aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-11-06Export/import "raw" keys for external storage.Paul Selkirk
Exported keys are wrapped with the MKM KEK, not a transit KEK, and can only be imported back to the same HSM. The idea is to support operators who have more keys than will fit on the HSM, so they will cycle keys into and out of the HSM as needed. NOTE that hashsig is, as always, special. The hashsig key has an internal index that is updated on every signature. To prevent a hashsig key from being re-imported with an old index (which would compromise the security of the key), the hashsig key is disabled on export, and must be deleted from the HSM before being re-imported.
2019-04-10Allow multiple iterations in verify, for better timing measurement.Paul Selkirk
2019-04-10Add hashsig interop tests.Paul Selkirk
2019-04-09Huh, I forgot to add a Python RPC handler for pkey_generate_hashsig,Paul Selkirk
over a year ago.
2019-04-09In pkey_local_sign_hashsig, don't create the digest in the signaturePaul Selkirk
buffer, because hal_hashsig_sign assembles the signature incrementally, and will overwrite the digest before it's ready to sign it.
2019-04-05Update FPGA core name/version listPaul Selkirk
2019-04-05The FPGA register interface now does byte-swapping in hardware, so we canPaul Selkirk
just call memcpy here. (Although it turns out to be more efficient to use an inline version of memcpy than the library function.)
2019-04-02The all-singing, all-dancing key management appPaul Selkirk
2019-04-02Small cleanups in RPC code, e.g. to support null arguments.Paul Selkirk
- Add support for null pointer arguments in RPCs for get_digest_algorithm_id and get_public_key. This is years overdue, and would have obviated the need for get_public_key_len as a separate RPC. - Refactor pkey_local_get_public_key_len in terms of pkey_local_get_public_key. - Add more parameter sanity checks to rpc_api.c. - Add a len_max parameter to hal_xdr_decode_variable_opaque, rather than having len be an in/out parameter. This brings xdr slightly more in line with the rest of the code base (again after literal years), and slightly simplifies several calls in rpc_client.c.
2019-03-31Hashsig cleanup.Paul Selkirk
- Move hashsig.h contents into hal.h. - Uppercase lmots and lms algorithm types, because we have a convention that enum values are uppercase. - Change all I to hal_uuid_t, because that how we're using them, and it seems silly to have two different 16-byte array types. - Change all "memcpy(&this, &that, sizeof(this))" to "this = that", because it's more succinct, more type-safe, and harder to get wrong. - Slightly tighten up lmots_generate, lmots_sign, and lmots_public_key_candidate. - Remove verbatim draft text, now that I'm pretty sure I implemented it correctly.
2019-03-31Add support for hashsig key export/import.Paul Selkirk
2019-03-04Restructure hashsig test programPaul Selkirk
2019-03-04On device restart, if a hashsig key was generated using the pseudorandomPaul Selkirk
method, and it's missing one or more lmots keys, those keys can be regenerated. OTOH, if an lms key is damaged or missing, it's still a fatal error, because that's the only place we record the current q value.
2019-03-04Use the hashsig pseudorandom key generation method if the key is exportable.Paul Selkirk
2019-02-28Increase volatile keystore size to allow for multi-level hashsig trees.Paul Selkirk
2019-02-01Clean up mkm.cPaul Selkirk
2019-02-01Remove global stored core pointer from mkm.c.Paul Selkirk
This forces each hal_mkmif_* function to alloc/free the core, which is a miniscule performance hit, but the only sane thing to do in a tasking environment. Otherwise (with a stored/shared core pointer), one task will initiate a read, yield in hal_io_wait, another task will initiate a read, and both will be unhappy.
2018-12-03add some more statistics to parallel-signatures.pyPaul Selkirk
2018-11-14Add some yields to hal_hashsig_ks_init, so other tasks can run while we're ↵Paul Selkirk
rebuilding the hash tree.
2018-11-14Change scanf/printf %hhx format strings to %x, because not every libc ↵Paul Selkirk
supports it. In particular, the version of newlib distributed by Ubuntu is not configured with --enable-newlib-io-c99-formats, and now includes guard code that treats %hhx as an error, rather than silently interpreting it as %hx. The net effect was to break hal_uuid_parse. (Ironically, vfprintf.c does not (yet) include this guard code, but it's probably only a matter of time, and it seemed expedient to change hal_uuid_format at the same time.)
2018-11-01Tornado 5.0 made an incompatible API change in iostream.BaseIOStream.Paul Selkirk
Found when upgrading Ubuntu to 18.10.
2018-10-29Sigh, add8e03 botched handling of 0-length hal_xdr_encode_fixed_opaque requests.Paul Selkirk
It's an edge case, but it's supported, and it's used in a few places.
2018-10-25Enable bloat tests, since they work with the current 8K keystore block size.Paul Selkirk
2018-10-25Change explicitly signed XDR buffer overflow checks to explicitly unsigned.Paul Selkirk
This fixes CT-01-006 MCU: Value cast allows a bypass of the size checks (Critical)
2018-10-25Add buffer overflow checks before allocating stack arrays.Paul Selkirk
This fixes CT-01-005: OOB writes through dynamic stack allocations (Critical)
2018-08-27fix pkey_remote_get_attributesPaul Selkirk
2018-08-12Update .gitignore with newish test appsPaul Selkirk
2018-08-12Simplify makefile to make them easier to use with non-default directory namesPaul Selkirk
2018-08-12Clean up builds for *BSD/clang.Paul Selkirk
Move lm[ot]s_algorithm_t definitions to hal.h, prefix all public symbols with 'hal_'. Remove some unused functions. Wrap hal_pkey_slot_t initializers in an extra set of curly braces. Remove an unused-argument kludge (x=x;) because gcc doesn't care, and clang complains. Make timersub a proper macro. Add some casts to printf arguments, because !@#$ printf formats.
2018-08-11Un-break builds on MacOS.Rob Austein
timersub() is a macro on *BSD, including MacOS, so redefinition as a function in hashsig test code was breaking the whole build. Clang has other comments on the hashsig code, leaving those for Paul.
2018-07-31Add hashsig description to READMEPaul Selkirk
2018-07-25Merge branch 'hashsig'Paul Selkirk
2018-07-24Change the rest of the hashsig ASN.1 wrapper functions to static inline, for ↵Paul Selkirk
consistency.
2018-07-24A recent(?) version of arm-none-eabi-gcc decided to make storage for enumsPaul Selkirk
the minimum size necessary, so hal_asn1_decode_lms_algorithm and hal_asn1_decode_lmots_algorithm were writing 4 bytes of data into 1-byte variables. Hilarity ensued. Yes, I already knew that conflating enum with uint32_t was a bad idea, I was just being lazy. For that matter, sizeof(size_t) isn't guaranteed either, although arm-none-eabi-gcc treats it as 32 bits on this 32-bit target (for now), so exercise proper data hygiene in hal_asn1_decode_size_t as well.
2018-07-24Add protection against trying to use hashsig while the restart mechanism is ↵Paul Selkirk
rebuilding the tree.
2018-07-24Housekeeping: Mark hal_ks_pin_uuid extern, so it doesn't get instantiated in ↵Paul Selkirk
each object module.
2018-07-24Add descriptions of signature algorithm OIDs, because pre-encoded ASN.1 ↵Paul Selkirk
blobs are really inscrutable.
2018-07-16No-op out core alloc/free when no cores exist.Rob Austein
2018-07-15Support PF_UNIX socket inode modes other than 0600.Rob Austein
2018-05-27Inline hal_core_base().Rob Austein
2018-05-27FMC cleanup: constification, gratuitous pointer.Rob Austein
2018-05-22Disable seldom-used FMC I/O debugging code by default.Rob Austein
Profiling reports significant time spent in the hal_io_fmc.c debugging code even when runtime debugging is off. This is odd, and may be a profiling artifact, but we don't use that debugging code often, so if it costs anything at all we might as well disable it when not needed.
2018-05-20Drop <assert.h> now that everything should be using hal_assert() instead.Rob Austein
2018-05-20Better hal_core_alloc() semantics, assert() and printf() cleanup.Rob Austein
Various fixes extracted from the abandoned(-for-now?) reuse-cores branch, principally: * Change hal_core_alloc*() to support core reuse and to pick the least-recently-used core of a particular type otherwise; * Replace assert() and printf() calls with hal_assert() and hal_log(), respectively. assert() is particularly useless on the HSM, since it sends its error message into hyperspace then hangs the HSM.
2018-05-20Clean up parallel signature test script.Rob Austein
Aside from not really needing to use every crayon in the box, using a simpler control structure makes exceptions behave more as one expects.
2018-05-20Add small cache for RSA blinding factors.Rob Austein
Generating new RSA blinding factors turns out to be relatively expensive, but we can amortize that cost by maintaining a small cache and simply mutating old values after each use with a cheaper operation. Squaring works, pretty much by definition. Blinding factors are only sort-of-sensitive: we don't want them to leak out of the HSM, but they're only based on the public modulus, not the private key components, and we're only using them to foil side channel attacks, so the risk involved in caching them seems small. For the moment, the cache is very small, since we only care about this for bulk signature operations. Tune this later if it becomes an issue.
2018-05-20Silence compiler warning in revised hal_ks_fetch().Rob Austein
2018-05-19Release keystore lock before unwrapping key.Rob Austein
hal_ks_fetch() was written as lock-at-the-top, unlock-at-the-bottom to keep it as simple as possible, but this turns out to have bad performance implications when unwrapping the key is slow. So now we grab the wrapped key, release the lock, then unwrap, which should be safe enough given that hal_ks_fetch() is read-only. This lets us make better use of multiple AES cores to unwrap in parallel when we have multiple active clients.
2018-05-01Add some yields to try to improve responsiveness during hashsig key ↵Paul Selkirk
generation and deletion.
2018-04-19Merge branch 'profiling' into hashsigPaul Selkirk