diff -uparN KMC/src/mip/linux/maskinfo_linux.c KMC_fix_keyring/src/mip/linux/maskinfo_linux.c --- KMC/src/mip/linux/maskinfo_linux.c 2020-12-21 19:30:35.894928607 +0800 +++ KMC_fix_keyring/src/mip/linux/maskinfo_linux.c 2020-12-21 19:28:36.155934189 +0800 @@ -1,116 +1,41 @@ /* * Copyright (c) Huawei Technologies Co., Ltd. 2019-2020. All rights reserved. - * Description: Linux使用Keyring保护内存敏感信息 + * Description: Linux Keyring * Author: z00316590 * Create: 2019-03-07 */ #ifdef WSEC_COMPILE_MIP_LINUX #include "kmcv3_maskinfo.h" -#include -#include -#include -#include #include "securec.h" #include "cacv2_pri.h" -#include "kmcv3_keyring.h" #include "wsecv2_errorcode.h" #include "wsecv2_util.h" #include "wsecv2_mem.h" +static unsigned char g_maskCode[KMC_MASKCODE_KEY_LENGTH] = {0}; static unsigned char g_xorCheck[KMC_MASKCODE_LENGTH] = {0}; /* MIP is Memory Info Protection */ -#define KMC_MASKINFO_SET_KEY_NAME_RADIX 10 -static char g_keyName[48] = {0}; /* 固定字符串连数字, 长度定不超过48 */ -static WsecBool g_hasName = WSEC_FALSE; - -/* 初始化keyName */ -static void KeyringSetKeyName(void) -{ - if (g_hasName == WSEC_FALSE) { - unsigned long pid = (unsigned long)(long)getpid(); - const char num[KMC_MASKINFO_SET_KEY_NAME_RADIX] = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' }; - size_t idx = strlen("kmcv3maskcode"); - - (void)strcpy_s(g_keyName, sizeof(g_keyName), "kmcv3maskcode"); - /* 这里idx已计算不会越界 */ - while (pid > 0) { - g_keyName[idx] = num[pid % KMC_MASKINFO_SET_KEY_NAME_RADIX]; - pid = pid / KMC_MASKINFO_SET_KEY_NAME_RADIX; - idx++; - } - g_keyName[idx] = '\0'; - g_hasName = WSEC_TRUE; - } -} - -/* 移除内核密钥 */ -static void RemoveMaskCodeKey(void) -{ - long key; - long ret; - unsigned char zeroBuff[KMC_MASKCODE_KEY_LENGTH] = {0}; - - KeyringSetKeyName(); - key = KmcKeyringRequestKey("user", g_keyName, NULL, (long)KEY_SPEC_SESSION_KEYRING); - if (key == -1) { - WSEC_LOG_I1("Linux keyring request no key, errno=%d", errno); - return; - } - ret = KmcKeyringUpdate(key, zeroBuff, sizeof(zeroBuff)); - if (ret == -1) { - WSEC_LOG_I1("Linux keyring update key failed, errno=%d", errno); - } - ret = KmcKeyringRevoke(key); - if (ret == -1) { - WSEC_LOG_I1("Linux keyring revoke key failed, errno=%d", errno); - } - WSEC_LOG_I("Linux keyring remove key success\n"); - (void)memset_s(g_xorCheck, sizeof(g_xorCheck), 0, sizeof(g_xorCheck)); -} - -/* 初始化掩码机制 */ unsigned long InitMaskCode(void) { - unsigned char maskCode[KMC_MASKCODE_KEY_LENGTH]; - long key; int i; int j; - long ret; - KeyringSetKeyName(); - if (CacRandom(maskCode, (WsecUint32)sizeof(maskCode)) != WSEC_SUCCESS) { - WSEC_LOG_E("Linux keyring get random number failed"); - return WSEC_FAILURE; - } - RemoveMaskCodeKey(); - key = KmcKeyringAddKey("user", g_keyName, maskCode, sizeof(maskCode), (long)KEY_SPEC_SESSION_KEYRING); - if (key == -1) { - WSEC_LOG_E1("Linux keyring add key failed, errno=%d", errno); - (void)memset_s(maskCode, sizeof(maskCode), 0, sizeof(maskCode)); - return WSEC_FAILURE; - } - ret = KmcKeyringSetTimeOut(key, (long)0); - if (ret == -1) { - WSEC_LOG_E1("Linux keyring set time out failed, errno=%d", errno); - (void)memset_s(maskCode, sizeof(maskCode), 0, sizeof(maskCode)); + unsigned long ret; + ret = CacRandom(g_maskCode, (WsecUint32)sizeof(g_maskCode)); + if (ret != WSEC_SUCCESS) { + WSEC_LOG_E("Other os get random number failed"); return WSEC_FAILURE; } for (i = 0, j = KMC_MASKCODE_LENGTH; i < KMC_MASKCODE_LENGTH; i++, j++) { - g_xorCheck[i] = maskCode[j] ^ maskCode[i]; + g_xorCheck[i] = g_maskCode[i] ^ g_maskCode[j]; } - (void)memset_s(maskCode, sizeof(maskCode), 0, sizeof(maskCode)); - WSEC_LOG_I("Maskcode init successfully"); return WSEC_SUCCESS; } -/* Linux OS Keyring机制保护内存 */ static unsigned long LinuxXorData(const unsigned char *datain, unsigned int inlen, unsigned char *dataout, unsigned int *outlen) { - long key; - long ret; unsigned int i; unsigned int j; - unsigned char maskCode[KMC_MASKCODE_KEY_LENGTH]; unsigned char xorCheck[KMC_MASKCODE_LENGTH]; if (datain == NULL || dataout == NULL || outlen == NULL) { return WSEC_ERR_INVALID_ARG; @@ -118,51 +43,33 @@ static unsigned long LinuxXorData(const if (*outlen < inlen) { return WSEC_ERR_INVALID_ARG; } - KeyringSetKeyName(); - key = KmcKeyringRequestKey("user", g_keyName, NULL, (long)KEY_SPEC_SESSION_KEYRING); - if (key == -1) { - WSEC_LOG_E1("Linux keyring request key failed, errno=%d", errno); - return WSEC_FAILURE; - } - ret = KmcKeyringReadKey(key, maskCode, sizeof(maskCode)); - if (ret == -1) { - WSEC_LOG_E1("Linux keyring read key failed , errno=%d", errno); - (void)memset_s(maskCode, sizeof(maskCode), 0x00, sizeof(maskCode)); - return WSEC_FAILURE; - } for (i = 0, j = KMC_MASKCODE_LENGTH; i < KMC_MASKCODE_LENGTH; i++, j++) { - xorCheck[i] = maskCode[j] ^ maskCode[i]; + xorCheck[i] = g_maskCode[i] ^ g_maskCode[j]; } if (WSEC_MEMCMP(xorCheck, g_xorCheck, KMC_MASKCODE_LENGTH) != 0) { - WSEC_LOG_E("Linux keyring key is not right"); - (void)memset_s(maskCode, sizeof(maskCode), 0x00, sizeof(maskCode)); + WSEC_LOG_E("xor check failed"); return WSEC_FAILURE; } *outlen = inlen; for (i = 0; i < inlen; i++) { j = i % KMC_MASKCODE_LENGTH; - dataout[i] = (maskCode[j] ^ datain[i]); + dataout[i] = (g_maskCode[j] ^ datain[i]); } - (void)memset_s(maskCode, sizeof(maskCode), 0x00, sizeof(maskCode)); - (void)memset_s(xorCheck, sizeof(xorCheck), 0, sizeof(xorCheck)); return WSEC_SUCCESS; } -/* 保护内存数据 */ unsigned long ProtectData(const unsigned char *datain, unsigned int inlen, unsigned char *dataout, unsigned int *outlen) { return LinuxXorData(datain, inlen, dataout, outlen); } -/* 解除保护内存数据 */ unsigned long UnprotectData(const unsigned char *datain, unsigned int inlen, unsigned char *dataout, unsigned int *outlen) { return LinuxXorData(datain, inlen, dataout, outlen); } -/* 保护内存数据到同缓冲区 */ unsigned long ProtectDataSameBuf(unsigned char *data, unsigned int len) { unsigned int outLen = len; @@ -172,7 +79,6 @@ unsigned long ProtectDataSameBuf(unsigne return ret; } -/* 解除保护内存数据到同缓冲区 */ unsigned long UnprotectDataSameBuf(unsigned char *data, unsigned int len) { unsigned int outLen = len; @@ -182,9 +88,9 @@ unsigned long UnprotectDataSameBuf(unsig return ret; } -/* 去初始化掩码机制 */ void UninitMaskCode(void) { - RemoveMaskCodeKey(); + (void)memset_s(g_maskCode, sizeof(g_maskCode), 0, sizeof(g_maskCode)); + (void)memset_s(g_xorCheck, sizeof(g_xorCheck), 0, sizeof(g_xorCheck)); } #endif