aboutsummaryrefslogtreecommitdiff
path: root/rsa.c
AgeCommit message (Collapse)Author
2020-02-18timing tests for RSA signingmodexpngPaul Selkirk
2020-02-07driver for Pavel's ModExpNG corePaul Selkirk
2018-05-20Better hal_core_alloc() semantics, assert() and printf() cleanup.Rob Austein
Various fixes extracted from the abandoned(-for-now?) reuse-cores branch, principally: * Change hal_core_alloc*() to support core reuse and to pick the least-recently-used core of a particular type otherwise; * Replace assert() and printf() calls with hal_assert() and hal_log(), respectively. assert() is particularly useless on the HSM, since it sends its error message into hyperspace then hangs the HSM.
2018-05-20Add small cache for RSA blinding factors.Rob Austein
Generating new RSA blinding factors turns out to be relatively expensive, but we can amortize that cost by maintaining a small cache and simply mutating old values after each use with a cheaper operation. Squaring works, pretty much by definition. Blinding factors are only sort-of-sensitive: we don't want them to leak out of the HSM, but they're only based on the public modulus, not the private key components, and we're only using them to foil side channel attacks, so the risk involved in caching them seems small. For the moment, the cache is very small, since we only care about this for bulk signature operations. Tune this later if it becomes an issue.
2018-03-25Clear search state variables in rsa.c's find_prime().Rob Austein
Failing to clear the temporary buffer used to transfer bits from the TRNG into a bignum was a real leak of something very close to keying material, albeit only onto the local stack where it was almost certain to have been overwritten by subsequent operations (generation of other key components, wrap and PKCS #8 encoding) before pkey_generate_rsa() ever returned to its caller. Still, bad coder, no biscuit. Failing to clear the remainders array was probably harmless, but doctrine says clear it anyway.
2017-12-13Merge branch systolic_crt into master.Rob Austein
This branch was sitting for long enough that master had been through a cleanup pass, so beware of accidental reversions.
2017-10-23Cleanup signed/unsigned mismatches, mostly in loop countersPaul Selkirk
2017-09-13Preliminary support for parallel core RSA CRT.Rob Austein
2017-09-13Sort-of-working, large (4096-bit) RSA keys broken.Rob Austein
Snapshot of mostly but not entirely working code to include the extra ModExpA7 key components in the keystore. Need to investigate whether a more compact representation is practical for these components, as the current one bloats the key object so much that a bare 4096-bit key won't fit in a single hash block, and there may not be enough room for PKCS #11 attributes even for smaller keys. If more compact representation not possible or insufficient, the other option is to double the size of a keystore object, making it two flash subsectors for a total of 8192 octets. Which would of course halve the number of keys we can store and require a bunch of little tweaks all through the ks code (particularly flash erase), so definitely worth trying for a more compact representation first.
2017-09-12Silly macro bugs.Rob Austein
2017-09-12Untested ASN.1 support for ModExpA7 private speedup factors.Rob Austein
2017-09-09Far too much fun with modexpa7 operand lengths and locations.Rob Austein
2017-09-09Whack with club until compiles.Rob Austein
2017-09-09Start hacking for systolic modexp.Rob Austein
Work in progress. Probably won't even compile, much less run. Requires corresponding new core/math/modexpa7 core. No support (yet) for ASN.1 encoding of speedup factors or storage of same in keystore. No support (yet) for running CRT algorithm in parallel cores. Minor cleanup of ancient bus I/O code, including EIM and I2C bus code we'll probably never use again.
2017-07-24Split compile-time control of RSA ModExp.Rob Austein
At least for now, the speed tradeoff between software ModExp and our Verilog ModExp core differs significantly between signature and key generation. We don't really know why, but since key generation does not need to be constant time, we split out control over whether to use the software or FPGA implementation, so that we can use the FPGA for signature while using software for key generation. Revisit this if and when we figure out what the bottleneck is, as well as any time that the FPGA core itself changes significantly.
2017-07-24Use ModExp fast mode for Miller-Rabin tests.Rob Austein
Trying to make RSA key generation run in constant time is probably both futile and unnecessary, so we can speed it up a bit by switching the ModExpA7 core to use "fast" mode rather than "constant time" mode. Sadly, while this change produces a measureable improvement, it doesn't bring FGPA ModExp anywhere near the speed of the software equivalent in this case. Don't really know why.
2017-06-14Tidy up new prime generation code.Rob Austein
2017-06-14Faster prime generation algorithm for RSA.Rob Austein
Algorithm suggested by a note in Handbook of Applied Cryptography, motivated by profiling of libtfm fp_isprime() function showing something close to 50% of CPU time spent running Montgomery reductions in the small primes test, before we even get to Miller-Rabin.
2017-05-23"core" arguments have not been const since we switched to core_selector.Rob Austein
2017-04-03PKCS #8 code for RSA and ECDSA.Rob Austein
Compiles, not yet tested. Existing tests need conversion to PKCS #8 before we can do anything useful with this. Once everything uses PKCS #8 instead of algorithm-specific formats, we can revisit API issues like whether hal_rpc_pkey_load() should still be taking `type` and `curve` arguments.
2016-09-20Clean up the defines around rpc client, software hash cores, etc.Paul Selkirk
2016-07-05Attempt to add resource management, for multiple cores of the same type.Paul Selkirk
Find a suitable core, and mark it busy. Don't forget to release it as soon as you're done. This has a knock-on effect of un-const'ing core arguments and struct fields in a lot of places, and it moves some core checks around.
2016-06-14Add support for ModExpA7Paul Selkirk
2016-06-13Allow NULL der_len parameter in hal-rsa_private_key_to_der().Rob Austein
2016-05-14Trailing whitespace cleanup.Rob Austein
2016-03-29Client-side rsa and ecdsa need to call remote get_random.Paul Selkirk
2015-12-23RPC interface to TRNG and (incomplete) PIN code.Rob Austein
2015-12-23Software modexp() implementation didn't compile due to missing proRob Austein
forma hal_core_t* argument.
2015-12-22Add ASN.1 support for public keys (X.509 SubjectPublicKeyInfo format).Rob Austein
2015-12-21Fix names of private key DER functions.Rob Austein
2015-12-20RPC server stuff mostly written. Compiles, not yet tested. RPCRob Austein
public key extraction functions on hold pending ASN.1 cleanup.
2015-12-13whack copyrightsPaul Selkirk
2015-10-04Whack libhal API to use current configure_core_selector mechanism.Rob Austein
Compiles, not yet tested.
2015-10-03Use initializers for automatic variables of type fp_int because it's aRob Austein
bit more obvious when we've forgotten to do this than when we've forgotten to call fp_init() or memset(). Convert rsa.c to use the one-element-array idiom so we can get stop prefixing every bignum reference with "&".
2015-09-08Merge branch 'master' into ecdsaRob Austein
This required a bit of manual cleanup in hal.h, hash.c, and rsa.c. No intended changes to functionality provided by parent comments, just a few tweaks to track API changes beyond git's ken.
2015-09-06Add ECPoint I/O functions. ASN.1 cleanup.Rob Austein
2015-09-02Still more const-ification.Rob Austein
2015-09-02Clean up excessively complicated handling of opaque types in hash andRob Austein
RSA code; use simpler model (pointer to incomplete structure) used in ECDSA code. Refactor RSA code to use shared ASN.1 routines.
2015-07-14Changes to support Pavel's ModExpS6 core.Rob Austein
2015-07-01Change default to use software modexp until we sort out performanceRob Austein
issues in ModExp core.
2015-06-24Rework API for loading keys from components. Relax key sizeRob Austein
constraints to allow any key size within our supported range, since hsmbully seems to want to twist this knob to every possible setting.
2015-06-21libcryptech -> libhal, doh.Rob Austein
2015-06-21Add digest algorithm IDs.Rob Austein
2015-06-19Add methods to extract public components from an RSA key. Other minorRob Austein
cleanup and commenting within RSA module.
2015-06-19Add temporary workaround to let us use software ModExp when we'reRob Austein
testing other code and don't want to wait for the as-yet-unoptimized FPGA ModExp core.
2015-06-19Add replacement for fp_exptmod() using our ModExp core, so we don'tRob Austein
drag in all of TFM's Montgomery just to support the Miller-Rabin test.
2015-06-18Supply public exponent as bigendian byte string rather than unsignedRob Austein
long, since that's the form we'll need for PKCS #11.
2015-06-18Helps to set the return value when reading a key, doh.Rob Austein
2015-06-18Add RSA blinding.Rob Austein
2015-06-18Refactor CRT code into public API.Rob Austein