authorRob Austein <sra@hactrn.net>2016-05-12 16:20:12 -0400
committerRob Austein <sra@hactrn.net>2016-05-12 16:20:12 -0400
commitf5269ae7fe6ff845c396734be7ef0c807efc9bc7 (patch)
tree0c511215372a8d7ae7e2ae050f5d04c3ee830c3f
parent63d3f7f29aecf00468025c05bc01723360d86e24 (diff)
Remove vestigial KEK code, that's all handled by libhal now.
-rw-r--r--pkcs11.c48
1 files changed, 0 insertions, 48 deletions
diff --git a/pkcs11.c b/pkcs11.c
index 55b25e4..d2f9f8a 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -728,51 +728,6 @@ static inline hal_session_handle_t p11_session_hal_session(const p11_session_t *
/*
- * Initialize KEK. If we had proper hardware support the KEK would be
- * living in special RAM where we could wipe it if anything triggered
- * our tamper circuitry. But we have no such at the moment, so we
- * have no good place to store the KEK.
- *
- * So we store it in the SQL database, which kind of defeats the point
- * of wrapping private keys that live in the same database -- except
- * that we're trying to get all the other bits right so that we can
- * just move the KEK to secure memory once we have it.
- */
-
-static int kek_init(void)
-{
- static const char test_kek[] =
- " SELECT kek IS NULL FROM global";
-
- static const char set_kek[] =
- " UPDATE global SET kek = ?1";
-
- sqlite3_stmt *q = NULL;
-
- int ok = (sql_check_ok(sql_prepare(&q, test_kek)) &&
- sql_check_row(sqlite3_step(q)));
-
- if (ok && sqlite3_column_int(q, 0)) {
- uint8_t kekbuf[bitsToBytes(256)];
-
- ok = (hal_check(hal_get_random(NULL, kekbuf, sizeof(kekbuf))) &&
- sql_check_ok(sql_finalize_and_clear(&q)) &&
- sql_check_ok(sql_prepare(&q, set_kek)) &&
- sql_check_ok(sqlite3_bind_blob(q, 1, kekbuf,
- sizeof(kekbuf),
- NULL)) &&
- sql_check_done(sqlite3_step(q)));
-
- memset(kekbuf, 0, sizeof(kekbuf));
- }
-
- sqlite3_finalize(q);
- return ok;
-}
-
-
-
-/*
* Find an unused handle.
*
* Note that zero is an excluded value (CK_INVALID_HANDLE), hence the
@@ -2511,9 +2466,6 @@ CK_RV C_Initialize(CK_VOID_PTR pInitArgs)
initialized_sql = 1;
- if (!kek_init())
- lose(CKR_GENERAL_ERROR);
-
#if USE_POSIX
initialized_pid = getpid();
#endif