diff options
author | Janis Danisevskis <jdanis@google.com> | 2018-10-08 07:30:31 -0700 |
---|---|---|
committer | Janis Danisevskis <jdanis@google.com> | 2018-11-07 11:32:03 -0800 |
commit | 2ecd6597f3be11d76c5c3b11b6e3c67aedae3823 (patch) | |
tree | 20759b398f230831366a664d484e2dcd4685e429 /keymaster | |
parent | 2267c72423b01537c5844685867600ec46126fc2 (diff) | |
download | android_hardware_interfaces-2ecd6597f3be11d76c5c3b11b6e3c67aedae3823.tar.gz android_hardware_interfaces-2ecd6597f3be11d76c5c3b11b6e3c67aedae3823.tar.bz2 android_hardware_interfaces-2ecd6597f3be11d76c5c3b11b6e3c67aedae3823.zip |
Various fixes for async keystore.
* Added missing Tag::HARDWARE_TYPE and Tag::TRUSTED_CONFIRMATION_REQUIRED
* Made AuthorizationSet::hidl_data() safer to use.
hidl_data() initializes a hidl_vec with the internal data of
std::vector using setToExternal and returns it by value. This means
the returned temporay does not own the buffer which has the life cycle
of the AuthorizationSet. This is fine if passed as parameter to a
function where it is bound to a cont reference. But if the temporary
gets assigned to something with longer life cycle move semantics kicks
in and the buffer is now tracked by something with a longer life
cycle. This patch marks the returned temporary const, so that it can
no longer be moved. It can still be bound to a const reference, but
when assigned to a variable it must get copied.
* Add Filter function to AuthorizationSet.
Bug: 111443219
Test: KeyStore CTS tests
Change-Id: I4744b7c87d01fbd905c3afb8ebeefba93605994b
Diffstat (limited to 'keymaster')
4 files changed, 38 insertions, 10 deletions
diff --git a/keymaster/4.0/support/authorization_set.cpp b/keymaster/4.0/support/authorization_set.cpp index afbcdac6d..10d272a9b 100644 --- a/keymaster/4.0/support/authorization_set.cpp +++ b/keymaster/4.0/support/authorization_set.cpp @@ -18,6 +18,8 @@ #include <assert.h> +#include <android-base/logging.h> + namespace android { namespace hardware { namespace keymaster { @@ -97,10 +99,10 @@ void AuthorizationSet::Deduplicate() { if (prev->tag == Tag::INVALID) continue; if (!keyParamEqual(*prev, *curr)) { - result.emplace_back(std::move(*prev)); + result.push_back(std::move(*prev)); } } - result.emplace_back(std::move(*prev)); + result.push_back(std::move(*prev)); std::swap(data_, result); } @@ -127,6 +129,16 @@ void AuthorizationSet::Subtract(const AuthorizationSet& other) { } } +void AuthorizationSet::Filter(std::function<bool(const KeyParameter&)> doKeep) { + std::vector<KeyParameter> result; + for (auto& param : data_) { + if (doKeep(param)) { + result.push_back(std::move(param)); + } + } + std::swap(data_, result); +} + KeyParameter& AuthorizationSet::operator[](int at) { return data_[at]; } @@ -248,7 +260,12 @@ struct choose_serializer<MetaList<Tags...>> { template <> struct choose_serializer<> { - static OutStreams& serialize(OutStreams& out, const KeyParameter&) { return out; } + static OutStreams& serialize(OutStreams& out, const KeyParameter& param) { + LOG(FATAL) << "Trying to serialize unknown tag " << unsigned(param.tag) + << ". Did you forget to add it to all_tags_t?"; + abort(); + return out; + } }; template <TagType tag_type, Tag tag, typename... Tail> diff --git a/keymaster/4.0/support/include/keymasterV4_0/Keymaster.h b/keymaster/4.0/support/include/keymasterV4_0/Keymaster.h index 83b1d6999..458053a4e 100644 --- a/keymaster/4.0/support/include/keymasterV4_0/Keymaster.h +++ b/keymaster/4.0/support/include/keymasterV4_0/Keymaster.h @@ -20,6 +20,9 @@ #include <android/hardware/keymaster/4.0/IKeymasterDevice.h> +#include <memory> +#include <vector> + namespace android { namespace hardware { namespace keymaster { diff --git a/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h b/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h index 193e4ea25..ac96c863a 100644 --- a/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h +++ b/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h @@ -142,6 +142,11 @@ class AuthorizationSet { std::vector<KeyParameter>::const_iterator end() const { return data_.end(); } /** + * Modifies this Authorization set such that it only keeps the entries for which doKeep + * returns true. + */ + void Filter(std::function<bool(const KeyParameter&)> doKeep); + /** * Returns the nth element of the set. * Like for std::vector::operator[] there is no range check performed. Use of out of range * indices is undefined. @@ -209,7 +214,7 @@ class AuthorizationSet { } } - hidl_vec<KeyParameter> hidl_data() const { + const hidl_vec<KeyParameter> hidl_data() const { hidl_vec<KeyParameter> result; result.setToExternal(const_cast<KeyParameter*>(data()), size()); return result; diff --git a/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h b/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h index 9e7d25222..61c444c16 100644 --- a/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h +++ b/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h @@ -122,6 +122,7 @@ DECLARE_TYPED_TAG(CONFIRMATION_TOKEN); DECLARE_TYPED_TAG(CREATION_DATETIME); DECLARE_TYPED_TAG(DIGEST); DECLARE_TYPED_TAG(EC_CURVE); +DECLARE_TYPED_TAG(HARDWARE_TYPE); DECLARE_TYPED_TAG(INCLUDE_UNIQUE_ID); DECLARE_TYPED_TAG(INVALID); DECLARE_TYPED_TAG(KEY_SIZE); @@ -162,12 +163,13 @@ using all_tags_t = TAG_USER_SECURE_ID_t, TAG_NO_AUTH_REQUIRED_t, TAG_AUTH_TIMEOUT_t, TAG_ALLOW_WHILE_ON_BODY_t, TAG_UNLOCKED_DEVICE_REQUIRED_t, TAG_APPLICATION_ID_t, TAG_APPLICATION_DATA_t, TAG_CREATION_DATETIME_t, TAG_ROLLBACK_RESISTANCE_t, - TAG_ROOT_OF_TRUST_t, TAG_ASSOCIATED_DATA_t, TAG_NONCE_t, TAG_BOOTLOADER_ONLY_t, - TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t, - TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t, - TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t, - TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t, - TAG_BOOT_PATCHLEVEL_t, TAG_VENDOR_PATCHLEVEL_t, TAG_TRUSTED_USER_PRESENCE_REQUIRED_t>; + TAG_HARDWARE_TYPE_t, TAG_ROOT_OF_TRUST_t, TAG_ASSOCIATED_DATA_t, TAG_NONCE_t, + TAG_BOOTLOADER_ONLY_t, TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, + TAG_ATTESTATION_CHALLENGE_t, TAG_ATTESTATION_APPLICATION_ID_t, + TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t, TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, + TAG_DIGEST_t, TAG_PADDING_t, TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, + TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t, TAG_BOOT_PATCHLEVEL_t, TAG_VENDOR_PATCHLEVEL_t, + TAG_TRUSTED_CONFIRMATION_REQUIRED_t, TAG_TRUSTED_USER_PRESENCE_REQUIRED_t>; template <typename TypedTagType> struct TypedTag2ValueType; @@ -220,6 +222,7 @@ MAKE_TAG_ENUM_VALUE_ACCESSOR(TAG_ORIGIN, f.origin) MAKE_TAG_ENUM_VALUE_ACCESSOR(TAG_PADDING, f.paddingMode) MAKE_TAG_ENUM_VALUE_ACCESSOR(TAG_PURPOSE, f.purpose) MAKE_TAG_ENUM_VALUE_ACCESSOR(TAG_USER_AUTH_TYPE, f.hardwareAuthenticatorType) +MAKE_TAG_ENUM_VALUE_ACCESSOR(TAG_HARDWARE_TYPE, f.hardwareType) template <TagType tag_type, Tag tag, typename ValueT> inline KeyParameter makeKeyParameter(TypedTag<tag_type, tag> ttag, ValueT&& value) { |