Age | Commit message | Author |
|
Various fixes extracted from the abandoned(-for-now?) reuse-cores
branch, principally:
* Change hal_core_alloc*() to support core reuse and to pick the
least-recently-used core of a particular type otherwise;
* Replace assert() and printf() calls with hal_assert() and hal_log(),
respectively. assert() is particularly useless on the HSM, since it
sends its error message into hyperspace then hangs the HSM.
|
Aside from not really needing to use every crayon in the box, using a
simpler control structure makes exceptions behave more as one expects.
|
Generating new RSA blinding factors turns out to be relatively
expensive, but we can amortize that cost by maintaining a small cache
and simply mutating old values after each use with a cheaper
operation. Squaring works, pretty much by definition.

Blinding factors are only sort-of-sensitive: we don't want them to
leak out of the HSM, but they're only based on the public modulus, not
the private key components, and we're only using them to foil side
channel attacks, so the risk involved in caching them seems small.

For the moment, the cache is very small, since we only care about this
for bulk signature operations. Tune this later if it becomes an issue.
|
hal_ks_fetch() was written as lock-at-the-top, unlock-at-the-bottom to
keep it as simple as possible, but this turns out to have bad
performance implications when unwrapping the key is slow. So now we
grab the wrapped key, release the lock, then unwrap, which should be
safe enough given that hal_ks_fetch() is read-only. This lets us make
better use of multiple AES cores to unwrap in parallel when we have
multiple active clients.
|
generation and deletion.
|
add ability to export public key to xdr for interop testing
|
premature optimization.
|
Copy ContextManagedUnpacker from latest version of libhal.py so that
this script won't depend on the current development code.
|
At the moment this only handles RSA keys, and can only handle one size
of key at a time. More bells and whistles will follow eventually,
now that the basic asynchronous API to our RPC protocol works.
|
Failing to clear the temporary buffer used to transfer bits from the
TRNG into a bignum was a real leak of something very close to keying
material, albeit only onto the local stack where it was almost certain
to have been overwritten by subsequent operations (generation of other
key components, wrap and PKCS #8 encoding) before pkey_generate_rsa()
ever returned to its caller. Still, bad coder, no biscuit.

Failing to clear the remainders array was probably harmless, but
doctrine says clear it anyway.
|
contextlib is cute, but incompatible with other coroutine schemes like
Tornado, so just write our own context manager for xdrlib.Unpacker.
|
add ability to export public key to xdr for interop testing
|
premature optimization.
|
Uncoordinated attempts to allocate two modexpa7 cores lead to deadlock if
multiple clients try to do concurrent RSA signing operations.

The simplest solution (back off and retry) could theoretically lead to
resource starvation, but we haven't seen it in actual testing.
|
This branch was sitting for long enough that master had been through a
cleanup pass, so beware of accidental reversions.
|
values.
|
Snapshot of mostly but not entirely working code to include the extra
ModExpA7 key components in the keystore. Need to investigate whether
a more compact representation is practical for these components, as
the current one bloats the key object so much that a bare 4096-bit key
won't fit in a single hash block, and there may not be enough room for
PKCS #11 attributes even for smaller keys.

If a more compact representation is not possible or is insufficient, the other
option is to double the size of a keystore object, making it two flash
subsectors for a total of 8192 octets. Which would of course halve
the number of keys we can store and require a bunch of little tweaks
all through the ks code (particularly flash erase), so definitely
worth trying for a more compact representation first.
|