author | Shawn Willden <swillden@google.com> | 2015-06-22 05:25:59 -0600 |
---|---|---|
committer | Shawn Willden <swillden@google.com> | 2015-06-22 15:34:23 -0600 |
commit | d530305019e1ccc1e30a4f8edeb88db3d126e235 (patch) | |
tree | cdd74425a31da12f69c32ca9b3eb6882a134d2d0 /rsa_key_factory.cpp | |
parent | 0f906ec40f6ade7955c6b967ea522aade54ea2e4 (diff) | |
Validate input sizes for RSA and ECDSA signing/verification ops.
Bug: 21955742
Change-Id: I4385a6539229b174facd5f04ce0391e2e8c3608d
Diffstat (limited to 'rsa_key_factory.cpp')
-rw-r--r-- | rsa_key_factory.cpp | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/rsa_key_factory.cpp b/rsa_key_factory.cpp
index dfe2ddd..c17d9e8 100644
--- a/rsa_key_factory.cpp
+++ b/rsa_key_factory.cpp
@@ -25,14 +25,10 @@
 #include "rsa_key.h"
 #include "rsa_operation.h"
 
-#if defined(OPENSSL_IS_BORINGSSL)
-typedef size_t openssl_size_t;
-#else
-typedef int openssl_size_t;
-#endif
-
 namespace keymaster {
 
+const int kMaximumRsaKeySize = 16 * 1024; // 16kbits should be enough for anyone.
+
 static RsaSigningOperationFactory sign_factory;
 static RsaVerificationOperationFactory verify_factory;
 static RsaEncryptionOperationFactory encrypt_factory;
@@ -70,7 +66,11 @@ keymaster_error_t RsaKeyFactory::GenerateKey(const AuthorizationSet& key_descrip
 
 uint32_t key_size;
 if (!authorizations.GetTagValue(TAG_KEY_SIZE, &key_size)) {
- LOG_E("%s", "No key size specified for RSA key generation");
+ LOG_E("No key size specified for RSA key generation", 0);
+ return KM_ERROR_UNSUPPORTED_KEY_SIZE;
+ }
+ if (key_size % 8 != 0 || key_size > kMaximumRsaKeySize) {
+ LOG_E("Invalid key size of %u bits specified for RSA key generation", key_size);
 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
 }
 
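Review bot: The new range check in GenerateKey still admits key_size == 0 and any other tiny multiple of 8, because `0 % 8 == 0` and only an upper bound is applied; such a request is not rejected here and is instead left to the key generator to fail on (or, for small non-zero sizes, to produce a key far too weak to be useful). Add a lower bound next to the upper one, e.g. `if (key_size == 0 || key_size % 8 != 0 || key_size > kMaximumRsaKeySize) {`, ideally as a named minimum constant declared beside kMaximumRsaKeySize in the first hunk. In that first hunk kMaximumRsaKeySize is `const int` while key_size is `uint32_t`, so the comparison mixes signedness; `const uint32_t kMaximumRsaKeySize = 16 * 1024;` keeps it clean. GenerateKey begins before and continues after this hunk.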
@@ -143,14 +143,20 @@ keymaster_error_t RsaKeyFactory::UpdateImportKeyDescription(const AuthorizationS
 return KM_ERROR_INVALID_KEY_BLOB;
 if (!updated_description->GetTagValue(TAG_RSA_PUBLIC_EXPONENT, public_exponent))
 updated_description->push_back(TAG_RSA_PUBLIC_EXPONENT, *public_exponent);
- if (*public_exponent != BN_get_word(rsa_key->e))
+ if (*public_exponent != BN_get_word(rsa_key->e)) {
+ LOG_E("Imported public exponent (%u) does not match specified public exponent (%u)",
+ *public_exponent, BN_get_word(rsa_key->e));
 return KM_ERROR_IMPORT_PARAMETER_MISMATCH;
+ }
 
 *key_size = RSA_size(rsa_key.get()) * 8;
 if (!updated_description->GetTagValue(TAG_KEY_SIZE, key_size))
 updated_description->push_back(TAG_KEY_SIZE, *key_size);
- if (RSA_size(rsa_key.get()) * 8 != (openssl_size_t)*key_size)
+ if (RSA_size(rsa_key.get()) * 8 != *key_size) {
+ LOG_E("Imported key size (%u bits) does not match specified key size (%u bits)",
+ RSA_size(rsa_key.get()) * 8, *key_size);
 return KM_ERROR_IMPORT_PARAMETER_MISMATCH;
+ }
 
 keymaster_algorithm_t algorithm = KM_ALGORITHM_RSA;
 if (!updated_description->GetTagValue(TAG_ALGORITHM, &algorithm))
|
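Review bot: The first added LOG_E prints `*public_exponent` and `BN_get_word(rsa_key->e)` with `%u`, but both look like 64-bit values — TAG_RSA_PUBLIC_EXPONENT is a ULONG-class tag and BN_get_word returns BN_ULONG — and the declaration of public_exponent lies outside the hunk, so this should be confirmed; if they are 64-bit, `%u` misreads the varargs and the logged exponents are garbage on the very mismatch path this diagnostic exists for. Prefer an explicit width, e.g. `LOG_E("Imported public exponent (%llu) does not match specified public exponent (%llu)", (unsigned long long)*public_exponent, (unsigned long long)BN_get_word(rsa_key->e));`. Removing openssl_size_t also leaves `RSA_size(rsa_key.get()) * 8 != *key_size` comparing an `int` (OpenSSL) or `unsigned` (BoringSSL) result against `uint32_t`; a `static_cast<uint32_t>` on the RSA_size side, reused for the `%u` argument in the second LOG_E, keeps both libraries warning-free. UpdateImportKeyDescription starts before and ends after this hunk.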