aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-03-04Don't use assert() for point-on-curve checks.Rob Austein
The stock assert() implementation turns out to be problematic in the stm32 environment, due to the lack of an output device, which makes "assert(foo)" equivalent to "if (!foo) abort()", leading to silent hangs. We probably ought to reimplement assert() to do something more useful, but, for now, avoid using it for "impossible" conditions which we do seem to be triggering anyway, like the occasional point-not-on-curve errors we get for points we ourselves have picked when testing multiple ECDSA clients in parallel. This should never happen, and we need to figure out what's causing it, but hanging the HSM when it happens does not help very much. assert() is somewhat problematic in an embedded environment in any case, since anything that can go wrong really should have some kind of recovery action, but in some of the low-probability cases it's far from obvious what sane recovery action we could possibly take.
2017-03-03Fix race condition in pkey_slot allocation.Rob Austein
2017-03-03Doh! Works better if one tests the right status bit.Rob Austein
2017-03-02Merge branch 'pymux' into hw_ecdsa_p256Rob Austein
2017-03-02Fix dumb copy/paste errors.Rob Austein
2017-03-02Refactor to add P384 support. Untested.Rob Austein
2017-03-01Merge ECDSA private key fix from branch ksng into branch pymux.Rob Austein
2017-03-01Compute public key if necessary when loading a private key.Rob Austein
libhal and PKCS #11 have slightly different models of private keys: in libhal, a "private key" object is really a keypair, while in PKCS #11 a private key really is a naked private key. This was a deliberate design decision in libhal, both for simplicity and to better support user interfaces other than PKCS #11, so we'd rather not change it. This difference doesn't matter very much for RSA keys in PKCS #11, where the private key components are a superset of the public key components anyway, but the PKCS #11 template for ECDSA private keys doesn't allow setting public key components with C_CreateObject(). Fortunately, computing the public components of an ECDSA key pair from the private key is straightforward, so we just do that when needed.
2017-02-27Compile-time configuration of software-only hash cores.Rob Austein
2017-02-27Track change to stm32 keystore API.Rob Austein
2017-02-14Erase new head of free list in ks_store().Rob Austein
2017-02-14Merge branch 'pymux' of git.cryptech.is:sw/libhal into pymuxRob Austein
Merge Paul's review comments.
2017-02-13Add some comments for things I figured out while reviewing code.Paul Selkirk
2017-02-03Unit test cleanup.Rob Austein
Log exceptions immediately when failing a test; doesn't replace backtrace at end of test run, but since a full test run can take a while it's useful to know what failed closer to when it happened. More conditionals to skip tests which require external Python crypto packages when those packages aren't installed.
2017-02-03Debug logging for pkey open/close/delete events.Rob Austein
2017-02-03Clean up csprng driver.Rob Austein
2017-02-02Add locking around keystore operations.Rob Austein
2017-01-31Enable low-level debugging support in libhal.py.Rob Austein
2017-01-26First attempt at using Pavel's ecdsa256 core. Not working yet.Rob Austein
Attempts to use Pavel's ecdsa256 base point multiplier instead of software point multiplier when selecting new random points (that is, when generating P-256 keys or P-256 signatures). Resulting points pass the point validation test (point_is_on_curve()) but the resulting signatures are invalid. Don't know why yet. Seems like an odd combination, as one would expect random garbage to fail validation. In any case: this commit is intended to archive progress so far, and perhaps see if somebody else can spot what's wrong. As presently coded, this wouldn't be suitable for production use even if it worked. NB: As I understand it, the ecdsa256 core is *not* a general purpose point multiplier even just for the P-256 curve. Rather, it is strictly a base point multiplier: it takes a single scalar as input, and returns the X,Y affine coordinates of the curve's base point multiplied by that scalar. This is essentially the eliptic curve portion of the computation involved in picking a random point for key or signature generation, but is not useful for signature validation. See the README.md in Pavel's source repository for further details.
2017-01-12Probing wants a brief delay after probe string on some machines.Rob Austein
Probably reached the point of diminishing returns for trying to get probing to work better. Best option, where practical, is to avoid probing completely; when necessary, best run it once then avoid repeating it. cryptech_muxd will probe if requested, but probing is never going to be reliable. Dedicated VID:PID would be much better.
2017-01-12Finish logging code, skip initialization for missing devices.Rob Austein
2017-01-12Refactor and simplify, whole program fits on one screen now.Rob Austein
2017-01-11Cleanup.Rob Austein
2017-01-11Add internal port probing code (like running cryptech_probe first).Rob Austein
Internal probe code mostly works, probably about as well as cryptech_probe ever did, but almost certainly needs timeouts around its I/O calls, and perhaps additional error handling. At the moment, it works except when it doesn't, just like cryptech_probe. Some day we'll get away from this kludge, but not today.
2017-01-10Handle connection close events properly, use logging library.Rob Austein
2017-01-05Whack multiplexer to handle console too.Rob Austein
Renamed multiplexer to cryptech_muxd, since it now handles both RPC and CTY. Added new program cryptech_console to act as client for CTY multiplexer. Might want to add console logging capability eventually, not today. Probably want to incorporate UART probing (what cryptech_probe does now) eventually, also not today.
2017-01-04Convert "daemon" mode of C client code to use Python RPC MUX.Rob Austein
2016-12-28Experimental libhal RPC MUX based on PySerial and Tornado.Rob Austein
This is a work in progress, so far it only works with libhal.py client, haven't adapted libhal C client code for this yet. General idea is to let PySerial and Tornado handle all the pesky work of dealing with Unix serial ports, PF_LOCAL connection management, select() vs epoll() vs kqueue() vs ... I/O management, etcetera. We could do this with just PySerial and the Python standard libraries, but using Tornado allows us to do it in a single process, without threading, and also leaves the door open for consolidating other HSM management functions (eg, console access) into the same single daemon process. For the moment we're using SLIP framing over a SOCK_STREAM connection, which is a bit silly but avoids the problem of OSX not supporting SOCK_SEQPACKET. In the long run we're going to want a real channel security protocol here, so don't sweat this too much right now.
2016-12-21Add hal_ks_init_read_only_pins_only() so bootloader can use PINs.Rob Austein
2016-12-19Merge broke forced selection of software-only hash cores in client builds.Rob Austein
2016-12-19Merge branch 'master' into ksngRob Austein
2016-11-22Clean up ks_set_attributes() a bit.Rob Austein
Fixed handling of deletion actions: code was still using the zero-length attribute convention instead of HAL_PKEY_ATTRIBUTE_NIL. Track existing attributes more closely while copying data from old chunks to new ones in the slow path: the old algorithm had a few dangerous corner cases which could have resulted in the wrong values being written to the new chunks. Single-block-update fast path now under compile-time conditional; in the long run, we probably want this enabled, but it's disabled for now in order to force use and testing of the slow path. This function probably needs to be broken up into a collection of smaller inline functions for readability.
2016-11-21Whack attribute code with a club until it works with PKCS #11.Rob Austein
PKCS #11 supports zero-length attributes (eg, CKA_LABEL) so hack of using zero length attribute as NIL value won't work, instead we use a slightly more portable version of the hack PKCS #11 uses (PKCS #11 stuffs -1 into a CK_ULONG, we stuff 0xFFFFFFFF into a uint32_t). ks_attribute.c code was trying too hard and tripping over its own socks. Instead of trying to maintain attributes[] in place during modification, we now perform the minimum necessary change then re-scan the block. This is (very slightly) slower but more robust, both because the scan code has better error checking and because it's the scan code that we want to be sure is happy before committing a change. Rename hal_rpc_pkey_attribute_t to hal_pkey_attribute_t.
2016-11-21pkey_match() should just skip keys it lacks permission to read.Rob Austein
2016-11-20Move UUID utilities to hal.h; change attribute values to (const void *).Rob Austein
2016-11-19Support queries for attribute length and presence.Rob Austein
Calling hal_rpc_pkey_get_attributes() with attribute_buffer_len = 0 now changes the return behavior so that it reports the lengths of attributes listed in the query, with a length of zero for attributes not present at all. This is mostly to support C_GetAttributeValue() in PKCS #11, but we also use it to make the Python interface a bit kinder to the user.
2016-11-15Allow keystore reinitialization without re-allocating static memory.Rob Austein
Wiping the keystore flash requires reinitializing the keystore, but we don't want to allocate new static memory when we do this.
2016-11-14Tweak pkey access control to allow wheel to see keys.Rob Austein
The current pkey access control rules are a bit complex, because they need to support the somewhat complex rules required by PKCS #11. This is fine, as far as it goes, but a strict interpretation leaves HAL_USER_NORMAL as the only user able to see many keys. This is confusing when using the CLI, to put it mildly. HAL_USER_WHEEL is intended for exactly this sort of thing: it's a user ID which, by definition, can never appear in an RPC call from PKCS to see the same keys that HAL_USER_NORMAL would. HAL_USER_SO remains restricted per the PKCS #11 rules.
2016-11-14More API cleanup: remove hal_rpc_pkey_list().Rob Austein
hal_rpc_pkey_list() was a simplistic solution that worked when the keystore only supported a handful of keys and we needed a quick temporary solution in time for a workshop. It doesn't handle large numbers of keys well, and while we could fix that, all of its functionality is now available via more robust API functions, so simplifying the API by deleting it seems best. Since this change required mucking with dispatch vectors yet again, it converts them to use C99 "designated initializer" syntax.
2016-11-14hal_rpc_pkey_find() -> hal_rpc_pkey_open().Rob Austein
2016-11-14Remove now-gratuitous check which kept attribute deletion from working.Rob Austein
This check made sense when attribute deletion was a separate operation, but now that it has been folded into set_attributes(), this check was worse than useless.
2016-11-11Drag C pkey test code up to current RPC API.Rob Austein
2016-11-10Clean out huge swacks of RPC API we don't need anymore.Rob Austein
pkey attribute API is now just set_attributes() and get_attributes().
2016-11-10First cut at ks_flash support for attribute get/set/delete API.Rob Austein
Passes minimal unit-testing and the same minimal tests report that it does deliver the desired performance speed-up. More testing and much cleanup still needed. Attribute API not quite stable yet, we're probably going to want to remove all the singleton attribute operations from the RPC protocol, and it turns out that ks_delete_attributes() has enough code in common with ks_set_attributes() that it makes more sense to handle the former as a special case of the latter.
2016-11-08First cut at multi-attribute get/set/delete API.Rob Austein
This is not yet complete, only the ks_volatile driver supports it, ks_flash will be a bit more complicated and isn't written yet. At the moment, this adds a complete duplicate set of {set,get,delete}_attributes() functions in parallel to the earlier {set,get,delete}_attribute() functions. We will almost certainly want to get rid of the duplicates, probably (but not necessarily) the entire single-attribute suite. At the moment, though, we want both sets so we can compare execution speeds of the two sets of functions.
2016-11-05Add hal_rpc_pkey_match() tests to C client test code.Rob Austein
2016-11-05Debug most recent changes to C client RPC API.Rob Austein
2016-11-05Add attribute read timing tests.Rob Austein
Result of running all these timing tests is about what theory would have predicted: read time does not vary significantly between RAM and flash, but write time sure does.
2016-11-05ks_list() was returning garbage for keys not visible to current session.Rob Austein
2016-11-04.set_attribute() speed tests.Rob Austein