/* * Copyright 2015 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * * * TODO(anmorales): figure out a reasonable max buffer size */ #include #include namespace keyguard { /** * Variant of memset() that uses GCC-specific pragmas to disable optimizations, so effect is not * optimized away. This is important because we often need to wipe blocks of sensitive data from * memory. As an additional convenience, this implementation avoids writing to NULL pointers. */ #ifdef __clang__ #define OPTNONE __attribute__((optnone)) #else // not __clang__ #define OPTNONE __attribute__((optimize("O0"))) #endif // not __clang__ inline OPTNONE void* memset_s(void* s, int c, size_t n) { if (!s) return s; return memset(s, c, n); } #undef OPTNONE static inline size_t buffer_size(const SizedBuffer &buf) { return sizeof(uint32_t) + buf.length; } static inline void append_to_buffer(uint8_t **buffer, const SizedBuffer *to_append) { memcpy(*buffer, &to_append->length, sizeof(to_append->length)); *buffer += sizeof(to_append->length); memcpy(*buffer, to_append->buffer.get(), to_append->length); *buffer += to_append->length; } static inline keyguard_error_t read_from_buffer(const uint8_t **buffer, const uint8_t *end, SizedBuffer *target) { if (*buffer + sizeof(target->length) >= end) return KG_ERROR_INVALID; memcpy(&target->length, *buffer, sizeof(target->length)); *buffer += sizeof(target->length); const uint8_t *buffer_end = *buffer + target->length; if (buffer_end > end || buffer_end <= *buffer) return KG_ERROR_INVALID; target->buffer.reset(new uint8_t[target->length]); memcpy(target->buffer.get(), *buffer, target->length); *buffer += target->length; return KG_ERROR_OK; } size_t KeyguardMessage::GetSerializedSize() const { if (error_ == KG_ERROR_OK) { return sizeof(uint32_t) + nonErrorSerializedSize(); } else { return sizeof(uint32_t); } } uint8_t *KeyguardMessage::Serialize() const { if (error_ != KG_ERROR_OK) { uint32_t *error_buf = new uint32_t; *error_buf = static_cast(error_); return reinterpret_cast(error_buf); } else { uint8_t *buf = new uint8_t[sizeof(uint32_t) + nonErrorSerializedSize()]; uint32_t error_value = static_cast(error_); memcpy(buf, &error_value, sizeof(uint32_t)); nonErrorSerialize(buf + sizeof(uint32_t)); return buf; } } keyguard_error_t KeyguardMessage::Deserialize(const uint8_t *payload, const uint8_t *end) { uint32_t error_value; if (payload + sizeof(uint32_t) > end) return KG_ERROR_INVALID; memcpy(&error_value, payload, sizeof(uint32_t)); error_ = static_cast(error_value); if (error_ == KG_ERROR_OK) { error_ = nonErrorDeserialize(payload + sizeof(uint32_t), end); } return error_; } VerifyRequest::VerifyRequest(SizedBuffer *enrolled_password_handle, SizedBuffer *provided_password_payload) { password_handle_.buffer = std::move(enrolled_password_handle->buffer); password_handle_.length = enrolled_password_handle->length; provided_password_.buffer = std::move(provided_password_payload->buffer); provided_password_.length = provided_password_payload->length; } VerifyRequest::VerifyRequest() { memset_s(&password_handle_, 0, sizeof(password_handle_)); memset_s(&provided_password_, 0, sizeof(provided_password_)); } VerifyRequest::~VerifyRequest() { if (password_handle_.buffer) { password_handle_.buffer.reset(); } if (provided_password_.buffer) { memset_s(provided_password_.buffer.get(), 0, provided_password_.length); provided_password_.buffer.reset(); } } size_t VerifyRequest::nonErrorSerializedSize() const { return buffer_size(password_handle_) + buffer_size(provided_password_); } void VerifyRequest::nonErrorSerialize(uint8_t *buffer) const { append_to_buffer(&buffer, &password_handle_); append_to_buffer(&buffer, &provided_password_); } keyguard_error_t VerifyRequest::nonErrorDeserialize(const uint8_t *payload, const uint8_t *end) { keyguard_error_t error = KG_ERROR_OK; if (password_handle_.buffer) { password_handle_.buffer.reset(); } if (provided_password_.buffer) { memset_s(provided_password_.buffer.get(), 0, provided_password_.length); provided_password_.buffer.reset(); } error = read_from_buffer(&payload, end, &password_handle_); if (error != KG_ERROR_OK) return error; return read_from_buffer(&payload, end, &provided_password_); } VerifyResponse::VerifyResponse(SizedBuffer *verification_token) { verification_token_.buffer = std::move(verification_token->buffer); verification_token_.length = verification_token->length; } VerifyResponse::VerifyResponse() { memset_s(&verification_token_, 0, sizeof(verification_token_)); }; VerifyResponse::~VerifyResponse() { if (verification_token_.length > 0) { verification_token_.buffer.reset(); } } size_t VerifyResponse::nonErrorSerializedSize() const { return buffer_size(verification_token_); } void VerifyResponse::nonErrorSerialize(uint8_t *buffer) const { append_to_buffer(&buffer, &verification_token_); } keyguard_error_t VerifyResponse::nonErrorDeserialize(const uint8_t *payload, const uint8_t *end) { if (verification_token_.buffer) { verification_token_.buffer.reset(); } return read_from_buffer(&payload, end, &verification_token_); } EnrollRequest::EnrollRequest(SizedBuffer *provided_password) { provided_password_.buffer = std::move(provided_password->buffer); provided_password_.length = provided_password->length; } EnrollRequest::EnrollRequest() { memset_s(&provided_password_, 0, sizeof(provided_password_)); } EnrollRequest::~EnrollRequest() { if (provided_password_.buffer) { memset_s(provided_password_.buffer.get(), 0, provided_password_.length); provided_password_.buffer.reset(); } } size_t EnrollRequest::nonErrorSerializedSize() const { return buffer_size(provided_password_); } void EnrollRequest::nonErrorSerialize(uint8_t *buffer) const { append_to_buffer(&buffer, &provided_password_); } keyguard_error_t EnrollRequest::nonErrorDeserialize(const uint8_t *payload, const uint8_t *end) { if (provided_password_.buffer) { memset_s(provided_password_.buffer.get(), 0, provided_password_.length); provided_password_.buffer.reset(); } return read_from_buffer(&payload, end, &provided_password_); } EnrollResponse::EnrollResponse(SizedBuffer *enrolled_password_handle) { enrolled_password_handle_.buffer = std::move(enrolled_password_handle->buffer); enrolled_password_handle_.length = enrolled_password_handle->length; } EnrollResponse::EnrollResponse() { memset_s(&enrolled_password_handle_, 0, sizeof(enrolled_password_handle_)); } EnrollResponse::~EnrollResponse() { if (enrolled_password_handle_.buffer) { enrolled_password_handle_.buffer.reset(); } } size_t EnrollResponse::nonErrorSerializedSize() const { return buffer_size(enrolled_password_handle_); } void EnrollResponse::nonErrorSerialize(uint8_t *buffer) const { append_to_buffer(&buffer, &enrolled_password_handle_); } keyguard_error_t EnrollResponse::nonErrorDeserialize(const uint8_t *payload, const uint8_t *end) { if (enrolled_password_handle_.buffer) { enrolled_password_handle_.buffer.reset(); } return read_from_buffer(&payload, end, &enrolled_password_handle_); } };