author | David Drysdale <drysdale@google.com> | 2023-03-28 10:15:16 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-03-28 10:15:16 +0000 |
commit | 62a0386f3db4c271a2ce395c4386902871a76d74 (patch) | |
tree | 36d93306f31198b4d5d5b9750e3d8243e16899e9 | |
parent | 565fae0f6ed02416bf2832afbdecf83956428ab0 (diff) | |
parent | ceed0f5660b53ca0e6756d2753cf544af46b8213 (diff) | |
Merge "Use fallible allocation in UNIQUE_ID generation" am: ef7e220ebd am: ceed0f5660
Original change: https://android-review.googlesource.com/c/platform/system/keymaster/+/2505895
Change-Id: I3d129169b734a896c097ad0caa52ac7a445af4c0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | contexts/pure_soft_keymaster_context.cpp | 6 | ||||
-rw-r--r-- | include/keymaster/km_openssl/attestation_record.h | 11 | ||||
-rw-r--r-- | km_openssl/attestation_record.cpp | 51 |
3 files changed, 43 insertions, 25 deletions
diff --git a/contexts/pure_soft_keymaster_context.cpp b/contexts/pure_soft_keymaster_context.cpp
index 95b1d29..d68ce05 100644
--- a/contexts/pure_soft_keymaster_context.cpp
+++ b/contexts/pure_soft_keymaster_context.cpp
@@ -454,8 +454,10 @@ keymaster::Buffer PureSoftKeymasterContext::GenerateUniqueId(uint64_t creation_d
 // The secret must contain at least 128 bits of entropy and be unique to the individual device"
 const std::vector<uint8_t> fake_hbk = {'M', 'u', 's', 't', 'B', 'e', 'R', 'a', 'n', 'd', 'o', 'm', 'B', 'i', 't', 's'};
- return keymaster::generate_unique_id(fake_hbk, creation_date_time, application_id,
- reset_since_rotation);
+ Buffer unique_id;
+ *error = keymaster::generate_unique_id(fake_hbk, creation_date_time, application_id,
+ reset_since_rotation, &unique_id);
+ return unique_id;
 }
 
 static keymaster_error_t TranslateAuthorizationSetError(AuthorizationSet::Error err) {
diff --git a/include/keymaster/km_openssl/attestation_record.h b/include/keymaster/km_openssl/attestation_record.h
index 6a32ebc..35b9956 100644
--- a/include/keymaster/km_openssl/attestation_record.h
+++ b/include/keymaster/km_openssl/attestation_record.h
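Review bot: The new lines store the result in `*error` and return `unique_id` whether or not generation succeeded, so on the allocation-failure path a default-constructed, empty Buffer is handed back; a caller that uses the return value without inspecting `*error` would treat an empty buffer as the device's unique ID. The signature of GenerateUniqueId, and therefore whether `error` may be null, lies outside the hunk; if a null out-pointer is permitted there, the unconditional `*error =` write needs a guard. At minimum document the contract above the return: `// On failure |unique_id| stays empty; callers must check *error before using it.`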
@@ -350,13 +350,14 @@ keymaster_error_t build_eat_record(const AuthorizationSet& attestation_params,
 std::vector<uint8_t>* eat_token);
 
 // Builds the input to HMAC-SHA256 for unique ID generation.
-std::vector<uint8_t> build_unique_id_input(uint64_t creation_date_time,
- const keymaster_blob_t& application_id,
- bool reset_since_rotation);
+keymaster_error_t build_unique_id_input(uint64_t creation_date_time,
+ const keymaster_blob_t& application_id,
+ bool reset_since_rotation, Buffer* input_data);
 
 // Builds a unique ID of size UNIQUE_ID_SIZE from the given inputs.
-Buffer generate_unique_id(const std::vector<uint8_t>& hbk, uint64_t creation_date_time,
- const keymaster_blob_t& application_id, bool reset_since_rotation);
+keymaster_error_t generate_unique_id(const std::vector<uint8_t>& hbk, uint64_t creation_date_time,
+ const keymaster_blob_t& application_id,
+ bool reset_since_rotation, Buffer* unique_id);
 
 /**
 * Helper functions for attestation record tests. Caller takes ownership of
diff --git a/km_openssl/attestation_record.cpp b/km_openssl/attestation_record.cpp
index 992301c..36cf320 100644
--- a/km_openssl/attestation_record.cpp
+++ b/km_openssl/attestation_record.cpp
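Review bot: The comments above the two redeclared functions still describe the old value-returning API and say nothing about the new out-parameters or the error codes, which are the whole point of the change. The .cpp side returns KM_ERROR_UNEXPECTED_NULL_POINTER for a null out-pointer and KM_ERROR_MEMORY_ALLOCATION_FAILED when the Buffer cannot be sized, so the header should state that contract, e.g. for generate_unique_id: `// Writes a unique ID of size UNIQUE_ID_SIZE to |unique_id|. Returns KM_ERROR_UNEXPECTED_NULL_POINTER` / `// if |unique_id| is null and KM_ERROR_MEMORY_ALLOCATION_FAILED if the buffer cannot be allocated.` The comment on build_unique_id_input needs the matching note for its |input_data| parameter.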
@@ -940,32 +940,47 @@ keymaster_error_t build_eat_record(const AuthorizationSet& attestation_params,
 return KM_ERROR_OK;
 }
 
-std::vector<uint8_t> build_unique_id_input(uint64_t creation_date_time,
- const keymaster_blob_t& application_id,
- bool reset_since_rotation) {
+keymaster_error_t build_unique_id_input(uint64_t creation_date_time,
+ const keymaster_blob_t& application_id,
+ bool reset_since_rotation, Buffer* input_data) {
+ if (input_data == nullptr) {
+ return KM_ERROR_UNEXPECTED_NULL_POINTER;
+ }
 uint64_t rounded_date = creation_date_time / 2592000000LLU;
 uint8_t* serialized_date = reinterpret_cast<uint8_t*>(&rounded_date);
+ uint8_t reset_byte = (reset_since_rotation ? 1 : 0);
- std::vector<uint8_t> input;
- input.reserve(sizeof(rounded_date) + application_id.data_length + 1);
- input.insert(input.end(), serialized_date, serialized_date + sizeof(rounded_date));
- input.insert(input.end(), application_id.data,
- application_id.data + application_id.data_length);
- input.push_back(reset_since_rotation ? 1 : 0);
- return input;
+ if (!input_data->Reinitialize(sizeof(rounded_date) + application_id.data_length + 1) ||
+ !input_data->write(serialized_date, sizeof(rounded_date)) ||
+ !input_data->write(application_id.data, application_id.data_length) ||
+ !input_data->write(&reset_byte, 1)) {
+ return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+ }
+ return KM_ERROR_OK;
 }
 
-Buffer generate_unique_id(const std::vector<uint8_t>& hbk, uint64_t creation_date_time,
- const keymaster_blob_t& application_id, bool reset_since_rotation) {
+keymaster_error_t generate_unique_id(const std::vector<uint8_t>& hbk, uint64_t creation_date_time,
+ const keymaster_blob_t& application_id,
+ bool reset_since_rotation, Buffer* unique_id) {
+ if (unique_id == nullptr) {
+ return KM_ERROR_UNEXPECTED_NULL_POINTER;
+ }
 HmacSha256 hmac;
 hmac.Init(hbk.data(), hbk.size());
- std::vector<uint8_t> input =
- build_unique_id_input(creation_date_time, application_id, reset_since_rotation);
- Buffer unique_id(UNIQUE_ID_SIZE);
- hmac.Sign(input.data(), input.size(), unique_id.peek_write(), unique_id.available_write());
- unique_id.advance_write(UNIQUE_ID_SIZE);
- return unique_id;
+ Buffer input;
+ keymaster_error_t error =
+ build_unique_id_input(creation_date_time, application_id, reset_since_rotation, &input);
+ if (error != KM_ERROR_OK) {
+ return error;
+ }
+ if (!unique_id->Reinitialize(UNIQUE_ID_SIZE)) {
+ return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+ }
+ hmac.Sign(input.peek_read(), input.available_read(), unique_id->peek_write(),
+ unique_id->available_write());
+ unique_id->advance_write(UNIQUE_ID_SIZE);
+ return KM_ERROR_OK;
 }
 
 // Construct an ASN1.1 DER-encoded attestation record containing the values from sw_enforced and |
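Review bot: Now that generate_unique_id reports failures through keymaster_error_t, the unchecked `hmac.Init(...)` and `hmac.Sign(...)` calls in the new body are the remaining silent-failure paths: if either fails, the function still calls `unique_id->advance_write(UNIQUE_ID_SIZE)` and returns KM_ERROR_OK, so whatever the freshly reinitialised buffer happens to hold is published as the device's unique ID. If HmacSha256::Init and Sign signal failure through a bool return, as the keymaster HMAC wrapper appears to, propagate it: `if (!hmac.Init(hbk.data(), hbk.size())) return KM_ERROR_UNKNOWN_ERROR;` and likewise `if (!hmac.Sign(...)) return KM_ERROR_UNKNOWN_ERROR;` before the advance_write, whose own result deserves the same treatment if it is a bool. Moving the `hmac.Init` below the build_unique_id_input error check would also avoid keying the HMAC on a path that is about to bail out.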