add key management commands for caching, exporting #16
Conversation
jpbland1
force-pushed
the
key-cache-export-evict
branch
from
d00d0c6 to
5482af4
Compare
don't need to read the entire label
src/wh_client.c
Outdated
| whPacket* packet = (whPacket*)rawPacket; | ||
| uint8_t* packOut = (uint8_t*)(&packet->keyExportRes + 1); | ||
| if (c == NULL || labelSz > WOLFHSM_NVM_LABEL_LEN || outSz == NULL) |
There was a problem hiding this comment.
Not sure why any labelSz could cause an error. If the user provides a smaller label storage (even 0), then I think that should be valid. Simply labelSz = min(sizeof(metadata.label), labelSz);
outSz == NULL is valid as long as out == NULL. Probably just a test case, but still consistent.
Should outSz be set to the size of out before the function is called?
There was a problem hiding this comment.
labelSz == 1000000000000 would cause out of bounds read, we can't accept any labelSz and outSz can't be NULL because when out is NULL it means the user is expecting outSz to be populated so they know how big their buffer needs to be for a subsequent call
There was a problem hiding this comment.
I've thought more about this, we definitely need to validate labelSz because an incorrect value of 25 doesn't guarantee the buffer can actually handle sizeof(metadata.label) which i think is 24. if we have an unknown length we should bail out, going to modify it to only err if label is non-NULL
There was a problem hiding this comment.
Scratch that, actually makes total sense for the buffer to be larger than max if they're reusing some generic buffer, my bad
| uint16_t size; | ||
| int ret; | ||
| whPacket packet[1] = {0}; |
There was a problem hiding this comment.
I'm a fan of unions, but some of these messages are really small. Consider using the smaller structs when possible to avoid a big allocations.
There was a problem hiding this comment.
Yeah it really saved a lot of space in the old design to only have 1 packet for everything huh?
| uint16_t keyId) | ||
| { | ||
| uint8_t rawPacket[WH_COMM_MTU] = {0}; |
There was a problem hiding this comment.
The CommClient context already has an MTU-sized packet precisely for construction. The SendRequest helper was put together to simplify calls, but you are welcome to directly use this buffer (at the data offset) and update the SendRequest to not perform the memcpy when the src of the data is the same as the destination. We'll add this to the todo list so we can provide an accessor and avoid extra copies and allocations.
Oh, and this size should be WH_COMM_DATA_LEN, not MTU.
There was a problem hiding this comment.
So change it back to using a single packet instead of taking data as a parameter? The way I had it in the old design?
| } | ||
| /* if the key wasn't found return an error */ | ||
| if (i >= WOLFHSM_NUM_RAMKEYS) | ||
| ret = WH_ERROR_BADARGS; |
| /* find key in cache */ | ||
| for (i = 0; i < WOLFHSM_NUM_RAMKEYS; i++) { | ||
| if (server->cache[i].meta->id == keyId) { | ||
| cacheSlot = &server->cache[i]; | ||
| break; | ||
| } | ||
| } | ||
| if (i >= WOLFHSM_NUM_RAMKEYS) | ||
| return WH_ERROR_NOTFOUND; |
There was a problem hiding this comment.
Refactor into _FindCacheIndexByKeyId() or something suitably named.
src/wh_server_keystore.c
Outdated
| int hsmEraseKey(whServerContext* server, whNvmId keyId) | ||
| { | ||
| int i; | ||
| if (keyId == WOLFHSM_ID_ERASED) |
There was a problem hiding this comment.
Always check for non-null server. Multiple instances.
| whPacket* packet = (whPacket*)data; | ||
| whNvmMetadata meta[1] = {0}; | ||
| switch (action) | ||
| { |
There was a problem hiding this comment.
The endianness of the server may not be the same as the client. Even if you don't handle it now, at least perform a quick check using the magic number to return an error on mismatch.
if (WH_COMM_FLAGS_SWAPTEST(magic)) return ABORTED or something.
There was a problem hiding this comment.
adding this made it error out every time, don't know why but I've commented it out
There was a problem hiding this comment.
Yeah, that's because I made that macro to compare the magics. Should have been !SWAPTEST. My bad.
src/wh_server_keystore.c
Outdated
| return 0; | ||
| } | ||
|
|
||
| int hsmReadKey(whServerContext* server, whNvmMetadata* meta, uint8_t* out, |
There was a problem hiding this comment.
This API conflates the NvmId and KeyId, which should be distinct. Recommend to change this API to:
int hsmReadKey(whServerContext* server, whKeyId key_id, whNvmMetadata *out_meta, whNvmSize inout_DataSize, uint8_t data);
out_meta == NULL means don't copy the metadata. inout_DataSize should be set to the length of data and will be set to the actual length if non-null. data == NULL means don't copy the data.
I updated the key_id backlog item to capture the need for distinct key_id functions.
There was a problem hiding this comment.
I'm confused, are KeyIds not a subset of NvmId? It's just an NvmId but with the context of being a key and with either WOLFHSM_KEYID_CRYPTO, WOLFHSM_KEYID_SHE or WOLFHSM_KEYID_SHE_RAM bits set? Or is there something I'm missing
| whPacket* packet = (whPacket*)data; | ||
| whNvmMetadata meta[1] = {0}; | ||
| switch (action) | ||
| { |
There was a problem hiding this comment.
Yeah, that's because I made that macro to compare the magics. Should have been !SWAPTEST. My bad.
jpbland1
force-pushed
the
key-cache-export-evict
branch
from
072ac77 to
6e60871
Compare
|
working now, please merge |
| if (labelSz > sizeof(packet->keyExportRes.label)) { | ||
| XMEMCPY(label, packet->keyExportRes.label, | ||
| WOLFHSM_NVM_LABEL_LEN); |
There was a problem hiding this comment.
we should probably have the memcpy size argument correspond to the size check we just did
There was a problem hiding this comment.
yeah that's a little messy, still correct but it would be better to use sizeof the actual buffer
and evicting keys for ram cache