5 files changed, 95 insertions, 11 deletions
diff --git a/.gitignore b/.gitignore
index 670e1d2..aa56703 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,8 @@ tests/test-ecdsa
 tests/test-ecdsa-*.der
 tests/test-hash
 tests/test-pbkdf2
+tests/test-rpc_hash
+tests/test-rpc_server
 tests/test-rsa
 tests/test-rsa-*.der
 tests/test-trng
diff --git a/ks.c b/ks.c
index 24cafca..a856bbf 100644
--- a/ks.c
+++ b/ks.c
@@ -294,14 +294,6 @@ hal_error_t hal_ks_get_pin(const hal_user_t user,
   return HAL_OK;
 }
 
-hal_error_t hal_ks_get_kek(uint8_t *kek,
-                           size_t *kek_len,
-                           const size_t kek_max)
-{
-# warning Stub out hal_ks_get_kek() for now
-    return HAL_ERROR_IMPOSSIBLE;
-}
-
 /*
  * Local variables:
  * indent-tabs-mode: nil
diff --git a/ks_flash.c b/ks_flash.c
index ed05ab5..eee259b 100644
--- a/ks_flash.c
+++ b/ks_flash.c
@@ -85,6 +85,24 @@ hal_error_t hal_ks_set_pin(const hal_user_t user,
 }
 
 
+hal_error_t hal_ks_get_kek(uint8_t *kek,
+                           size_t *kek_len,
+                           const size_t kek_max)
+{
+  if (kek == NULL || kek_len == NULL || kek_max < bitsToBytes(128))
+    return HAL_ERROR_BAD_ARGUMENTS;
+
+  const size_t len = ((kek_max < bitsToBytes(192)) ? bitsToBytes(128) :
+                      (kek_max < bitsToBytes(256)) ? bitsToBytes(192) :
+                      bitsToBytes(256));
+
+#error Or what goes here
+
+  return HAL_OK;
+}
+
+
+
 /*
  * Local variables:
  * indent-tabs-mode: nil
diff --git a/ks_mmap.c b/ks_mmap.c
index a4e6cde..4c752ea 100644
--- a/ks_mmap.c
+++ b/ks_mmap.c
@@ -51,7 +51,15 @@
 #define MAP_FILE 0
 #endif
 
+/*
+ * Storing the KEK in with the keys it's protecting is a bad idea, but we have no better
+ * place to put it (real protection requires dedicated hardware, which we don't have here).
+ */
+
+#define KEKBUF_LEN (bitsToBytes(256))
+
 static hal_ks_keydb_t *db;
+static uint8_t *kekbuf;
 
 const hal_ks_keydb_t *hal_ks_get_keydb(void)
 {
@@ -62,7 +70,7 @@ const hal_ks_keydb_t *hal_ks_get_keydb(void)
   const char * const home = getenv("HOME");
   const char * const base = HAL_KS_MMAP_FILE;
   const long pagemask = sysconf(_SC_PAGESIZE) - 1;
-  const size_t len = (sizeof(hal_ks_keydb_t) + pagemask) & ~pagemask;
+  const size_t len = (sizeof(hal_ks_keydb_t) + KEKBUF_LEN + pagemask) & ~pagemask;
 
   char fn_[strlen(base) + (home == NULL ? 0 : strlen(home)) + 2];
   const char *fn = fn_;
@@ -87,8 +95,8 @@ const hal_ks_keydb_t *hal_ks_get_keydb(void)
     fd = open(fn, O_RDWR | O_CREAT, 0600);
   }
 
-  if (fd >= 0)
-    db = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_FILE | MAP_SHARED, fd, 0);
+  if (fd >= 0 && (db = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_FILE | MAP_SHARED, fd, 0)) != NULL)
+    kekbuf = (uint8_t *) (db + 1);
 
   (void) close(fd);
 
@@ -135,6 +143,34 @@ hal_error_t hal_ks_set_pin(const hal_user_t user,
   return HAL_OK;
 }
 
+hal_error_t hal_ks_get_kek(uint8_t *kek,
+                           size_t *kek_len,
+                           const size_t kek_max)
+{
+  if (kek == NULL || kek_len == NULL || kek_max < bitsToBytes(128))
+    return HAL_ERROR_BAD_ARGUMENTS;
+
+  if (kekbuf == NULL)
+    return HAL_ERROR_IMPOSSIBLE;
+
+  hal_error_t err;
+
+  const size_t len = ((kek_max < bitsToBytes(192)) ? bitsToBytes(128) :
+                      (kek_max < bitsToBytes(256)) ? bitsToBytes(192) :
+                      bitsToBytes(256));
+
+  uint8_t t = 0;
+
+  for (int i = 0; i < KEKBUF_LEN; i++)
+    t |= kekbuf[i];
+
+  if (t == 0 && (err = hal_rpc_get_random(kekbuf, sizeof(KEKBUF_LEN))) != HAL_OK)
+    return err;
+
+  memcpy(kek, kekbuf, len);
+  return HAL_OK;
+}
+
 /*
  * Local variables:
  * indent-tabs-mode: nil
diff --git a/ks_volatile.c b/ks_volatile.c
index 2381f4c..b71e27e 100644
--- a/ks_volatile.c
+++ b/ks_volatile.c
@@ -55,6 +55,17 @@
 
 static hal_ks_keydb_t db[1];
 
+/*
+ * There's no good place to store the master key (KEK) in this volatile memory implementation.
+ * We might be able to add a bit of protection doing things like using locked physical memory,
+ * as gpg does, or obfuscating the KEK a bit to make it harder to pull out of a crash dump,
+ * but, really, there's not a lot we can do against a determined opponant in this case.
+ *
+ * For now, we just go through the motions.
+ */
+
+static uint8_t kekbuf[bitsToBytes(256)];
+
 const hal_ks_keydb_t *hal_ks_get_keydb(void)
 {
   return db;
@@ -99,6 +110,31 @@ hal_error_t hal_ks_set_pin(const hal_user_t user,
   return HAL_OK;
 }
 
+hal_error_t hal_ks_get_kek(uint8_t *kek,
+                           size_t *kek_len,
+                           const size_t kek_max)
+{
+  if (kek == NULL || kek_len == NULL || kek_max < bitsToBytes(128))
+    return HAL_ERROR_BAD_ARGUMENTS;
+
+  hal_error_t err;
+
+  const size_t len = ((kek_max < bitsToBytes(192)) ? bitsToBytes(128) :
+                      (kek_max < bitsToBytes(256)) ? bitsToBytes(192) :
+                      bitsToBytes(256));
+
+  uint8_t t = 0;
+
+  for (int i = 0; i < sizeof(kekbuf); i++)
+    t |= kekbuf[i];
+
+  if (t == 0 && (err = hal_rpc_get_random(kekbuf, sizeof(kekbuf))) != HAL_OK)
+    return err;
+
+  memcpy(kek, kekbuf, len);
+  return HAL_OK;
+}
+
 /*
  * Local variables:
  * indent-tabs-mode: nil