[Cryptech-Commits] [sw/libhal] branch master updated: Clean up definition of HAL_KS_WRAPPED_KEYSIZE.

git at cryptech.is git at cryptech.is
Sat Apr 14 18:26:12 UTC 2018


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch master
in repository sw/libhal.

The following commit(s) were added to refs/heads/master by this push:
     new 0d17fd9  Clean up definition of HAL_KS_WRAPPED_KEYSIZE.
0d17fd9 is described below

commit 0d17fd984e6ed486d6cd622edee226e263aab510
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Sat Apr 14 14:10:45 2018 -0400

    Clean up definition of HAL_KS_WRAPPED_KEYSIZE.
---
 hal_internal.h | 23 +++++------------------
 ks.h           |  4 ++++
 2 files changed, 9 insertions(+), 18 deletions(-)

diff --git a/hal_internal.h b/hal_internal.h
index ac51cfb..a97a8f2 100644
--- a/hal_internal.h
+++ b/hal_internal.h
@@ -406,30 +406,17 @@ static inline hal_crc32_t hal_crc32_finalize(hal_crc32_t crc)
  * EC P-384:             185 bytes
  * EC P-521:             240 bytes
  *
+ * Plus extra space for pre-computed speed-up factors specific to our
+ * Verilog implementation, which we store as fixed-length byte strings.
+ *
  * Plus we need a bit of AES-keywrap overhead, since we're storing the
  * wrapped form (see hal_aes_keywrap_cyphertext_length()).
  *
- * A buffer big enough for a 8192-bit RSA key would overflow one
- * sub-sector on the flash chip we're using on the Alpha.  We could
- * invent some more complex scheme where key blocks are allowed to
- * span multiple sub-sectors, but since an 8192-bit RSA key would also
- * be unusably slow with the current RSA implementation, for the
- * moment we take the easy way out and cap this at 4096-bit RSA.
+ * Length check warning moved to ks.h since size of keystore blocks is
+ * internal to the keystore implementation.
  */
 
-#if 0
-#define HAL_KS_WRAPPED_KEYSIZE  ((2373 + 15) & ~7)
-#else
-#warning Temporary test hack to HAL_KS_WRAPPED_KEYSIZE, clean this up
-//
-// See how much of the problem we're having with pkey support for the
-// new modexpa7 components is just this buffer size being too small.
-//
 #define HAL_KS_WRAPPED_KEYSIZE  ((2373 + 6 * 4096 / 8 + 6 * 4 + 15) & ~7)
-#if HAL_KS_WRAPPED_KEYSIZE + 8 > 4096
-#warning HAL_KS_WRAPPED_KEYSIZE is too big for a single 4096-octet block
-#endif
-#endif
 
 /*
  * PINs.
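Review bot: The `#define HAL_KS_WRAPPED_KEYSIZE ((2373 + 6 * 4096 / 8 + 6 * 4 + 15) & ~7)` line is kept verbatim from the removed "temporary test hack" branch, and its new terms `6 * 4096 / 8` and `6 * 4` are still unexplained magic numbers. The added comment says only that there is "extra space for pre-computed speed-up factors" stored as fixed-length byte strings. It does not say how many factors there are, how long each one is, or what the `6 * 4` term covers. Please spell that out in the comment, or name the pieces as macros so the buffer size can be audited against the code that fills it. The deleted paragraph was also the only place that recorded the cap at 4096-bit RSA and the reason for it. The `4096` in the expression now has no stated basis, so it would help to keep one sentence on the maximum key size this buffer is sized for.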
diff --git a/ks.h b/ks.h
index ae1ba1c..559e46f 100644
--- a/ks.h
+++ b/ks.h
@@ -49,6 +49,10 @@
 #define HAL_KS_BLOCK_SIZE       (4096 * 2)
 #endif
 
+#if HAL_KS_WRAPPED_KEYSIZE + 8 > HAL_KS_BLOCK_SIZE
+#warning HAL_KS_WRAPPED_KEYSIZE is too big for to fit in a keystore block
+#endif
+
 /*
  * PIN block gets the all-zeros UUID, which will never be returned by
  * the UUID generation code (by definition -- it's not a version 4 UUID).
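Review bot: The new size check in ks.h is only a `#warning`, so a build in which the wrapped key does not fit in a keystore block still succeeds and the problem is left to runtime. Since this guards a fixed-size buffer against the block size, `#error` would be the safer choice. The `#if` also passes silently if `HAL_KS_WRAPPED_KEYSIZE` is not defined at the point where ks.h is processed, because an undefined identifier evaluates to 0 in a preprocessor expression. The macro lives in hal_internal.h, so an `#ifndef HAL_KS_WRAPPED_KEYSIZE` / `#error` guard ahead of the check would catch an include-order mistake. Two smaller points: the `+ 8` is not explained here (a short comment on what those eight bytes are would help), and the message text "too big for to fit in a keystore block" has a stray "for".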
