From 25924fca88b34419adb9a123928931721d21c36a Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Wed, 22 Mar 2023 15:32:05 -0700
Subject: Set a maximum accepted challenge size.
This is in accordance with the maximum challenge size specified in the generateCsrV2 request defined in the IRemotelyProvisionedComponent v3 HAL.
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: Ie3ef223ec49f83736813c9206c49fef5de5c10ca
---
 android_keymaster/android_keymaster.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/android_keymaster/android_keymaster.cpp b/android_keymaster/android_keymaster.cpp
index 94b3e99..4a97bad 100644
--- android_keymaster/android_keymaster.cpp
+++ android_keymaster/android_keymaster.cpp
@@ -134,6 +134,7 @@ std::pair blob2Pair(const keymaster_blob_t& blob) {
 return {blob.data, blob.data_length};
 }
+constexpr int kMaxChallengeSizeV2 = 64;
 constexpr int kP256AffinePointSize = 32;
 constexpr int kRoTVersion1 = 40001;
@@ -525,6 +526,14 @@ void AndroidKeymaster::GenerateCsrV2(const GenerateCsrV2Request& request,
 if (response == nullptr) return;
+ if (request.challenge.size() > kMaxChallengeSizeV2) {
+ LOG_E("Challenge is too large. %zu expected. %zu actual.",
+ kMaxChallengeSizeV2, //
+ request.challenge.size()); //
+ response->error = static_cast(kStatusFailed);
+ return;
+ }
+
 auto rem_prov_ctx = context_->GetRemoteProvisioningContext();
 if (rem_prov_ctx == nullptr) {
 LOG_E("Couldn't get a pointer to the remote provisioning context, returned null.", 0);
-- 
cgit v1.2.3
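Review bot: `kMaxChallengeSizeV2` is declared `int` in the first hunk but is passed to a `%zu` conversion in the `LOG_E` call that the second hunk adds to `GenerateCsrV2`, so the argument type does not match the format; this is undefined behaviour if `LOG_E` forwards to a printf-style formatter, as the format string suggests. The `>` comparison against `request.challenge.size()` also mixes signed and unsigned operands. Declaring the limit as `constexpr size_t kMaxChallengeSizeV2 = 64;` resolves both. The message labels the limit "expected" although it is an upper bound; `"Challenge is too large. %zu max. %zu actual."` would read more accurately when rejected requests are triaged from logs. The body of `GenerateCsrV2` starts and ends outside the hunk, so how callers surface `kStatusFailed` is not visible here.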