Add IBM specific mechanisms #669
Conversation
|
@ueno can one of the maintainers please approve the check workflows? |
p11-kit/rpc-message.h
Outdated
| @@ -224,7 +225,7 @@ static const p11_rpc_call p11_rpc_calls[] = { | |||
| { P11_RPC_CALL_C_GenerateKeyPair, "C_GenerateKeyPair", "uMaAaA", "uu" }, | |||
| { P11_RPC_CALL_C_WrapKey, "C_WrapKey", "uMuufy", "ay" }, | |||
| { P11_RPC_CALL_C_UnwrapKey, "C_UnwrapKey", "uMuayaA", "u" }, | |||
| { P11_RPC_CALL_C_DeriveKey, "C_DeriveKey", "uMuaA", "u" }, | |||
| { P11_RPC_CALL_C_DeriveKey, "C_DeriveKey", "uMuaA", "uPu" }, | |||
There was a problem hiding this comment.
This breaks compatibility at the protocol level; I would suggest bumping the protocol version and provide a proper fallback, as in b2dd8d5.
p11-kit/rpc-message.c
Outdated
| const unsigned char *data; | ||
| uint64_t val3; | ||
|
|
||
| if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1)) |
There was a problem hiding this comment.
You can combine these into a single if which would look much nicer, something like:
if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1) ||
!p11_rpc_buffer_get_uint64 (buffer, offset, &val2) ||
...)
return false;
Same can be done in p11_rpc_buffer_get_ibm_kyber_mechanism_value
|
You can find the documentation for the mechanisms here. |
|
I pumped the RPC protocol version to 2 and included the requested changes by @ZoltanFridrich and I hope I fixed all the Ci bugs. It looks like they were originating in the meson build failing. |
| #define CKA_IBM_OPAQUE_REENC (CKA_VENDOR_DEFINED + 3) | ||
| #define CKA_IBM_OPAQUE_OLD (CKA_VENDOR_DEFINED + 4) |
There was a problem hiding this comment.
I fail to see these mentioned in the documentation on https://www.ibm.com/docs/en/linux-on-systems?topic=opencryptoki-specific-mechanisms , remove.
There was a problem hiding this comment.
Unfortunately the documentation is not up to date here but an update is currently worked on. As reference here the opencryptoki commit that added those: link
There was a problem hiding this comment.
Thanks for the link, I'll yell at the people who reviewed that PR.
There was a problem hiding this comment.
Yelled at https://github.com/opencryptoki/opencryptoki/pull/659/files#r1946274303 but it would be nice if you could paste that documentation in here as a comment in the code.
| // EARLY_EXIT_ON_FAIL | ||
| #define PREP_EEOF \ | ||
| CK_RV err; | ||
|
|
||
| #define PROCESS_CALL_NO_CHECK \ | ||
| _ret = call_run (_mod, &_msg); | ||
|
|
||
| #define CHECK_EEOF \ | ||
| if(err != CKR_OK) \ | ||
| _ret = err; | ||
|
|
There was a problem hiding this comment.
These macros are only used in one place, code will be more readable without the use of macros.
There was a problem hiding this comment.
Since all of the rpc_C_ Functions make heavy use of macros I actually think this is more readable because mixing macros and plain code where almost exclusively macros are used is not helpful. Additionally it eases possible extensions of other rpc_C_ functions that could use the param update feature because they can just make use of the existing macros. If of course the majority agrees with you I will adjust the code.
This adds support for the following IBM specific attributes: - CKA_IBM_OPAQUE_REENC - CKA_IBM_OPAQUE_OLD - CKA_IBM_DILITHIUM_MODE - CKA_IBM_CCA_AES_KEY_MODE
This adds support for the CKM_IBM_ECDSA_OTHER IBM specific mechanism.
This adds support to the rpc_C_DeriveKey to send the mechanism parameter back to the client after the actual call. This is necessary to allow size queries for potential output fields in the parameter. In this case the call itself will fail but instead of writing an error response the client has to get the updated parameter. For this the server will send the error code along with the parameter back to the client that then can allocate space for the output fields in the parameter and do the call again. Since this will lead to a backwards compatability problem within the RPC protocol the version is bumped.
This adds support for the CKM_IBM_BTC_DERIVE IBM specific mechanism. Additionally this exploits the rpc_C_DeriveKey rework.
This adds support for the CKM_IBM_KYBER IBM specific mechanism. Additionally this exploits the rpc_C_DeriveKey rework.
This series adds support for three IBM specific mechanisms and four IBM specific attributes.
Additionally for the rpc_C_DeriveKey function support for size queries for potential output fields of the mechanisms parameters is implemented.