From 8ee1d99146720575ee096ec10f813a2abc8797df Mon Sep 17 00:00:00 2001 From: Srinivas Edireswarapu - I17752 Date: Thu, 1 Feb 2024 16:37:17 +0530 Subject: [PATCH] Release v3.7.3 (20240131) --- CMakeLists.txt | 4 +- harmony/config/cryptoauthlib.py | 2 +- harmony/config/pkcs11.py | 4 + harmony/templates/pkcs11_config.h.ftl | 5 + lib/atca_basic.c | 8 +- lib/atca_config_check.h | 4 + lib/atca_version.h | 4 +- lib/atcacert/atcacert_client.c | 11 +- lib/atcacert/atcacert_def.c | 4 +- lib/calib/calib_sha.c | 27 +-- lib/cmake/pkcs11.cmake | 1 + lib/cryptoauthlib.h | 2 + lib/mbedtls/atca_mbedtls_wrap.c | 5 +- lib/pkcs11/pkcs11_cert.c | 4 +- lib/pkcs11/pkcs11_cert.h | 4 +- lib/pkcs11/pkcs11_config.c | 5 +- lib/pkcs11/pkcs11_config.h.in | 5 + lib/pkcs11/pkcs11_key.c | 243 +++++++++++++++++++++----- lib/pkcs11/pkcs11_key.h | 2 + lib/pkcs11/pkcs11_object.c | 11 +- lib/pkcs11/pkcs11_object.h | 2 + lib/pkcs11/pkcs11_os.c | 2 +- lib/pkcs11/pkcs11_session.c | 4 +- release_notes.md | 15 +- test/README.md | 6 +- test/api_atcab/atca_tests_sha.c | 40 +++++ 26 files changed, 339 insertions(+), 85 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index a0a8cb68e..9d66dd175 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,10 +2,10 @@ cmake_minimum_required(VERSION 3.1.0) project (cryptoauthlib C) # Set the current release version -set(VERSION "3.7.0") +set(VERSION "3.7.3") set(VERSION_MAJOR 3) set(VERSION_MINOR 7) -set(VERSION_PATCH 0) +set(VERSION_PATCH 3) # Build Options option(BUILD_TESTS "Create Test Application with library" OFF) diff --git a/harmony/config/cryptoauthlib.py b/harmony/config/cryptoauthlib.py index 6d78a67a7..f8e036629 100644 --- a/harmony/config/cryptoauthlib.py +++ b/harmony/config/cryptoauthlib.py @@ -35,7 +35,7 @@ _HAL_FILES = ["atca_hal.c", "atca_hal.h"] _CORE_PATHS = ['crypto/**/*', 'crypto/*', 'jwt/*', '*'] _CA_PATHS = ['atcacert/*', 'calib/*', 'host/*'] -_TA_PATHS = ['talib/*'] +_TA_PATHS = ['atcacert/*', 'talib/*'] _SHA206_PATHS = ['api_206a/*'] _EXCL_FILES = ['atca_utils_sizes.c'] diff --git a/harmony/config/pkcs11.py b/harmony/config/pkcs11.py index 56ff6d930..f879c65db 100644 --- a/harmony/config/pkcs11.py +++ b/harmony/config/pkcs11.py @@ -135,6 +135,10 @@ def instantiateComponent(calPkcs11Component): calPkcs11MaxCertsCache.setLabel('Maximum number of certificates cached') calPkcs11MaxCertsCache.setDefaultValue(5) + calPkcs11MaxKeyIDsCache = calPkcs11Component.createIntegerSymbol('PKCS11_MAX_KEYS_CACHED', None) + calPkcs11MaxKeyIDsCache.setLabel('Maximum number of Key IDs cached') + calPkcs11MaxKeyIDsCache.setDefaultValue(5) + calPkcs11MaxConfig = calPkcs11Component.createIntegerSymbol('CAL_PKCS11_MAX_CONFIG', None) calPkcs11MaxConfig.setLabel('Maximum number of PKCS11 Config Options') calPkcs11MaxConfig.setDefaultValue(7) diff --git a/harmony/templates/pkcs11_config.h.ftl b/harmony/templates/pkcs11_config.h.ftl index 3f058d6e7..afe2783d0 100644 --- a/harmony/templates/pkcs11_config.h.ftl +++ b/harmony/templates/pkcs11_config.h.ftl @@ -79,6 +79,11 @@ #define PKCS11_MAX_CERTS_CACHED ${CAL_PKCS11_MAX_CERTS_CACHED} #endif +/** Maximum number of Key ID's allowed to be cached*/ +#ifndef PKCS11_MAX_KEYS_CACHED +#define PKCS11_MAX_KEYS_CACHED ${PKCS11_MAX_KEYS_CACHED} +#endif + /** Maximum number of cryptographic objects allowed to be cached */ #ifndef PKCS11_MAX_OBJECTS_ALLOWED #define PKCS11_MAX_OBJECTS_ALLOWED ${CAL_PKCS11_MAX_OBJECTS} diff --git a/lib/atca_basic.c b/lib/atca_basic.c index 520cf8d60..4d352886f 100644 --- a/lib/atca_basic.c +++ b/lib/atca_basic.c @@ -3548,7 +3548,7 @@ ATCA_STATUS atcab_sha_hmac_init(atca_hmac_sha256_ctx_t* ctx, uint16_t key_slot) ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type(); - if (atcab_is_ca_device(dev_type)) + if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) { #if CALIB_SHA_HMAC_EN status = calib_sha_hmac_init(g_atcab_device_ptr, ctx, key_slot); @@ -3579,7 +3579,7 @@ ATCA_STATUS atcab_sha_hmac_update(atca_hmac_sha256_ctx_t* ctx, const uint8_t* da ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type(); - if (atcab_is_ca_device(dev_type)) + if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) { #if CALIB_SHA_HMAC_EN status = calib_sha_hmac_update(g_atcab_device_ptr, ctx, data, data_size); @@ -3613,7 +3613,7 @@ ATCA_STATUS atcab_sha_hmac_finish(atca_hmac_sha256_ctx_t* ctx, uint8_t* digest, ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type(); - if (atcab_is_ca_device(dev_type)) + if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) { #if CALIB_SHA_HMAC_EN status = calib_sha_hmac_finish(g_atcab_device_ptr, ctx, digest, target); @@ -3650,7 +3650,7 @@ ATCA_STATUS atcab_sha_hmac_ext(ATCADevice device, const uint8_t* data, size_t da ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type_ext(device); - if (atcab_is_ca_device(dev_type)) + if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) { #if CALIB_SHA_HMAC_EN status = calib_sha_hmac(device, data, data_size, key_slot, digest, target); diff --git a/lib/atca_config_check.h b/lib/atca_config_check.h index 2d0ad5873..c9319f2ee 100644 --- a/lib/atca_config_check.h +++ b/lib/atca_config_check.h @@ -124,6 +124,10 @@ #define ATCACERT_EN (DEFAULT_ENABLED) #endif +#ifndef ATCA_NO_HEAP +#define ATCA_HEAP +#endif + /**** AES command ****/ /** \def ATCAB_AES diff --git a/lib/atca_version.h b/lib/atca_version.h index e2aec8c86..0a2e83017 100644 --- a/lib/atca_version.h +++ b/lib/atca_version.h @@ -30,9 +30,9 @@ #define ATCA_VERSION_H // Version format yyyymmdd -#define ATCA_LIBRARY_VERSION_DATE "20231222" +#define ATCA_LIBRARY_VERSION_DATE "20240131" #define ATCA_LIBRARY_VERSION_MAJOR 3 #define ATCA_LIBRARY_VERSION_MINOR 7 -#define ATCA_LIBRARY_VERSION_BUILD 2 +#define ATCA_LIBRARY_VERSION_BUILD 3 #endif /* ATCA_VERSION_H */ diff --git a/lib/atcacert/atcacert_client.c b/lib/atcacert/atcacert_client.c index 205d7f760..7a780acce 100644 --- a/lib/atcacert/atcacert_client.c +++ b/lib/atcacert/atcacert_client.c @@ -33,7 +33,10 @@ #include "atcacert_der.h" #include "atcacert_pem.h" #include "cryptoauthlib.h" + +#if ATCA_CA_SUPPORT #include "calib/calib_basic.h" +#endif #if ATCACERT_COMPCERT_EN @@ -146,10 +149,12 @@ ATCA_STATUS atcacert_read_cert_ext(ATCADevice device, size_t* cert_size) { ATCA_STATUS ret = ATCACERT_E_BAD_PARAMS; +#if ATCACERT_COMPCERT_EN atcacert_device_loc_t device_locs[16]; size_t device_locs_count = 0; size_t i = 0; atcacert_build_state_t build_state; +#endif if (cert_def == NULL || cert_size == NULL) { @@ -245,9 +250,11 @@ ATCA_STATUS atcacert_write_cert_ext(ATCADevice device, size_t cert_size) { ATCA_STATUS ret = 0; +#if ATCACERT_COMPCERT_EN atcacert_device_loc_t device_locs[16]; size_t device_locs_count = 0; size_t i = 0; +#endif if (cert_def == NULL || cert == NULL) { @@ -511,9 +518,11 @@ ATCA_STATUS atcacert_read_cert_size_ext(ATCADevice device, const atcacert_def_t* cert_def, size_t* cert_size) { + ATCA_STATUS ret = ATCACERT_E_SUCCESS; +#if ATCACERT_COMPCERT_EN uint8_t buffer[75]; size_t buflen = sizeof(buffer); - ATCA_STATUS ret = ATCACERT_E_SUCCESS; +#endif if ((NULL == cert_def) || (NULL == cert_size)) { diff --git a/lib/atcacert/atcacert_def.c b/lib/atcacert/atcacert_def.c index 9d57423ec..c54cf3dbd 100644 --- a/lib/atcacert/atcacert_def.c +++ b/lib/atcacert/atcacert_def.c @@ -1131,6 +1131,7 @@ ATCA_STATUS atcacert_get_expire_date(const atcacert_def_t* cert_def, return status; } +#if ATCACERT_COMPCERT_EN static void uint8_to_hex(uint8_t num, uint8_t* hex_str) { uint8_t nibble = (num >> 4) & 0x0Fu; @@ -1154,7 +1155,6 @@ static void uint8_to_hex(uint8_t num, uint8_t* hex_str) } } -#if ATCACERT_COMPCERT_EN ATCA_STATUS atcacert_set_signer_id(const atcacert_def_t* cert_def, uint8_t* cert, size_t cert_size, @@ -1172,7 +1172,6 @@ ATCA_STATUS atcacert_set_signer_id(const atcacert_def_t* cert_def, return atcacert_set_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_SIGNER_ID], cert, cert_size, hex_str, 4); } -#endif static ATCA_STATUS hex_to_uint8(const uint8_t hex_str[2], uint8_t* num) { @@ -1215,7 +1214,6 @@ static ATCA_STATUS hex_to_uint8(const uint8_t hex_str[2], uint8_t* num) return ATCACERT_E_SUCCESS; } -#if ATCACERT_COMPCERT_EN ATCA_STATUS atcacert_get_signer_id(const atcacert_def_t* cert_def, const uint8_t* cert, size_t cert_size, diff --git a/lib/calib/calib_sha.c b/lib/calib/calib_sha.c index 3d2cbd329..b416384e7 100644 --- a/lib/calib/calib_sha.c +++ b/lib/calib/calib_sha.c @@ -489,25 +489,30 @@ ATCA_STATUS calib_sha_hmac_update(ATCADevice device, atca_hmac_sha256_ctx_t* ctx */ ATCA_STATUS calib_sha_hmac_finish(ATCADevice device, atca_hmac_sha256_ctx_t *ctx, uint8_t* digest, uint8_t target) { - uint8_t mode = SHA_MODE_HMAC_END; + uint8_t mode; uint16_t digest_size = 32; + ATCADeviceType dev_type = device->mIface.mIfaceCFG->devtype; if (device == NULL) { return ATCA_TRACE(ATCA_BAD_PARAM, "NULL pointer received"); } - if (ATECC608A == device->mIface.mIfaceCFG->devtype) + switch (dev_type) { - mode = SHA_MODE_608_HMAC_END; - } - if (atcab_is_ca2_device(device->mIface.mIfaceCFG->devtype)) - { - mode = SHA_MODE_ECC204_HMAC_END; - } - if (target != SHA_MODE_TARGET_TEMPKEY) - { - return ATCA_TRACE(ATCA_BAD_PARAM, "Invalid target received"); + case ATECC608: + mode = SHA_MODE_608_HMAC_END; + break; +#if ATCA_CA2_SUPPORT + case ECC204: + /* fallthrough */ + case TA010: + mode = SHA_MODE_ECC204_HMAC_END; + break; +#endif + default: + mode = SHA_MODE_HMAC_END; + break; } mode |= target; diff --git a/lib/cmake/pkcs11.cmake b/lib/cmake/pkcs11.cmake index b9bdfcf65..e610cb7dc 100644 --- a/lib/cmake/pkcs11.cmake +++ b/lib/cmake/pkcs11.cmake @@ -17,6 +17,7 @@ option(PKCS11_AUTH_TERMINATE_BEFORE_LOGIN "Enable auth terminate before c_log set(PKCS11_MAX_SLOTS_ALLOWED 1 CACHE STRING "Maximum number of slots allowed in the system") set(PKCS11_MAX_SESSIONS_ALLOWED 10 CACHE STRING "Maximum number of total sessions allowed in the system") set(PKCS11_MAX_CERTS_CACHED 5 CACHE STRING "Maximum number of x509 certificates allowed to be cached") +set(PKCS11_MAX_KEYS_CACHED 5 CACHE STRING "Maximum number of key IDs allowed to be cached") set(PKCS11_MAX_OBJECTS_ALLOWED 16 CACHE STRING "Maximum number of cryptographic objects allowed to be cached") set(PKCS11_MAX_LABEL_SIZE 30 CACHE STRING "Maximum label size in characters") set(PKCS11_MAX_CONFIG_ALLOWED 7 CACHE STRING "Maximum depth to configuration options") diff --git a/lib/cryptoauthlib.h b/lib/cryptoauthlib.h index 648761cdb..066d823c5 100644 --- a/lib/cryptoauthlib.h +++ b/lib/cryptoauthlib.h @@ -69,6 +69,8 @@ #define ATCA_ECCP256_PUBKEY_SIZE (64u) #define ATCA_ECCP256_SIG_SIZE (64u) +#define ATCA_ECC_UNCOMPRESSED_TYPE ((uint8_t)0x04) + #define ATCA_ZONE_CONFIG ((uint8_t)0x00) #define ATCA_ZONE_OTP ((uint8_t)0x01) #define ATCA_ZONE_DATA ((uint8_t)0x02) diff --git a/lib/mbedtls/atca_mbedtls_wrap.c b/lib/mbedtls/atca_mbedtls_wrap.c index e6889d328..181642869 100644 --- a/lib/mbedtls/atca_mbedtls_wrap.c +++ b/lib/mbedtls/atca_mbedtls_wrap.c @@ -773,13 +773,12 @@ ATCA_STATUS atcac_pk_free( struct atcac_pk_ctx* ctx /**< [in] pointer to a pk context */ ) { - ATCA_STATUS status = ATCA_BAD_PARAM; + ATCA_STATUS status = ATCA_SUCCESS; if (NULL != ctx) { void* tmp_ptr = ctx; - mbedtls_pk_init((mbedtls_pk_context*)tmp_ptr); - status = ATCA_SUCCESS; + mbedtls_pk_free((mbedtls_pk_context*)tmp_ptr); } return status; } diff --git a/lib/pkcs11/pkcs11_cert.c b/lib/pkcs11/pkcs11_cert.c index 4479df536..085591afb 100644 --- a/lib/pkcs11/pkcs11_cert.c +++ b/lib/pkcs11/pkcs11_cert.c @@ -1087,7 +1087,7 @@ CK_RV pkcs11_cert_x509_write(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, p } /* Called from auth session to clear the certificate */ -CK_RV pkcs11_cert_clear_cache_session(pkcs11_session_ctx_ptr session_ctx) +CK_RV pkcs11_cert_clear_session_cache(pkcs11_session_ctx_ptr session_ctx) { CK_RV rv = CKR_GENERAL_ERROR; @@ -1133,7 +1133,7 @@ CK_RV pkcs11_cert_clear_cache_session(pkcs11_session_ctx_ptr session_ctx) } /* Called to free certificate object */ -CK_RV pkcs11_cert_clear_cache(pkcs11_object_ptr pObject) +CK_RV pkcs11_cert_clear_object_cache(pkcs11_object_ptr pObject) { CK_RV rv = CKR_GENERAL_ERROR; diff --git a/lib/pkcs11/pkcs11_cert.h b/lib/pkcs11/pkcs11_cert.h index 31359bd42..7b6006616 100644 --- a/lib/pkcs11/pkcs11_cert.h +++ b/lib/pkcs11/pkcs11_cert.h @@ -45,8 +45,8 @@ extern const CK_ULONG pkcs11_cert_x509_attributes_count; CK_RV pkcs11_cert_x509_write(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr pSession); CK_RV pkcs11_cert_load(pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pAttribute, ATCADevice device); -CK_RV pkcs11_cert_clear_cache_session(pkcs11_session_ctx_ptr session_ctx); -CK_RV pkcs11_cert_clear_cache(pkcs11_object_ptr pObject); +CK_RV pkcs11_cert_clear_session_cache(pkcs11_session_ctx_ptr session_ctx); +CK_RV pkcs11_cert_clear_object_cache(pkcs11_object_ptr pObject); #ifdef __cplusplus } diff --git a/lib/pkcs11/pkcs11_config.c b/lib/pkcs11/pkcs11_config.c index f01efe645..1d7c968d8 100644 --- a/lib/pkcs11/pkcs11_config.c +++ b/lib/pkcs11/pkcs11_config.c @@ -68,6 +68,7 @@ void pkcs11_config_init_private(pkcs11_object_ptr pObject, const char * label, s pObject->class_type = CKK_EC; pObject->attributes = pkcs11_key_private_attributes; pObject->count = pkcs11_key_private_attributes_count; + pObject->flags = PKCS11_OBJECT_FLAG_KEY_CACHE; #if ATCA_CA_SUPPORT pObject->data = NULL; #endif @@ -86,6 +87,7 @@ void pkcs11_config_init_public(pkcs11_object_ptr pObject, const char * label, si pObject->class_type = CKK_EC; pObject->attributes = pkcs11_key_public_attributes; pObject->count = pkcs11_key_public_attributes_count; + pObject->flags = PKCS11_OBJECT_FLAG_KEY_CACHE; #if ATCA_CA_SUPPORT pObject->data = NULL; #endif @@ -636,7 +638,6 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs { pkcs11_config_init_private(pObject, argv[1], strlen(argv[1])); pObject->slot = slot; - pObject->flags = 0; #if ATCA_CA_SUPPORT pObject->config = &slot_ctx->cfg_zone; #endif @@ -651,7 +652,6 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs { pkcs11_config_init_public(pPubkey, argv[1], strlen(argv[1])); pPubkey->slot = slot; - pPubkey->flags = 0; #if ATCA_CA_SUPPORT pPubkey->config = &slot_ctx->cfg_zone; #endif @@ -679,7 +679,6 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs pObject->slot = (uint16_t)l_tmp; } - pObject->flags = 0; #if ATCA_CA_SUPPORT pObject->config = &slot_ctx->cfg_zone; #endif diff --git a/lib/pkcs11/pkcs11_config.h.in b/lib/pkcs11/pkcs11_config.h.in index 452428902..5ce6c237e 100644 --- a/lib/pkcs11/pkcs11_config.h.in +++ b/lib/pkcs11/pkcs11_config.h.in @@ -75,6 +75,11 @@ #define PKCS11_MAX_CERTS_CACHED (@PKCS11_MAX_CERTS_CACHED@U) #endif +/** Maximum number of Key ID's allowed to be cached */ +#ifndef PKCS11_MAX_KEYS_CACHED +#define PKCS11_MAX_KEYS_CACHED (@PKCS11_MAX_KEYS_CACHED@U) +#endif + /** Maximum number of cryptographic objects allowed to be cached */ #ifndef PKCS11_MAX_OBJECTS_ALLOWED #define PKCS11_MAX_OBJECTS_ALLOWED (@PKCS11_MAX_OBJECTS_ALLOWED@U) diff --git a/lib/pkcs11/pkcs11_key.c b/lib/pkcs11/pkcs11_key.c index d1d90bc9c..9ccd46aa1 100644 --- a/lib/pkcs11/pkcs11_key.c +++ b/lib/pkcs11/pkcs11_key.c @@ -43,6 +43,18 @@ * \defgroup pkcs11 Key (pkcs11_key_) @{ */ +#if defined(ATCA_HEAP) +typedef struct pkcs11_key_cache_s +{ + CK_ATTRIBUTE key_id_hash; + pkcs11_session_ctx_ptr pSession_key; + pkcs11_object_ptr pObject_key; + CK_BBOOL in_use; +} pkcs11_key_cache_fields_t; + +static pkcs11_key_cache_fields_t pkcs11_key_cache_list[PKCS11_MAX_KEYS_CACHED]; +#endif + static CK_RV pkcs11_key_get_derivekey_flag(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr pSession) { pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; @@ -579,71 +591,159 @@ static CK_RV pkcs11_key_auth_required(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAtt return rv; } -static CK_RV pkcs11_key_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr session_ctx) +static CK_RV pkcs11_key_calc_key_id(const pkcs11_session_ctx_ptr pSession, const pkcs11_object_ptr pObject, uint8_t *key_id_buffer) { - pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; + CK_BBOOL is_private = FALSE; CK_RV rv = CKR_ARGUMENTS_BAD; - if (NULL != obj_ptr && NULL != session_ctx) - { -#if PKCS11_AUTO_ID_ENABLE - if (NULL != pAttribute->pValue) - { - CK_BBOOL is_private; + if (CKR_OK == (rv = pkcs11_object_is_private(pObject, &is_private, pSession))) + { + uint8_t pubkey_buffer[1 + ATCA_ECCP256_PUBKEY_SIZE] = { 0x0 }; + pubkey_buffer[0] = ATCA_ECC_UNCOMPRESSED_TYPE; - if (CKR_OK == (rv = pkcs11_object_is_private(obj_ptr, &is_private, session_ctx))) + if (TRUE == is_private) + { + ATCADeviceType dev_type = atcab_get_device_type_ext(pSession->slot->device_ctx); + if (atcab_is_ca_device(dev_type)) { - ATCA_STATUS status = ATCA_GEN_FAIL; - uint8_t buffer[1 + ATCA_ECCP256_PUBKEY_SIZE] = { 0x0 }; - buffer[0] = 0x04; - - if (is_private) - { - ATCADeviceType dev_type = atcab_get_device_type_ext(session_ctx->slot->device_ctx); - if (atcab_is_ca_device(dev_type)) - { #if ATCA_CA_SUPPORT - status = atcab_get_pubkey_ext(session_ctx->slot->device_ctx, obj_ptr->slot, &buffer[1]); - PKCS11_DEBUG("atcab_get_pubkey: %x\r\n", status); + rv = pkcs11_util_convert_rv(atcab_get_pubkey_ext(pSession->slot->device_ctx, pObject->slot, &pubkey_buffer[1])); #endif - } - else if (atcab_is_ta_device(dev_type)) - { + } + else if (atcab_is_ta_device(dev_type)) + { #if ATCA_TA_SUPPORT - status = pkcs11_ta_get_pubkey(pObject, &buffer[1], session_ctx); + rv = pkcs11_util_convert_rv(pkcs11_ta_get_pubkey(pObject, &pubkey_buffer[1], pSession)); #endif + } + else + { + /* do nothing */ + } + } + else + { + rv = pkcs11_util_convert_rv(atcab_read_pubkey_ext(pSession->slot->device_ctx, pObject->slot, &pubkey_buffer[1])); + } + if (CKR_OK == rv) + { + rv = pkcs11_util_convert_rv(atcac_sw_sha1(pubkey_buffer, sizeof(pubkey_buffer), key_id_buffer)); + } + } + return rv; +} + +#if defined(ATCA_HEAP) +/* Loads keys into cache list*/ +static CK_RV pkcs11_key_load_key_id_cache(const pkcs11_session_ctx_ptr pSession, const pkcs11_object_ptr pObject, pkcs11_key_cache_fields_t** pkcs11_key_cache_item) +{ + CK_RV rv = CKR_ARGUMENTS_BAD; + + if ((NULL != pkcs11_key_cache_item) && (pObject->class_type == CKK_EC)) + { + CK_ULONG i; + + //Check if KEY ID has been cached already for the public key object + if (NULL == pObject->data) + { + rv = CKR_HOST_MEMORY; + /* Find free key ID cache slot*/ + for (i = 0U; i < PKCS11_MAX_KEYS_CACHED; i++) + { + //Check for free slots + if (FALSE == pkcs11_key_cache_list[i].in_use) + { + break; + } + } + + if (i < PKCS11_MAX_KEYS_CACHED) + { + /* Allocate key ID object memory */ + uint8_t *key_id_object_ptr = pkcs11_os_malloc(ATCA_SHA1_DIGEST_SIZE); + + if (NULL != key_id_object_ptr) + { + (void)memset(key_id_object_ptr, 0, ATCA_SHA1_DIGEST_SIZE); + //Read public key from device + //calculate SHA1 + rv = pkcs11_key_calc_key_id(pSession, pObject, key_id_object_ptr); + if (CKR_OK == rv) + { + pObject->data = key_id_object_ptr; + /* Link key ID buffer to cache list and object */ + pkcs11_key_cache_list[i].key_id_hash.pValue = pkcs11_os_malloc(ATCA_SHA1_DIGEST_SIZE); + pkcs11_key_cache_list[i].key_id_hash.ulValueLen = ATCA_SHA1_DIGEST_SIZE; + (void)memcpy(pkcs11_key_cache_list[i].key_id_hash.pValue, key_id_object_ptr, ATCA_SHA1_DIGEST_SIZE); + pkcs11_key_cache_list[i].in_use = TRUE; + pkcs11_key_cache_list[i].pSession_key = pSession; + pkcs11_key_cache_list[i].pObject_key = pObject; + *pkcs11_key_cache_item = &pkcs11_key_cache_list[i]; } else { - /* do nothing */ + pkcs11_os_free(key_id_object_ptr); } } - else + } + } + else + { + rv = CKR_GENERAL_ERROR; + for (i = 0U; i < PKCS11_MAX_KEYS_CACHED; i++) + { + if ((pkcs11_key_cache_list[i].pSession_key == pSession) && + (pkcs11_key_cache_list[i].pObject_key == pObject)) { - status = atcab_read_pubkey_ext(session_ctx->slot->device_ctx, obj_ptr->slot, &buffer[1]); - PKCS11_DEBUG("atcab_read_pubkey: %x\r\n", status); + *pkcs11_key_cache_item = &pkcs11_key_cache_list[i]; + rv = CKR_OK; + break; } + } + } + } + return rv; +} +#endif - if (ATCA_SUCCESS == status) - { - status = (ATCA_STATUS)atcac_sw_sha1(buffer, sizeof(buffer), buffer); - } +static CK_RV pkcs11_key_get_key_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr session_ctx) +{ + pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; + CK_RV rv = CKR_ARGUMENTS_BAD; - if (ATCA_SUCCESS == status) + //Check if object allocated and a valid session + if (NULL != obj_ptr && NULL != session_ctx) + { +#if PKCS11_AUTO_ID_ENABLE + //Check if attribute fields are valid and required buffer allocated + if (NULL != pAttribute->pValue) + { +#ifdef ATCA_HEAP + pkcs11_key_cache_fields_t *pkcs11_key_cache_item = NULL; + //Check if calculated key ID can be read from cache list + if (CKR_OK == (rv = pkcs11_key_load_key_id_cache(session_ctx, obj_ptr, &pkcs11_key_cache_item))) + { + return pkcs11_attrib_fill(pAttribute, pkcs11_key_cache_item->key_id_hash.pValue, pkcs11_key_cache_item->key_id_hash.ulValueLen); + } + else +#endif + { + uint8_t key_id[ATCA_SHA1_DIGEST_SIZE] = { 0x0 }; + + //Read public key from device and calculate key id + if(CKR_OK == pkcs11_key_calc_key_id(session_ctx, obj_ptr, key_id)) { - rv = pkcs11_attrib_fill(pAttribute, buffer, ATCA_SHA1_DIGEST_SIZE); + rv = pkcs11_attrib_fill(pAttribute, key_id, (uint8_t)ATCA_SHA1_DIGEST_SIZE); } else - { - (void)pkcs11_attrib_empty(pObject, pAttribute, NULL); - PKCS11_DEBUG("Couldnt generate public key\r\n", status); - rv = CKR_OK; + { + rv = pkcs11_attrib_empty(pObject, pAttribute, NULL); } } } else { - rv = pkcs11_attrib_fill(pAttribute, NULL, ATCA_SHA1_DIGEST_SIZE); + rv = pkcs11_attrib_fill(pAttribute, NULL, (uint8_t)ATCA_SHA1_DIGEST_SIZE); } #else uint16_t key_id = ATCA_UINT16_HOST_TO_BE(obj_ptr->slot); @@ -674,7 +774,7 @@ const pkcs11_attrib_model pkcs11_key_public_attributes[] = { /** Type of key */ { CKA_KEY_TYPE, pkcs11_object_get_type }, /** Key identifier for key (default empty) */ - { CKA_ID, pkcs11_key_get_id }, + { CKA_ID, pkcs11_key_get_key_id }, /** Start date for the key (default empty) */ { CKA_START_DATE, pkcs11_attrib_empty }, /** End date for the key (default empty) */ @@ -765,7 +865,7 @@ const pkcs11_attrib_model pkcs11_key_private_attributes[] = { /** Type of key */ { CKA_KEY_TYPE, pkcs11_object_get_type }, /** Key identifier for key (default empty) */ - { CKA_ID, pkcs11_key_get_id }, + { CKA_ID, pkcs11_key_get_key_id }, /** Start date for the key (default empty) */ { CKA_START_DATE, pkcs11_attrib_empty }, /** End date for the key (default empty) */ @@ -1597,4 +1697,65 @@ CK_RV pkcs11_key_derive return rv; } +/* Called from auth session to clear the key object */ +CK_RV pkcs11_key_clear_session_cache(pkcs11_session_ctx_ptr session_ctx) +{ + CK_RV rv = CKR_GENERAL_ERROR; + +#if defined(ATCA_HEAP) + CK_ULONG i; + + for (i = 0; i < PKCS11_MAX_KEYS_CACHED; i++) + { + if (session_ctx == pkcs11_key_cache_list[i].pSession_key) + { + if (NULL != pkcs11_key_cache_list[i].key_id_hash.pValue) + { + pkcs11_os_free(pkcs11_key_cache_list[i].key_id_hash.pValue); + pkcs11_key_cache_list[i].key_id_hash.pValue = NULL; + pkcs11_key_cache_list[i].in_use = FALSE; + pkcs11_key_cache_list[i].pSession_key = NULL; + rv = CKR_OK; + break; + } + } + } +#endif + + return rv; +} + +/* Called to free certificate object */ +CK_RV pkcs11_key_clear_object_cache(pkcs11_object_ptr pObject) +{ + CK_RV rv = CKR_GENERAL_ERROR; + +#if defined(ATCA_HEAP) + CK_ULONG i; + + for (i = 0; i < PKCS11_MAX_KEYS_CACHED; i++) + { + if (pObject == pkcs11_key_cache_list[i].pObject_key) + { + if (NULL != pObject->data) + { + pkcs11_os_free(pObject->data); + pObject->data = NULL; + } + if (NULL != pkcs11_key_cache_list[i].key_id_hash.pValue) + { + pkcs11_os_free(pkcs11_key_cache_list[i].key_id_hash.pValue); + pkcs11_key_cache_list[i].key_id_hash.pValue = NULL; + } + pkcs11_key_cache_list[i].in_use = FALSE; + pkcs11_key_cache_list[i].pSession_key = NULL; + pkcs11_key_cache_list[i].pObject_key = NULL; + rv = CKR_OK; + break; + } + } +#endif + return rv; +} + /** @} */ diff --git a/lib/pkcs11/pkcs11_key.h b/lib/pkcs11/pkcs11_key.h index f3d6e3d51..20caf6d28 100644 --- a/lib/pkcs11/pkcs11_key.h +++ b/lib/pkcs11/pkcs11_key.h @@ -56,5 +56,7 @@ CK_RV pkcs11_key_generate_pair(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey); CK_RV pkcs11_key_derive(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey); +CK_RV pkcs11_key_clear_session_cache(pkcs11_session_ctx_ptr session_ctx); +CK_RV pkcs11_key_clear_object_cache(pkcs11_object_ptr pObject); #endif /* PKCS11_KEY_H_ */ diff --git a/lib/pkcs11/pkcs11_object.c b/lib/pkcs11/pkcs11_object.c index 1e1a286d2..cf8aa46e9 100644 --- a/lib/pkcs11/pkcs11_object.c +++ b/lib/pkcs11/pkcs11_object.c @@ -195,16 +195,17 @@ CK_RV pkcs11_object_free(pkcs11_object_ptr pObject) { if (PKCS11_OBJECT_FLAG_CERT_CACHE == (pObject->flags & PKCS11_OBJECT_FLAG_CERT_CACHE)) { - (void)pkcs11_cert_clear_cache(pObject); + (void)pkcs11_cert_clear_object_cache(pObject); pObject->flags &= PKCS11_OBJECT_FLAG_CERT_CACHE_COMPLEMENT; } - else if (PKCS11_OBJECT_FLAG_SENSITIVE == (pObject->flags & PKCS11_OBJECT_FLAG_SENSITIVE)) + if (PKCS11_OBJECT_FLAG_KEY_CACHE == (pObject->flags & PKCS11_OBJECT_FLAG_KEY_CACHE)) { - (void)pkcs11_util_memset((CK_VOID_PTR)pObject->data, pObject->size, 0, pObject->size); + (void)pkcs11_key_clear_object_cache(pObject); + pObject->flags &= PKCS11_OBJECT_FLAG_KEY_CACHE_COMPLEMENT; } - else + if (PKCS11_OBJECT_FLAG_SENSITIVE == (pObject->flags & PKCS11_OBJECT_FLAG_SENSITIVE)) { - /* Added for MISRA Violation */ + (void)pkcs11_util_memset((CK_VOID_PTR)pObject->data, pObject->size, 0, pObject->size); } } diff --git a/lib/pkcs11/pkcs11_object.h b/lib/pkcs11/pkcs11_object.h index d72bb0565..27d29113d 100644 --- a/lib/pkcs11/pkcs11_object.h +++ b/lib/pkcs11/pkcs11_object.h @@ -83,6 +83,8 @@ extern const CK_ULONG pkcs11_object_monotonic_attributes_count; #define PKCS11_OBJECT_FLAG_TA_TYPE (0x10U) #define PKCS11_OBJECT_FLAG_TRUST_TYPE (0x20U) #define PKCS11_OBJECT_FLAG_CERT_CACHE (0x40U) +#define PKCS11_OBJECT_FLAG_KEY_CACHE (0x80U) +#define PKCS11_OBJECT_FLAG_KEY_CACHE_COMPLEMENT ~(PKCS11_OBJECT_FLAG_KEY_CACHE & 0xffu) #define PKCS11_OBJECT_FLAG_CERT_CACHE_COMPLEMENT ~(PKCS11_OBJECT_FLAG_CERT_CACHE & 0xffu) /* Object System Access */ diff --git a/lib/pkcs11/pkcs11_os.c b/lib/pkcs11/pkcs11_os.c index 62206843d..d4213f888 100644 --- a/lib/pkcs11/pkcs11_os.c +++ b/lib/pkcs11/pkcs11_os.c @@ -106,7 +106,7 @@ CK_RV pkcs11_os_free_shared_ctx(void * pShared, size_t size) { ATCA_STATUS status = ATCA_GEN_FAIL; -#if (defined(__linux__) && defined(ATCA_USE_SHARED_MUTEX)) || defined(__APPLE__) +#if ((defined(__linux__) || defined(__APPLE__)) && defined(ATCA_USE_SHARED_MUTEX)) status = hal_free_shared(pShared, size); #elif defined(ATCA_NO_HEAP) ((void)pShared); diff --git a/lib/pkcs11/pkcs11_session.c b/lib/pkcs11/pkcs11_session.c index 30f265f55..c8d340ba6 100644 --- a/lib/pkcs11/pkcs11_session.c +++ b/lib/pkcs11/pkcs11_session.c @@ -40,6 +40,7 @@ #include "pkcs11_object.h" #include "pkcs11_os.h" #include "pkcs11_util.h" +#include "pkcs11_key.h" #include "pkcs11_cert.h" /** @@ -622,7 +623,8 @@ CK_RV pkcs11_session_logout(CK_SESSION_HANDLE hSession) } #endif - (void)pkcs11_cert_clear_cache_session(session_ctx); + (void)pkcs11_cert_clear_session_cache(session_ctx); + (void)pkcs11_key_clear_session_cache(session_ctx); rv = pkcs11_release_resource(lib_ctx, session_ctx, PKCS11_AUTH_OP_0); /* Wipe the io protection secret regardless if the above operatios succeeded */ diff --git a/release_notes.md b/release_notes.md index 14b816077..bb8ede3e5 100644 --- a/release_notes.md +++ b/release_notes.md @@ -1,7 +1,20 @@ # Microchip Cryptoauthlib Release Notes -## Release v3.7.2 (01/19/2023) +## Release v3.7.3 (01/31/2024) + +### New Features + - In PKCS11 module, added cache support to store `Key id` attribute of + key type objects into stack memory and use it for subsequent accesses + +### Fixes + - Fixed calib_sha_hmac_finish api to set mode value correctly for + ECC204, TA010 and ECC608 devices + - Fixed memory leak in MbedTLS configuration + - Fixed build errors when a project is generated with PKCS11 Component enabled in + MPLAB Harmony Configurator (MHC) + +## Release v3.7.2 (01/19/2024) ### New Features - See [talib/CHANGES.md] for details on talib module changes diff --git a/test/README.md b/test/README.md index 70f62e3f2..297e10748 100644 --- a/test/README.md +++ b/test/README.md @@ -84,6 +84,7 @@ Commands * ecc508 - Select ATECC508A * ecc608 - Select ATECC608A/B * ta100 - Select TA100 +* ta101 - Select TA101 ### Utilities * info - Read the device revision data @@ -114,8 +115,8 @@ Commands * clkdivm1 - Sets the ECC608 clock divider to 0x05 * clkdivm2 - Sets the ECC608 clock divider to 0x0D -### TA100 Specific Commands -* handles - Prints the ta100 handle information for all created handles +### TA Specific Commands +* handles - Prints the handle information for all created handles * talib - Run (talib_) API validation tests @@ -140,6 +141,7 @@ macro is enabled: * ecc508 * ecc608 * ta100 +* ta101 ### -i (Interface) diff --git a/test/api_atcab/atca_tests_sha.c b/test/api_atcab/atca_tests_sha.c index ee213a1a4..23b014a77 100644 --- a/test/api_atcab/atca_tests_sha.c +++ b/test/api_atcab/atca_tests_sha.c @@ -634,6 +634,45 @@ TEST(atca_cmd_basic_test, sha_hmac_tempkey) TEST_ASSERT_EQUAL_MEMORY(hmac_ref, hmac, ATCA_SHA256_DIGEST_SIZE); } + +TEST(atca_cmd_basic_test, sha_hmac_msg_dig_buf) +{ + ATCA_STATUS status = ATCA_GEN_FAIL; + uint8_t hmac[ATCA_SHA256_DIGEST_SIZE]; + uint8_t data_input[] = { + 0x6f, 0xb3, 0xec, 0x66, 0xf9, 0xeb, 0x07, 0x0a, + 0x71, 0x9b, 0xeb, 0xbe, 0x70, 0x8b, 0x93, 0xa6, + 0x5b, 0x20, 0x1b, 0x78, 0xe2, 0xd2, 0x6d, 0x8c, + 0xcc, 0xdf, 0x1c, 0x33, 0xf7, 0x41, 0x90, 0x4a, + 0x9a, 0xde, 0x64, 0x0f, 0xce, 0x00, 0x0c, 0x33, + 0x4d, 0x04, 0xbb, 0x30, 0x79, 0x56, 0x83, 0xdc, + 0xa0, 0x9d, 0xbf, 0x3e, 0x7e, 0x32, 0xae, 0xa1, + 0x03, 0xd7, 0x60, 0xe8, 0x57, 0xa6, 0xd6, 0x21, + 0x1c + }; + const uint8_t hmac_ref[ATCA_SHA256_DIGEST_SIZE] = { + 0x29, 0x7f, 0x22, 0xb8, 0xd2, 0x51, 0xb0, 0x63, + 0xa7, 0xc0, 0x8d, 0xcf, 0x4d, 0xba, 0x0d, 0x1f, + 0xb3, 0x5d, 0x32, 0xa3, 0xba, 0xab, 0x15, 0xac, + 0xea, 0xf4, 0x39, 0x1c, 0x4a, 0xdb, 0x32, 0x77 + }; + + uint16_t key_id; + + status = atca_test_config_get_id(TEST_TYPE_HMAC, &key_id); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + test_assert_data_is_locked(); + + // Load key into message digest buffer + status = atcab_nonce_load(NONCE_MODE_TARGET_MSGDIGBUF, g_slot4_key, 32); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + //Calculating HMAC using the key in Message Digest Buffer + status = atcab_sha_hmac(data_input, sizeof(data_input), key_id, hmac, SHA_MODE_TARGET_MSGDIGBUF); + + TEST_ASSERT_EQUAL_MEMORY(hmac_ref, hmac, ATCA_SHA256_DIGEST_SIZE); +} #endif /* ATCA_ATECC608_SUPPORT */ #endif /* TEST_ATCAB_SHA_HMAC_EN */ @@ -664,6 +703,7 @@ t_test_case_info sha_basic_test_info[] = { REGISTER_TEST_CASE(atca_cmd_basic_test, sha_hmac), REGISTER_TEST_CONDITION(atca_cmd_basic_test, sha_hmac) }, #ifdef ATCA_ATECC608_SUPPORT { REGISTER_TEST_CASE(atca_cmd_basic_test, sha_hmac_tempkey), atca_test_cond_ecc608 }, + { REGISTER_TEST_CASE(atca_cmd_basic_test, sha_hmac_msg_dig_buf),atca_test_cond_ecc608 }, #endif #endif /* TEST_ATCAB_SHA_HMAC_EN */