def get_tpm_randomness(size=32): global randomness if size == 0: return "" sysrand = crypto.generate_random_key(size) if common.STUB_TPM: return sysrand tpmrand = "" while size > len(randomness): # need moar randomness extra = get_tpm_rand_block() if extra == []: break randomness += extra continue if size <= len(randomness): tpmrand = randomness[:size] randomness = randomness[size:] if len(tpmrand) == len(sysrand): return str(crypto.strbitxor(sysrand, str(tpmrand))) else: return str(sysrand)
def decrypt_check(self, decrypted_U, decrypted_V): """Decrypt the Cloud init script with the passed U and V values. This method will access the received auth tag, and may fail if decoy U and V values were received. Do not call directly unless you acquire uvLock. Returns None if decryption unsuccessful, else returns the decrypted agent UUID. """ if self.auth_tag is None: return None if len(decrypted_U) != len(decrypted_V): logger.warning("Invalid U len %d or V len %d. skipping..."%(len(decrypted_U),len(decrypted_V))) return None candidate_key = str(crypto.strbitxor(decrypted_U, decrypted_V)) # be very careful printing K, U, or V as they leak in logs stored on unprotected disks if common.INSECURE_DEBUG: logger.debug("U: " + base64.b64encode(decrypted_U)) logger.debug("V: " + base64.b64encode(decrypted_V)) logger.debug("K: " + base64.b64encode(candidate_key)) logger.debug( "auth_tag: " + self.auth_tag) ex_mac = crypto.do_hmac(candidate_key,self.agent_uuid) if ex_mac == self.auth_tag: logger.info( "Successfully derived K for UUID %s",self.agent_uuid) self.final_U = decrypted_U self.K = candidate_key return True return False
def encrypt(contents): k = crypto.generate_random_key(32) v = crypto.generate_random_key(32) u = crypto.strbitxor(k, v) ciphertext = crypto.encrypt(contents, k) recovered = crypto.decrypt(ciphertext, k) if recovered != contents: raise Exception("Test decryption failed") return {'u': u, 'v': v, 'k': k, 'ciphertext': ciphertext}