Darren Krahn [Thu, 9 May 2013 18:18:56 +0000 (11:18 -0700)]
Added support for user-supplied token labels.
Now the label for a token can be supplied when that token is loaded.
This makes it possible to differentiate tokens when multiple user
profiles are in use.
BUG=chromium:239445
TEST=unit, manual
CQ-DEPEND=CL:50673
Change-Id: I500d9357c0ce62b4fd8557ee9930417d8eacff74
Reviewed-on: https://gerrit.chromium.org/gerrit/50680
Commit-Queue: Darren Krahn <dkrahn@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Ross McIlroy [Wed, 8 May 2013 11:25:15 +0000 (12:25 +0100)]
chaps: Salt user's password before using it as authorization data to load token.
Modify isolate_login_client to salt the user's password before using it as
authorization data when loading the user's token. On the Linux build, we
use PKCS5_PBKDF2_HMAC with SHA512 as the key derivation function to add
this salt.
TEST=Built and ran tests, installed PAM module on Linux and tested, checked
result of SaltAuthData function manually against reference data.
BUG=None
Change-Id: I6d7cfe0e96f8065ba04c3f8dd7f50a77d9c2506c
Reviewed-on: https://gerrit.chromium.org/gerrit/50447
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Tested-by: Ross McIlroy <rmcilroy@chromium.org>
Ross McIlroy [Tue, 30 Apr 2013 16:49:46 +0000 (17:49 +0100)]
chaps: Change chaps dbus config to have configurable policy permissions.
This change enables the chaps dbus configuration to be configured depending
upon the platform it is being installed on. On ChromeOS it will continue to
be only accessible to members of the pkcs11 group. On Linux, it will be
accessible to any user, since on Linux we use isolates to ensure a user can
only access their own token.
TEST=Built and ran tests. Tested using trybot. Ran on Linux to ensure correct
dbus interaction.
BUG=None
CQ-DEPEND=CL:50460
Change-Id: I02f90d386ca3c851be93858410af60ca3b4e14a0
Reviewed-on: https://gerrit.chromium.org/gerrit/49594
Tested-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Darren Krahn [Mon, 6 May 2013 20:25:49 +0000 (13:25 -0700)]
Added a database repair attempt during initialization.
Also added metrics for corruption events.
BUG=chrome-os-partner:17610
TEST=unit, manual
CQ-DEPEND=CL:50241
Change-Id: Ie0db759e7f799c51aa72fb6e0200b1bed2424792
Reviewed-on: https://gerrit.chromium.org/gerrit/50510
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Queue: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Ross McIlroy [Thu, 25 Apr 2013 18:15:19 +0000 (19:15 +0100)]
chaps: Provide a pam module which logs in a user to chaps on Linux.
This change adds a pam module to chaps which is built when building chaps
for Linux. When this module is added, it will open an isolate for the user
when they login, and load their user token into that isolate. On logout,
the isolate will be closed, unloading the token if all sessions have
been closed.
The change also adds a simple "make install" option for Linux.
TEST=Built and run on Linux, testing pam module login / logout /
change password functionality.
BUG=None
CQ-DEPEND=CL:50461
Change-Id: I0cf443873c895e1e2cd6ea966a4ab26caa2a9f34
Reviewed-on: https://gerrit.chromium.org/gerrit/49331
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Tested-by: Ross McIlroy <rmcilroy@chromium.org>
Ross McIlroy [Tue, 30 Apr 2013 16:37:15 +0000 (17:37 +0100)]
chaps: Modify chapsd to run as root user on Linux.
Enable support for configuring the user which runs chapsd at
compile time, and have the Linux build use root, rather than
the chaps user. This makes installing on Linux using a deb package
possible without having to add user chaps.
TEST=Compile and run tests.
BUG=None
Change-Id: Ibda57b0cd194e6ac076d9a141b8b10c4f0074e2c
Reviewed-on: https://gerrit.chromium.org/gerrit/49593
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Tested-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Darren Krahn [Wed, 1 May 2013 23:53:03 +0000 (16:53 -0700)]
Added a slot_id output parameter to the OnLogin call.
When cryptohome configures a Chaps token it will now receive the
identifier of the PKCS #11 slot on which the token is loaded. This
allows cryptohome to maintain a mapping between multiple users and their
tokens.
BUG=chromium:205206
TEST=unit, platform_Pkcs11Events autotest
CQ-DEPEND=CL:49962
Change-Id: Ib6a587ce5232ce4e093e778e1c9105c46e223daa
Reviewed-on: https://gerrit.chromium.org/gerrit/49960
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Commit-Queue: David James <davidjames@chromium.org>
Ross McIlroy [Thu, 11 Apr 2013 13:54:18 +0000 (14:54 +0100)]
chaps: Add isolate support to the chaps daemon.
Modifies chaps to enable it to support isolated slot lists.
Each dbus request is modified to take an isolate credential, and
the request will only operate on slots which are part of the
isolate associated with the credential. When chaps starts, a default
isolate is created which has a well known credential, other
isolates can be created for each user with the OpenIsolate call.
Also fixed slot_manager_tests which were not compiling
(crosbug.com/224166) and added isolate specific tests.
TEST=Built and ran all chaps tests on Linux. Tested on remote buildbot.
BUG=chromium:224166
CQ-DEPEND=CL:49888, CL:49890
Change-Id: If775ab5def739acb9319521840ca8c5f7237edc9
Signed-off-by: Ross McIlroy <rmcilroy@google.com>
Reviewed-on: https://gerrit.chromium.org/gerrit/47856
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Tested-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Ross McIlroy [Tue, 30 Apr 2013 16:59:04 +0000 (17:59 +0100)]
chaps: Add libmemenv check to chaps build, and disable memenv if not
available.
The libmemenv library is not part of the standard libleveldb-dev debian
package. We only use this library for testing, so to enable chaps to be
built as a debian package, add a check for whether libmemenv is available
when building, and disable its usage if it is not available.
TEST=built and ran tests on Linux and cbuildbot
BUG=None
Change-Id: I19594ceccb2c82a87fa8938ec93f85e92d42a9cc
Reviewed-on: https://gerrit.chromium.org/gerrit/49597
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Tested-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Ross McIlroy [Thu, 25 Apr 2013 17:51:06 +0000 (18:51 +0100)]
Fix a bug in ChangeTokenAuth introduced in cl 47569.
Fix an issue with the chaps_adaptor ChangeTokenAuth method used by the Linux
build (without the DBus::Error param) which caused it to recursively call itself.
TEST=Built and ran on Linux and changed a user's token auth data.
BUG=None
Change-Id: If2c50b9f02939e30f96fbb73d5b7bb86b3f31f4d
Reviewed-on: https://gerrit.chromium.org/gerrit/49193
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Tested-by: Ross McIlroy <rmcilroy@chromium.org>
Ross McIlroy [Fri, 15 Mar 2013 10:27:44 +0000 (10:27 +0000)]
chaps: Changes required to build Chaps for Linux.
Modifies chaps to enable it to be built for Linux as well as ChromeOS.
Some complications are different required libraries used by ChromeOS and
Linux and the different format of the DBus generated interface.
TEST=Built and ran Chaps on Linux, and ran tests on Linux. Also ran
on remote trybot with alex-paladin and alex-x86 configs.
BUG=none
Change-Id: I43843af04fec6156c0a16b5fed96250c8bbbb196
Signed-off-by: Ross McIlroy <rmcilroy@google.com>
Reviewed-on: https://gerrit.chromium.org/gerrit/47569
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Tested-by: Ross McIlroy <rmcilroy@chromium.org>
Gaurav Shah [Wed, 27 Mar 2013 03:29:48 +0000 (20:29 -0700)]
chaps: Make unit tests building behave with gtest-1.6
Disable a bunch of tests under the #if GTEST_IS_THREADSAFE. These are
not currently being built or run (gtest-1.4 is not thread safe) and
need to be fixed to even compile, let alone run.
BUG=chromium:211445,chromium:224166
TEST=built and ran with both current gtest-1.4 and gtest-1.6.
Change-Id: I180abf8ce4338230a5d78ca3d1d2fdadbf675a57
Reviewed-on: https://gerrit.chromium.org/gerrit/46605
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Commit-Queue: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Darren Krahn [Fri, 15 Mar 2013 02:01:01 +0000 (19:01 -0700)]
Support the import of existing TPM-wrapped keys.
This CL makes it possible to create a private key object which already
holds a TPM-wrapped private key using the conventional Chaps vendor
attributes. This allows keys used in other parts of the system to be
imported into a PKCS #11 token.
Previously the read-only-on-create policy was set to true for internal
attributes because there was no reason not to. Now that we have a use
case for creating objects with internal attributes, this restriction has
been lifted.
BUG=chromium-os:37815
TEST=Unit tests; Manually tested importing an existing key.
Change-Id: I457da852b999d323dbdd6cb39b3b1f37f550fa1b
Reviewed-on: https://gerrit.chromium.org/gerrit/45534
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Queue: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Darren Krahn [Thu, 28 Feb 2013 23:12:19 +0000 (15:12 -0800)]
A few tweaks to support a fully mocked mode.
This change allows other packages linking with libchaps.so to use the
library with a mock interface. This effectively allows unit tests to
work with a mock PKCS #11 library.
BUG=None
TEST=- Chaps unit tests
- Cryptohome unit tests which use a mock Chaps interface
Change-Id: I26edd2e177273707438fd7664e00ccc92435aba1
Reviewed-on: https://gerrit.chromium.org/gerrit/44332
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Queue: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Liam McLoughlin [Sun, 3 Mar 2013 15:44:10 +0000 (10:44 -0500)]
Add changes from CL 26276 to support Clang in common.mk
Also make protobuf-compiled source files respect CXXFLAGS
BUG=chromium-os:32017
TEST=Compile chaps with Clang/GCC, all tests passed
Change-Id: I486b8404d9f17686185b802dfde221e304060465
Reviewed-on: https://gerrit.chromium.org/gerrit/44507
Tested-by: Liam McLoughlin <lmcloughlin@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Commit-Queue: Liam McLoughlin <lmcloughlin@chromium.org>
Darren Krahn [Fri, 15 Feb 2013 22:34:23 +0000 (14:34 -0800)]
Updated to use libchrome-180609.
BUG=chromium-os:38929
TEST=unit, manual, relevant autotests
CQ-DEPEND=CL:43670
Change-Id: I08385a73db5a370593ad7a1e6735eff80e349c11
Reviewed-on: https://gerrit.chromium.org/gerrit/43435
Reviewed-by: Chris Masone <cmasone@chromium.org>
Commit-Queue: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Darren Krahn [Wed, 7 Nov 2012 20:21:59 +0000 (12:21 -0800)]
Added a lock to serialize chaps requests.
The lock serializes requests at the chaps client proxy layer. This
fixes a problem where all the requests were being sent to chapsd and the
chapsd dispatcher flooded and dropped requests.
A replay test has been added to p11_replay which floods the dispatcher
in the same way Chrome does.
BUG=chromium:152655
TEST=Run all unit tests.
Run 'p11_replay --digest_test' and ensure there is no five minute
hang.
Change-Id: I5ee851ec0f4a88d72c561ec8a3674b487c78bd8d
Reviewed-on: https://gerrit.chromium.org/gerrit/37546
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Darren Krahn [Tue, 23 Oct 2012 02:08:38 +0000 (19:08 -0700)]
Fixed non-POD static data types.
BUG=chromium:157060
TEST=Ran all unit tests; manual tests which use PKCS #11.
Change-Id: Ied73499b48efe6818e628538597c0994dfc9995c
Reviewed-on: https://gerrit.chromium.org/gerrit/36302
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Darren Krahn [Tue, 11 Sep 2012 23:45:01 +0000 (16:45 -0700)]
Added code to work around key load failures.
If a key is evicted it may not be possible to reload it. In this case
tcsd will return TCS_E_KM_LOADFAILED from an operation that uses a
private key. The workaround is to unload and load the key again with a
new handle. In order to isolate the handle churn to a single layer,
TSS handles are virtualized in TPMUtilityImpl.
BUG=chrome-os-partner:13878
TEST=Ran all unit tests and relevant autotests.
Manually attempted to reproduce the problem and verified that the
reload logic was operating correctly. This condition is evidenced
by a warning in the syslog: "TCS load failure: attempting to reload
key.".
Change-Id: I3961456db3ac383a2721a9d0c102a4ae3dac1642
Reviewed-on: https://gerrit.chromium.org/gerrit/33023
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
J. Richard Barnette [Fri, 14 Sep 2012 22:08:23 +0000 (15:08 -0700)]
Fix chapsd upstart job start and stop conditions.
The 'ui' job has a post-stop script that depends indirectly on
chapsd. In order for 'ui' to shut down cleanly, chapsd must remain
running until the 'stopping boot-services' event. This fix changes
the 'chapsd' job so that a) it only depends on the public
boot-services interface, and that b) the chaps daemon stays running
long enough for a clean shutdown.
BUG=chromium-os:33354
TEST=observe no errors logged by chromeos_shutdown
TEST=run platform_BootPerfServer, and check both startup and shutdown times
Change-Id: Ib63268b547bf9ef3dc9de64149421a4fe6a5b2ff
Reviewed-on: https://gerrit.chromium.org/gerrit/33364
Tested-by: Richard Barnette <jrbarnette@chromium.org>
Reviewed-by: Scott James Remnant <keybuk@chromium.org>
Commit-Ready: Richard Barnette <jrbarnette@chromium.org>
Darren Krahn [Wed, 12 Sep 2012 23:58:11 +0000 (16:58 -0700)]
Added more timing data to p11_replay output.
BUG=None
TEST=Manual
Change-Id: Ia63168846fe7dca9d621b17c8216f31e72647768
Reviewed-on: https://gerrit.chromium.org/gerrit/33148
Reviewed-by: Christopher Wiley <wiley@chromium.org>
Commit-Ready: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
Christopher Wiley [Fri, 7 Sep 2012 17:52:32 +0000 (10:52 -0700)]
chaps: Add dependency for chaps_client.o on...
...chaps_proxy_generated.h
Apparently if you build chaps enough you expose that we're missing this
dependency.
BUG=chromium-os:34223
TEST=Still compiles
Change-Id: I607fbb8363b0e10df601f33b63fd0ccec4bbcef6
Reviewed-on: https://gerrit.chromium.org/gerrit/32565
Tested-by: Christopher Wiley <wiley@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Commit-Ready: Christopher Wiley <wiley@chromium.org>
Christopher Wiley [Wed, 25 Jul 2012 18:19:39 +0000 (11:19 -0700)]
chaps: Add manual key/cert reads to p11_replay
Add facilities to p11_replay to allow users to load certificates and
private keys into a token via the command line. We accept DER encoded
keys and certificates in flat files for right now. We need this
functionality to be able to load our test certificates into the TPM for
wifi authentication testing.
BUG=chromium-os:31586
TEST=Run wifi tests with this tool, tests work as expected
Change-Id: I3a163f9aaf7e95f70f95b90d1f92706f119d4063
Reviewed-on: https://gerrit.chromium.org/gerrit/28411
Tested-by: Christopher Wiley <wiley@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Commit-Ready: Christopher Wiley <wiley@chromium.org>
Darren Krahn [Thu, 14 Jun 2012 20:38:15 +0000 (13:38 -0700)]
Moved to the latest version of common.mk.
- The new common.mk defaults to -fvisibility=internal so PKCS #11 entry
points and the LoginEventClient class have been exported explicitly.
- Tests have been cleaned up and live tests now run without errors.
- Generated code now resides in the output directory. This means
#include statements for these headers must lose the 'chaps/' prefix.
- A default output directory of 'build-opt-local' is used. The ebuild
specifies 'build-opt' so output generated by running 'make' locally
will not collide with output generated by 'emerge'.
- Tests now run on arm platforms in qemu.
BUG=chromium-os:28051
TEST='FEATURES=test emerge' on lumpy, zgb, arm-generic
Change-Id: Ie7759aec3f6f86c78eafa41414192bf67ef08fc4
Gerrit [Sat, 16 Jun 2012 01:25:35 +0000 (18:25 -0700)]
Merge "Limit chaps debug setting to a single restart."
Darren Krahn [Tue, 12 Jun 2012 04:11:08 +0000 (21:11 -0700)]
Use SecureBlob for authorization data and the master key.
BUG=chromium-os:27681
TEST=Ran all unit tests.
Change-Id: Ic1ebbf65704247a23ff9ff14f8aedfcad84ec73f
Darren Krahn [Fri, 15 Jun 2012 21:28:04 +0000 (14:28 -0700)]
Limit chaps debug setting to a single restart.
This prevents debug logging from being left on inadvertently.
BUG=None
TEST=Manual
Change-Id: If5fb7f09dc92829c8b114aa4d6dc13c10c118855
Darren Krahn [Thu, 7 Jun 2012 23:58:05 +0000 (16:58 -0700)]
Added support for chaps_debug files.
These files are created / removed by the chaps_debug crosh command.
BUG=None
TEST=Manual
Change-Id: I276c59031c674e71647a04b64706740cb9defeca
Darren Krahn [Thu, 7 Jun 2012 23:52:11 +0000 (16:52 -0700)]
A few changes related to the removal of opencryptoki.
- Cleaned up cryptoki.h.
- Removed opencryptoki option from upstart script.
BUG=chromium-os:21022
TEST=Ran all platform_Pkcs11* autotests.
Change-Id: I192e0fedbb4614ee0d96c1e347da6ae416ac3551
Gerrit [Thu, 7 Jun 2012 19:07:40 +0000 (12:07 -0700)]
Merge "Added list_objects options to p11_replay."
Darren Krahn [Mon, 4 Jun 2012 22:28:54 +0000 (15:28 -0700)]
Store only a single byte of the auth data hash.
Storing a single byte still allows a reasonable sanity check but is not
very useful for a brute-force attack.
BUG=None
TEST=Ran all unit tests; ran platform_Pkcs11ChangeAuthData.
Change-Id: I9f3a36d9258b6125c6fec85419abd78e6eda7d76
Darren Krahn [Tue, 5 Jun 2012 00:03:56 +0000 (17:03 -0700)]
Added list_objects options to p11_replay.
BUG=chromium-os:29776
TEST=Manual
Change-Id: I392c1b9fc277264a2e439079cc3aa29eb2e43b08
Darren Krahn [Thu, 31 May 2012 21:22:11 +0000 (14:22 -0700)]
Added support in p11_replay for key injection and key labels.
Also, improved logging in a few places.
BUG=None
TEST=Manual; Run platform_Pkcs11Events autotest.
Change-Id: I42738d18693e516a5a8f0d3bd7518e3867b0f89c
Darren Krahn [Fri, 25 May 2012 17:09:46 +0000 (10:09 -0700)]
Cleaned up commands that have been moved to chaps_client.
BUG=None
TEST=Manual
Change-Id: Ia72d0ffed4b56042916cb483a49610d7e7f27c82
Darren Krahn [Sat, 19 May 2012 00:59:09 +0000 (17:59 -0700)]
Added an authorization data hash.
Authorization data will only be sent to the TPM if it matches this hash.
This shields the TPM from bad authorization data which can cause it to
enter dictionary-attack-defense mode. Also, fixed a bug found during
testing: the private object mutex should not be signaled in the
ObjectPoolImpl::DeleteAll method.
Note: This CL is security-relevant. Previously a hash of the
authorization data was not stored.
BUG=chromium-os:30836
TEST=Ran all unit tests. Ran platform_Pkcs11ChangeAuthData autotest.
Change-Id: I7c65205e858f74f8a69e13cfe8ae00eb2de75bf2
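Added example (not chaps code) tying together the Linux salting change above, the one-byte auth data hash, and the check that gates TPM use on that hash: authorization data is derived with PBKDF2-HMAC-SHA512, only one byte of its hash is stored, and auth data that fails the check never reaches the TPM. The iteration count, the use of SHA-256 for the check byte, the FakeTPM type and the sample salt are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2HMACSHA512 implements PKCS #5 PBKDF2 (RFC 8018) with HMAC-SHA512,
// the construction OpenSSL's PKCS5_PBKDF2_HMAC provides with EVP_sha512().
func pbkdf2HMACSHA512(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha512.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, numBlocks*hashLen)
	u := make([]byte, hashLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(password, salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		dk = prf.Sum(dk)
		t := dk[len(dk)-hashLen:]
		copy(u, t)
		// U_n = PRF(password, U_{n-1}); T = U_1 xor U_2 xor ... xor U_iter
		for n := 2; n <= iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for i := range u {
				t[i] ^= u[i]
			}
		}
	}
	return dk[:keyLen]
}

// authIterations is an assumption; the count chaps uses is not on the page.
const authIterations = 4096

// SaltAuthData derives 32 bytes of token authorization data from the user's
// password and a per-user salt.
func SaltAuthData(password, salt []byte) []byte {
	return pbkdf2HMACSHA512(password, salt, authIterations, 32)
}

// AuthCheckByte is the single byte of the auth data hash kept on disk: enough
// to reject a wrong password before it reaches the TPM, too little to be
// worth brute-forcing offline. SHA-256 as the hash is an assumption.
func AuthCheckByte(authData []byte) byte {
	sum := sha256.Sum256(authData)
	return sum[0]
}

// FakeTPM (assumption) stands in for the TPM and counts the authorization
// attempts that reach it; a real TPM enters dictionary-attack-defense mode
// after repeated failures, which the check byte exists to prevent.
type FakeTPM struct {
	authData []byte // auth data the key hierarchy was created with
	Attempts int
}

func (t *FakeTPM) UnwrapMasterKey(authData []byte) error {
	t.Attempts++
	if !hmac.Equal(authData, t.authData) {
		return errors.New("TPM: authorization failed")
	}
	return nil
}

var ErrAuthCheck = errors.New("auth data does not match the stored check byte")

// LoadToken sends authorization data to the TPM only if it passes the
// stored one-byte check.
func LoadToken(tpm *FakeTPM, storedCheck byte, authData []byte) error {
	if AuthCheckByte(authData) != storedCheck {
		return ErrAuthCheck
	}
	return tpm.UnwrapMasterKey(authData)
}

func main() {
	salt := []byte("per-user-salt") // constructed sample value
	good := SaltAuthData([]byte("correct password"), salt)
	tpm := &FakeTPM{authData: good}
	check := AuthCheckByte(good)
	fmt.Println("correct:", LoadToken(tpm, check, good), "TPM attempts:", tpm.Attempts)
	bad := SaltAuthData([]byte("wrong password"), salt)
	fmt.Println("wrong:", LoadToken(tpm, check, bad), "TPM attempts:", tpm.Attempts)
}
```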
Darren Krahn [Tue, 22 May 2012 19:57:44 +0000 (12:57 -0700)]
Removed support for less secure encrypted blob format.
BUG=chromium-os:31023
TEST=Ran all unit tests; manually tested existing objects are loaded.
Change-Id: I612d2f9729179b89bae306d3cc8ee3afc9b1b92a
Darren Krahn [Thu, 10 May 2012 17:10:58 +0000 (10:10 -0700)]
Moved the expensive part of token termination onto a worker thread.
The effect is that the OnLogout event is quick and consistent. There is
no noticeable difference (at the ms level) between this OnLogout
implementation and not doing anything in the OnLogout handler. File
system handles are still closed synchronously so a race condition does
not exist with ui.conf killing processes with open handles.
BUG=chromium-os:29933
TEST=Ran all unit tests.
Ran platform_Pkcs11Init* autotests.
Tested timing by manually unloading with active keys.
Manually verified that chapsd does not get killed on logout.
Change-Id: I8f73b15aeb4691232b890cfb1a3a26b870788fdb
Darren Krahn [Tue, 15 May 2012 23:54:26 +0000 (16:54 -0700)]
Created a dbus method which sets the log level and a chaps client.
Combined with a crosh command, this will allow verbose logging to be
enabled in normal mode. The chaps client also includes some of the
chaps-specific commands from p11_replay. These will be removed from
p11_replay once the dependent autotests have been updated.
BUG=chromium-os:30835
TEST=Ran all unit tests.
Manually tested setting log level.
Manually tested using all chaps_client commands.
Change-Id: If74949ffb6c2116528262b70a5e86e7cfd180bdf
Gerrit [Wed, 16 May 2012 23:05:39 +0000 (16:05 -0700)]
Merge "Implemented fall-back to software for out-of-range private key sizes."
Darren Krahn [Mon, 14 May 2012 19:13:41 +0000 (12:13 -0700)]
Implemented fall-back to software for out-of-range private key sizes.
Also:
- Added logging to 'not supported' errors.
- Updated p11_replay so software keys can be tested.
- Updated RSA key size and output buffer size checks.
BUG=chromium-os:29974
TEST=Ran all unit tests.
Manually imported sample certs attached to bug.
Manually tested generation and use of large keys using p11_replay.
Change-Id: I0750aca70cbfdc4b776a7e356aaa3b4268811d99
Darren Krahn [Mon, 14 May 2012 23:57:44 +0000 (16:57 -0700)]
Implemented recovery from bad authorization data.
If the authorization data passed to OnLogin is not correct, private
objects cannot be used. In practice, the correctness of the
authorization data should be checked before loading a token but in the
event this happens the response is to do the following:
1) Delete all objects, public and private.
2) Initialize a new key hierarchy with the given auth data.
If initializing a key hierarchy fails either the first time it runs or
during this recovery step, the private object condition will be set to
avoid blocking incoming requests for private object operations.
BUG=chromium-os:30668
TEST=Ran all unit tests, including two new ones.
Manually tested bad auth data cases using p11_replay.
Change-Id: I9ad20aa072dd08f9206f05ecf3c1559a842bde93
Darren Krahn [Mon, 7 May 2012 19:52:52 +0000 (12:52 -0700)]
Improved logging of attributes.
BUG=None
TEST=Unit tests, manually tested log output.
Change-Id: Ic897648f97644e94bec53864233a76098890a56f
Darren Krahn [Wed, 2 May 2012 21:55:14 +0000 (14:55 -0700)]
Improved encryption/authentication of persistent objects.
Now a MAC is computed after encryption and includes the IV. Also
SafeMemcmp is used when verifying the MAC before decryption. Existing
objects are migrated to the new format.
BUG=None
TEST=Ran all unit tests. Manually tested migration of existing objects.
Change-Id: If2f8b5fbcc8ea2c46e4e1c2fcea87e3ff6ecb24c
Darren Krahn [Sat, 5 May 2012 05:12:02 +0000 (22:12 -0700)]
Fixed an HMAC compatibility problem.
Due to a previous bug, the MAC for some public objects still exists as
computed with the master key (used for private objects). This CL
tolerates this case and considers such MACs valid.
BUG=chromium-os:30577
TEST=Ran all unit tests.
Change-Id: I364a8c724a898a6bed1b8c37e1ed5d0f41d2f2ba
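Added example (not chaps code) of the object format described in this and the previous commit: AES-CBC encryption, an HMAC over IV and ciphertext, a constant-time MAC check before any decryption (the role SafeMemcmp plays), and a verify path that still accepts a public object whose MAC was computed with the master key. AES-256-CBC with PKCS#7 padding, HMAC-SHA256, the IV | ciphertext | MAC layout and the key names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const macLen = sha256.Size

var ErrBadMAC = errors.New("object MAC verification failed")

// SealObject encrypts plaintext with AES-CBC under encKey and appends an
// HMAC-SHA256 computed over IV || ciphertext. Layout: IV | ciphertext | MAC.
func SealObject(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	// PKCS#7 padding up to the block size.
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded)+macLen)
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := out[aes.BlockSize : aes.BlockSize+len(padded)]
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	// The MAC covers the IV as well, so editing the IV to flip bits in the
	// first plaintext block is detected.
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out[:aes.BlockSize+len(padded)])
	copy(out[len(out)-macLen:], mac.Sum(nil))
	return out, nil
}

// verifyMAC checks the trailing tag in constant time (hmac.Equal), which is
// what SafeMemcmp provides in chaps.
func verifyMAC(macKey, blob []byte) bool {
	body, tag := blob[:len(blob)-macLen], blob[len(blob)-macLen:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), tag)
}

// OpenObject verifies the MAC first and only then decrypts and unpads, so a
// tampered blob is rejected before CBC padding is ever examined.
func OpenObject(encKey, macKey, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize+macLen || (len(blob)-macLen)%aes.BlockSize != 0 {
		return nil, errors.New("malformed object blob")
	}
	if !verifyMAC(macKey, blob) {
		return nil, ErrBadMAC
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:len(blob)-macLen]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// OpenPublicObject tolerates public objects whose MAC an earlier version
// computed with the master key, as the compatibility fix above does.
func OpenPublicObject(pubEncKey, pubMacKey, masterMacKey, blob []byte) ([]byte, error) {
	pt, err := OpenObject(pubEncKey, pubMacKey, blob)
	if err == ErrBadMAC {
		pt, err = OpenObject(pubEncKey, masterMacKey, blob)
	}
	return pt, err
}

func main() {
	// Constructed sample keys; real keys come from the TPM-protected hierarchy.
	pubEnc, pubMac := bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{2}, 32)
	blob, _ := SealObject(pubEnc, pubMac, []byte("CKA_LABEL=test-cert"))
	blob[0] ^= 0x80 // tamper with the IV
	_, err := OpenObject(pubEnc, pubMac, blob)
	fmt.Println("tampered IV:", err)
}
```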
Darren Krahn [Fri, 4 May 2012 19:23:01 +0000 (12:23 -0700)]
Fixed a 32-bit to 64-bit conversion error.
BUG=chromium-os:30145
TEST=Ran all unit tests. Manually tested SPDY.
Change-Id: I98a8eab260a74f8700393c7bbcb201d0652447d3
Darren Krahn [Wed, 2 May 2012 21:12:44 +0000 (14:12 -0700)]
Defined NSS-specific constants to improve logging.
BUG=None
TEST=Ran all unit tests. Manually checked logs for readable constants.
Change-Id: Ic23ecf1937fc54d6e8daee04eb4fbd23dc2ab13e
Gerrit [Wed, 2 May 2012 19:06:35 +0000 (12:06 -0700)]
Merge "Improved handling of corrupted database."
Gerrit [Wed, 2 May 2012 19:06:30 +0000 (12:06 -0700)]
Merge "Modified p11_replay to not attempt any other operations after unload."
Gerrit [Wed, 2 May 2012 19:06:30 +0000 (12:06 -0700)]
Merge "Default public keys and certificates to CKA_PRIVATE = false."
Gerrit [Wed, 2 May 2012 19:06:29 +0000 (12:06 -0700)]
Merge "Fixed HMAC bug. Public object MACs were incorrectly generated."
Darren Krahn [Wed, 25 Apr 2012 20:16:00 +0000 (13:16 -0700)]
Improved handling of corrupted database.
Now a database directory is backed up when it cannot be opened. This
allows PKCS #11 services to proceed with a functional database while
keeping the corrupt database for diagnosis.
BUG=None
TEST=platform_Pkcs11InitUnderErrors
Change-Id: Iecfeff548239eb542f6c73b21e9a5dcd3010155b
Darren Krahn [Mon, 23 Apr 2012 23:11:01 +0000 (16:11 -0700)]
Modified p11_replay to not attempt any other operations after unload.
BUG=None
TEST=Manual
Change-Id: I557b93bba20ea86ca94875a1f0a1ef1270ec8803
Darren Krahn [Fri, 27 Apr 2012 18:44:28 +0000 (11:44 -0700)]
Default public keys and certificates to CKA_PRIVATE = false.
Some applications (including NSS) don't always specify the CKA_PRIVATE
attribute and previously this always defaulted to true. For public keys
and certificates this attribute set to false is more appropriate and
allows faster access to certificates on login.
BUG=None
TEST=Ran all unit tests; manual tests.
Change-Id: Iafbcae09fe377d8cf4097cf63bdac05a78c16e74
Darren Krahn [Fri, 27 Apr 2012 00:18:33 +0000 (17:18 -0700)]
Fixed HMAC bug. Public object MACs were incorrectly generated.
BUG=None
TEST=Ran all unit tests. Manually tested using the following steps:
- Create a directory owned by chaps (e.g. /tmp/chaps)
- Restart chapsd
- Create a new token and generate a key pair:
> sudo p11_replay --load --path=/tmp/chaps --auth=1234 --generate
- Unload the new token:
> sudo p11_replay --unload --path=/tmp/chaps
- Load the token again and immediately list objects (before the token
master key can be decrypted by the TPM):
> sudo p11_replay --load --path=/tmp/chaps --auth=1234; pkcs11-tool
--module=libchaps.so -O
- Verify that the output of this command lists a public key. Before
this fix the output would not list any objects.
- Wait a few seconds (so the master key is decrypted).
- List objects again:
> pkcs11-tool --module=libchaps.so -O
- Verify that the output lists both the public and private keys.
Change-Id: Id11603cad9732878d72218a82444cf0b7f36e34b
Darren Krahn [Wed, 25 Apr 2012 20:18:45 +0000 (13:18 -0700)]
Fixed a hang during unit testing.
SlotManagerImpl::OnLogin creates a thread to perform asynchronous token
initialization. The version of gtest and gmock we currently use is not
thread-safe which can cause hangs. For now, all tests calling OnLogin
have been disabled.
BUG=None
TEST=Ran all unit tests.
Created new unit test which reproduces the problem often.
Change-Id: I518e07ef594253fb4f2b1c00762dffb4986acfee
Gerrit [Fri, 20 Apr 2012 22:40:36 +0000 (15:40 -0700)]
Merge "Fixed a memory / handle leak."
Darren Krahn [Fri, 20 Apr 2012 21:42:04 +0000 (14:42 -0700)]
Fixed a memory / handle leak.
Each leveldb iterator holds an open file handle. This needs to be closed
so chapsd doesn't get killed on logout.
BUG=chromium-os:29665
TEST=Ran all unit tests; manually verified all handles close correctly.
Change-Id: Ie63443e7f345455a41a0c9b56eadd0dda974e60b
Gerrit [Fri, 20 Apr 2012 21:33:13 +0000 (14:33 -0700)]
Merge "Added more robust handling of TPM failures."
Darren Krahn [Fri, 20 Apr 2012 16:16:56 +0000 (09:16 -0700)]
Cleaned up unused code.
The todo bug has been closed WontFix.
BUG=chromium-os:22297
TEST=none
Change-Id: I3c2a620aaecdc29400c4b85ac8f56bc2fcdf0d35
Darren Krahn [Thu, 19 Apr 2012 22:40:13 +0000 (15:40 -0700)]
Added more robust handling of TPM failures.
Previously, if the TPM failed to initialize a LOG(FATAL) killed the
process. Now a token will not be loaded but TPM initialization will be
reattempted each time a request to load a token is received.
BUG=chromium-os:29703
TEST=Ran all unit tests; created new unit test.
Manually tested with functional TPM and with fake TPM failure.
Change-Id: If757a01c35c8208a18ac1567c95cf418f8f15f12
Darren Krahn [Wed, 11 Apr 2012 17:32:19 +0000 (10:32 -0700)]
Enable the Chaps PKCS #11 implementation by default.
BUG=chromium-os:22543
TEST=Manually tested that an update that includes this change will cause
Chaps to be enabled on the next reboot.
Change-Id: I20d51ec81ababc996df495e2441e1eaf72b4148a
Gerrit [Tue, 17 Apr 2012 22:38:51 +0000 (15:38 -0700)]
Merge "Fixed flushing of objects modified after initial creation."
Darren Krahn [Tue, 17 Apr 2012 21:27:30 +0000 (14:27 -0700)]
Fixed a race condition between chapsd and chaps clients.
This race condition exhibits itself in practice when cryptohome restarts
chapsd and then waits for the process to be respawned before making
calls. If cryptohome calls between the time that chapsd has started and
the time it begins servicing dbus then the calls fail.
This is suspected of causing apparent certificate loss.
BUG=chromium:120767
TEST=Ran all unit tests.
Manually tested:
- Ran client but not service.
- Ran client and then service after a short delay.
- Ran service and then client.
Change-Id: I0a9105e3d10b0b359ed3faa0c91516c57dffa304
Darren Krahn [Tue, 17 Apr 2012 17:26:55 +0000 (10:26 -0700)]
Fixed flushing of objects modified after initial creation.
BUG=chromium:120767
TEST=New unit test; manually tested.
Change-Id: I79335c99a6616fdfb5286ccadcb5831d99833498
Darren Krahn [Tue, 10 Apr 2012 23:41:32 +0000 (16:41 -0700)]
Implemented asynchronous initialization and import of tokens.
When a token is initialized there is some expensive TPM work to do. If
legacy objects need to be imported there is even more TPM work to do.
Objects that are not encrypted with the TPM can be available before this
work is complete. This CL enables this immediate access so certificates
can be enumerated before TPM work is finished. The TPM work executes
asynchronously in the background.
To accomplish this the following changes have been made:
- Separate loading of public and private objects.
- Do not encrypt public objects with the TPM.
- Integrate import logic with object loading logic in the object pool.
- Add locking for the handle manager, tpm utility, and object pools.
- Separate importing of public and private objects.
BUG=chromium-os:21014
TEST=Ran all unit tests; manually tested expensive import, ensuring that
UI was not blocked on the completion of the import.
Change-Id: I2620cd2000b52d9d6d547453441a2286018e05b7
Gerrit [Wed, 11 Apr 2012 23:42:59 +0000 (16:42 -0700)]
Merge "Implemented migration from opencryptoki."
Darren Krahn [Fri, 23 Mar 2012 21:30:00 +0000 (14:30 -0700)]
Implemented migration from opencryptoki.
Private keys that have been imported need to keep the same parent
wrapping key so support has been added to store the imported root
key blobs and load them on demand.
Unit tests have been added that exercise the import logic with normal
data and with corrupted data.
BUG=chromium-os:21014
TEST=Run all unit tests.
Manually test importing a Google-A cert from opencryptoki and using
it with Chaps.
Change-Id: I0f19cbb284005dab7c62be8c466a67f3bbc35a55
Darren Krahn [Wed, 11 Apr 2012 18:02:11 +0000 (11:02 -0700)]
Removed TODO. TPM RNG evaluation shows its use as a seed is fine.
BUG=chromium-os:25435
TEST=None
Change-Id: I483011363de3473052bb0bb34aed92c124038cd6
Darren Krahn [Wed, 4 Apr 2012 20:56:22 +0000 (13:56 -0700)]
Added more functions to p11_replay.
These additional functions make p11_replay more useful for autotests:
* load: Loads an arbitrary token given a database path and auth data.
* unload: Unloads an existing token.
* change_auth: Changes the auth data for an arbitrary token.
* logout: Performs a C_Logout after any other commands.
* cleanup: Deletes all previously generated test keys.
BUG=chromium-os:27741
TEST=manually tested by running with each switch
Change-Id: I48b2151546822f2c44eb5711d8c7a09fde872ad9
Darren Krahn [Tue, 10 Apr 2012 20:53:04 +0000 (13:53 -0700)]
Fixed dependencies for generated protobuf headers.
BUG=chromium-os:29203
TEST='FEATURES=test emerge'
Change-Id: I11c8c6793a251e56ebd41167aae42fb2771b9077
Mike Frysinger [Tue, 10 Apr 2012 16:33:51 +0000 (12:33 -0400)]
update to newer libbase
BUG=chromium-os:25872
TEST=`emerge-x86-alex chaps` works
TEST=`cros_run_unit_tests --board=x86-alex -p chaps` passed
Change-Id: I01068bdb7440ec2073ddd926b89c6c72fc73b071
Elly Jones [Fri, 6 Apr 2012 17:12:19 +0000 (13:12 -0400)]
[chaps] add OWNERS
TEST=None
BUG=chromium-os:22007
Change-Id: Ia74ef03d2a796b54bd42de20862abcd328e9f55c
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Gerrit [Fri, 30 Mar 2012 18:23:47 +0000 (11:23 -0700)]
Merge "Added support for loading opencryptoki key blobs."
Gerrit [Fri, 30 Mar 2012 18:02:56 +0000 (11:02 -0700)]
Merge "Added more flexibility to the decoding of integral serialized types."
Gerrit [Fri, 30 Mar 2012 00:40:17 +0000 (17:40 -0700)]
Merge "Improved handling of invalid attributes."
Darren Krahn [Fri, 23 Mar 2012 21:25:09 +0000 (14:25 -0700)]
Added support for loading opencryptoki key blobs.
Support was added for loading keys which do not have any authorization
data (like opencryptoki root keys). Also, support was added for keys
which have a parent other than the SRK (like all other opencryptoki
keys, which have the root key as their parent).
BUG=chromium-os:21014
TEST=Run all unit tests.
Change-Id: I8e65810f30781b0f0cb0ddee38686d398fd5247e
Darren Krahn [Wed, 28 Mar 2012 20:06:03 +0000 (13:06 -0700)]
Added more flexibility to the decoding of integral serialized types.
This flexibility allows chaps to correctly import attribute values
written by other PKCS #11 libraries. Unit tests have been added.
BUG=chromium-os:21014
TEST=Run all unit tests.
Change-Id: I5783a2b55d04492139e7482fba19f851cc017a37
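Decoding integral attribute values written by another PKCS #11 library is exactly the place where a lenient reader is needed, because CK_ULONG is 4 bytes on 32-bit builds and 8 bytes on LP64 builds, so the same CKA_CLASS value can arrive as either width. The following is an added example in Go, not chaps code: DecodeULong, EncodeULong and NormalizeClass are invented names, little-endian host order is assumed (true for the x86 boards mentioned on this page), and the CKA_/CKO_ constants are the real PKCS #11 values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Real PKCS #11 constants (values from the specification).
const (
	CKA_CLASS           = 0x0
	CKO_CERTIFICATE     = 1
	CKO_PRIVATE_KEY     = 3
	CKO_MECHANISM       = 7
	CKO_VENDOR_DEFINED  = 0x80000000
)

// DecodeULong interprets a serialized CK_ULONG attribute value. Other
// libraries (or the same library built for a different word size) write
// 4 or 8 bytes; this lenient decoder accepts 1, 2, 4 and 8 and rejects
// anything else rather than guessing. Assumption: little-endian host order.
func DecodeULong(v []byte) (uint64, error) {
	switch len(v) {
	case 1:
		return uint64(v[0]), nil
	case 2:
		return uint64(binary.LittleEndian.Uint16(v)), nil
	case 4:
		return uint64(binary.LittleEndian.Uint32(v)), nil
	case 8:
		return binary.LittleEndian.Uint64(v), nil
	default:
		return 0, fmt.Errorf("integral attribute has unsupported length %d", len(v))
	}
}

// EncodeULong writes v at the target's native CK_ULONG width (4 or 8 bytes),
// failing instead of silently truncating a value that does not fit.
func EncodeULong(v uint64, width int) ([]byte, error) {
	switch width {
	case 4:
		if v > 0xFFFFFFFF {
			return nil, errors.New("value does not fit in a 32-bit CK_ULONG")
		}
		b := make([]byte, 4)
		binary.LittleEndian.PutUint32(b, uint32(v))
		return b, nil
	case 8:
		b := make([]byte, 8)
		binary.LittleEndian.PutUint64(b, v)
		return b, nil
	}
	return nil, fmt.Errorf("unsupported CK_ULONG width %d", width)
}

// NormalizeClass re-encodes an imported CKA_CLASS value at the native width
// and refuses values that are not a standard or vendor-defined object class.
// An import from a foreign token database should reject garbage here rather
// than persist it and trip over it on every later lookup.
func NormalizeClass(raw []byte, width int) ([]byte, error) {
	cls, err := DecodeULong(raw)
	if err != nil {
		return nil, err
	}
	if cls > CKO_MECHANISM && cls&CKO_VENDOR_DEFINED == 0 {
		return nil, fmt.Errorf("unknown object class 0x%x", cls)
	}
	return EncodeULong(cls, width)
}

func main() {
	// Constructed inputs: CKO_PRIVATE_KEY as written by a 32-bit and a 64-bit library.
	for _, raw := range [][]byte{{3, 0, 0, 0}, {3, 0, 0, 0, 0, 0, 0, 0}} {
		native, err := NormalizeClass(raw, 8)
		fmt.Printf("%x -> %x err=%v\n", raw, native, err)
	}
	_, err := DecodeULong([]byte{3, 0, 0}) // 3 bytes: no PKCS #11 build writes this
	fmt.Println("odd width:", err)
}
```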
Darren Krahn [Wed, 28 Mar 2012 19:43:56 +0000 (12:43 -0700)]
Improved handling of invalid attributes.
BUG=chromium-os:28626
TEST=Ran all unit tests.
Manually tested using steps described in bug.
Change-Id: Iead35b0d5171bd4cee3d8d1226de706a877b2ddd
Darren Krahn [Tue, 20 Mar 2012 17:04:53 +0000 (10:04 -0700)]
Added framework for importing objects from opencryptoki.
BUG=chromium-os:21014
TEST=Run all unit tests.
Change-Id: I44b8f9facc1e0f9ef2375109de1abd1a7429347f
Gerrit [Tue, 27 Mar 2012 04:21:29 +0000 (21:21 -0700)]
Merge "Moved AES-CBC-PAD encryption to chaps_utility."
Darren Krahn [Tue, 20 Mar 2012 19:35:34 +0000 (12:35 -0700)]
Moved AES-CBC-PAD encryption to chaps_utility.
Migration code will reuse this function.
BUG=chromium-os:21014
TEST=Run all unit tests.
Change-Id: I32ad660eaa790b912e9e34e83a2f3e0990f3703d
Darren Krahn [Mon, 26 Mar 2012 16:17:35 +0000 (09:17 -0700)]
Fixed generated-header dependency.
BUG=None
TEST=emerge
Change-Id: I26ae90b488000aa6f915efc761adb5eacb6c6d5b
Darren Krahn [Fri, 23 Mar 2012 17:05:53 +0000 (10:05 -0700)]
Use a more restrictive umask so token database is not world readable.
BUG=chromium-os:21003
TEST=Run trybot along with cryptohome changes and autotest changes for
security_ProfilePermissions.
Change-Id: I00bee7c90b51f8567701e3b0b0401b59888dc9aa
Darren Krahn [Fri, 16 Mar 2012 23:10:58 +0000 (16:10 -0700)]
Update dbus policy and run as 'chaps'.
The dbus interface can now be owned by 'chaps' or 'root'. All members of
the 'pkcs11' group have normal access to the interface. When chaps is
disabled and calls are redirected to opencryptoki, the daemon still runs
as root and effective chronos. When chaps is enabled, the daemon will
switch to real chaps on startup. Cryptohome will be responsible for
creating a token database directory which is accessible by the chaps
user.
BUG=chromium-os:27967
TEST=Run all unit tests.
Manually test with chaps enabled and disabled:
- Use PKCS #11 services as chronos.
- Use PKCS #11 services as wpa.
- Connect to Google-A.
Change-Id: I24f29e6b7dab91c07bc5f428598c03653e35a748
Darren Krahn [Wed, 14 Mar 2012 23:15:15 +0000 (16:15 -0700)]
Implemented an object store using leveldb.
The magic database name ":memory:" is used to create a memory only
database suitable for testing.
BUG=chromium-os:21009
TEST=Ran all unit tests.
Manually tested using the following steps:
- Login as a user with no token.
- Create a key in the token and sign with the key.
- Logout.
- Login again and sign with the existing key.
Change-Id: I797f421479ebb013281112ab8e094a1f036255d7
Darren Krahn [Mon, 19 Mar 2012 16:11:32 +0000 (09:11 -0700)]
Fixed dependency bug.
BUG=chromium-os:27975
TEST=FEATURES=test emerge
Change-Id: I21e0ffd156a4d77c3964ab88bbdda84d47a7c9c5
Darren Krahn [Fri, 9 Mar 2012 02:24:11 +0000 (18:24 -0800)]
Updated replay app to support more scenarios.
Now following actions are available:
--generate : Generates a key pair suitable for other tests.
--generate_delete : Generates a key pair and immediately deletes it.
--replay_wifi : Replays an EAP-TLS negotiation (the default action).
--replay_vpn : Replays a L2TP/IPSEC vpn negotiation.
BUG=None
TEST=Manual tests.
Change-Id: I065d61cb26390a8fe2161b7602c0e89d775d5ab5
Gerrit [Mon, 19 Mar 2012 18:52:35 +0000 (11:52 -0700)]
Merge "Added an HMAC to each encrypted blob."
Gerrit [Mon, 19 Mar 2012 18:52:34 +0000 (11:52 -0700)]
Merge "Enabled the object store in ChapsFactory."
Gerrit [Fri, 16 Mar 2012 19:34:45 +0000 (12:34 -0700)]
Merge "Created an ObjectStore skeleton with functional encryption."
Darren Krahn [Fri, 16 Mar 2012 01:32:29 +0000 (18:32 -0700)]
Changed initialization to make connection to chapsd more robust.
The connection is initiated when the first event is fired. If the
connection fails, it will continue trying to connect each time an event
fires. This allows cryptohome unit tests to pass.
BUG=None
TEST=Run all unit tests for chaps, cryptohome.
Change-Id: Idbfba6d90e30154fdfc061614c8d0d0f76082234
Darren Krahn [Wed, 7 Mar 2012 00:05:37 +0000 (16:05 -0800)]
Added an HMAC to each encrypted blob.
This allows us to verify the blob was not tampered with when we decrypt
it and increases the difficulty of attacking chapsd by staging an
invalid database.
BUG=chromium-os:21009
TEST=Unit tests; Manual tests with valid and invalid databases.
Change-Id: I896f76700ec77d7d9b3165af7c5d684867727bcf
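The two commits above that move AES-CBC-PAD into chaps_utility and add an HMAC to each encrypted blob together describe an encrypt-then-MAC blob format: the MAC is checked before any decryption, so a staged or corrupted database is rejected without ever feeding attacker-controlled ciphertext to the CBC unpadding code. The following is an added example in Go of that construction, not chaps code: the blob layout, the key split in DeriveKeys, and the names SealBlob and OpenBlob are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Blob layout used by this example (an assumption, not the chaps on-disk format):
//   iv (16 bytes) || AES-256-CBC ciphertext with PKCS #7 padding || HMAC-SHA256 tag
// The tag covers iv and ciphertext, so a change to either is caught before
// CBC decryption and the padding check run (encrypt-then-MAC).

// DeriveKeys splits one master key into independent encryption and MAC keys
// so the same key is never used for both (assumption: chaps may derive differently).
func DeriveKeys(master []byte) (encKey, macKey []byte) {
	h := hmac.New(sha256.New, master)
	h.Write([]byte("blob-encryption"))
	encKey = h.Sum(nil)
	h = hmac.New(sha256.New, master)
	h.Write([]byte("blob-authentication"))
	macKey = h.Sum(nil)
	return encKey, macKey
}

func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize // always 1..blockSize, so unpad can never see 0
	out := make([]byte, len(b), len(b)+n)
	copy(out, b)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// SealBlob encrypts plaintext under a fresh random IV and appends the HMAC tag.
func SealBlob(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil
}

// OpenBlob verifies the tag in constant time first and only then decrypts;
// a tampered or truncated blob never reaches the padding check.
func OpenBlob(encKey, macKey, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize+sha256.Size {
		return nil, errors.New("blob too short")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("blob authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	enc, mac := DeriveKeys(bytes.Repeat([]byte{0x42}, 32)) // constructed master key
	blob, _ := SealBlob(enc, mac, []byte("wrapped private key"))
	pt, err := OpenBlob(enc, mac, blob)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	blob[aes.BlockSize] ^= 0x01 // flip one ciphertext bit, as a staged database might
	_, err = OpenBlob(enc, mac, blob)
	fmt.Println("tampered blob:", err)
}
```

Because the tag check happens before decryption, every rejection path returns the same "authentication failed" error regardless of where the blob was altered, which also removes the padding-oracle distinction between a bad MAC and bad padding.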
Darren Krahn [Sun, 26 Feb 2012 07:07:02 +0000 (23:07 -0800)]
Enabled the object store in ChapsFactory.
- Currently, the object store implementation is not complete and the
factory will fall back to using a fake.
- Changed object pool initialization so object blobs are loaded only
once the encryption key has been set.
BUG=chromium-os:21009
TEST=Ran all unit tests.
Change-Id: I12e91318bcdd5bffc02c01fe4808d801e691fd81
Darren Krahn [Fri, 24 Feb 2012 16:37:36 +0000 (08:37 -0800)]
Created an ObjectStore skeleton with functional encryption.
- Moved OpenSSL initialization and error strings to chaps_utility.
- Renamed 'SetKey' in ObjectPool to 'SetEncryptionKey'.
- Changed SetEncryptionKey to return a boolean status.
BUG=chromium-os:21009
TEST=Run all unit tests on x86 and amd64.
Change-Id: Ia77577a83705b92ea64adab7f840ad5c1cc44f7c
Gerrit [Wed, 14 Mar 2012 18:53:49 +0000 (11:53 -0700)]
Merge "Changed the LoginEventClient interface to take pointers."
Gerrit [Wed, 14 Mar 2012 18:53:49 +0000 (11:53 -0700)]
Merge "Changed the slot configuration to be appropriate for a single user slot."
Darren Krahn [Tue, 13 Mar 2012 23:40:20 +0000 (16:40 -0700)]
Changed the slot configuration to be appropriate for a single user slot.
The system slot will be disabled until crosbug.com/27759 has been fixed.
Also updated unit tests to work with the new configuration.
BUG=chromium-os:21003
TEST=Run all unit tests.
Run platform_Pkcs11InitOnLogin with Chaps enabled.
Change-Id: I87973c77f1f8f65e78021d9f6b0984e4fb81c4e6
Darren Krahn [Tue, 13 Mar 2012 20:12:18 +0000 (13:12 -0700)]
Fixed dependency bug.
BUG=chromium-os:27738
TEST=emerge -j16
Change-Id: I548803fc4ecd72968a40fc8edfb5777a4526bdb8
Darren Krahn [Tue, 13 Mar 2012 17:58:32 +0000 (10:58 -0700)]
Changed the LoginEventClient interface to take pointers.
Taking authorization data pointers as opposed to strings allows callers
to use a more secure type than std::string. Also, erase the auth data
vector passed to the ChapsProxy instance once the call is complete.
BUG=None
TEST=Tested manually.
Change-Id: I81f7f22f05dae57a97249ca77886870985f7d7d2
Darren Krahn [Thu, 8 Mar 2012 21:41:31 +0000 (13:41 -0800)]
Created a simple class to help clients send login events.
The ChapsProxyImpl class is large and pulls in a bunch of stuff internal
to Chaps. It's not well-suited to be used by other projects. The
LoginEventClient class, by contrast, requires only a single header to be
published and provides a simple interface for firing off events to the
Chaps daemon.
Also changed the D-Bus interface to pass authorization data as a byte
array rather than a string.
BUG=chromium-os:21003
TEST=Manually tested with a client that sends login events.
Change-Id: Iba34d7092c7741c8b66d5bea384cbebff0ee3855