def get_tpm_randomness(size=32):
global randomness
if size == 0:
return ""
sysrand = crypto.generate_random_key(size)
if common.STUB_TPM:
return sysrand
tpmrand = ""
while size > len(randomness):
# need moar randomness
extra = get_tpm_rand_block()
if extra == []:
break
randomness += extra
continue
if size <= len(randomness):
tpmrand = randomness[:size]
randomness = randomness[size:]
if len(tpmrand) == len(sysrand):
return str(crypto.strbitxor(sysrand, str(tpmrand)))
else:
return str(sysrand)
def decrypt_check(self, decrypted_U, decrypted_V):
"""Decrypt the Cloud init script with the passed U and V values.
This method will access the received auth tag, and may fail if decoy U and V values were received.
Do not call directly unless you acquire uvLock. Returns None if decryption unsuccessful, else returns the
decrypted agent UUID.
"""
if self.auth_tag is None:
return None
if len(decrypted_U) != len(decrypted_V):
logger.warning("Invalid U len %d or V len %d. skipping..."%(len(decrypted_U),len(decrypted_V)))
return None
candidate_key = str(crypto.strbitxor(decrypted_U, decrypted_V))
# be very careful printing K, U, or V as they leak in logs stored on unprotected disks
if common.INSECURE_DEBUG:
logger.debug("U: " + base64.b64encode(decrypted_U))
logger.debug("V: " + base64.b64encode(decrypted_V))
logger.debug("K: " + base64.b64encode(candidate_key))
logger.debug( "auth_tag: " + self.auth_tag)
ex_mac = crypto.do_hmac(candidate_key,self.agent_uuid)
if ex_mac == self.auth_tag:
logger.info( "Successfully derived K for UUID %s",self.agent_uuid)
self.final_U = decrypted_U
self.K = candidate_key
return True
return False
def encrypt(contents):
k = crypto.generate_random_key(32)
v = crypto.generate_random_key(32)
u = crypto.strbitxor(k, v)
ciphertext = crypto.encrypt(contents, k)
recovered = crypto.decrypt(ciphertext, k)
if recovered != contents:
raise Exception("Test decryption failed")
return {'u': u, 'v': v, 'k': k, 'ciphertext': ciphertext}
