+ default:
+ printf(usage, argv[0]);
+ goto fail;
+ }
+ }
+ done:
+
+ if (pkey_login() != 0)
+ goto fail;
+
+ if (optind < argc) {
+ optarg = argv[optind++];
+ if (strcmp(optarg, "generate") == 0) {
+ if (pkey_generate(argc, argv) != 0)
+ goto fail;
+ }
+ else if (strcmp(optarg, "list") == 0) {
+ if (pkey_list(argc, argv) != 0)
+ goto fail;
+ }
+ else if (strcmp(optarg, "sign") == 0) {
+ if (pkey_sign(argc, argv) != 0)
+ goto fail;
+ }
+ else if (strcmp(optarg, "verify") == 0) {
+ if (pkey_verify(argc, argv) != 0)
+ goto fail;
+ }
+ else if (strcmp(optarg, "export") == 0) {
+ if (pkey_export(argc, argv) != 0)
+ goto fail;
+ }
+ else if (strcmp(optarg, "import") == 0) {
+ if (pkey_import(argc, argv) != 0)
+ goto fail;
+ }
+ else if (strcmp(optarg, "delete") == 0) {
+ if (pkey_delete(argc, argv) != 0)
+ goto fail;
+ }
+ else {
+ printf("unknown command '%s'\n", optarg);
+ printf(usage, argv[0]);
+ goto fail;
+ }
+ }
+ } while (optind < argc);
+
+ return pkey_logout();
+
+fail:
+ (void)pkey_logout();
+ return -1;
+}
diff --git a/uuid.c b/uuid.c
index 0a4d2d1..dacd031 100644
--- a/uuid.c
+++ b/uuid.c
@@ -71,14 +71,18 @@ hal_error_t hal_uuid_gen(hal_uuid_t *uuid)
hal_error_t hal_uuid_parse(hal_uuid_t *uuid, const char * const string)
{
static const char fmt[]
- = "%2hhx%2hhx%2hhx%2hhx-%2hhx%2hhx-%2hhx%2hhx-%2hhx%2hhx-%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx";
+ = "%2x%2x%2x%2x-%2x%2x-%2x%2x-%2x%2x-%2x%2x%2x%2x%2x%2x";
if (uuid == NULL || string == NULL ||
sscanf(string, fmt,
- uuid->uuid + 0, uuid->uuid + 1, uuid->uuid + 2, uuid->uuid + 3,
- uuid->uuid + 4, uuid->uuid + 5, uuid->uuid + 6, uuid->uuid + 7,
- uuid->uuid + 8, uuid->uuid + 9, uuid->uuid + 10, uuid->uuid + 11,
- uuid->uuid + 12, uuid->uuid + 13, uuid->uuid + 14, uuid->uuid + 15) != 16)
+ (unsigned *)(uuid->uuid + 0), (unsigned *)(uuid->uuid + 1),
+ (unsigned *)(uuid->uuid + 2), (unsigned *)(uuid->uuid + 3),
+ (unsigned *)(uuid->uuid + 4), (unsigned *)(uuid->uuid + 5),
+ (unsigned *)(uuid->uuid + 6), (unsigned *)(uuid->uuid + 7),
+ (unsigned *)(uuid->uuid + 8), (unsigned *)(uuid->uuid + 9),
+ (unsigned *)(uuid->uuid + 10), (unsigned *)(uuid->uuid + 11),
+ (unsigned *)(uuid->uuid + 12), (unsigned *)(uuid->uuid + 13),
+ (unsigned *)(uuid->uuid + 14), (unsigned *)(uuid->uuid + 15)) != 16)
return HAL_ERROR_BAD_ARGUMENTS;
return HAL_OK;
@@ -87,16 +91,20 @@ hal_error_t hal_uuid_parse(hal_uuid_t *uuid, const char * const string)
hal_error_t hal_uuid_format(const hal_uuid_t * const uuid, char *buffer, const size_t buffer_len)
{
static const char fmt[]
- = "%02hhx%02hhx%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx";
+ = "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x";
if (uuid == NULL || buffer == NULL || buffer_len < HAL_UUID_TEXT_SIZE)
return HAL_ERROR_BAD_ARGUMENTS;
if (snprintf(buffer, buffer_len, fmt,
- uuid->uuid[ 0], uuid->uuid[ 1], uuid->uuid[ 2], uuid->uuid[ 3],
- uuid->uuid[ 4], uuid->uuid[ 5], uuid->uuid[ 6], uuid->uuid[ 7],
- uuid->uuid[ 8], uuid->uuid[ 9], uuid->uuid[10], uuid->uuid[11],
- uuid->uuid[12], uuid->uuid[13], uuid->uuid[14], uuid->uuid[15]) != HAL_UUID_TEXT_SIZE - 1)
+ (unsigned)uuid->uuid[ 0], (unsigned)uuid->uuid[ 1],
+ (unsigned)uuid->uuid[ 2], (unsigned)uuid->uuid[ 3],
+ (unsigned)uuid->uuid[ 4], (unsigned)uuid->uuid[ 5],
+ (unsigned)uuid->uuid[ 6], (unsigned)uuid->uuid[ 7],
+ (unsigned)uuid->uuid[ 8], (unsigned)uuid->uuid[ 9],
+ (unsigned)uuid->uuid[10], (unsigned)uuid->uuid[11],
+ (unsigned)uuid->uuid[12], (unsigned)uuid->uuid[13],
+ (unsigned)uuid->uuid[14], (unsigned)uuid->uuid[15]) != HAL_UUID_TEXT_SIZE - 1)
return HAL_ERROR_RESULT_TOO_LONG;
return HAL_OK;
diff --git a/verilog_constants.h b/verilog_constants.h
index 8735b12..db75294 100644
--- a/verilog_constants.h
+++ b/verilog_constants.h
@@ -9,6 +9,8 @@
*
* Authors: Joachim Strombergson, Paul Selkirk, Rob Austein
* Copyright (c) 2015-2017, NORDUnet A/S All rights reserved.
+ * Copyright: 2020, The Commons Conservancy Cryptech Project
+ * SPDX-License-Identifier: BSD-3-Clause
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -20,9 +22,9 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * - Neither the name of the NORDUnet nor the names of its contributors may
- * be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * - Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
@@ -257,6 +259,48 @@
#define MODEXPA7_MODE_PLAIN (0 << 1)
/*
+ * ModExpNG core
+ */
+#define MODEXPNG_OPERAND_BITS (4096)
+#define MODEXPNG_OPERAND_BYTES (MODEXPNG_OPERAND_BITS / 8)
+#define MODEXPNG_OPERAND_WORDS (MODEXPNG_OPERAND_BITS / 32)
+#define MODEXPNG_ADDR_NAME0 ADDR_NAME0
+#define MODEXPNG_ADDR_NAME1 ADDR_NAME1
+#define MODEXPNG_ADDR_VERSION ADDR_VERSION
+#define MODEXPNG_ADDR_CONTROL ADDR_CTRL
+#define MODEXPNG_ADDR_STATUS ADDR_STATUS
+#define MODEXPNG_ADDR_MODE (0x10)
+#define MODEXPNG_ADDR_MODULUS_BITS (0x11)
+#define MODEXPNG_ADDR_EXPONENT_BITS (0x12)
+#define MODEXPNG_ADDR_BANK_BITS (0x13)
+#define MODEXPNG_ADDR_NUM_MULTS (0x14)
+
+#define MODEXPNG_ADDR_BANK_M (1 * 0x400 + 0 * 0x80)
+#define MODEXPNG_ADDR_BANK_N (1 * 0x400 + 1 * 0x80)
+#define MODEXPNG_ADDR_BANK_N_FACTOR (1 * 0x400 + 2 * 0x80)
+#define MODEXPNG_ADDR_BANK_N_COEFF (1 * 0x400 + 3 * 0x80)
+#define MODEXPNG_ADDR_BANK_X (1 * 0x400 + 5 * 0x80)
+#define MODEXPNG_ADDR_BANK_Y (1 * 0x400 + 6 * 0x80)
+
+#define MODEXPNG_ADDR_BANK_D (2 * 0x400 + 0 * 0x80)
+#define MODEXPNG_ADDR_BANK_P (2 * 0x400 + 1 * 0x80)
+#define MODEXPNG_ADDR_BANK_DP (2 * 0x400 + 3 * 0x40)
+#define MODEXPNG_ADDR_BANK_P_FACTOR (2 * 0x400 + 2 * 0x80)
+#define MODEXPNG_ADDR_BANK_P_COEFF (2 * 0x400 + 3 * 0x80)
+#define MODEXPNG_ADDR_BANK_Q (2 * 0x400 + 4 * 0x80)
+#define MODEXPNG_ADDR_BANK_DQ (2 * 0x400 + 9 * 0x40)
+#define MODEXPNG_ADDR_BANK_Q_FACTOR (2 * 0x400 + 5 * 0x80)
+#define MODEXPNG_ADDR_BANK_Q_COEFF (2 * 0x400 + 6 * 0x80)
+#define MODEXPNG_ADDR_BANK_QINV (2 * 0x400 + 7 * 0x80)
+
+#define MODEXPNG_ADDR_BANK_S (3 * 0x400 + 0 * 0x80)
+#define MODEXPNG_ADDR_BANK_XM (3 * 0x400 + 1 * 0x80)
+#define MODEXPNG_ADDR_BANK_YM (3 * 0x400 + 2 * 0x80)
+
+#define MODEXPNG_MODE_CRT (1 << 1)
+#define MODEXPNG_MODE_PLAIN (0 << 1)
+
+/*
* ECDSA P-256 point multiplier core. ECDSA256_OPERAND_BITS is size
* in bits of the (only) supported operand size (256 bits, imagine that).
*
diff --git a/xdr.c b/xdr.c
index 9a958ac..92c2b64 100644
--- a/xdr.c
+++ b/xdr.c
@@ -35,7 +35,6 @@
#include <stdio.h>
#include <stdint.h>
-#include <stddef.h> /* ptrdiff_t */
#include <string.h> /* memcpy, memset */
#include "hal.h"
@@ -50,11 +49,10 @@
hal_error_t hal_xdr_encode_int(uint8_t ** const outbuf, const uint8_t * const limit, const uint32_t value)
{
/* arg checks */
- if (outbuf == NULL || *outbuf == NULL || limit == NULL)
- return HAL_ERROR_BAD_ARGUMENTS;
+ hal_assert(outbuf != NULL && *outbuf != NULL && limit != NULL && limit >= *outbuf);
/* buffer overflow check */
- if (limit - *outbuf < (ptrdiff_t)sizeof(value))
+ if ((size_t)(limit - *outbuf) < sizeof(value))
return HAL_ERROR_XDR_BUFFER_OVERFLOW;
**(uint32_t **)outbuf = htonl(value);
@@ -66,11 +64,10 @@ hal_error_t hal_xdr_encode_int(uint8_t ** const outbuf, const uint8_t * const li
hal_error_t hal_xdr_decode_int_peek(const uint8_t ** const inbuf, const uint8_t * const limit, uint32_t *value)
{
/* arg checks */
- if (inbuf == NULL || *inbuf == NULL || limit == NULL || value == NULL)
- return HAL_ERROR_BAD_ARGUMENTS;
+ hal_assert(inbuf != NULL && *inbuf != NULL && limit != NULL && limit >= *inbuf && value != NULL);
/* buffer overflow check */
- if (limit - *inbuf < (ptrdiff_t)sizeof(*value))
+ if ((size_t)(limit - *inbuf) < sizeof(*value))
return HAL_ERROR_XDR_BUFFER_OVERFLOW;
*value = ntohl(**(uint32_t **)inbuf);
@@ -94,15 +91,14 @@ hal_error_t hal_xdr_decode_int(const uint8_t ** const inbuf, const uint8_t * con
hal_error_t hal_xdr_encode_fixed_opaque(uint8_t ** const outbuf, const uint8_t * const limit, const uint8_t * const value, const size_t len)
{
- if (len == 0)
- return HAL_OK;
-
/* arg checks */
- if (outbuf == NULL || *outbuf == NULL || limit == NULL || value == NULL)
- return HAL_ERROR_BAD_ARGUMENTS;
+ hal_assert(outbuf != NULL && *outbuf != NULL && limit != NULL && limit >= *outbuf && (value != NULL || len == 0));
/* buffer overflow check */
- if (limit - *outbuf < (ptrdiff_t)((len + 3) & ~3))
+ /* We need to explicitly check (len > 0xfffffffc) because padding will
+ * round it up to 0.
+ */
+ if ((len > 0xfffffffc) || ((size_t)(limit - *outbuf) < ((len + 3) & ~3)))
return HAL_ERROR_XDR_BUFFER_OVERFLOW;
/* write the data */
@@ -110,11 +106,8 @@ hal_error_t hal_xdr_encode_fixed_opaque(uint8_t ** const outbuf, const uint8_t *
*outbuf += len;
/* pad if necessary */
- if (len & 3) {
- size_t n = 4 - (len & 3);
- memset(*outbuf, 0, n);
- *outbuf += n;
- }
+ for (size_t i = len; (i & 3) != 0; ++i)
+ *((*outbuf)++) = 0;
return HAL_OK;
}
@@ -122,11 +115,10 @@ hal_error_t hal_xdr_encode_fixed_opaque(uint8_t ** const outbuf, const uint8_t *
hal_error_t hal_xdr_decode_fixed_opaque_ptr(const uint8_t ** const inbuf, const uint8_t * const limit, const uint8_t ** const value, const size_t len)
{
/* arg checks */
- if (inbuf == NULL || *inbuf == NULL || limit == NULL || value == NULL)
- return HAL_ERROR_BAD_ARGUMENTS;
+ hal_assert(inbuf != NULL && *inbuf != NULL && limit != NULL && limit >= *inbuf && value != NULL);
/* buffer overflow check */
- if (limit - *inbuf < (ptrdiff_t)len)
+ if ((size_t)(limit - *inbuf) < len)
return HAL_ERROR_XDR_BUFFER_OVERFLOW;
/* return a pointer to the data */
@@ -180,8 +172,7 @@ hal_error_t hal_xdr_decode_variable_opaque_ptr(const uint8_t ** const inbuf, con
uint32_t xdr_len;
/* arg checks */
- if (len == NULL)
- return HAL_ERROR_BAD_ARGUMENTS;
+ hal_assert(len != NULL);
/* read length */
if ((err = hal_xdr_decode_int(inbuf, limit, &xdr_len)) == HAL_OK) {
@@ -199,16 +190,19 @@ hal_error_t hal_xdr_decode_variable_opaque_ptr(const uint8_t ** const inbuf, con
/* This version copies the data to the user-supplied buffer.
* It is used in the rpc client.
*/
-hal_error_t hal_xdr_decode_variable_opaque(const uint8_t ** const inbuf, const uint8_t * const limit, uint8_t * const value, size_t * const len)
+hal_error_t hal_xdr_decode_variable_opaque(const uint8_t ** const inbuf, const uint8_t * const limit, uint8_t * const value, size_t * const len, const size_t len_max)
{
hal_error_t err;
size_t xdr_len;
const uint8_t *p;
+ /* arg checks */
+ hal_assert(value != NULL && len != NULL && len_max != 0);
+
/* read data pointer and length */
if ((err = hal_xdr_decode_variable_opaque_ptr(inbuf, limit, &p, &xdr_len)) == HAL_OK) {
/* user buffer overflow check */
- if (*len < xdr_len)
+ if (len_max < xdr_len)
return HAL_ERROR_XDR_BUFFER_OVERFLOW;
/* read the data */
memcpy(value, p, xdr_len);
diff --git a/xdr_internal.h b/xdr_internal.h
index aa3a1e9..6cdc064 100644
--- a/xdr_internal.h
+++ b/xdr_internal.h
@@ -68,7 +68,7 @@ hal_error_t hal_xdr_encode_variable_opaque(uint8_t ** const outbuf,
hal_error_t hal_xdr_decode_variable_opaque(const uint8_t ** const inbuf,
const uint8_t * const limit,
uint8_t * const value,
- size_t * const len);
+ size_t * const len, const size_t len_max);
hal_error_t hal_xdr_decode_variable_opaque_ptr(const uint8_t ** const inbuf,
const uint8_t * const limit,