aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-06-03Add --soft-backup option to cryptech_backup.Rob Austein
cryptech_backup is designed to help the user transfer keys from one Cryptech HSM to another, but what is is a user who has no second HSM supposed to do for backup? The --soft-backup option enables a mode in which cryptech_backup generates its own KEKEK instead of getting one from the (nonexistent) target HSM. We make a best-effort attempt to keep this soft KEKEK secure, by wrapping it with a symmetric key derived from a passphrase, using AESKeyWrapWithPadding and PBKDF2, but there's a limit to what a software-only solution can do here. The --soft-backup code depends (heavily) on PyCrypto.
2017-05-23"core" arguments have not been const since we switched to core_selector.Rob Austein
2017-05-18Re-enable FPGA modexp.Rob Austein
2017-05-17Free modexp core after using it.Rob Austein
2017-05-17No, children, you can't || enum error codes. Again.Rob Austein
2017-05-11TestPKeyMatch was a little sloppy when counting keys.Rob Austein
2017-05-10Work around known bugs in PyCrypto ASN.1 code.Rob Austein
Turns out there are a couple of known minor bugs in PyCrypto's ASN.1 decoder, simple dumb things that never could have worked. Debian's packaging includes a patch for these bugs, but for some reason the patch is marked as not needing to be sent upstream, dunno why. So these methods work fine, but only on Debian. Feh. Simplest approach is to work around the bugs on all platforms, particularly given that this is just unit test support code.
2017-05-09Update README.md.Rob Austein
2017-05-04hal_rpc_pkey_match() works better with response buffer sized correctly.Rob Austein
2017-05-03Tweak PySerial write_timeout setting.Rob Austein
2017-04-30Merge branch 'ksng' into no-rtosRob Austein
2017-04-27Decorator doesn't work properly with --all-tests, use runtime check.Rob Austein
2017-04-26Lower PBKDF2 password iterations and add delay on bad PIN.Rob Austein
Consistent user complaints about HSM login taking too long. Underlying issue has both superficial and fundamental causes. Superficial: Our PBKDF2 implementation is slow. We could almost certainly make it faster by taking advantage of partial pre-calculation (see notes in code) and by reenabling use of FPGA hash cores when when checking passwords (which mgiht require linking the bootloader against a separate libhal build to avoid chicken-and-egg problem of needing FPGA to log into console to configure FPGA). Fundamental: The PBKDF2 iteration counts we used to use (10,000 minimum, 20,000 default) are in line with current NIST recommendations. The new, faster values (1,000 and 2,000, respectively) are not, or, rather, they're in line with what NIST recommended a decade ago. Well, OK, maybe the Coretex M4 is so slow that it's living in the past, but still. The fundamental issue is that anybody who can capture the encoded PIN can mount an offline dictionary attack on it, so we'd like to make that expensive. But the users are unhappy with the current behavior, so this change falls back to the ancient technique of adding a delay (currently five seconds, configurable at compile time) after a bad PIN, which makes it painful to use the login function as an oracle but does nothing about the offline dictionary attack problem. Feh. Note that users can still choose a higher iteration count, by setting the iteration count via the console. It's just not the default out of the box anymore.
2017-04-26Don't intefere with sys.exit().Rob Austein
2017-04-25adapt to the new experimental tasking systemPaul Selkirk
2017-04-23Wrap keyslot clearing in a critical section.Rob Austein
I doubt this change will have any noticable effect, but it's another theoretical race condition, might as well eliminate it.
2017-04-23Avoid deadlock triggered by low-probability race condition.Rob Austein
Static code analysis (Doxygen call graph) detected a low-probability race condition which could have triggered a deadlock on the keystore mutex if the mkmif code returns with an error like HAL_ERROR_CORE_BUSY when we're trying to fetch the KEK. This is a knock-on effect of the awful kludge of backing up the KEK in the keystore flash as an alternative to powering the MKM with a battery as called for in the design. This code path should not exist at all, but, for now, we avoid the deadlock by making it the caller's responsibility to grab the keystore mutex before looking up the KEK.
2017-04-23Handle error conditions when deleting keys by UUID.Rob Austein
2017-04-23Log exit conditionsRob Austein
2017-04-17Move hal_rpc_server_main() to test code.Paul Selkirk
2017-04-17Retry a couple of times on HAL_ERROR_CORE_BUSY. This doesn't guarantee ↵Paul Selkirk
success, but reduces the failure rate on a busy server.
2017-04-17Make sure hal_aes_keyunwrap() frees the core in all error cases.Paul Selkirk
2017-04-17Remove a redundant 'err' variable in ks_fetch() that was masking errorPaul Selkirk
conditions. This manifested as hal_aes_keyunwrap() returning HAL_ERROR_CORE_BUSY, but getting reported as HAL_OK, which led to HAL_ERROR_ASN1_PARSE_FAILED when trying to parse the not-unwrapped der.
2017-04-15Write to console socket and console log in parallel.Rob Austein
We're using non-blocking I/O in any case, might as well take advantage of it to keep console output a little smoother.
2017-04-15Add console log support to muxd.Rob Austein
2017-04-15Typo.Rob Austein
2017-04-15Logging infrastructure.Rob Austein
2017-04-14Clean up and document cryptech_backup.Rob Austein
2017-04-14Python interface API will need to be cryptech.libhal for installation.Rob Austein
2017-04-12Fix buffer size check when crossing token->volatile boundary in pkey_match().Rob Austein
2017-04-11Merge branch 'pymux' into pkcs8Rob Austein
2017-04-11Move login tests to "slow" test category.Rob Austein
2017-04-11Log packet drops.Rob Austein
2017-04-11Merge branch 'pymux' into pkcs8Rob Austein
2017-04-11Reject malformed messages from RPC UART, not just too-short ones.Rob Austein
2017-04-11API cleanup: pkey_open() and pkey_match().Rob Austein
pkey_open() now looks in both keystores rather than requiring the user to know. The chance of collision with randomly-generated UUID is low enough that we really ought to be able to present a single namespace. So now we do. pkey_match() now takes a couple of extra arguments which allow a single search to cover both keystores, as well as matching for specific key flags. The former interface was pretty much useless for anything involving flags, and required the user to issue a separate call for each keystore. User wheel is now exempt from the per-session key lookup constraints, Whether this is a good idea or not is an interesting question, but the whole PKCS #11 derived per-session key thing is weird to begin with, and having keystore listings on the console deliberately ignore session keys was just too confusing.
2017-04-09First cut at HSM backup script.Rob Austein
2017-04-09Unit tests for key backup operations.Rob Austein
2017-04-07Tighten up hal_rpc_pkey_import() a bit more.Rob Austein
Enforce minimum PKCS #1.5 padding length when decrypting KEK. Use public interface to hal_pkey_load() rather than calling the internal function directly, so we go through all the normal error checks.
2017-04-07Pull key type information from uploaded key in hal_rpc_pkey_load().Rob Austein
Now that we use PKCS #8 format for private keys, all key formats we use include ASN.1 AlgorithmIdentifier field describing the key, so specifying key type and curve as arguments to hal_rpc_pkey_load() is neither necessary nor particularly useful.
2017-04-07Enforce key usage flags.Rob Austein
2017-04-07Shake bugs out of hal_rpc_pkey_import().Rob Austein
2017-04-06Defend against Bleichenbacher's Attack in hal_rpc_pkey_import().Rob Austein
Borrowing an idea from PyCrypto, we substitute CSPRNG output for the value of a decrypted KEK if the PKCS #1.5 type 02 block format check fails. Done properly, this should be very close to constant-time, and should make it harder to use hal_rpc_pkey_import() as an oracle.
2017-04-06Initial test and debug script for key backup.Rob Austein
In the long run this code will fork for two different purposes: a) A user backup script, which need not handle ASN.1 or crypto, thus can (and should) be really simple; and b) Unit test code for the key export and import functions. So far, hal_rpc_pkey_export() appears to be working, at least under light testing (result of unpacking everything looks like a key, anyway, haven't tested the unpacked key yet). Still need to write test code for hal_rpc_pkey_import().
2017-04-06Shake bugs out of hal_rpc_pkey_export().Rob Austein
Among other things, it turns out that this works better if one remembers to write the RPC server dispatch code as well as the client code, doh.
2017-04-06First cut at libhal.py support for key backup.Rob Austein
2017-04-06Fix a few dumb compile-time bugs.Rob Austein
2017-04-05First cut at key backup code. Not tested yet.Rob Austein
Still missing Python script to drive backup process, and need to do something about setting the EXPORTABLE key flag for this to be useful.
2017-04-04Rework PKCS #8 PrivateKeyInfo wrapper code.Rob Austein
Handle AlgorithmIdentifier.parameters as in SubjectPublicKeyInfo: the field is OPTIONAL, but it's usually set to NULL if no OID is present. I have a vague memory that this is fallout from a specification error years ago in which the OPTIONAL was accidently left out. Whatever.
2017-04-04Fix strnagely-named test.Rob Austein