[Cryptech-Commits] [sw/libhal] branch rpc updated: Initial implementations of ks_get_kek(). Untested, and none of these are secure (the one in ks_flash.c is a stub, and the others are for cases where we have no secure hardware in which to store the KEK).

git at cryptech.is git at cryptech.is
Fri Mar 4 04:28:53 UTC 2016

Next message (by thread): [Cryptech-Commits] [sw/libhal] branch rpc updated: Optional (compile time conditional) software hash cores. At the moment this is all-or-nothing, but could easily be tweaked to allow compile-time selection of particular hashes.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch rpc
in repository sw/libhal.

The following commit(s) were added to refs/heads/rpc by this push:
       new  8f9c3d1   Initial implementations of ks_get_kek().  Untested, and none of these are secure (the one in ks_flash.c is a stub, and the others are for cases where we have no secure hardware in which to store the KEK).
8f9c3d1 is described below

commit 8f9c3d1e3c9b2f882032a551b8ca46684ab030ae
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Thu Mar 3 23:25:28 2016 -0500

    Initial implementations of ks_get_kek().  Untested, and none of these
    are secure (the one in ks_flash.c is a stub, and the others are for
    cases where we have no secure hardware in which to store the KEK).
    
    These are primarily for testing, since in the long run the entire
    software implementation of AES-keywrap will be replaced by Verilog
    which never lets software see the unwrapped key.  Or so says current
    theory.  For the moment, we just need something that will let us test
    the rest of the RPC and keystore mechanisms.
---
 .gitignore    |  2 ++
 ks.c          |  8 --------
 ks_flash.c    | 18 ++++++++++++++++++
 ks_mmap.c     | 42 +++++++++++++++++++++++++++++++++++++++---
 ks_volatile.c | 36 ++++++++++++++++++++++++++++++++++++
 5 files changed, 95 insertions(+), 11 deletions(-)

diff --git a/.gitignore b/.gitignore
index 670e1d2..aa56703 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,8 @@ tests/test-ecdsa
 tests/test-ecdsa-*.der
 tests/test-hash
 tests/test-pbkdf2
+tests/test-rpc_hash
+tests/test-rpc_server
 tests/test-rsa
 tests/test-rsa-*.der
 tests/test-trng
diff --git a/ks.c b/ks.c
index 24cafca..a856bbf 100644
--- a/ks.c
+++ b/ks.c
@@ -294,14 +294,6 @@ hal_error_t hal_ks_get_pin(const hal_user_t user,
   return HAL_OK;
 }
 
-hal_error_t hal_ks_get_kek(uint8_t *kek,
-                           size_t *kek_len,
-                           const size_t kek_max)
-{
-# warning Stub out hal_ks_get_kek() for now
-    return HAL_ERROR_IMPOSSIBLE;
-}
-
 /*
  * Local variables:
  * indent-tabs-mode: nil
diff --git a/ks_flash.c b/ks_flash.c
index ed05ab5..eee259b 100644
--- a/ks_flash.c
+++ b/ks_flash.c
@@ -85,6 +85,24 @@ hal_error_t hal_ks_set_pin(const hal_user_t user,
 }
 
 
+hal_error_t hal_ks_get_kek(uint8_t *kek,
+                           size_t *kek_len,
+                           const size_t kek_max)
+{
+  if (kek == NULL || kek_len == NULL || kek_max < bitsToBytes(128))
+    return HAL_ERROR_BAD_ARGUMENTS;
+
+  const size_t len = ((kek_max < bitsToBytes(192)) ? bitsToBytes(128) :
+                      (kek_max < bitsToBytes(256)) ? bitsToBytes(192) :
+                      bitsToBytes(256));
+
+#error Or what goes here
+
+  return HAL_OK;
+}
+
+
+
 /*
  * Local variables:
  * indent-tabs-mode: nil
diff --git a/ks_mmap.c b/ks_mmap.c
index a4e6cde..4c752ea 100644
--- a/ks_mmap.c
+++ b/ks_mmap.c
@@ -51,7 +51,15 @@
 #define MAP_FILE 0
 #endif
 
+/*
+ * Storing the KEK in with the keys it's protecting is a bad idea, but we have no better
+ * place to put it (real protection requires dedicated hardware, which we don't have here).
+ */
+
+#define KEKBUF_LEN (bitsToBytes(256))
+
 static hal_ks_keydb_t *db;
+static uint8_t *kekbuf;
 
 const hal_ks_keydb_t *hal_ks_get_keydb(void)
 {
@@ -62,7 +70,7 @@ const hal_ks_keydb_t *hal_ks_get_keydb(void)
   const char * const home = getenv("HOME");
   const char * const base = HAL_KS_MMAP_FILE;
   const long pagemask = sysconf(_SC_PAGESIZE) - 1;
-  const size_t len = (sizeof(hal_ks_keydb_t) + pagemask) & ~pagemask;
+  const size_t len = (sizeof(hal_ks_keydb_t) + KEKBUF_LEN + pagemask) & ~pagemask;
 
   char fn_[strlen(base) + (home == NULL ? 0 : strlen(home)) + 2];
   const char *fn = fn_;
@@ -87,8 +95,8 @@ const hal_ks_keydb_t *hal_ks_get_keydb(void)
     fd = open(fn, O_RDWR | O_CREAT, 0600);
   }
 
-  if (fd >= 0)
-    db = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_FILE | MAP_SHARED, fd, 0);
+  if (fd >= 0 && (db = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_FILE | MAP_SHARED, fd, 0)) != NULL)
+    kekbuf = (uint8_t *) (db + 1);
 
   (void) close(fd);
 
@@ -135,6 +143,34 @@ hal_error_t hal_ks_set_pin(const hal_user_t user,
   return HAL_OK;
 }
 
+hal_error_t hal_ks_get_kek(uint8_t *kek,
+                           size_t *kek_len,
+                           const size_t kek_max)
+{
+  if (kek == NULL || kek_len == NULL || kek_max < bitsToBytes(128))
+    return HAL_ERROR_BAD_ARGUMENTS;
+
+  if (kekbuf == NULL)
+    return HAL_ERROR_IMPOSSIBLE;
+
+  hal_error_t err;
+
+  const size_t len = ((kek_max < bitsToBytes(192)) ? bitsToBytes(128) :
+                      (kek_max < bitsToBytes(256)) ? bitsToBytes(192) :
+                      bitsToBytes(256));
+
+  uint8_t t = 0;
+
+  for (int i = 0; i < KEKBUF_LEN; i++)
+    t |= kekbuf[i];
+
+  if (t == 0 && (err = hal_rpc_get_random(kekbuf, sizeof(KEKBUF_LEN))) != HAL_OK)
+    return err;
+
+  memcpy(kek, kekbuf, len);
+  return HAL_OK;
+}
+
 /*
  * Local variables:
  * indent-tabs-mode: nil
diff --git a/ks_volatile.c b/ks_volatile.c
index 2381f4c..b71e27e 100644
--- a/ks_volatile.c
+++ b/ks_volatile.c
@@ -55,6 +55,17 @@
 
 static hal_ks_keydb_t db[1];
 
+/*
+ * There's no good place to store the master key (KEK) in this volatile memory implementation.
+ * We might be able to add a bit of protection doing things like using locked physical memory,
+ * as gpg does, or obfuscating the KEK a bit to make it harder to pull out of a crash dump,
+ * but, really, there's not a lot we can do against a determined opponant in this case.
+ *
+ * For now, we just go through the motions.
+ */
+
+static uint8_t kekbuf[bitsToBytes(256)];
+
 const hal_ks_keydb_t *hal_ks_get_keydb(void)
 {
   return db;
@@ -99,6 +110,31 @@ hal_error_t hal_ks_set_pin(const hal_user_t user,
   return HAL_OK;
 }
 
+hal_error_t hal_ks_get_kek(uint8_t *kek,
+                           size_t *kek_len,
+                           const size_t kek_max)
+{
+  if (kek == NULL || kek_len == NULL || kek_max < bitsToBytes(128))
+    return HAL_ERROR_BAD_ARGUMENTS;
+
+  hal_error_t err;
+
+  const size_t len = ((kek_max < bitsToBytes(192)) ? bitsToBytes(128) :
+                      (kek_max < bitsToBytes(256)) ? bitsToBytes(192) :
+                      bitsToBytes(256));
+
+  uint8_t t = 0;
+
+  for (int i = 0; i < sizeof(kekbuf); i++)
+    t |= kekbuf[i];
+
+  if (t == 0 && (err = hal_rpc_get_random(kekbuf, sizeof(kekbuf))) != HAL_OK)
+    return err;
+
+  memcpy(kek, kekbuf, len);
+  return HAL_OK;
+}
+
 /*
  * Local variables:
  * indent-tabs-mode: nil

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

Next message (by thread): [Cryptech-Commits] [sw/libhal] branch rpc updated: Optional (compile time conditional) software hash cores. At the moment this is all-or-nothing, but could easily be tweaked to allow compile-time selection of particular hashes.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Commits mailing list