From f5269ae7fe6ff845c396734be7ef0c807efc9bc7 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Thu, 12 May 2016 16:20:12 -0400 Subject: Remove vestigial KEK code, that's all handled by libhal now. --- pkcs11.c | 48 ------------------------------------------------ 1 file changed, 48 deletions(-) (limited to 'pkcs11.c') diff --git a/pkcs11.c b/pkcs11.c index 55b25e4..d2f9f8a 100644 --- a/pkcs11.c +++ b/pkcs11.c @@ -727,51 +727,6 @@ static inline hal_session_handle_t p11_session_hal_session(const p11_session_t * -/* - * Initialize KEK. If we had proper hardware support the KEK would be - * living in special RAM where we could wipe it if anything triggered - * our tamper circuitry. But we have no such at the moment, so we - * have no good place to store the KEK. - * - * So we store it in the SQL database, which kind of defeats the point - * of wrapping private keys that live in the same database -- except - * that we're trying to get all the other bits right so that we can - * just move the KEK to secure memory once we have it. - */ - -static int kek_init(void) -{ - static const char test_kek[] = - " SELECT kek IS NULL FROM global"; - - static const char set_kek[] = - " UPDATE global SET kek = ?1"; - - sqlite3_stmt *q = NULL; - - int ok = (sql_check_ok(sql_prepare(&q, test_kek)) && - sql_check_row(sqlite3_step(q))); - - if (ok && sqlite3_column_int(q, 0)) { - uint8_t kekbuf[bitsToBytes(256)]; - - ok = (hal_check(hal_get_random(NULL, kekbuf, sizeof(kekbuf))) && - sql_check_ok(sql_finalize_and_clear(&q)) && - sql_check_ok(sql_prepare(&q, set_kek)) && - sql_check_ok(sqlite3_bind_blob(q, 1, kekbuf, - sizeof(kekbuf), - NULL)) && - sql_check_done(sqlite3_step(q))); - - memset(kekbuf, 0, sizeof(kekbuf)); - } - - sqlite3_finalize(q); - return ok; -} - - - /* * Find an unused handle. * @@ -2511,9 +2466,6 @@ CK_RV C_Initialize(CK_VOID_PTR pInitArgs) initialized_sql = 1; - if (!kek_init()) - lose(CKR_GENERAL_ERROR); - #if USE_POSIX initialized_pid = getpid(); #endif -- cgit v1.2.3