mirrors/pico-hsm
1
0
Fork 0
mirror of https://github.com/polhenarejos/pico-hsm.git synced 2026-04-17 21:58:27 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add strict build.

Browse source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos 2026-03-09 11:02:47 +01:00
parent cc0e4e43ca
commit 839fb431c4
No known key found for this signature in database
GPG key ID: C0095B7870A4CCD3
35 changed files with 170 additions and 158 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
CMakeLists.txt
View file

@ -96,13 +96,23 @@ if(NOT ESP_PLATFORM)
target_sources(pico_hsm PUBLIC ${SOURCES})
target_include_directories(pico_hsm PUBLIC ${INCLUDES})
target_compile_options(pico_hsm PUBLIC
set(COMMON_COMPILE_OPTIONS
-Wall
)
target_compile_options(pico_hsm PRIVATE ${COMMON_COMPILE_OPTIONS})
pico_keys_apply_strict_flags(
SOURCES ${SOURCES}
FILTER_REGEX "/src/hsm/|/pico-keys-sdk/src/|/pico-keys-sdk/config/"
)
if(NOT MSVC)
target_compile_options(pico_hsm PUBLIC
-Werror
)
string(FIND ${CMAKE_C_COMPILER} ":" COMPILER_COLON)
if(${COMPILER_COLON} GREATER_EQUAL 0)
target_compile_options(pico_hsm PRIVATE
-Wno-error=use-after-free
)
endif()
endif()
if(ENABLE_EMULATION)

2
pico-keys-sdk

@ -1 +1 @@
Subproject commit 34633828d7351cf979bbb7aa75fede3db047251a
Subproject commit 8aad7bdef9103f0c2abb4ececffa29928d489403

40
src/hsm/cmd_bip_slip.c
View file

@ -27,11 +27,11 @@ const uint8_t *sym_seed = (const uint8_t *) "Symmetric key seed";
mbedtls_ecp_keypair hd_context = { 0 };
uint8_t hd_keytype = 0;
int node_derive_bip_child(const mbedtls_ecp_keypair *parent,
const uint8_t cpar[32],
const uint8_t *i,
mbedtls_ecp_keypair *child,
uint8_t cchild[32]) {
static int node_derive_bip_child(const mbedtls_ecp_keypair *parent,
const uint8_t cpar[32],
const uint8_t *i,
mbedtls_ecp_keypair *child,
uint8_t cchild[32]) {
uint8_t data[1 + 32 + 4], I[64], *iL = I, *iR = I + 32;
mbedtls_mpi il, kchild;
mbedtls_mpi_init(&il);
@ -75,19 +75,19 @@ int node_derive_bip_child(const mbedtls_ecp_keypair *parent,
return PICOKEY_OK;
}
int sha256_ripemd160(const uint8_t *buffer, size_t buffer_len, uint8_t *output) {
static int sha256_ripemd160(const uint8_t *buffer, size_t buffer_len, uint8_t *output) {
mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), buffer, buffer_len, output);
mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_RIPEMD160), output, 32, output);
return PICOKEY_OK;
}
int sha256_sha256(const uint8_t *buffer, size_t buffer_len, uint8_t *output) {
static int sha256_sha256(const uint8_t *buffer, size_t buffer_len, uint8_t *output) {
mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), buffer, buffer_len, output);
mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), output, 32, output);
return PICOKEY_OK;
}
int node_fingerprint_bip(mbedtls_ecp_keypair *ctx, uint8_t fingerprint[4]) {
static int node_fingerprint_bip(mbedtls_ecp_keypair *ctx, uint8_t fingerprint[4]) {
size_t olen = 0;
uint8_t buffer[33];
mbedtls_ecp_point_write_binary(&ctx->grp,
@ -101,7 +101,7 @@ int node_fingerprint_bip(mbedtls_ecp_keypair *ctx, uint8_t fingerprint[4]) {
return PICOKEY_OK;
}
int node_fingerprint_slip(mbedtls_ecp_keypair *ctx, uint8_t fingerprint[4]) {
static int node_fingerprint_slip(mbedtls_ecp_keypair *ctx, uint8_t fingerprint[4]) {
uint8_t buffer[32];
mbedtls_mpi_write_binary(&ctx->d, buffer, sizeof(buffer));
sha256_ripemd160(buffer, sizeof(buffer), buffer);
@ -109,8 +109,8 @@ int node_fingerprint_slip(mbedtls_ecp_keypair *ctx, uint8_t fingerprint[4]) {
return PICOKEY_OK;
}
int load_master_bip(uint16_t mid, mbedtls_ecp_keypair *ctx, uint8_t chain[32],
uint8_t key_type[1]) {
static int load_master_bip(uint16_t mid, mbedtls_ecp_keypair *ctx, uint8_t chain[32],
uint8_t key_type[1]) {
uint8_t mkey[65];
mbedtls_ecp_keypair_init(ctx);
file_t *ef = search_file(EF_MASTER_SEED | mid);
@ -146,14 +146,14 @@ int load_master_bip(uint16_t mid, mbedtls_ecp_keypair *ctx, uint8_t chain[32],
return PICOKEY_OK;
}
int node_derive_path(const uint8_t *path,
uint16_t path_len,
mbedtls_ecp_keypair *ctx,
uint8_t chain[32],
uint8_t fingerprint[4],
uint8_t *nodes,
uint8_t last_node[4],
uint8_t key_type[1]) {
static int node_derive_path(const uint8_t *path,
uint16_t path_len,
mbedtls_ecp_keypair *ctx,
uint8_t chain[32],
uint8_t fingerprint[4],
uint8_t *nodes,
uint8_t last_node[4],
uint8_t key_type[1]) {
uint8_t *tag_data = NULL, *p = NULL;
uint16_t tag_len = 0, tag = 0x0;
uint8_t node = 0, N[64] = { 0 };
@ -205,7 +205,7 @@ int node_derive_path(const uint8_t *path,
return PICOKEY_OK;
}
int cmd_bip_slip() {
int cmd_bip_slip(void) {
uint8_t p1 = P1(apdu), p2 = P2(apdu);
if (p1 == 0x1 || p1 == 0x2 || p1 == 0x3) { // Master generation (K1 and P1)
if (p2 >= 10) {

2
src/hsm/cmd_challenge.c
View file

@ -21,7 +21,7 @@
uint8_t challenge[256];
uint8_t challenge_len = 0;
int cmd_challenge() {
int cmd_challenge(void) {
uint8_t *rb = (uint8_t *) random_bytes_get(apdu.ne);
if (!rb) {
return SW_WRONG_LENGTH();

2
src/hsm/cmd_change_pin.c
View file

@ -19,7 +19,7 @@
#include "sc_hsm.h"
#include "kek.h"
int cmd_change_pin() {
int cmd_change_pin(void) {
if (P1(apdu) == 0x0) {
if (P2(apdu) == 0x81 || P2(apdu) == 0x88) {
file_t *file_pin = NULL;

28
src/hsm/cmd_cipher_sym.c
View file

@ -77,11 +77,19 @@ static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
return 0;
}
if ((ret = mbedtls_asn1_get_int(&p, end, (int *)keylen)) != 0) {
int keylen_i = 0;
if ((ret = mbedtls_asn1_get_int(&p, end, &keylen_i)) != 0) {
if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
}
}
else if (keylen_i < 0 || keylen_i > UINT16_MAX) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
MBEDTLS_ERR_ASN1_INVALID_LENGTH);
}
else {
*keylen = (uint16_t) keylen_i;
}
if (p == end) {
return 0;
@ -104,13 +112,13 @@ static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
}
/* Taken from https://github.com/Mbed-TLS/mbedtls/issues/2335 */
int mbedtls_ansi_x963_kdf(mbedtls_md_type_t md_type,
uint16_t input_len,
uint8_t *input,
uint16_t shared_info_len,
uint8_t *shared_info,
uint16_t output_len,
uint8_t *output) {
static int mbedtls_ansi_x963_kdf(mbedtls_md_type_t md_type,
uint16_t input_len,
uint8_t *input,
uint16_t shared_info_len,
uint8_t *shared_info,
uint16_t output_len,
uint8_t *output) {
mbedtls_md_context_t md_ctx;
const mbedtls_md_info_t *md_info = NULL;
int hashlen = 0, exit_code = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
@ -128,7 +136,7 @@ int mbedtls_ansi_x963_kdf(mbedtls_md_type_t md_type,
return exit_code;
}
if (input_len + shared_info_len + 4 >= (1ULL << 61) - 1) {
if ((uint64_t) input_len + (uint64_t) shared_info_len + 4ULL >= (1ULL << 61) - 1) {
return exit_code;
}
@ -158,7 +166,7 @@ int mbedtls_ansi_x963_kdf(mbedtls_md_type_t md_type,
return 0;
}
int cmd_cipher_sym() {
int cmd_cipher_sym(void) {
uint8_t key_id = P1(apdu), algo = P2(apdu);
if (!isUserAuthenticated) {
return SW_SECURITY_STATUS_NOT_SATISFIED();

2
src/hsm/cmd_decrypt_asym.c
View file

@ -25,7 +25,7 @@
#include "random.h"
#include "oid.h"
int cmd_decrypt_asym() {
int cmd_decrypt_asym(void) {
uint8_t key_id = P1(apdu);
uint8_t p2 = P2(apdu);
if (!isUserAuthenticated) {

2
src/hsm/cmd_delete_file.c
View file

@ -17,7 +17,7 @@
#include "sc_hsm.h"
int cmd_delete_file() {
int cmd_delete_file(void) {
file_t *ef = NULL;
if (!isUserAuthenticated) {
return SW_SECURITY_STATUS_NOT_SATISFIED();

2
src/hsm/cmd_derive_asym.c
View file

@ -35,7 +35,7 @@ cleanup:
return ret;
}
int cmd_derive_asym() {
int cmd_derive_asym(void) {
uint8_t key_id = P1(apdu);
uint8_t dest_id = P2(apdu);
file_t *fkey;

2
src/hsm/cmd_external_authenticate.c
View file

@ -24,7 +24,7 @@ extern file_t *ef_puk_aut;
extern uint8_t challenge[256];
extern uint8_t challenge_len;
int cmd_external_authenticate() {
int cmd_external_authenticate(void) {
if (P1(apdu) != 0x0 || P2(apdu) != 0x0) {
return SW_INCORRECT_P1P2();
}

6
src/hsm/cmd_extras.c
View file

@ -45,7 +45,7 @@
#define CMD_OTP 0x4C
#define CMD_MEMORY 0x5
int cmd_extras() {
int cmd_extras(void) {
int cmd = P1(apdu);
#ifndef ENABLE_EMULATION
// Only allow change PHY without PIN
@ -172,7 +172,7 @@ int cmd_extras() {
if ((P2(apdu) == SECURE_LOCK_ENABLE && !(opts & HSM_OPT_SECURE_LOCK)) ||
(P2(apdu) == SECURE_LOCK_DISABLE && (opts & HSM_OPT_SECURE_LOCK))) {
uint16_t tfids[] = { EF_MKEK, EF_MKEK_SO };
for (int t = 0; t < sizeof(tfids) / sizeof(uint16_t); t++) {
for (size_t t = 0; t < sizeof(tfids) / sizeof(uint16_t); t++) {
file_t *tf = search_file(tfids[t]);
if (tf) {
uint8_t *tmp = (uint8_t *) calloc(1, file_get_size(tf));
@ -241,7 +241,7 @@ int cmd_extras() {
}
}
#endif
#if PICO_RP2350
#if defined(PICO_RP2350) && PICO_RP2350
else if (cmd == CMD_OTP) {
if (apdu.nc < 2) {
return SW_WRONG_LENGTH();

2
src/hsm/cmd_general_authenticate.c
View file

@ -24,7 +24,7 @@
#include "files.h"
#include "otp.h"
int cmd_general_authenticate() {
int cmd_general_authenticate(void) {
if (P1(apdu) == 0x0 && P2(apdu) == 0x0) {
if (apdu.data[0] == 0x7C) {
int r = 0;

7
src/hsm/cmd_initialize.c
View file

@ -25,10 +25,8 @@
#include "cvc.h"
#include "otp.h"
extern void scan_all();
extern char __StackLimit;
int heapLeft() {
static int heapLeft(void) {
#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM)
char *p = malloc(256); // try to avoid undue fragmentation
int left = &__StackLimit - p;
@ -39,8 +37,7 @@ int heapLeft() {
return left;
}
extern void reset_puk_store();
int cmd_initialize() {
int cmd_initialize(void) {
if (apdu.nc > 0) {
uint8_t mkek[MKEK_SIZE];
uint16_t opts = get_device_options();

2
src/hsm/cmd_key_domain.c
View file

@ -33,7 +33,7 @@ uint8_t get_key_domain(file_t *fkey) {
return 0x0;
}
int cmd_key_domain() {
int cmd_key_domain(void) {
//if (dkeks == 0)
// return SW_COMMAND_NOT_ALLOWED();
uint8_t p1 = P1(apdu), p2 = P2(apdu);

2
src/hsm/cmd_key_gen.c
View file

@ -19,7 +19,7 @@
#include "sc_hsm.h"
#include "random.h"
int cmd_key_gen() {
int cmd_key_gen(void) {
uint8_t key_id = P1(apdu);
uint8_t p2 = P2(apdu);
uint8_t key_size = 32;

2
src/hsm/cmd_key_unwrap.c
View file

@ -20,7 +20,7 @@
#include "kek.h"
#include "cvc.h"
int cmd_key_unwrap() {
int cmd_key_unwrap(void) {
uint8_t key_id = P1(apdu);
int r = 0;
if (P2(apdu) != 0x93) {

4
src/hsm/cmd_key_wrap.c
View file

@ -21,9 +21,7 @@
#include "kek.h"
#include "files.h"
extern uint8_t get_key_domain(file_t *fkey);
int cmd_key_wrap() {
int cmd_key_wrap(void) {
int r = 0;
uint8_t key_id = P1(apdu);
if (P2(apdu) != 0x92) {

2
src/hsm/cmd_keypair_gen.c
View file

@ -24,7 +24,7 @@
#include "random.h"
#include "kek.h"
int cmd_keypair_gen() {
int cmd_keypair_gen(void) {
uint8_t key_id = P1(apdu);
if (!isUserAuthenticated) {
return SW_SECURITY_STATUS_NOT_SATISFIED();

2
src/hsm/cmd_list_keys.c
View file

@ -18,7 +18,7 @@
#include "sc_hsm.h"
#include "files.h"
int cmd_list_keys() {
int cmd_list_keys(void) {
/* First we send DEV private key */
/* Both below conditions should be always TRUE */
if (search_file(EF_PRKD_DEV)) {

2
src/hsm/cmd_mse.c
View file

@ -24,7 +24,7 @@
file_t *ef_puk_aut = NULL;
int cmd_mse() {
int cmd_mse(void) {
int p1 = P1(apdu);
int p2 = P2(apdu);
if (p2 != 0xA4 && p2 != 0xA6 && p2 != 0xAA && p2 != 0xB4 && p2 != 0xB6 && p2 != 0xB8) {

3
src/hsm/cmd_pso.c
View file

@ -20,10 +20,9 @@
#include "asn1.h"
#include "cvc.h"
extern int add_cert_puk_store(const uint8_t *data, uint16_t data_len, bool copy);
extern PUK *current_puk;
int cmd_pso() {
int cmd_pso(void) {
uint8_t p1 = P1(apdu), p2 = P2(apdu);
if (p1 == 0x0 && (p2 == 0x92 || p2 == 0xAE || p2 == 0xBE)) { /* Verify certificate */
if (apdu.nc == 0) {

2
src/hsm/cmd_puk_auth.c
View file

@ -19,7 +19,7 @@
#include "files.h"
#include "cvc.h"
int cmd_puk_auth() {
int cmd_puk_auth(void) {
uint8_t p1 = P1(apdu), p2 = P2(apdu);
file_t *ef_puk = search_file(EF_PUKAUT);
if (!file_has_data(ef_puk)) {

10
src/hsm/cmd_read_binary.c
View file

@ -17,7 +17,9 @@
#include "sc_hsm.h"
int cmd_read_binary() {
typedef int (*file_data_handler_t)(const file_t *f, int mode);
int cmd_read_binary(void) {
uint16_t offset = 0;
uint8_t ins = INS(apdu), p1 = P1(apdu), p2 = P2(apdu);
const file_t *ef = NULL;
@ -65,7 +67,11 @@ int cmd_read_binary() {
}
if (ef->data) {
if ((ef->type & FILE_DATA_FUNC) == FILE_DATA_FUNC) {
uint16_t data_len = (uint16_t)((int (*)(const file_t *, int))(ef->data))((const file_t *) ef, 1); //already copies content to res_APDU
union {
uint8_t *data;
file_data_handler_t handler;
} data_func = { .data = ef->data };
uint16_t data_len = (uint16_t)data_func.handler((const file_t *) ef, 1); //already copies content to res_APDU
if (offset > data_len) {
return SW_WRONG_P1P2();
}

2
src/hsm/cmd_reset_retry.c
View file

@ -19,7 +19,7 @@
#include "sc_hsm.h"
#include "kek.h"
int cmd_reset_retry() {
int cmd_reset_retry(void) {
if (P2(apdu) != 0x81) {
return SW_REFERENCE_NOT_FOUND();
}

2
src/hsm/cmd_select.c
View file

@ -36,7 +36,7 @@ void select_file(file_t *pe) {
}
}
int cmd_select() {
int cmd_select(void) {
uint8_t p1 = P1(apdu);
uint8_t p2 = P2(apdu);
file_t *pe = NULL;

2
src/hsm/cmd_session_pin.c
View file

@ -19,7 +19,7 @@
#include "random.h"
#include "eac.h"
int cmd_session_pin() {
int cmd_session_pin(void) {
if (P1(apdu) == 0x01 && P2(apdu) == 0x81) {
memcpy(sm_session_pin, random_bytes_get(8), 8);
sm_session_pin_len = 8;

12
src/hsm/cmd_signature.c
View file

@ -72,11 +72,11 @@ static const struct digest_info_prefix {
{ MBEDTLS_MD_RIPEMD160, hdr_ripemd160, sizeof(hdr_ripemd160), 20 },
{ 0, NULL, 0, 0 }
};
int pkcs1_strip_digest_info_prefix(mbedtls_md_type_t *algorithm,
const uint8_t *in_dat,
uint16_t in_len,
uint8_t *out_dat,
uint16_t *out_len) {
static int pkcs1_strip_digest_info_prefix(mbedtls_md_type_t *algorithm,
const uint8_t *in_dat,
uint16_t in_len,
uint8_t *out_dat,
uint16_t *out_len) {
for (int i = 0; digest_info_prefix[i].algorithm != 0; i++) {
uint16_t hdr_len = digest_info_prefix[i].hdr_len, hash_len = digest_info_prefix[i].hash_len;
const uint8_t *hdr = digest_info_prefix[i].hdr;
@ -99,7 +99,7 @@ int pkcs1_strip_digest_info_prefix(mbedtls_md_type_t *algorithm,
}
//-----
int cmd_signature() {
int cmd_signature(void) {
uint8_t key_id = P1(apdu);
uint8_t p2 = P2(apdu);
mbedtls_md_type_t md = MBEDTLS_MD_NONE;

4
src/hsm/cmd_update_ef.c
View file

@ -18,9 +18,7 @@
#include "sc_hsm.h"
#include "asn1.h"
extern void select_file(file_t *pe);
int cmd_update_ef() {
int cmd_update_ef(void) {
uint8_t p1 = P1(apdu), p2 = P2(apdu);
uint16_t fid = (p1 << 8) | p2;
uint8_t *data = NULL;

2
src/hsm/cmd_verify.c
View file

@ -17,7 +17,7 @@
#include "sc_hsm.h"
int cmd_verify() {
int cmd_verify(void) {
uint8_t p1 = P1(apdu);
uint8_t p2 = P2(apdu);

27
src/hsm/cvc.c
View file

@ -30,10 +30,7 @@
#include "mbedtls/eddsa.h"
#endif
extern const uint8_t *dev_name;
extern uint16_t dev_name_len;
uint16_t asn1_cvc_public_key_rsa(mbedtls_rsa_context *rsa, uint8_t *buf, uint16_t buf_len) {
static uint16_t asn1_cvc_public_key_rsa(mbedtls_rsa_context *rsa, uint8_t *buf, uint16_t buf_len) {
const uint8_t oid_rsa[] = { 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x02, 0x01, 0x02 };
uint16_t n_size = (uint16_t)mbedtls_mpi_size(&rsa->N), e_size = (uint16_t)mbedtls_mpi_size(&rsa->E);
uint16_t ntot_size = asn1_len_tag(0x81, n_size), etot_size = asn1_len_tag(0x82, e_size);
@ -74,7 +71,7 @@ const uint8_t *pointA[] = {
"\x01\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC",
};
uint16_t asn1_cvc_public_key_ecdsa(mbedtls_ecp_keypair *ecdsa, uint8_t *buf, uint16_t buf_len) {
static uint16_t asn1_cvc_public_key_ecdsa(mbedtls_ecp_keypair *ecdsa, uint8_t *buf, uint16_t buf_len) {
uint8_t Y_buf[MBEDTLS_ECP_MAX_PT_LEN], G_buf[MBEDTLS_ECP_MAX_PT_LEN];
const uint8_t oid_ecdsa[] = { 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x02, 0x02, 0x03 };
const uint8_t oid_ri[] = { 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x05, 0x02, 0x03 };
@ -167,13 +164,13 @@ uint16_t asn1_cvc_public_key_ecdsa(mbedtls_ecp_keypair *ecdsa, uint8_t *buf, uin
return tot_len;
}
uint16_t asn1_cvc_cert_body(void *rsa_ecdsa,
uint8_t key_type,
uint8_t *buf,
uint16_t buf_len,
const uint8_t *ext,
uint16_t ext_len,
bool full) {
static uint16_t asn1_cvc_cert_body(void *rsa_ecdsa,
uint8_t key_type,
uint8_t *buf,
uint16_t buf_len,
const uint8_t *ext,
uint16_t ext_len,
bool full) {
uint16_t pubkey_size = 0;
if (key_type & PICO_KEYS_KEY_RSA) {
pubkey_size = asn1_cvc_public_key_rsa(rsa_ecdsa, NULL, 0);
@ -611,7 +608,7 @@ const uint8_t *cvc_get_field(const uint8_t *data, uint16_t len, uint16_t *olen,
return ctxo.data;
}
const uint8_t *cvc_get_body(const uint8_t *data, uint16_t len, uint16_t *olen) {
static const uint8_t *cvc_get_body(const uint8_t *data, uint16_t len, uint16_t *olen) {
const uint8_t *bkdata = data;
if ((data = cvc_get_field(data, len, olen, 0x67)) == NULL) { /* Check for CSR */
data = bkdata;
@ -622,7 +619,7 @@ const uint8_t *cvc_get_body(const uint8_t *data, uint16_t len, uint16_t *olen) {
return NULL;
}
const uint8_t *cvc_get_sig(const uint8_t *data, uint16_t len, uint16_t *olen) {
static const uint8_t *cvc_get_sig(const uint8_t *data, uint16_t len, uint16_t *olen) {
const uint8_t *bkdata = data;
if ((data = cvc_get_field(data, len, olen, 0x67)) == NULL) { /* Check for CSR */
data = bkdata;
@ -664,7 +661,7 @@ const uint8_t *cvc_get_ext(const uint8_t *data, uint16_t len, uint16_t *olen) {
extern PUK puk_store[MAX_PUK_STORE_ENTRIES];
extern int puk_store_entries;
int puk_store_index(const uint8_t *chr, uint16_t chr_len) {
static int puk_store_index(const uint8_t *chr, uint16_t chr_len) {
for (int i = 0; i < puk_store_entries; i++) {
if (memcmp(puk_store[i].chr, chr, chr_len) == 0) {
return i;

5
src/hsm/files.h
View file

@ -51,9 +51,4 @@
#define EF_TOKENINFO 0x2F03
#define EF_STATICTOKEN 0xCB00
extern file_t *file_pin1;
extern file_t *file_retries_pin1;
extern file_t *file_sopin;
extern file_t *file_retries_sopin;
#endif

17
src/hsm/kek.c
View file

@ -31,13 +31,11 @@
#include "files.h"
#include "otp.h"
extern bool has_session_pin, has_session_sopin;
extern uint8_t session_pin[32], session_sopin[32];
uint8_t mkek_mask[MKEK_KEY_SIZE];
bool has_mkek_mask = false;
uint8_t pending_save_dkek = 0xff;
void mkek_masked(uint8_t *mkek, const uint8_t *mask) {
static void mkek_masked(uint8_t *mkek, const uint8_t *mask) {
if (mask) {
for (int i = 0; i < MKEK_KEY_SIZE; i++) {
MKEK_KEY(mkek)[i] ^= mask[i];
@ -76,7 +74,9 @@ int load_mkek(uint8_t *mkek) {
if (ret != 0) {
return PICOKEY_EXEC_ERROR;
}
if (crc32c(MKEK_KEY(mkek), MKEK_KEY_SIZE) != *(uint32_t *) MKEK_CHECKSUM(mkek)) {
uint32_t mkek_checksum = 0;
memcpy(&mkek_checksum, MKEK_CHECKSUM(mkek), sizeof(mkek_checksum));
if (crc32c(MKEK_KEY(mkek), MKEK_KEY_SIZE) != mkek_checksum) {
return PICOKEY_WRONG_DKEK;
}
if (otp_key_1) {
@ -96,7 +96,7 @@ int mse_decrypt_ct(uint8_t *data, size_t len) {
return ret;
}
int load_dkek(uint8_t id, uint8_t *dkek) {
static int load_dkek(uint8_t id, uint8_t *dkek) {
file_t *tf = search_file(EF_DKEK + id);
if (!file_has_data(tf)) {
return PICOKEY_ERR_FILE_NOT_FOUND;
@ -124,7 +124,8 @@ int store_mkek(const uint8_t *mkek) {
if (otp_key_1) {
mkek_masked(tmp_mkek, otp_key_1);
}
*(uint32_t *) MKEK_CHECKSUM(tmp_mkek) = crc32c(MKEK_KEY(tmp_mkek), MKEK_KEY_SIZE);
uint32_t mkek_checksum = crc32c(MKEK_KEY(tmp_mkek), MKEK_KEY_SIZE);
memcpy(MKEK_CHECKSUM(tmp_mkek), &mkek_checksum, sizeof(mkek_checksum));
if (has_session_pin) {
uint8_t tmp_mkek_pin[MKEK_SIZE];
memcpy(tmp_mkek_pin, tmp_mkek, MKEK_SIZE);
@ -217,7 +218,7 @@ int dkek_kcv(uint8_t id, uint8_t *kcv) { //kcv 8 bytes
return PICOKEY_OK;
}
int dkek_kenc(uint8_t id, uint8_t *kenc) { //kenc 32 bytes
static int dkek_kenc(uint8_t id, uint8_t *kenc) { //kenc 32 bytes
uint8_t dkek[DKEK_KEY_SIZE + 4];
memset(kenc, 0, 32);
int r = load_dkek(id, dkek);
@ -230,7 +231,7 @@ int dkek_kenc(uint8_t id, uint8_t *kenc) { //kenc 32 bytes
return PICOKEY_OK;
}
int dkek_kmac(uint8_t id, uint8_t *kmac) { //kmac 32 bytes
static int dkek_kmac(uint8_t id, uint8_t *kmac) { //kmac 32 bytes
uint8_t dkek[DKEK_KEY_SIZE + 4];
memset(kmac, 0, 32);
int r = load_dkek(id, dkek);

2
src/hsm/kek.h
View file

@ -28,7 +28,7 @@ extern int load_mkek(uint8_t *);
extern int store_mkek(const uint8_t *);
extern int save_dkek_key(uint8_t, const uint8_t *key);
extern int store_dkek_key(uint8_t, uint8_t *);
extern void init_mkek();
extern void init_mkek(void);
extern void release_mkek(uint8_t *);
extern int import_dkek_share(uint8_t, const uint8_t *share);
extern int dkek_kcv(uint8_t, uint8_t *kcv);

66
src/hsm/sc_hsm.c
View file

@ -48,44 +48,14 @@ uint8_t PICO_PRODUCT = 1;
uint8_t PICO_VERSION_MAJOR = HSM_VERSION_MAJOR;
uint8_t PICO_VERSION_MINOR = HSM_VERSION_MINOR;
static int sc_hsm_process_apdu();
static int sc_hsm_process_apdu(void);
static void init_sc_hsm();
static int sc_hsm_unload();
extern int cmd_select();
extern void select_file(file_t *pe);
extern int cmd_list_keys();
extern int cmd_read_binary();
extern int cmd_verify();
extern int cmd_reset_retry();
extern int cmd_challenge();
extern int cmd_external_authenticate();
extern int cmd_mse();
extern int cmd_initialize();
extern int cmd_key_domain();
extern int cmd_key_wrap();
extern int cmd_keypair_gen();
extern int cmd_update_ef();
extern int cmd_delete_file();
extern int cmd_change_pin();
extern int cmd_key_gen();
extern int cmd_signature();
extern int cmd_key_unwrap();
extern int cmd_decrypt_asym();
extern int cmd_cipher_sym();
extern int cmd_derive_asym();
extern int cmd_extras();
extern int cmd_general_authenticate();
extern int cmd_session_pin();
extern int cmd_puk_auth();
extern int cmd_pso();
extern int cmd_bip_slip();
static void init_sc_hsm(void);
static int sc_hsm_unload(void);
extern const uint8_t *ccid_atr;
int sc_hsm_select_aid(app_t *a, uint8_t force) {
static int sc_hsm_select_aid(app_t *a, uint8_t force) {
(void) force;
a->process_apdu = sc_hsm_process_apdu;
a->unload = sc_hsm_unload;
@ -99,7 +69,7 @@ INITIALIZER( sc_hsm_ctor ) {
register_app(sc_hsm_select_aid, sc_hsm_aid);
}
void scan_files() {
static void scan_files(void) {
file_pin1 = search_file(EF_PIN1);
if (file_pin1) {
if (!file_pin1->data) {
@ -171,7 +141,7 @@ void scan_files() {
low_flash_available();
}
void scan_all() {
void scan_all(void) {
scan_flash();
scan_files();
}
@ -223,7 +193,7 @@ int puk_store_select_chr(const uint8_t *chr) {
return PICOKEY_ERR_FILE_NOT_FOUND;
}
void reset_puk_store() {
void reset_puk_store(void) {
if (puk_store_entries > 0) { /* From previous session */
for (int i = 0; i < puk_store_entries; i++) {
if (puk_store[i].copied == true) {
@ -254,7 +224,7 @@ void reset_puk_store() {
memset(puk_status, 0, sizeof(puk_status));
}
void init_sc_hsm() {
void init_sc_hsm(void) {
scan_all();
has_session_pin = has_session_sopin = false;
isUserAuthenticated = false;
@ -262,14 +232,14 @@ void init_sc_hsm() {
reset_puk_store();
}
int sc_hsm_unload() {
int sc_hsm_unload(void) {
has_session_pin = has_session_sopin = false;
isUserAuthenticated = false;
sm_session_pin_len = 0;
return PICOKEY_OK;
}
uint16_t get_device_options() {
uint16_t get_device_options(void) {
file_t *ef = search_file(EF_DEVOPS);
if (file_has_data(ef)) {
return get_uint16_t_be(file_get_data(ef));
@ -277,7 +247,7 @@ uint16_t get_device_options() {
return 0x0;
}
bool wait_button_pressed() {
bool wait_button_pressed(void) {
uint32_t val = EV_PRESS_BUTTON;
#ifndef ENABLE_EMULATION
uint16_t opts = get_device_options();
@ -294,11 +264,11 @@ bool wait_button_pressed() {
int parse_token_info(const file_t *f, int mode) {
(void)f;
#ifdef __FOR_CI
char *label = "SmartCard-HSM";
const char *label = "SmartCard-HSM";
#else
char *label = "Pico-HSM";
const char *label = "Pico-HSM";
#endif
char *manu = "Pol Henarejos";
const char *manu = "Pol Henarejos";
if (mode == 1) {
uint8_t *p = res_APDU;
*p++ = 0x30;
@ -321,9 +291,9 @@ int parse_token_info(const file_t *f, int mode) {
int parse_ef_dir(const file_t *f, int mode) {
(void)f;
#ifdef __FOR_CI
char *label = "SmartCard-HSM";
const char *label = "SmartCard-HSM";
#else
char *label = "Pico-HSM";
const char *label = "Pico-HSM";
#endif
if (mode == 1) {
uint8_t *p = res_APDU;
@ -380,7 +350,7 @@ int pin_wrong_retry(const file_t *pin) {
return PICOKEY_ERR_BLOCKED;
}
bool pka_enabled() {
bool pka_enabled(void) {
file_t *ef_puk = search_file(EF_PUKAUT);
return file_has_data(ef_puk) && file_read_uint8(ef_puk) > 0;
}
@ -763,7 +733,7 @@ static const cmd_t cmds[] = {
{ 0x00, 0x0 }
};
int sc_hsm_process_apdu() {
int sc_hsm_process_apdu(void) {
uint32_t ne = apdu.ne;
int r = sm_unwrap();
if (r != PICOKEY_OK) {

41
src/hsm/sc_hsm.h
View file

@ -108,27 +108,60 @@ extern const uint8_t sc_hsm_aid[];
extern int pin_reset_retries(const file_t *pin, bool);
extern int pin_wrong_retry(const file_t *pin);
extern void select_file(file_t *pe);
extern void hash(const uint8_t *input, uint16_t len, uint8_t output[32]);
extern uint16_t get_device_options();
extern int add_cert_puk_store(const uint8_t *data, uint16_t data_len, bool copy);
extern int parse_token_info(const file_t *f, int mode);
extern int parse_ef_dir(const file_t *f, int mode);
extern void scan_all(void);
extern void reset_puk_store(void);
extern uint16_t get_device_options(void);
extern bool has_session_pin, has_session_sopin;
extern uint8_t session_pin[32], session_sopin[32];
extern uint16_t check_pin(const file_t *pin, const uint8_t *data, uint16_t len);
extern bool pka_enabled();
extern bool pka_enabled(void);
extern const uint8_t *dev_name;
extern uint16_t dev_name_len;
extern uint8_t puk_status[MAX_PUK];
extern int puk_store_select_chr(const uint8_t *chr);
extern int delete_file(file_t *ef);
extern const uint8_t *get_meta_tag(file_t *ef, uint16_t meta_tag, uint16_t *tag_len);
extern bool key_has_purpose(file_t *ef, uint8_t purpose);
extern int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey);
extern int load_private_key_ec(mbedtls_ecp_keypair *ctx, file_t *fkey);
extern int load_private_key_ecdh(mbedtls_ecp_keypair *ctx, file_t *fkey);
extern bool wait_button_pressed();
extern bool wait_button_pressed(void);
extern int store_keys(void *key_ctx, int type, uint8_t key_id);
extern int find_and_store_meta_key(uint8_t key_id);
extern uint32_t get_key_counter(file_t *fkey);
extern uint32_t decrement_key_counter(file_t *fkey);
extern int cmd_select(void);
extern int cmd_list_keys(void);
extern int cmd_read_binary(void);
extern int cmd_verify(void);
extern int cmd_reset_retry(void);
extern int cmd_challenge(void);
extern int cmd_external_authenticate(void);
extern int cmd_mse(void);
extern int cmd_initialize(void);
extern int cmd_key_domain(void);
extern int cmd_key_wrap(void);
extern int cmd_keypair_gen(void);
extern int cmd_update_ef(void);
extern int cmd_delete_file(void);
extern int cmd_change_pin(void);
extern int cmd_key_gen(void);
extern int cmd_signature(void);
extern int cmd_key_unwrap(void);
extern int cmd_decrypt_asym(void);
extern int cmd_cipher_sym(void);
extern int cmd_derive_asym(void);
extern int cmd_extras(void);
extern int cmd_general_authenticate(void);
extern int cmd_session_pin(void);
extern int cmd_puk_auth(void);
extern int cmd_pso(void);
extern int cmd_bip_slip(void);
extern uint8_t get_key_domain(file_t *fkey);
#endif