aboutsummaryrefslogblamecommitdiff
path: root/ks_flash.c
blob: 9393100bedc54863d1eb8cbe3c2da73f9e71c3af (plain) (tree)
1
2
3
4
5
6
7




                                           

                                                             



























                                                                           
                        

                         
             
 

                          
                      

             
                   
                   
 
                                   
 


                                                        

  




                                                                      

   















                                                                     



                                                          
                                              
 


                                                                            

 
                                                    
 








                                                                                      
 
 
                                
 
                                          







                                                                  
                             



































                                                                      

     
                                   
 

                                                                    
 





                                                              
     





















                                                                                                     
     

          
 
                                     






















                                                                                                     
                   




                                            

                                                                   
 


                                       
 

                                                                                        
 
















                                                                                        
 
                            
 


                                                                                                       
 

                   
 




                                                                
                                                  






                                     

 
                                         
 

                                   
 

                   
 











                                                                
 
                                                               
 
                       
 
                                                            
                                                                       
                         
 

              
 





                                                                                
 
                                                   



                                   
                        
















                                     
                                                                     




































                                                                                    

 







                                                                            
 


                                                                                                      
                                



















                                                            
                                                                   
                                                                               
 














                                         

                                   













































                                                                                                   
   
 








                                                                       
                                      



                                   
                              




                                               

                                    




                                                                   
 


                                                                 


                                                 











                                                                         

                                                 




































                                                                                     

 

                                                       
 

                                





                                   


                                                  


                                                       
                             
 







                                                                                                 


                                                                               
                                                  


 
                                     









                                                                       
                                                      
 
                         

                     
   
 
                                                    

                     
   
 

                                                                            




                                                                             


 




                        
/*
 * ks_flash.c
 * ----------
 * Keystore implementation in flash memory.
 *
 * Authors: Rob Austein, Fredrik Thulin
 * Copyright (c) 2015-2016, NORDUnet A/S All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 *
 * - Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in the
 *   documentation and/or other materials provided with the distribution.
 *
 * - Neither the name of the NORDUnet nor the names of its contributors may
 *   be used to endorse or promote products derived from this software
 *   without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#define HAL_OK LIBHAL_OK
#include "hal.h"
#include "hal_internal.h"
#undef HAL_OK

#define HAL_OK CMIS_HAL_OK
#include "stm-keystore.h"
#include "masterkey.h"
#undef HAL_OK

#include <string.h>
#include <assert.h>

#include "last_gasp_pin_internal.h"

#define PAGE_SIZE_MASK          (KEYSTORE_PAGE_SIZE - 1)

#define KEK_LENGTH              (bitsToBytes(256))

/*
 * Temporary hack: In-memory copy of entire (tiny) keystore database.
 * This is backwards compatability to let us debug without changing
 * too many moving parts at the same time, but will need to be
 * replaced by something that can handle a much larger number of keys,
 * which is one of the main points of the new keystore API.
 */

typedef struct {
  hal_ks_t ks;                  /* Must be first (C "subclassing") */

  hal_ks_pin_t wheel_pin;
  hal_ks_pin_t so_pin;
  hal_ks_pin_t user_pin;

#if HAL_STATIC_PKEY_STATE_BLOCKS > 0
  hal_ks_key_t keys[HAL_STATIC_PKEY_STATE_BLOCKS];
#else
#warning No keys in keydb
#endif

} db_t;

static db_t db;

#define FLASH_SECTOR_1_OFFSET	(0 * KEYSTORE_SECTOR_SIZE)
#define FLASH_SECTOR_2_OFFSET	(1 * KEYSTORE_SECTOR_SIZE)

static inline uint32_t _active_sector_offset()
{
  /* XXX Load status bytes from both sectors and decide which is current. */
#warning Have not implemented two flash sectors yet
  return FLASH_SECTOR_1_OFFSET;
}

static inline uint32_t _get_key_offset(uint32_t num)
{
  /*
   * Reserve first two pages for flash sector state, PINs and future additions.
   * The three PINs alone currently occupy 3 * (64 + 16 + 4) bytes (252).
   */
  uint32_t offset = KEYSTORE_PAGE_SIZE * 2;
  uint32_t key_size = sizeof(*db.keys);
  uint32_t bytes_per_key = KEYSTORE_PAGE_SIZE * ((key_size / KEYSTORE_PAGE_SIZE) + 1);
  offset += num * bytes_per_key;
  return offset;
}

static hal_error_t ks_init(void)
{
  if (db.ks.driver == hal_ks_token_driver)
    return LIBHAL_OK;

  if (db.ks.driver != NULL)
    return HAL_ERROR_IMPOSSIBLE;

  uint8_t page_buf[KEYSTORE_PAGE_SIZE];
  uint32_t idx = 0;             /* Current index into db.keys[] */

  memset(&db, 0, sizeof(db));

  if (keystore_check_id() != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  uint32_t active_sector_offset = _active_sector_offset();

  /*
   * The PINs are in the second page of the sector.
   * Caching all of these these makes some sense in any case.
   */

  uint32_t offset = active_sector_offset + KEYSTORE_PAGE_SIZE;
  if (keystore_read_data(offset, page_buf, sizeof(page_buf)) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  offset = 0;
  memcpy(&db.wheel_pin, page_buf + offset, sizeof(db.wheel_pin));

  offset += sizeof(db.wheel_pin);
  memcpy(&db.so_pin, page_buf + offset, sizeof(db.so_pin));

  offset += sizeof(db.so_pin);
  memcpy(&db.user_pin, page_buf + offset, sizeof(db.user_pin));

  /*
   * Now read out all the keys.  This is a temporary hack, in the long
   * run we want to pull these as they're needed, although depending
   * on how we organize the flash we might still need an initial scan
   * on startup to build some kind of in-memory index.
   */

  for (int i = 0; i < sizeof(db.keys) / sizeof(*db.keys); i++) {

    if ((offset = _get_key_offset(i)) > KEYSTORE_SECTOR_SIZE) {
      idx++;
      continue;
    }

    offset += active_sector_offset;

    if (keystore_read_data(offset, page_buf, sizeof(page_buf)) != 1)
      return HAL_ERROR_KEYSTORE_ACCESS;

    const hal_ks_key_t *key = (const hal_ks_key_t *) page_buf;

    if (key->in_use == 0xff) {
      /* unprogrammed data */
      idx++;
      continue;
    }

    if (key->in_use == 1) {
      uint8_t *dst = (uint8_t *) &db.keys[idx];
      uint32_t to_read = sizeof(*db.keys);

      /* We already have the first page in page_buf. Put it into place. */
      memcpy(dst, page_buf, sizeof(page_buf));
      to_read -= sizeof(page_buf);
      dst += sizeof(page_buf);

      /* Read as many more full pages as possible */
      if (keystore_read_data (offset + KEYSTORE_PAGE_SIZE, dst, to_read & ~PAGE_SIZE_MASK) != 1)
        return HAL_ERROR_KEYSTORE_ACCESS;
      dst += to_read & ~PAGE_SIZE_MASK;
      to_read &= PAGE_SIZE_MASK;

      if (to_read) {
        /* Partial last page. We can only read full pages so load it into page_buf. */
        if (keystore_read_data(offset + sizeof(*db.keys) - to_read, page_buf, sizeof(page_buf)) != 1)
          return HAL_ERROR_KEYSTORE_ACCESS;
        memcpy(dst, page_buf, to_read);
      }
    }
    idx++;
  }

  db.ks.driver = hal_ks_token_driver;

  return LIBHAL_OK;
}

static hal_error_t _write_data_to_flash(const uint32_t offset, const uint8_t *data, const size_t len)
{
  uint8_t page_buf[KEYSTORE_PAGE_SIZE];
  uint32_t to_write = len;

  if (keystore_write_data(offset, data, to_write & ~PAGE_SIZE_MASK) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  to_write &= PAGE_SIZE_MASK;
  if (to_write) {
    /*
     * Use page_buf to write the remaining bytes, since we must write a full page each time.
     */
    memset(page_buf, 0xff, sizeof(page_buf));
    memcpy(page_buf, data + len - to_write, to_write);
    if (keystore_write_data((offset + len) & ~PAGE_SIZE_MASK, page_buf, sizeof(page_buf)) != 1)
      return HAL_ERROR_KEYSTORE_ACCESS;
  }

  return LIBHAL_OK;
}

/*
 * Write the full DB to flash, PINs and all.
 */

static hal_error_t _write_db_to_flash(const uint32_t sector_offset)
{
  hal_error_t status;
  uint8_t page_buf[KEYSTORE_PAGE_SIZE];
  uint32_t i, offset;

  if (sizeof(db.wheel_pin) + sizeof(db.so_pin) + sizeof(db.user_pin) > sizeof(page_buf))
    return HAL_ERROR_BAD_ARGUMENTS;

  /* Put the three PINs into page_buf */
  offset = 0;
  memcpy(page_buf + offset, &db.wheel_pin, sizeof(db.wheel_pin));
  offset += sizeof(db.wheel_pin);
  memcpy(page_buf + offset, &db.so_pin, sizeof(db.so_pin));
  offset += sizeof(db.so_pin);
  memcpy(page_buf + offset, &db.user_pin, sizeof(db.user_pin));

  /* Write PINs into the second of the two reserved pages at the start of the sector. */
  offset = sector_offset + KEYSTORE_PAGE_SIZE;
  if ((status = _write_data_to_flash(offset, page_buf, sizeof(page_buf))) != LIBHAL_OK)
    return status;

  for (i = 0; i < sizeof(db.keys) / sizeof(*db.keys); i++) {
    offset = _get_key_offset(i);
    if (offset > KEYSTORE_SECTOR_SIZE)
      return HAL_ERROR_BAD_ARGUMENTS;

    offset += sector_offset;

    if ((status =_write_data_to_flash(offset, (uint8_t *) &db.keys[i], sizeof(*db.keys))) != LIBHAL_OK)
      return status;
  }

  return LIBHAL_OK;
}

static hal_error_t ks_open(const hal_ks_driver_t * const driver,
                                    hal_ks_t **ks)
{
  hal_error_t err;

  if (driver != hal_ks_token_driver || ks == NULL)
    return HAL_ERROR_BAD_ARGUMENTS;

  if ((err = ks_init()) != LIBHAL_OK)
    return err;

  *ks = &db.ks;
  return LIBHAL_OK;
}

static hal_error_t ks_close(hal_ks_t *ks)
{
  if (ks != NULL && ks != &db.ks)
    return HAL_ERROR_BAD_ARGUMENTS;

  return LIBHAL_OK;
}

static inline int acceptable_key_type(const hal_key_type_t type)
{
  switch (type) {
  case HAL_KEY_TYPE_RSA_PRIVATE:
  case HAL_KEY_TYPE_EC_PRIVATE:
  case HAL_KEY_TYPE_RSA_PUBLIC:
  case HAL_KEY_TYPE_EC_PUBLIC:
    return 1;
  default:
    return 0;
  }
}

static inline hal_ks_key_t *find(const hal_uuid_t * const name)
{
  assert(name != NULL);

  for (int i = 0; i < sizeof(db.keys)/sizeof(*db.keys); i++)
    if (db.keys[i].in_use && hal_uuid_cmp(&db.keys[i].name, name) == 0)
      return &db.keys[i];

  return NULL;
}

static hal_error_t ks_fetch(hal_ks_t *ks,
                            hal_pkey_slot_t *slot,
                            uint8_t *der, size_t *der_len, const size_t der_max)
{
  if (ks != &db.ks || slot == NULL || !acceptable_key_type(slot->type))
    return HAL_ERROR_BAD_ARGUMENTS;

  const hal_ks_key_t * const k = find(&slot->name);

  if (k == NULL)
    return HAL_ERROR_KEY_NOT_FOUND;

  slot->type  = k->type;
  slot->curve = k->curve;
  slot->flags = k->flags;

  if (der == NULL && der_len != NULL)
    *der_len = k->der_len;

  if (der != NULL) {

    uint8_t kek[KEK_LENGTH];
    size_t kek_len, der_len_;
    hal_error_t err;

    if (der_len == NULL)
      der_len = &der_len_;

    *der_len = der_max;

    if ((err = hal_get_kek(kek, &kek_len, sizeof(kek))) == LIBHAL_OK)
      err = hal_aes_keyunwrap(NULL, kek, kek_len, k->der, k->der_len, der, der_len);

    memset(kek, 0, sizeof(kek));

    if (err != LIBHAL_OK)
      return err;
  }

  return LIBHAL_OK;
}

static hal_error_t ks_list(hal_ks_t *ks,
                           hal_pkey_info_t *result,
                           unsigned *result_len,
                           const unsigned result_max)
{
  if (ks != &db.ks || result == NULL || result_len == NULL)
    return HAL_ERROR_BAD_ARGUMENTS;

  *result_len = 0;

  for (int i = 0; i < sizeof(db.keys)/sizeof(*db.keys); i++) {

    if (!db.keys[i].in_use)
      continue;

    if (*result_len == result_max)
      return HAL_ERROR_RESULT_TOO_LONG;

    result[*result_len].type  = db.keys[i].type;
    result[*result_len].curve = db.keys[i].curve;
    result[*result_len].flags = db.keys[i].flags;
    result[*result_len].name  = db.keys[i].name;
    ++ *result_len;
  }

  return LIBHAL_OK;
}

/*
 * This function in particular really needs to be rewritten to take
 * advantage of the new keystore API.
 */

static hal_error_t ks_store(hal_ks_t *ks,
                            const hal_pkey_slot_t * const slot,
                            const uint8_t * const der, const size_t der_len)
{
  if (ks != &db.ks || slot == NULL || der == NULL || der_len == 0 || !acceptable_key_type(slot->type))
    return HAL_ERROR_BAD_ARGUMENTS;

  if (find(&slot->name) != NULL)
    return HAL_ERROR_KEY_NAME_IN_USE;

  int loc = -1;

  for (int i = 0; i < sizeof(db.keys)/sizeof(*db.keys); i++)
    if (!db.keys[i].in_use && loc < 0)
      loc = i;

  if (loc < 0)
    return HAL_ERROR_NO_KEY_SLOTS_AVAILABLE;

  hal_ks_key_t k;
  memset(&k, 0, sizeof(k));
  k.der_len = sizeof(k.der);

  uint8_t kek[KEK_LENGTH];
  size_t kek_len;

  hal_error_t err;

  if ((err = hal_get_kek(kek, &kek_len, sizeof(kek))) == LIBHAL_OK)
    err = hal_aes_keywrap(NULL, kek, kek_len, der, der_len, k.der, &k.der_len);

  memset(kek, 0, sizeof(kek));

  if (err != LIBHAL_OK)
    return err;

  k.name  = slot->name;
  k.type  = slot->type;
  k.curve = slot->curve;
  k.flags = slot->flags;

  uint8_t page_buf[KEYSTORE_PAGE_SIZE];

  uint32_t offset = _get_key_offset(loc);

  if (offset > KEYSTORE_SECTOR_SIZE)
    return HAL_ERROR_BAD_ARGUMENTS;

  uint32_t active_sector_offset = _active_sector_offset();

  offset += active_sector_offset;

  if (keystore_check_id() != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  /*
   * Check if there is a key occupying this slot in the flash already.
   * This includes the case where we've zeroed a former key without
   * erasing the flash sector, so we have to check the flash itself,
   * we can't just look at the in-memory representation.
   */

  if (keystore_read_data(offset, page_buf, sizeof(page_buf)) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  const int unused_since_erasure = ((hal_ks_key_t *) page_buf)->in_use == 0xFF;

  db.keys[loc] = k;
  db.keys[loc].in_use = 1;

  if (unused_since_erasure) {

    /*
     * Key slot was unused in flash, so we can just write the new key there.
     */

    if ((err = _write_data_to_flash(offset, (uint8_t *) &k, sizeof(k))) != LIBHAL_OK)
      return err;

  } else {

    /*
     * Key slot in flash has been used.  We should be more clever than
     * this, but for now we just rewrite the whole freaking keystore.
     */

    /* TODO: Erase and write the database to the inactive sector, and then toggle active sector. */

    if (keystore_erase_sectors(active_sector_offset / KEYSTORE_SECTOR_SIZE,
                               active_sector_offset / KEYSTORE_SECTOR_SIZE) != 1)
      return HAL_ERROR_KEYSTORE_ACCESS;

    if ((err =_write_db_to_flash(active_sector_offset)) != LIBHAL_OK)
      return err;
  }

  return LIBHAL_OK;
}

static hal_error_t ks_delete(hal_ks_t *ks,
                             const hal_pkey_slot_t * const slot)
{
  if (ks != &db.ks || slot == NULL || !acceptable_key_type(slot->type))
    return HAL_ERROR_BAD_ARGUMENTS;

  hal_ks_key_t *k = find(&slot->name);

  if (k == NULL)
    return HAL_ERROR_KEY_NOT_FOUND;

  const int loc = k - db.keys;
  uint32_t offset = _get_key_offset(loc);

  if (loc < 0 || offset > KEYSTORE_SECTOR_SIZE)
    return HAL_ERROR_IMPOSSIBLE;

  offset += _active_sector_offset();

  memset(k, 0, sizeof(*k));

  /*
   * Setting bits to 0 never requires erasing flash. Just write it.
   */

  return _write_data_to_flash(offset, (uint8_t *) k, sizeof(*k));
}

const hal_ks_driver_t hal_ks_token_driver[1] = {{
  ks_open,
  ks_close,
  ks_store,
  ks_fetch,
  ks_delete,
  ks_list
}};

/*
 * The remaining functions aren't really part of the keystore API per se,
 * but they all involve non-key data which we keep in the keystore
 * because it's the flash we've got.
 */

hal_error_t hal_get_pin(const hal_user_t user,
                        const hal_ks_pin_t **pin)
{
  if (pin == NULL)
    return HAL_ERROR_BAD_ARGUMENTS;

  hal_error_t err;

  if ((err = ks_init()) != LIBHAL_OK)
    return err;

  switch (user) {
  case HAL_USER_WHEEL:  *pin = &db.wheel_pin;  break;
  case HAL_USER_SO:	*pin = &db.so_pin;     break;
  case HAL_USER_NORMAL:	*pin = &db.user_pin;   break;
  default:		return HAL_ERROR_BAD_ARGUMENTS;
  }

  /*
   * If we were looking for the WHEEL PIN and it appears to be
   * completely unset, return the compiled-in last-gasp PIN.  This is
   * a terrible answer, but we need some kind of bootstrapping
   * mechanism.  Feel free to suggest something better.
   */

  uint8_t u00 = 0x00, uFF = 0xFF;
  for (int i = 0; i < sizeof((*pin)->pin); i++) {
    u00 |= (*pin)->pin[i];
    uFF &= (*pin)->pin[i];
  }
  for (int i = 0; i < sizeof((*pin)->salt); i++) {
    u00 |= (*pin)->salt[i];
    uFF &= (*pin)->salt[i];
  }
  if (user == HAL_USER_WHEEL && ((u00 == 0x00 && (*pin)->iterations == 0x00000000) ||
                                 (uFF == 0xFF && (*pin)->iterations == 0xFFFFFFFF)))
    *pin = &hal_last_gasp_pin;

  return LIBHAL_OK;
}

hal_error_t hal_set_pin(const hal_user_t user,
                        const hal_ks_pin_t * const pin)
{
  uint32_t active_sector_offset;

  if (pin == NULL)
    return HAL_ERROR_BAD_ARGUMENTS;

  hal_ks_pin_t *p = NULL;

  switch (user) {
  case HAL_USER_WHEEL:  p = &db.wheel_pin;  break;
  case HAL_USER_SO:	p = &db.so_pin;     break;
  case HAL_USER_NORMAL:	p = &db.user_pin;   break;
  default:		return HAL_ERROR_BAD_ARGUMENTS;
  }

  memcpy(p, pin, sizeof(*p));

  active_sector_offset = _active_sector_offset();

  /* TODO: Could check if the PIN is currently all 0xff, in which case we wouldn't have to
   * erase and re-write the whole DB.
   */

  /* TODO: Erase and write the database to the inactive sector, and then toggle active sector. */
  if (keystore_erase_sectors(active_sector_offset / KEYSTORE_SECTOR_SIZE,
                             active_sector_offset / KEYSTORE_SECTOR_SIZE) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  return _write_db_to_flash(active_sector_offset);
}


hal_error_t hal_get_kek(uint8_t *kek,
                           size_t *kek_len,
                           const size_t kek_max)
{
  if (kek == NULL || kek_len == NULL || kek_max < bitsToBytes(128))
    return HAL_ERROR_BAD_ARGUMENTS;

  const size_t len = ((kek_max < bitsToBytes(192)) ? bitsToBytes(128) :
                      (kek_max < bitsToBytes(256)) ? bitsToBytes(192) :
                      bitsToBytes(256));

  hal_error_t err = masterkey_volatile_read(kek, len);

  if (err == LIBHAL_OK) {
    *kek_len = len;
    return LIBHAL_OK;
  }

  if (masterkey_flash_read(kek, len) == LIBHAL_OK) {
    *kek_len = len;
    return LIBHAL_OK;
  }

  /*
   * Both keystores returned an error, probably HAL_ERROR_MASTERKEY_NOT_SET.
   * I could try to be clever and compare the errors, but really the volatile
   * keystore is the important one (you shouldn't store the master key in
   * flash), so return that error.
   */
  return err;
}


/*
 * Local variables:
 * indent-tabs-mode: nil
 * End:
 */