aboutsummaryrefslogtreecommitdiff
path: root/rpc_pkey.c
AgeCommit message (Collapse)Author
2020-02-18timing tests for RSA signingmodexpngPaul Selkirk
2019-04-09In pkey_local_sign_hashsig, don't create the digest in the signaturePaul Selkirk
buffer, because hal_hashsig_sign assembles the signature incrementally, and will overwrite the digest before it's ready to sign it.
2019-04-02Small cleanups in RPC code, e.g. to support null arguments.Paul Selkirk
- Add support for null pointer arguments in RPCs for get_digest_algorithm_id and get_public_key. This is years overdue, and would have obviated the need for get_public_key_len as a separate RPC. - Refactor pkey_local_get_public_key_len in terms of pkey_local_get_public_key. - Add more parameter sanity checks to rpc_api.c. - Add a len_max parameter to hal_xdr_decode_variable_opaque, rather than having len be an in/out parameter. This brings xdr slightly more in line with the rest of the code base (again after literal years), and slightly simplifies several calls in rpc_client.c.
2019-03-31Hashsig cleanup.Paul Selkirk
- Move hashsig.h contents into hal.h. - Uppercase lmots and lms algorithm types, because we have a convention that enum values are uppercase. - Change all I to hal_uuid_t, because that how we're using them, and it seems silly to have two different 16-byte array types. - Change all "memcpy(&this, &that, sizeof(this))" to "this = that", because it's more succinct, more type-safe, and harder to get wrong. - Slightly tighten up lmots_generate, lmots_sign, and lmots_public_key_candidate. - Remove verbatim draft text, now that I'm pretty sure I implemented it correctly.
2019-03-31Add support for hashsig key export/import.Paul Selkirk
2019-03-04Use the hashsig pseudorandom key generation method if the key is exportable.Paul Selkirk
2018-08-12Clean up builds for *BSD/clang.Paul Selkirk
Move lm[ot]s_algorithm_t definitions to hal.h, prefix all public symbols with 'hal_'. Remove some unused functions. Wrap hal_pkey_slot_t initializers in an extra set of curly braces. Remove an unused-argument kludge (x=x;) because gcc doesn't care, and clang complains. Make timersub a proper macro. Add some casts to printf arguments, because !@#$ printf formats.
2018-07-25Merge branch 'hashsig'Paul Selkirk
2018-05-20Drop <assert.h> now that everything should be using hal_assert() instead.Rob Austein
2018-05-20Better hal_core_alloc() semantics, assert() and printf() cleanup.Rob Austein
Various fixes extracted from the abandoned(-for-now?) reuse-cores branch, principally: * Change hal_core_alloc*() to support core reuse and to pick the least-recently-used core of a particular type otherwise; * Replace assert() and printf() calls with hal_assert() and hal_log(), respectively. assert() is particularly useless on the HSM, since it sends its error message into hyperspace then hangs the HSM.
2018-04-19Implement hash-based signatures, per draft-mcgrew-hash-sigs-08.txtPaul Selkirk
2017-12-13Merge branch systolic_crt into master.Rob Austein
This branch was sitting for long enough that master had been through a cleanup pass, so beware of accidental reversions.
2017-10-23Cleanup signed/unsigned mismatches, mostly in loop countersPaul Selkirk
2017-09-13Preliminary support for parallel core RSA CRT.Rob Austein
2017-09-13Sort-of-working, large (4096-bit) RSA keys broken.Rob Austein
Snapshot of mostly but not entirely working code to include the extra ModExpA7 key components in the keystore. Need to investigate whether a more compact representation is practical for these components, as the current one bloats the key object so much that a bare 4096-bit key won't fit in a single hash block, and there may not be enough room for PKCS #11 attributes even for smaller keys. If more compact representation not possible or insufficient, the other option is to double the size of a keystore object, making it two flash subsectors for a total of 8192 octets. Which would of course halve the number of keys we can store and require a bunch of little tweaks all through the ks code (particularly flash erase), so definitely worth trying for a more compact representation first.
2017-05-30Merge branch 'logout' into ks9Rob Austein
The internal keystore API has changed enough since where the "logout" branch forked that a plain merge would have no prayer of compiling, must less running. So this merge goes well beyond manual conflict resolution: it salvages the useful code from the "logout" branch, with additional code as needed to reimplement the functionality. Sorry.
2017-05-29Missed a few references to old pkey_slot field names, oops.Rob Austein
2017-05-29Simplify per-session keys.Rob Austein
Cosmetic cleanup of pkey_slot along the way.
2017-05-28Almost compiles.Rob Austein
Need to refactor init sequence slightly (again), this time to humor the bootloader, which has its own special read-only view of the PIN block in the token keystore.
2017-04-25Shake dumb compile-time bugs out of new logout code.Rob Austein
What I get for writing code while build and test environment is tied up with a multi-day run testing something else.
2017-04-24Call a portable entrenching tool a portable entrenching tool.Rob Austein
2017-04-24Clean up pkey slots and volatile keys on client logout.Rob Austein
2017-04-23Wrap keyslot clearing in a critical section.Rob Austein
I doubt this change will have any noticable effect, but it's another theoretical race condition, might as well eliminate it.
2017-04-12Fix buffer size check when crossing token->volatile boundary in pkey_match().Rob Austein
2017-04-11API cleanup: pkey_open() and pkey_match().Rob Austein
pkey_open() now looks in both keystores rather than requiring the user to know. The chance of collision with randomly-generated UUID is low enough that we really ought to be able to present a single namespace. So now we do. pkey_match() now takes a couple of extra arguments which allow a single search to cover both keystores, as well as matching for specific key flags. The former interface was pretty much useless for anything involving flags, and required the user to issue a separate call for each keystore. User wheel is now exempt from the per-session key lookup constraints, Whether this is a good idea or not is an interesting question, but the whole PKCS #11 derived per-session key thing is weird to begin with, and having keystore listings on the console deliberately ignore session keys was just too confusing.
2017-04-07Tighten up hal_rpc_pkey_import() a bit more.Rob Austein
Enforce minimum PKCS #1.5 padding length when decrypting KEK. Use public interface to hal_pkey_load() rather than calling the internal function directly, so we go through all the normal error checks.
2017-04-07Pull key type information from uploaded key in hal_rpc_pkey_load().Rob Austein
Now that we use PKCS #8 format for private keys, all key formats we use include ASN.1 AlgorithmIdentifier field describing the key, so specifying key type and curve as arguments to hal_rpc_pkey_load() is neither necessary nor particularly useful.
2017-04-07Enforce key usage flags.Rob Austein
2017-04-07Shake bugs out of hal_rpc_pkey_import().Rob Austein
2017-04-06Defend against Bleichenbacher's Attack in hal_rpc_pkey_import().Rob Austein
Borrowing an idea from PyCrypto, we substitute CSPRNG output for the value of a decrypted KEK if the PKCS #1.5 type 02 block format check fails. Done properly, this should be very close to constant-time, and should make it harder to use hal_rpc_pkey_import() as an oracle.
2017-04-06Shake bugs out of hal_rpc_pkey_export().Rob Austein
Among other things, it turns out that this works better if one remembers to write the RPC server dispatch code as well as the client code, doh.
2017-04-06Fix a few dumb compile-time bugs.Rob Austein
2017-04-05First cut at key backup code. Not tested yet.Rob Austein
Still missing Python script to drive backup process, and need to do something about setting the EXPORTABLE key flag for this to be useful.
2017-03-03Fix race condition in pkey_slot allocation.Rob Austein
2017-02-13Add some comments for things I figured out while reviewing code.Paul Selkirk
2017-02-02Add locking around keystore operations.Rob Austein
2016-11-21Whack attribute code with a club until it works with PKCS #11.Rob Austein
PKCS #11 supports zero-length attributes (eg, CKA_LABEL) so hack of using zero length attribute as NIL value won't work, instead we use a slightly more portable version of the hack PKCS #11 uses (PKCS #11 stuffs -1 into a CK_ULONG, we stuff 0xFFFFFFFF into a uint32_t). ks_attribute.c code was trying too hard and tripping over its own socks. Instead of trying to maintain attributes[] in place during modification, we now perform the minimum necessary change then re-scan the block. This is (very slightly) slower but more robust, both because the scan code has better error checking and because it's the scan code that we want to be sure is happy before committing a change. Rename hal_rpc_pkey_attribute_t to hal_pkey_attribute_t.
2016-11-21pkey_match() should just skip keys it lacks permission to read.Rob Austein
2016-11-14Tweak pkey access control to allow wheel to see keys.Rob Austein
The current pkey access control rules are a bit complex, because they need to support the somewhat complex rules required by PKCS #11. This is fine, as far as it goes, but a strict interpretation leaves HAL_USER_NORMAL as the only user able to see many keys. This is confusing when using the CLI, to put it mildly. HAL_USER_WHEEL is intended for exactly this sort of thing: it's a user ID which, by definition, can never appear in an RPC call from PKCS to see the same keys that HAL_USER_NORMAL would. HAL_USER_SO remains restricted per the PKCS #11 rules.
2016-11-14More API cleanup: remove hal_rpc_pkey_list().Rob Austein
hal_rpc_pkey_list() was a simplistic solution that worked when the keystore only supported a handful of keys and we needed a quick temporary solution in time for a workshop. It doesn't handle large numbers of keys well, and while we could fix that, all of its functionality is now available via more robust API functions, so simplifying the API by deleting it seems best. Since this change required mucking with dispatch vectors yet again, it converts them to use C99 "designated initializer" syntax.
2016-11-14hal_rpc_pkey_find() -> hal_rpc_pkey_open().Rob Austein
2016-11-10Clean out huge swacks of RPC API we don't need anymore.Rob Austein
pkey attribute API is now just set_attributes() and get_attributes().
2016-11-08First cut at multi-attribute get/set/delete API.Rob Austein
This is not yet complete, only the ks_volatile driver supports it, ks_flash will be a bit more complicated and isn't written yet. At the moment, this adds a complete duplicate set of {set,get,delete}_attributes() functions in parallel to the earlier {set,get,delete}_attribute() functions. We will almost certainly want to get rid of the duplicates, probably (but not necessarily) the entire single-attribute suite. At the moment, though, we want both sets so we can compare execution speeds of the two sets of functions.
2016-11-01Add hal_rpc_pkey_get_key_curve().Rob Austein
Incidental minor refactoring of hal_rpc_server_dispatch().
2016-10-26Fix pure-remote-mode hal_rpc_pkey_{sign,verify}().Rob Austein
Pure-remote-mode (where even the hashing is done in the HSM) did not work, because XDR passes zero length strings rather than NULL string pointers. Mostly, we use fixed mode, so nobody noticed.
2016-10-24Flesh out key object access control.Rob Austein
This is more complicated than I'd have liked, because the PKCS #11 semantics are (much) more complicated than just "are you logged in?" New code passes basic testing with libhal.py and the PKCS #11 unit tests, but there are still unexplored corner cases to be checked. Private token objects remain simple. Code which does not need PKCS HAL_KEY_FLAG_TOKEN and avoid HAL_KEY_FLAG_PUBLIC.
2016-10-24Make previous_uuid an input-only argument to hal_rpc_pkey_match().Rob Austein
In retrospect it's obvious that this never needed to be an input/output argument, as its value will always be the same as the last value in the returned array. Doh. So simplify the RPC and call sequence slightly by removing the unnecessary output value.
2016-10-09Per-session objects in ks_volatile; more untested ks_attribute code.Rob Austein
Mostly this is another checkpoint (still passes PKCS #11 "make test"). ks_volatile.c now contains support for per-session object visibility; this may need more work to support things like a CLI view of all objects regardless of session. Adding this required minor changes to the keystore and pkey APIs, mostly because sessions are per-client. ks_volatile.c also contains an untested first cut at attribute support. Attribute support in ks_flash.c still under construction.
2016-10-07Fix session handle arguments in RPC calls.Rob Austein
RPC calls which pass a pkey handle don't need to pass a session handle, because the session handle is already in the HSM's pkey slot object; pkey RPC calls which don't pass a pkey argument do need to pass a session handle. This change percolates down to the keystore driver, because only the keystore driver knows whether that particular keystore cares about session handles.
2016-10-07Checkpoint along the way to adding keystore attribute support.Rob Austein
This is mostly to archive a commit where PKCS #11 "make test" still works after converting the ks_volatile code to use SDRAM allocated at startup instead of (large) static variables. The attribute code itself is incomplete at this point.