resolve merge conflicts of 0ab28b7 to nyc-mr1-dev-plus-aosp
Test: Built with ". build/envsetup.sh && lunch shamu-eng && make -j32"
Change-Id: I4b3081c2b9091fa2d66c717f5d57dc6e567c50e2
diff --git a/keystore-engine/Android.mk b/keystore-engine/Android.mk
index 1f5d903..b4ba269 100644
--- a/keystore-engine/Android.mk
+++ b/keystore-engine/Android.mk
@@ -16,33 +16,10 @@
include $(CLEAR_VARS)
+LOCAL_MODULE := libkeystore-engine
-ifneq (,$(wildcard $(TOP)/external/boringssl/flavor.mk))
- include $(TOP)/external/boringssl/flavor.mk
-else
- include $(TOP)/external/openssl/flavor.mk
-endif
-ifeq ($(OPENSSL_FLAVOR),BoringSSL)
- LOCAL_MODULE := libkeystore-engine
-
- LOCAL_SRC_FILES := \
+LOCAL_SRC_FILES := \
android_engine.cpp
-else
- LOCAL_MODULE := libkeystore
-
- LOCAL_MODULE_RELATIVE_PATH := ssl/engines
-
- LOCAL_SRC_FILES := \
- eng_keystore.cpp \
- keyhandle.cpp \
- ecdsa_meth.cpp \
- dsa_meth.cpp \
- rsa_meth.cpp
-
- LOCAL_C_INCLUDES += \
- external/openssl/include \
- external/openssl
-endif
LOCAL_MODULE_TAGS := optional
LOCAL_CFLAGS := -fvisibility=hidden -Wall -Werror
diff --git a/keystore-engine/android_engine.cpp b/keystore-engine/android_engine.cpp
index d23f169..de67df2 100644
--- a/keystore-engine/android_engine.cpp
+++ b/keystore-engine/android_engine.cpp
@@ -125,7 +125,7 @@
* we've transferred ownership, without triggering a warning by not using the
* result of release(). */
#define OWNERSHIP_TRANSFERRED(obj) \
- typeof (obj.release()) _dummy __attribute__((unused)) = obj.release()
+ typeof ((obj).release()) _dummy __attribute__((unused)) = (obj).release()
const char* rsa_get_key_id(const RSA* rsa) {
return reinterpret_cast<char*>(
@@ -217,7 +217,7 @@
NULL /* mod_exp */,
NULL /* bn_mod_exp */,
- RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_OPAQUE | RSA_FLAG_EXT_PKEY,
+ RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_OPAQUE,
NULL /* keygen */,
NULL /* multi_prime_keygen */,
diff --git a/keystore-engine/dsa_meth.cpp b/keystore-engine/dsa_meth.cpp
deleted file mode 100644
index 3788364..0000000
--- a/keystore-engine/dsa_meth.cpp
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * Copyright 2013 The Android Open Source Project
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#include <UniquePtr.h>
-
-//#define LOG_NDEBUG 0
-#define LOG_TAG "OpenSSL-keystore-dsa"
-#include <cutils/log.h>
-
-#include <binder/IServiceManager.h>
-#include <keystore/IKeystoreService.h>
-
-#include <openssl/dsa.h>
-#include <openssl/engine.h>
-
-#include "methods.h"
-
-
-using namespace android;
-
-struct DSA_SIG_Delete {
- void operator()(DSA_SIG* p) const {
- DSA_SIG_free(p);
- }
-};
-typedef UniquePtr<DSA_SIG, struct DSA_SIG_Delete> Unique_DSA_SIG;
-
-static DSA_SIG* keystore_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) {
- ALOGV("keystore_dsa_do_sign(%p, %d, %p)", dgst, dlen, dsa);
-
- uint8_t* key_id = reinterpret_cast<uint8_t*>(DSA_get_ex_data(dsa, dsa_key_handle));
- if (key_id == NULL) {
- ALOGE("key had no key_id!");
- return 0;
- }
-
- sp<IServiceManager> sm = defaultServiceManager();
- sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
- sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
-
- if (service == NULL) {
- ALOGE("could not contact keystore");
- return 0;
- }
-
- int num = DSA_size(dsa);
-
- uint8_t* reply = NULL;
- size_t replyLen;
- int32_t ret = service->sign(String16(reinterpret_cast<const char*>(key_id)), dgst,
- dlen, &reply, &replyLen);
- if (ret < 0) {
- ALOGW("There was an error during dsa_do_sign: could not connect");
- return 0;
- } else if (ret != 0) {
- ALOGW("Error during sign from keystore: %d", ret);
- return 0;
- } else if (replyLen <= 0) {
- ALOGW("No valid signature returned");
- return 0;
- } else if (replyLen > (size_t) num) {
- ALOGW("Signature is too large");
- return 0;
- }
-
- Unique_DSA_SIG dsa_sig(d2i_DSA_SIG(NULL,
- const_cast<const unsigned char**>(reinterpret_cast<unsigned char**>(&reply)),
- replyLen));
- if (dsa_sig.get() == NULL) {
- ALOGW("conversion from DER to DSA_SIG failed");
- return 0;
- }
-
- ALOGV("keystore_dsa_do_sign(%p, %d, %p) => returning %p len %zu", dgst, dlen, dsa,
- dsa_sig.get(), replyLen);
- return dsa_sig.release();
-}
-
-static DSA_METHOD keystore_dsa_meth = {
- kKeystoreEngineId, /* name */
- keystore_dsa_do_sign, /* dsa_do_sign */
- NULL, /* dsa_sign_setup */
- NULL, /* dsa_do_verify */
- NULL, /* dsa_mod_exp */
- NULL, /* bn_mod_exp */
- NULL, /* init */
- NULL, /* finish */
- 0, /* flags */
- NULL, /* app_data */
- NULL, /* dsa_paramgen */
- NULL, /* dsa_keygen */
-};
-
-static int register_dsa_methods() {
- const DSA_METHOD* dsa_meth = DSA_OpenSSL();
-
- keystore_dsa_meth.dsa_do_verify = dsa_meth->dsa_do_verify;
-
- return 1;
-}
-
-int dsa_pkey_setup(ENGINE *e, EVP_PKEY *pkey, const char *key_id) {
- Unique_DSA dsa(EVP_PKEY_get1_DSA(pkey));
- if (!DSA_set_ex_data(dsa.get(), dsa_key_handle, reinterpret_cast<void*>(strdup(key_id)))) {
- ALOGW("Could not set ex_data for loaded DSA key");
- return 0;
- }
-
- DSA_set_method(dsa.get(), &keystore_dsa_meth);
-
- /*
- * "DSA_set_ENGINE()" should probably be an OpenSSL API. Since it isn't,
- * and EVP_PKEY_free() calls ENGINE_finish(), we need to call ENGINE_init()
- * here.
- */
- ENGINE_init(e);
- dsa->engine = e;
-
- return 1;
-}
-
-int dsa_register(ENGINE* e) {
- if (!ENGINE_set_DSA(e, &keystore_dsa_meth)
- || !register_dsa_methods()) {
- ALOGE("Could not set up keystore DSA methods");
- return 0;
- }
-
- return 1;
-}
diff --git a/keystore-engine/ecdsa_meth.cpp b/keystore-engine/ecdsa_meth.cpp
deleted file mode 100644
index 48f178d..0000000
--- a/keystore-engine/ecdsa_meth.cpp
+++ /dev/null
@@ -1,155 +0,0 @@
-/*
- * Copyright 2013 The Android Open Source Project
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#include <UniquePtr.h>
-
-//#define LOG_NDEBUG 0
-#define LOG_TAG "OpenSSL-keystore-ecdsa"
-#include <cutils/log.h>
-
-#include <binder/IServiceManager.h>
-#include <keystore/IKeystoreService.h>
-
-#include <openssl/ecdsa.h>
-#include <openssl/engine.h>
-
-// TODO replace this with real OpenSSL API when it exists
-#include "crypto/ec/ec_lcl.h"
-#include "crypto/ecdsa/ecs_locl.h"
-
-#include "methods.h"
-
-
-using namespace android;
-
-struct ECDSA_SIG_Delete {
- void operator()(ECDSA_SIG* p) const {
- ECDSA_SIG_free(p);
- }
-};
-typedef UniquePtr<ECDSA_SIG, struct ECDSA_SIG_Delete> Unique_ECDSA_SIG;
-
-static ECDSA_SIG* keystore_ecdsa_do_sign(const unsigned char *dgst, int dlen,
- const BIGNUM*, const BIGNUM*, EC_KEY *eckey) {
- ALOGV("keystore_ecdsa_do_sign(%p, %d, %p)", dgst, dlen, eckey);
-
- uint8_t* key_id = reinterpret_cast<uint8_t*>(EC_KEY_get_key_method_data(eckey,
- ex_data_dup, ex_data_free, ex_data_clear_free));
- if (key_id == NULL) {
- ALOGE("key had no key_id!");
- return 0;
- }
-
- sp<IServiceManager> sm = defaultServiceManager();
- sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
- sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
-
- if (service == NULL) {
- ALOGE("could not contact keystore");
- return 0;
- }
-
- int num = ECDSA_size(eckey);
-
- uint8_t* reply = NULL;
- size_t replyLen;
- int32_t ret = service->sign(String16(reinterpret_cast<const char*>(key_id)), dgst,
- dlen, &reply, &replyLen);
- if (ret < 0) {
- ALOGW("There was an error during dsa_do_sign: could not connect");
- return 0;
- } else if (ret != 0) {
- ALOGW("Error during sign from keystore: %d", ret);
- return 0;
- } else if (replyLen <= 0) {
- ALOGW("No valid signature returned");
- return 0;
- } else if (replyLen > (size_t) num) {
- ALOGW("Signature is too large");
- return 0;
- }
-
- Unique_ECDSA_SIG ecdsa_sig(d2i_ECDSA_SIG(NULL,
- const_cast<const unsigned char**>(reinterpret_cast<unsigned char**>(&reply)),
- replyLen));
- if (ecdsa_sig.get() == NULL) {
- ALOGW("conversion from DER to ECDSA_SIG failed");
- return 0;
- }
-
- ALOGV("keystore_ecdsa_do_sign(%p, %d, %p) => returning %p len %zu", dgst, dlen, eckey,
- ecdsa_sig.get(), replyLen);
- return ecdsa_sig.release();
-}
-
-static ECDSA_METHOD keystore_ecdsa_meth = {
- kKeystoreEngineId, /* name */
- keystore_ecdsa_do_sign, /* ecdsa_do_sign */
- NULL, /* ecdsa_sign_setup */
- NULL, /* ecdsa_do_verify */
- 0, /* flags */
- NULL, /* app_data */
-};
-
-static int register_ecdsa_methods() {
- const ECDSA_METHOD* ecdsa_meth = ECDSA_OpenSSL();
-
- keystore_ecdsa_meth.ecdsa_do_verify = ecdsa_meth->ecdsa_do_verify;
-
- return 1;
-}
-
-int ecdsa_pkey_setup(ENGINE *e, EVP_PKEY *pkey, const char *key_id) {
- Unique_EC_KEY eckey(EVP_PKEY_get1_EC_KEY(pkey));
- void* oldData = EC_KEY_insert_key_method_data(eckey.get(),
- reinterpret_cast<void*>(strdup(key_id)), ex_data_dup, ex_data_free,
- ex_data_clear_free);
- if (oldData != NULL) {
- free(oldData);
- }
-
- ECDSA_set_method(eckey.get(), &keystore_ecdsa_meth);
-
- /*
- * "ECDSA_set_ENGINE()" should probably be an OpenSSL API. Since it isn't,
- * and EC_KEY_free() calls ENGINE_finish(), we need to call ENGINE_init()
- * here.
- */
- ECDSA_DATA *ecdsa = ecdsa_check(eckey.get());
- ENGINE_init(e);
- ecdsa->engine = e;
-
- return 1;
-}
-
-int ecdsa_register(ENGINE* e) {
- if (!ENGINE_set_ECDSA(e, &keystore_ecdsa_meth)
- || !register_ecdsa_methods()) {
- ALOGE("Could not set up keystore ECDSA methods");
- return 0;
- }
-
- return 1;
-}
diff --git a/keystore-engine/eng_keystore.cpp b/keystore-engine/eng_keystore.cpp
deleted file mode 100644
index 6feb0f9..0000000
--- a/keystore-engine/eng_keystore.cpp
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- * Copyright 2012 The Android Open Source Project
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#include <UniquePtr.h>
-
-#include <sys/socket.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/dsa.h>
-#include <openssl/engine.h>
-#include <openssl/ec.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-
-//#define LOG_NDEBUG 0
-#define LOG_TAG "OpenSSL-keystore"
-#include <cutils/log.h>
-
-#include <binder/IServiceManager.h>
-#include <keystore/keystore.h>
-#include <keystore/IKeystoreService.h>
-
-#include "methods.h"
-
-using namespace android;
-
-#define DYNAMIC_ENGINE
-const char* kKeystoreEngineId = "keystore";
-static const char* kKeystoreEngineDesc = "Android keystore engine";
-
-
-/*
- * ex_data index for keystore's key alias.
- */
-int rsa_key_handle;
-int dsa_key_handle;
-
-
-/*
- * Only initialize the *_key_handle once.
- */
-static pthread_once_t key_handle_control = PTHREAD_ONCE_INIT;
-
-/**
- * Many OpenSSL APIs take ownership of an argument on success but don't free the argument
- * on failure. This means we need to tell our scoped pointers when we've transferred ownership,
- * without triggering a warning by not using the result of release().
- */
-#define OWNERSHIP_TRANSFERRED(obj) \
- typeof (obj.release()) _dummy __attribute__((unused)) = obj.release()
-
-
-struct ENGINE_Delete {
- void operator()(ENGINE* p) const {
- ENGINE_free(p);
- }
-};
-typedef UniquePtr<ENGINE, ENGINE_Delete> Unique_ENGINE;
-
-struct EVP_PKEY_Delete {
- void operator()(EVP_PKEY* p) const {
- EVP_PKEY_free(p);
- }
-};
-typedef UniquePtr<EVP_PKEY, EVP_PKEY_Delete> Unique_EVP_PKEY;
-
-/**
- * Called to initialize RSA's ex_data for the key_id handle. This should
- * only be called when protected by a lock.
- */
-static void init_key_handle() {
- rsa_key_handle = RSA_get_ex_new_index(0, NULL, keyhandle_new, keyhandle_dup, keyhandle_free);
- dsa_key_handle = DSA_get_ex_new_index(0, NULL, keyhandle_new, keyhandle_dup, keyhandle_free);
-}
-
-static EVP_PKEY* keystore_loadkey(ENGINE* e, const char* key_id, UI_METHOD* ui_method,
- void* callback_data) {
-#if LOG_NDEBUG
- (void)ui_method;
- (void)callback_data;
-#else
- ALOGV("keystore_loadkey(%p, \"%s\", %p, %p)", e, key_id, ui_method, callback_data);
-#endif
-
- sp<IServiceManager> sm = defaultServiceManager();
- sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
- sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
-
- if (service == NULL) {
- ALOGE("could not contact keystore");
- return 0;
- }
-
- uint8_t *pubkey = NULL;
- size_t pubkeyLen;
- int32_t ret = service->get_pubkey(String16(key_id), &pubkey, &pubkeyLen);
- if (ret < 0) {
- ALOGW("could not contact keystore");
- free(pubkey);
- return NULL;
- } else if (ret != 0) {
- ALOGW("keystore reports error: %d", ret);
- free(pubkey);
- return NULL;
- }
-
- const unsigned char* tmp = reinterpret_cast<const unsigned char*>(pubkey);
- Unique_EVP_PKEY pkey(d2i_PUBKEY(NULL, &tmp, pubkeyLen));
- free(pubkey);
- if (pkey.get() == NULL) {
- ALOGW("Cannot convert pubkey");
- return NULL;
- }
-
- switch (EVP_PKEY_type(pkey->type)) {
- case EVP_PKEY_DSA: {
- dsa_pkey_setup(e, pkey.get(), key_id);
- break;
- }
- case EVP_PKEY_RSA: {
- rsa_pkey_setup(e, pkey.get(), key_id);
- break;
- }
- case EVP_PKEY_EC: {
- ecdsa_pkey_setup(e, pkey.get(), key_id);
- break;
- }
- default:
- ALOGE("Unsupported key type %d", EVP_PKEY_type(pkey->type));
- return NULL;
- }
-
- return pkey.release();
-}
-
-static const ENGINE_CMD_DEFN keystore_cmd_defns[] = {
- {0, NULL, NULL, 0}
-};
-
-static int keystore_engine_setup(ENGINE* e) {
- ALOGV("keystore_engine_setup");
-
- if (!ENGINE_set_id(e, kKeystoreEngineId)
- || !ENGINE_set_name(e, kKeystoreEngineDesc)
- || !ENGINE_set_load_privkey_function(e, keystore_loadkey)
- || !ENGINE_set_load_pubkey_function(e, keystore_loadkey)
- || !ENGINE_set_flags(e, 0)
- || !ENGINE_set_cmd_defns(e, keystore_cmd_defns)) {
- ALOGE("Could not set up keystore engine");
- return 0;
- }
-
- /* We need a handle in the keys types as well for keygen if it's not already initialized. */
- pthread_once(&key_handle_control, init_key_handle);
- if ((rsa_key_handle < 0) || (dsa_key_handle < 0)) {
- ALOGE("Could not set up ex_data index");
- return 0;
- }
-
- if (!dsa_register(e)) {
- ALOGE("DSA registration failed");
- return 0;
- } else if (!ecdsa_register(e)) {
- ALOGE("ECDSA registration failed");
- return 0;
- } else if (!rsa_register(e)) {
- ALOGE("RSA registration failed");
- return 0;
- }
-
- return 1;
-}
-
-ENGINE* ENGINE_keystore() {
- ALOGV("ENGINE_keystore");
-
- Unique_ENGINE engine(ENGINE_new());
- if (engine.get() == NULL) {
- return NULL;
- }
-
- if (!keystore_engine_setup(engine.get())) {
- return NULL;
- }
-
- return engine.release();
-}
-
-static int keystore_bind_fn(ENGINE *e, const char *id) {
- ALOGV("keystore_bind_fn");
-
- if (!id) {
- return 0;
- }
-
- if (strcmp(id, kKeystoreEngineId)) {
- return 0;
- }
-
- if (!keystore_engine_setup(e)) {
- return 0;
- }
-
- return 1;
-}
-
-extern "C" {
-#undef OPENSSL_EXPORT
-#define OPENSSL_EXPORT extern __attribute__ ((visibility ("default")))
-
-IMPLEMENT_DYNAMIC_CHECK_FN()
-IMPLEMENT_DYNAMIC_BIND_FN(keystore_bind_fn)
-};
diff --git a/keystore-engine/keyhandle.cpp b/keystore-engine/keyhandle.cpp
deleted file mode 100644
index aeba896..0000000
--- a/keystore-engine/keyhandle.cpp
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright 2012 The Android Open Source Project
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#include <openssl/engine.h>
-
-#include <string.h>
-
-/**
- * Makes sure the ex_data for the keyhandle is initially set to NULL.
- */
-int keyhandle_new(void*, void*, CRYPTO_EX_DATA* ad, int idx, long, void*) {
- return CRYPTO_set_ex_data(ad, idx, NULL);
-}
-
-/**
- * Frees a previously allocated keyhandle stored in ex_data.
- */
-void keyhandle_free(void *, void *ptr, CRYPTO_EX_DATA*, int, long, void*) {
- char* keyhandle = reinterpret_cast<char*>(ptr);
- if (keyhandle != NULL) {
- free(keyhandle);
- }
-}
-
-/**
- * Duplicates a keyhandle stored in ex_data in case we copy a key.
- */
-int keyhandle_dup(CRYPTO_EX_DATA* to, CRYPTO_EX_DATA*, void *ptrRef, int idx, long, void *) {
- // This appears to be a bug in OpenSSL.
- void** ptr = reinterpret_cast<void**>(ptrRef);
- char* keyhandle = reinterpret_cast<char*>(*ptr);
- if (keyhandle != NULL) {
- char* keyhandle_copy = strdup(keyhandle);
- *ptr = keyhandle_copy;
-
- // Call this in case OpenSSL is fixed in the future.
- (void) CRYPTO_set_ex_data(to, idx, keyhandle_copy);
- }
- return 1;
-}
-
-void *ex_data_dup(void *data) {
- char* keyhandle = reinterpret_cast<char*>(data);
- return strdup(keyhandle);
-}
-
-void ex_data_free(void *data) {
- char* keyhandle = reinterpret_cast<char*>(data);
- free(keyhandle);
-}
-
-void ex_data_clear_free(void *data) {
- char* keyhandle = reinterpret_cast<char*>(data);
- memset(data, '\0', strlen(keyhandle));
- free(keyhandle);
-}
diff --git a/keystore-engine/rsa_meth.cpp b/keystore-engine/rsa_meth.cpp
deleted file mode 100644
index 74dfa5c..0000000
--- a/keystore-engine/rsa_meth.cpp
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * Copyright 2012 The Android Open Source Project
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#include <UniquePtr.h>
-
-//#define LOG_NDEBUG 0
-#define LOG_TAG "OpenSSL-keystore-rsa"
-#include <cutils/log.h>
-
-#include <binder/IServiceManager.h>
-#include <keystore/IKeystoreService.h>
-
-#include <openssl/rsa.h>
-#include <openssl/engine.h>
-
-#include "methods.h"
-
-
-using namespace android;
-
-
-int keystore_rsa_priv_enc(int flen, const unsigned char* from, unsigned char* to, RSA* rsa,
- int padding) {
- ALOGV("keystore_rsa_priv_enc(%d, %p, %p, %p, %d)", flen, from, to, rsa, padding);
-
- int num = RSA_size(rsa);
- UniquePtr<uint8_t> padded(new uint8_t[num]);
- if (padded.get() == NULL) {
- ALOGE("could not allocate padded signature");
- return 0;
- }
-
- switch (padding) {
- case RSA_PKCS1_PADDING:
- if (!RSA_padding_add_PKCS1_type_1(padded.get(), num, from, flen)) {
- return 0;
- }
- break;
- case RSA_X931_PADDING:
- if (!RSA_padding_add_X931(padded.get(), num, from, flen)) {
- return 0;
- }
- break;
- case RSA_NO_PADDING:
- if (!RSA_padding_add_none(padded.get(), num, from, flen)) {
- return 0;
- }
- break;
- default:
- ALOGE("Unknown padding type: %d", padding);
- return 0;
- }
-
- uint8_t* key_id = reinterpret_cast<uint8_t*>(RSA_get_ex_data(rsa, rsa_key_handle));
- if (key_id == NULL) {
- ALOGE("key had no key_id!");
- return 0;
- }
-
- sp<IServiceManager> sm = defaultServiceManager();
- sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
- sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
-
- if (service == NULL) {
- ALOGE("could not contact keystore");
- return 0;
- }
-
- uint8_t* reply = NULL;
- size_t replyLen;
- int32_t ret = service->sign(String16(reinterpret_cast<const char*>(key_id)), padded.get(),
- num, &reply, &replyLen);
- if (ret < 0) {
- ALOGW("There was an error during signing: could not connect");
- free(reply);
- return 0;
- } else if (ret != 0) {
- ALOGW("Error during signing from keystore: %d", ret);
- free(reply);
- return 0;
- } else if (replyLen <= 0) {
- ALOGW("No valid signature returned");
- return 0;
- }
-
- memcpy(to, reply, replyLen);
- free(reply);
-
- ALOGV("rsa=%p keystore_rsa_priv_enc => returning %p len %llu", rsa, to,
- (unsigned long long) replyLen);
- return static_cast<int>(replyLen);
-}
-
-int keystore_rsa_priv_dec(int flen, const unsigned char* from, unsigned char* to, RSA* rsa,
- int padding) {
- ALOGV("keystore_rsa_priv_dec(%d, %p, %p, %p, %d)", flen, from, to, rsa, padding);
-
- uint8_t* key_id = reinterpret_cast<uint8_t*>(RSA_get_ex_data(rsa, rsa_key_handle));
- if (key_id == NULL) {
- ALOGE("key had no key_id!");
- return 0;
- }
-
- sp<IServiceManager> sm = defaultServiceManager();
- sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
- sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
-
- if (service == NULL) {
- ALOGE("could not contact keystore");
- return 0;
- }
-
- int num = RSA_size(rsa);
-
- uint8_t* reply = NULL;
- size_t replyLen;
- int32_t ret = service->sign(String16(reinterpret_cast<const char*>(key_id)), from,
- flen, &reply, &replyLen);
- if (ret < 0) {
- ALOGW("There was an error during rsa_mod_exp: could not connect");
- return 0;
- } else if (ret != 0) {
- ALOGW("Error during sign from keystore: %d", ret);
- return 0;
- } else if (replyLen <= 0) {
- ALOGW("No valid signature returned");
- return 0;
- }
-
- /* Trim off the top zero if it's there */
- uint8_t* alignedReply;
- if (*reply == 0x00) {
- alignedReply = reply + 1;
- replyLen--;
- } else {
- alignedReply = reply;
- }
-
- int outSize;
- switch (padding) {
- case RSA_PKCS1_PADDING:
- outSize = RSA_padding_check_PKCS1_type_2(to, num, alignedReply, replyLen, num);
- break;
- case RSA_X931_PADDING:
- outSize = RSA_padding_check_X931(to, num, alignedReply, replyLen, num);
- break;
- case RSA_NO_PADDING:
- outSize = RSA_padding_check_none(to, num, alignedReply, replyLen, num);
- break;
- default:
- ALOGE("Unknown padding type: %d", padding);
- outSize = -1;
- break;
- }
-
- free(reply);
-
- ALOGV("rsa=%p keystore_rsa_priv_dec => returning %p len %d", rsa, to, outSize);
- return outSize;
-}
-
-static RSA_METHOD keystore_rsa_meth = {
- kKeystoreEngineId,
- NULL, /* rsa_pub_enc (wrap) */
- NULL, /* rsa_pub_dec (verification) */
- keystore_rsa_priv_enc, /* rsa_priv_enc (signing) */
- keystore_rsa_priv_dec, /* rsa_priv_dec (unwrap) */
- NULL, /* rsa_mod_exp */
- NULL, /* bn_mod_exp */
- NULL, /* init */
- NULL, /* finish */
- RSA_FLAG_EXT_PKEY | RSA_FLAG_NO_BLINDING, /* flags */
- NULL, /* app_data */
- NULL, /* rsa_sign */
- NULL, /* rsa_verify */
- NULL, /* rsa_keygen */
-};
-
-static int register_rsa_methods() {
- const RSA_METHOD* rsa_meth = RSA_PKCS1_SSLeay();
-
- keystore_rsa_meth.rsa_pub_enc = rsa_meth->rsa_pub_enc;
- keystore_rsa_meth.rsa_pub_dec = rsa_meth->rsa_pub_dec;
- keystore_rsa_meth.rsa_mod_exp = rsa_meth->rsa_mod_exp;
- keystore_rsa_meth.bn_mod_exp = rsa_meth->bn_mod_exp;
-
- return 1;
-}
-
-int rsa_pkey_setup(ENGINE *e, EVP_PKEY *pkey, const char *key_id) {
- Unique_RSA rsa(EVP_PKEY_get1_RSA(pkey));
- if (!RSA_set_ex_data(rsa.get(), rsa_key_handle, reinterpret_cast<void*>(strdup(key_id)))) {
- ALOGW("Could not set ex_data for loaded RSA key");
- return 0;
- }
-
- RSA_set_method(rsa.get(), &keystore_rsa_meth);
- RSA_blinding_off(rsa.get());
-
- /*
- * "RSA_set_ENGINE()" should probably be an OpenSSL API. Since it isn't,
- * and EVP_PKEY_free() calls ENGINE_finish(), we need to call ENGINE_init()
- * here.
- */
- ENGINE_init(e);
- rsa->engine = e;
- rsa->flags |= RSA_FLAG_EXT_PKEY;
-
- return 1;
-}
-
-int rsa_register(ENGINE* e) {
- if (!ENGINE_set_RSA(e, &keystore_rsa_meth)
- || !register_rsa_methods()) {
- ALOGE("Could not set up keystore RSA methods");
- return 0;
- }
-
- return 1;
-}
diff --git a/keystore/Android.mk b/keystore/Android.mk
index baff509..f17d5eb 100644
--- a/keystore/Android.mk
+++ b/keystore/Android.mk
@@ -113,6 +113,7 @@
LOCAL_MODULE_TAGS := optional
LOCAL_C_INCLUDES := $(LOCAL_PATH)/include $(call keystore_proto_include)
LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
+LOCAL_EXPORT_SHARED_LIBRARY_HEADERS := libbinder
LOCAL_CLANG := true
LOCAL_SANITIZE := integer
LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
diff --git a/keystore/IKeystoreService.cpp b/keystore/IKeystoreService.cpp
index 7df03c7..acd6968 100644
--- a/keystore/IKeystoreService.cpp
+++ b/keystore/IKeystoreService.cpp
@@ -55,7 +55,8 @@
OperationResult::~OperationResult() {
}
-void OperationResult::readFromParcel(const Parcel& in) {
+status_t OperationResult::readFromParcel(const Parcel* inn) {
+ const Parcel& in = *inn;
resultCode = in.readInt32();
token = in.readStrongBinder();
handle = static_cast<keymaster_operation_handle_t>(in.readInt64());
@@ -77,9 +78,10 @@
}
}
outParams.readFromParcel(in);
+ return OK;
}
-void OperationResult::writeToParcel(Parcel* out) const {
+status_t OperationResult::writeToParcel(Parcel* out) const {
out->writeInt32(resultCode);
out->writeStrongBinder(token);
out->writeInt64(handle);
@@ -94,6 +96,7 @@
}
}
outParams.writeToParcel(out);
+ return OK;
}
ExportResult::ExportResult() : resultCode(0), exportData(NULL), dataLength(0) {
@@ -102,7 +105,8 @@
ExportResult::~ExportResult() {
}
-void ExportResult::readFromParcel(const Parcel& in) {
+status_t ExportResult::readFromParcel(const Parcel* inn) {
+ const Parcel& in = *inn;
resultCode = in.readInt32();
ssize_t length = in.readInt32();
dataLength = 0;
@@ -120,9 +124,10 @@
ALOGE("Failed to readInplace ExportData data");
}
}
+ return OK;
}
-void ExportResult::writeToParcel(Parcel* out) const {
+status_t ExportResult::writeToParcel(Parcel* out) const {
out->writeInt32(resultCode);
out->writeInt32(dataLength);
if (exportData && dataLength) {
@@ -133,6 +138,7 @@
ALOGE("Failed to writeInplace ExportResult data.");
}
}
+ return OK;
}
KeymasterArguments::KeymasterArguments() {
@@ -176,7 +182,8 @@
keymaster_free_characteristics(&characteristics);
}
-void KeyCharacteristics::readFromParcel(const Parcel& in) {
+status_t KeyCharacteristics::readFromParcel(const Parcel* inn) {
+ const Parcel& in = *inn;
size_t length = 0;
keymaster_key_param_t* params = readParamList(in, &length);
characteristics.sw_enforced.params = params;
@@ -185,9 +192,10 @@
params = readParamList(in, &length);
characteristics.hw_enforced.params = params;
characteristics.hw_enforced.length = length;
+ return OK;
}
-void KeyCharacteristics::writeToParcel(Parcel* out) const {
+status_t KeyCharacteristics::writeToParcel(Parcel* out) const {
if (characteristics.sw_enforced.params) {
out->writeInt32(characteristics.sw_enforced.length);
for (size_t i = 0; i < characteristics.sw_enforced.length; i++) {
@@ -206,6 +214,7 @@
} else {
out->writeInt32(0);
}
+ return OK;
}
KeymasterCertificateChain::KeymasterCertificateChain() {
@@ -226,7 +235,7 @@
return false;
}
- blob->data = reinterpret_cast<const uint8_t*>(malloc(length));
+ blob->data = static_cast<const uint8_t*>(malloc(length));
if (!blob->data)
return false;
@@ -455,7 +464,7 @@
class BpKeystoreService: public BpInterface<IKeystoreService>
{
public:
- BpKeystoreService(const sp<IBinder>& impl)
+ explicit BpKeystoreService(const sp<IBinder>& impl)
: BpInterface<IKeystoreService>(impl)
{
}
@@ -1019,8 +1028,8 @@
ALOGD("generateKey() caught exception %d\n", err);
return KM_ERROR_UNKNOWN_ERROR;
}
- if (reply.readInt32() != 0 && outCharacteristics) {
- outCharacteristics->readFromParcel(reply);
+ if (outCharacteristics) {
+ reply.readParcelable(outCharacteristics);
}
return ret;
}
@@ -1055,8 +1064,8 @@
ALOGD("getKeyCharacteristics() caught exception %d\n", err);
return KM_ERROR_UNKNOWN_ERROR;
}
- if (reply.readInt32() != 0 && outCharacteristics) {
- outCharacteristics->readFromParcel(reply);
+ if (outCharacteristics) {
+ reply.readParcelable(outCharacteristics);
}
return ret;
}
@@ -1085,8 +1094,8 @@
ALOGD("importKey() caught exception %d\n", err);
return KM_ERROR_UNKNOWN_ERROR;
}
- if (reply.readInt32() != 0 && outCharacteristics) {
- outCharacteristics->readFromParcel(reply);
+ if (outCharacteristics) {
+ reply.readParcelable(outCharacteristics);
}
return ret;
}
@@ -1126,9 +1135,8 @@
result->resultCode = KM_ERROR_UNKNOWN_ERROR;
return;
}
- if (reply.readInt32() != 0) {
- result->readFromParcel(reply);
- }
+
+ reply.readParcelable(result);
}
virtual void begin(const sp<IBinder>& appToken, const String16& name,
@@ -1161,9 +1169,8 @@
result->resultCode = KM_ERROR_UNKNOWN_ERROR;
return;
}
- if (reply.readInt32() != 0) {
- result->readFromParcel(reply);
- }
+
+ reply.readParcelable(result);
}
virtual void update(const sp<IBinder>& token, const KeymasterArguments& params,
@@ -1190,9 +1197,8 @@
result->resultCode = KM_ERROR_UNKNOWN_ERROR;
return;
}
- if (reply.readInt32() != 0) {
- result->readFromParcel(reply);
- }
+
+ reply.readParcelable(result);
}
virtual void finish(const sp<IBinder>& token, const KeymasterArguments& params,
@@ -1222,9 +1228,8 @@
result->resultCode = KM_ERROR_UNKNOWN_ERROR;
return;
}
- if (reply.readInt32() != 0) {
- result->readFromParcel(reply);
- }
+
+ reply.readParcelable(result);
}
virtual int32_t abort(const sp<IBinder>& token)
@@ -1698,8 +1703,7 @@
&outCharacteristics);
reply->writeNoException();
reply->writeInt32(ret);
- reply->writeInt32(1);
- outCharacteristics.writeToParcel(reply);
+ reply->writeParcelable(outCharacteristics);
return NO_ERROR;
}
case GET_KEY_CHARACTERISTICS: {
@@ -1711,10 +1715,15 @@
KeyCharacteristics outCharacteristics;
int ret = getKeyCharacteristics(name, clientId.get(), appData.get(), uid,
&outCharacteristics);
+ if (clientId.get() && clientId->data) {
+ free(const_cast<void*>(static_cast<const void*>(clientId->data)));
+ }
+ if (appData.get() && appData->data) {
+ free(const_cast<void*>(static_cast<const void*>(appData->data)));
+ }
reply->writeNoException();
reply->writeInt32(ret);
- reply->writeInt32(1);
- outCharacteristics.writeToParcel(reply);
+ reply->writeParcelable(outCharacteristics);
return NO_ERROR;
}
case IMPORT_KEY: {
@@ -1735,9 +1744,7 @@
&outCharacteristics);
reply->writeNoException();
reply->writeInt32(ret);
- reply->writeInt32(1);
- outCharacteristics.writeToParcel(reply);
-
+ reply->writeParcelable(outCharacteristics);
return NO_ERROR;
}
case EXPORT_KEY: {
@@ -1749,9 +1756,14 @@
int32_t uid = data.readInt32();
ExportResult result;
exportKey(name, format, clientId.get(), appData.get(), uid, &result);
+ if (clientId.get() && clientId->data) {
+ free(const_cast<void*>(static_cast<const void*>(clientId->data)));
+ }
+ if (appData.get() && appData->data) {
+ free(const_cast<void*>(static_cast<const void*>(appData->data)));
+ }
reply->writeNoException();
- reply->writeInt32(1);
- result.writeToParcel(reply);
+ reply->writeParcelable(result);
return NO_ERROR;
}
@@ -1772,8 +1784,7 @@
OperationResult result;
begin(token, name, purpose, pruneable, args, entropy, entropyLength, uid, &result);
reply->writeNoException();
- reply->writeInt32(1);
- result.writeToParcel(reply);
+ reply->writeParcelable(result);
return NO_ERROR;
}
@@ -1790,8 +1801,7 @@
OperationResult result;
update(token, args, buf, bufLength, &result);
reply->writeNoException();
- reply->writeInt32(1);
- result.writeToParcel(reply);
+ reply->writeParcelable(result);
return NO_ERROR;
}
@@ -1811,8 +1821,7 @@
OperationResult result;
finish(token, args, signature, signatureLength, entropy, entropyLength, &result);
reply->writeNoException();
- reply->writeInt32(1);
- result.writeToParcel(reply);
+ reply->writeParcelable(result);
return NO_ERROR;
}
diff --git a/keystore/auth_token_table.h b/keystore/auth_token_table.h
index 76cf816..4d54a39 100644
--- a/keystore/auth_token_table.h
+++ b/keystore/auth_token_table.h
@@ -41,7 +41,7 @@
*/
class AuthTokenTable {
public:
- AuthTokenTable(size_t max_entries = 32, time_t (*clock_function)() = clock_gettime_raw)
+ explicit AuthTokenTable(size_t max_entries = 32, time_t (*clock_function)() = clock_gettime_raw)
: max_entries_(max_entries), last_off_body_(clock_function()), clock_function_(clock_function) {}
enum Error {
diff --git a/keystore/blob.h b/keystore/blob.h
index e2fc9be..d4b5a84 100644
--- a/keystore/blob.h
+++ b/keystore/blob.h
@@ -79,7 +79,7 @@
public:
Blob(const uint8_t* value, size_t valueLength, const uint8_t* info, uint8_t infoLength,
BlobType type);
- Blob(blob b);
+ explicit Blob(blob b);
Blob();
diff --git a/keystore/include/keystore/IKeystoreService.h b/keystore/include/keystore/IKeystoreService.h
index defd4a9..1a2f554 100644
--- a/keystore/include/keystore/IKeystoreService.h
+++ b/keystore/include/keystore/IKeystoreService.h
@@ -53,11 +53,11 @@
};
// struct for serializing the results of begin/update/finish
-struct OperationResult {
+struct OperationResult : public ::android::Parcelable {
OperationResult();
~OperationResult();
- void readFromParcel(const Parcel& in);
- void writeToParcel(Parcel* out) const;
+ status_t readFromParcel(const Parcel* in) override;
+ status_t writeToParcel(Parcel* out) const override;
int resultCode;
sp<IBinder> token;
@@ -69,11 +69,11 @@
};
// struct for serializing the results of export
-struct ExportResult {
+struct ExportResult : public ::android::Parcelable {
ExportResult();
~ExportResult();
- void readFromParcel(const Parcel& in);
- void writeToParcel(Parcel* out) const;
+ status_t readFromParcel(const Parcel* in) override;
+ status_t writeToParcel(Parcel* out) const override;
int resultCode;
std::unique_ptr<uint8_t[], MallocDeleter> exportData;
@@ -81,11 +81,11 @@
};
// struct for serializing keymaster_key_characteristics_t's
-struct KeyCharacteristics {
+struct KeyCharacteristics : public ::android::Parcelable {
KeyCharacteristics();
~KeyCharacteristics();
- void readFromParcel(const Parcel& in);
- void writeToParcel(Parcel* out) const;
+ status_t readFromParcel(const Parcel* in) override;
+ status_t writeToParcel(Parcel* out) const override;
keymaster_key_characteristics_t characteristics;
};
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 020bfe4..f2207c0 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -50,7 +50,7 @@
void KeyStoreService::binderDied(const wp<IBinder>& who) {
auto operations = mOperationMap.getOperationsForToken(who.unsafe_get());
- for (auto token : operations) {
+ for (const auto& token : operations) {
abort(token);
}
}
@@ -315,7 +315,7 @@
ALOGI("invalid number of arguments: %zu", args->size());
return ::SYSTEM_ERROR;
} else if (args->size() == 1) {
- sp<KeystoreArg> expArg = args->itemAt(0);
+ const sp<KeystoreArg>& expArg = args->itemAt(0);
if (expArg != NULL) {
Unique_BIGNUM pubExpBn(BN_bin2bn(
reinterpret_cast<const unsigned char*>(expArg->data()), expArg->size(), NULL));
@@ -1494,7 +1494,7 @@
* KM_ERROR_INVALID_OPERATION_HANDLE if token is not a valid
* operation token.
*/
-int32_t KeyStoreService::addOperationAuthTokenIfNeeded(sp<IBinder> token,
+int32_t KeyStoreService::addOperationAuthTokenIfNeeded(const sp<IBinder>& token,
std::vector<keymaster_key_param_t>* params) {
const hw_auth_token_t* authToken = NULL;
mOperationMap.getOperationAuthToken(token, &authToken);
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index cd43391..cfbc91f 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -31,7 +31,7 @@
class KeyStoreService : public BnKeystoreService, public IBinder::DeathRecipient {
public:
- KeyStoreService(KeyStore* keyStore) : mKeyStore(keyStore), mOperationMap(this) {}
+ explicit KeyStoreService(KeyStore* keyStore) : mKeyStore(keyStore), mOperationMap(this) {}
void binderDied(const wp<IBinder>& who);
@@ -209,7 +209,7 @@
* KM_ERROR_INVALID_OPERATION_HANDLE if token is not a valid
* operation token.
*/
- int32_t addOperationAuthTokenIfNeeded(sp<IBinder> token,
+ int32_t addOperationAuthTokenIfNeeded(const sp<IBinder>& token,
std::vector<keymaster_key_param_t>* params);
/**
diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index d0a61bf..0b86e83 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -116,37 +116,37 @@
}
android::String8 KeyStore::getKeyName(const android::String8& keyName, const BlobType type) {
- char encoded[encode_key_length(keyName) + 1]; // add 1 for null char
- encode_key(encoded, keyName);
+ std::vector<char> encoded(encode_key_length(keyName) + 1); // add 1 for null char
+ encode_key(encoded.data(), keyName);
if (type == TYPE_KEY_CHARACTERISTICS) {
- return android::String8::format(".chr_%s", encoded);
+ return android::String8::format(".chr_%s", encoded.data());
} else {
- return android::String8(encoded);
+ return android::String8(encoded.data());
}
}
android::String8 KeyStore::getKeyNameForUid(
const android::String8& keyName, uid_t uid, const BlobType type) {
- char encoded[encode_key_length(keyName) + 1]; // add 1 for null char
- encode_key(encoded, keyName);
+ std::vector<char> encoded(encode_key_length(keyName) + 1); // add 1 for null char
+ encode_key(encoded.data(), keyName);
if (type == TYPE_KEY_CHARACTERISTICS) {
- return android::String8::format(".%u_chr_%s", uid, encoded);
+ return android::String8::format(".%u_chr_%s", uid, encoded.data());
} else {
- return android::String8::format("%u_%s", uid, encoded);
+ return android::String8::format("%u_%s", uid, encoded.data());
}
}
android::String8 KeyStore::getKeyNameForUidWithDir(
const android::String8& keyName, uid_t uid, const BlobType type) {
- char encoded[encode_key_length(keyName) + 1]; // add 1 for null char
- encode_key(encoded, keyName);
+ std::vector<char> encoded(encode_key_length(keyName) + 1); // add 1 for null char
+ encode_key(encoded.data(), keyName);
if (type == TYPE_KEY_CHARACTERISTICS) {
return android::String8::format("%s/.%u_chr_%s", getUserStateByUid(uid)->getUserDirName(),
- uid, encoded);
+ uid, encoded.data());
} else {
return android::String8::format("%s/%u_%s", getUserStateByUid(uid)->getUserDirName(), uid,
- encoded);
+ encoded.data());
}
}
diff --git a/keystore/keystore_cli.cpp b/keystore/keystore_cli.cpp
index 7f6996b..d9781e0 100644
--- a/keystore/keystore_cli.cpp
+++ b/keystore/keystore_cli.cpp
@@ -193,7 +193,7 @@
} \
} while (0)
-static int list(sp<IKeystoreService> service, const String16& name, int uid) {
+static int list(const sp<IKeystoreService>& service, const String16& name, int uid) {
Vector<String16> matches;
int32_t ret = service->list(name, uid, &matches);
if (ret < 0) {
diff --git a/keystore/keystore_cli_v2.cpp b/keystore/keystore_cli_v2.cpp
index c4dbf5d..6c229db 100644
--- a/keystore/keystore_cli_v2.cpp
+++ b/keystore/keystore_cli_v2.cpp
@@ -19,6 +19,7 @@
#include "base/command_line.h"
#include "base/files/file_util.h"
+#include "base/strings/string_util.h"
#include "keymaster/authorization_set.h"
#include "keymaster/keymaster_tags.h"
#include "keystore/keystore_client_impl.h"
@@ -38,7 +39,7 @@
void PrintUsageAndExit() {
printf("Usage: keystore_client_v2 <command> [options]\n");
- printf("Commands: brillo-platform-test [--prefix=<test_name_prefix>]\n"
+ printf("Commands: brillo-platform-test [--prefix=<test_name_prefix>] [--test_for_0_3]\n"
" list-brillo-tests\n"
" add-entropy --input=<entropy>\n"
" generate --name=<key_name>\n"
@@ -58,7 +59,7 @@
}
#ifndef KEYMASTER_NAME_TAGS
-#erro KEYMASTER_NAME_TAGS must be defined
+#error KEYMASTER_NAME_TAGS must be defined
#endif
void PrintTags(const AuthorizationSet& parameters) {
@@ -82,28 +83,25 @@
AuthorizationSet software_enforced_characteristics;
int32_t result = keystore->generateKey("tmp", parameters, &hardware_enforced_characteristics,
&software_enforced_characteristics);
+ const char kBoldRedAbort[] = "\033[1;31mABORT\033[0m";
if (result != KM_ERROR_OK) {
LOG(ERROR) << "Failed to generate key: " << result;
- printf("%s Result: ABORT\n", name.c_str());
+ printf("[%s] %s\n", kBoldRedAbort, name.c_str());
return false;
}
result = keystore->deleteKey("tmp");
if (result != KM_ERROR_OK) {
LOG(ERROR) << "Failed to delete key: " << result;
- printf("%s Result: ABORT\n", name.c_str());
+ printf("[%s] %s\n", kBoldRedAbort, name.c_str());
return false;
}
printf("===============================================================\n");
printf("%s Key Characteristics:\n", name.c_str());
PrintKeyCharacteristics(hardware_enforced_characteristics, software_enforced_characteristics);
bool hardware_backed = (hardware_enforced_characteristics.size() > 0);
- if (software_enforced_characteristics.GetTagCount(KM_TAG_PURPOSE) > 0 ||
- software_enforced_characteristics.GetTagCount(KM_TAG_ALGORITHM) > 0 ||
+ if (software_enforced_characteristics.GetTagCount(KM_TAG_ALGORITHM) > 0 ||
software_enforced_characteristics.GetTagCount(KM_TAG_KEY_SIZE) > 0 ||
- software_enforced_characteristics.GetTagCount(KM_TAG_RSA_PUBLIC_EXPONENT) > 0 ||
- software_enforced_characteristics.GetTagCount(KM_TAG_DIGEST) > 0 ||
- software_enforced_characteristics.GetTagCount(KM_TAG_PADDING) > 0 ||
- software_enforced_characteristics.GetTagCount(KM_TAG_BLOCK_MODE) > 0) {
+ software_enforced_characteristics.GetTagCount(KM_TAG_RSA_PUBLIC_EXPONENT) > 0) {
VLOG(1) << "Hardware-backed key but required characteristics enforced in software.";
hardware_backed = false;
}
@@ -164,6 +162,7 @@
parameters.Authorization(keymaster::TAG_BLOCK_MODE, KM_MODE_ECB);
parameters.Authorization(keymaster::TAG_BLOCK_MODE, KM_MODE_CBC);
parameters.Authorization(keymaster::TAG_BLOCK_MODE, KM_MODE_CTR);
+ parameters.Padding(KM_PAD_NONE);
}
return parameters.build();
}
@@ -205,12 +204,23 @@
return std::vector<TestCase>(&test_cases[0], &test_cases[arraysize(test_cases)]);
}
-int BrilloPlatformTest(const std::string& prefix) {
+int BrilloPlatformTest(const std::string& prefix, bool test_for_0_3) {
+ const char kBoldYellowWarning[] = "\033[1;33mWARNING\033[0m";
+ if (test_for_0_3) {
+ printf("%s: Testing for keymaster v0.3. "
+ "This does not meet Brillo requirements.\n", kBoldYellowWarning);
+ }
int test_count = 0;
int fail_count = 0;
std::vector<TestCase> test_cases = GetTestCases();
for (const auto& test_case : test_cases) {
- if (!prefix.empty() && test_case.name.find(prefix) != 0) {
+ if (!prefix.empty() &&
+ !base::StartsWith(test_case.name, prefix, base::CompareCase::SENSITIVE)) {
+ continue;
+ }
+ if (test_for_0_3 &&
+ (base::StartsWith(test_case.name, "AES", base::CompareCase::SENSITIVE) ||
+ base::StartsWith(test_case.name, "HMAC", base::CompareCase::SENSITIVE))) {
continue;
}
++test_count;
@@ -432,7 +442,8 @@
PrintUsageAndExit();
}
if (args[0] == "brillo-platform-test") {
- return BrilloPlatformTest(command_line->GetSwitchValueASCII("prefix"));
+ return BrilloPlatformTest(command_line->GetSwitchValueASCII("prefix"),
+ command_line->HasSwitch("test_for_0_3"));
} else if (args[0] == "list-brillo-tests") {
return ListTestCases();
} else if (args[0] == "add-entropy") {
diff --git a/keystore/keystore_utils.cpp b/keystore/keystore_utils.cpp
index b653dd8..4617afd 100644
--- a/keystore/keystore_utils.cpp
+++ b/keystore/keystore_utils.cpp
@@ -51,6 +51,10 @@
data += n;
remaining -= n;
}
+ if (TEMP_FAILURE_RETRY(fsync(fd)) == -1) {
+ ALOGW("fsync failed: %s", strerror(errno));
+ return -1;
+ }
return size;
}
diff --git a/keystore/operation.cpp b/keystore/operation.cpp
index 72aa95f..e8ae8b7 100644
--- a/keystore/operation.cpp
+++ b/keystore/operation.cpp
@@ -25,7 +25,7 @@
sp<IBinder> OperationMap::addOperation(keymaster_operation_handle_t handle, uint64_t keyid,
keymaster_purpose_t purpose, const keymaster2_device_t* dev,
- sp<IBinder> appToken,
+ const sp<IBinder>& appToken,
keymaster_key_characteristics_t* characteristics,
bool pruneable) {
sp<IBinder> token = new BBinder();
@@ -40,7 +40,7 @@
return token;
}
-bool OperationMap::getOperation(sp<IBinder> token, keymaster_operation_handle_t* outHandle,
+bool OperationMap::getOperation(const sp<IBinder>& token, keymaster_operation_handle_t* outHandle,
uint64_t* outKeyid, keymaster_purpose_t* outPurpose,
const keymaster2_device_t** outDevice,
const keymaster_key_characteristics_t** outCharacteristics) {
@@ -63,7 +63,7 @@
return true;
}
-void OperationMap::updateLru(sp<IBinder> token) {
+void OperationMap::updateLru(const sp<IBinder>& token) {
auto lruEntry = std::find(mLru.begin(), mLru.end(), token);
if (lruEntry != mLru.end()) {
mLru.erase(lruEntry);
@@ -71,7 +71,7 @@
}
}
-bool OperationMap::removeOperation(sp<IBinder> token) {
+bool OperationMap::removeOperation(const sp<IBinder>& token) {
auto entry = mMap.find(token);
if (entry == mMap.end()) {
return false;
@@ -86,7 +86,7 @@
return true;
}
-void OperationMap::removeOperationTracking(sp<IBinder> token, sp<IBinder> appToken) {
+void OperationMap::removeOperationTracking(const sp<IBinder>& token, const sp<IBinder>& appToken) {
auto appEntry = mAppTokenMap.find(appToken);
if (appEntry == mAppTokenMap.end()) {
ALOGE("Entry for %p contains unmapped application token %p", token.get(), appToken.get());
@@ -116,7 +116,7 @@
return mLru[0];
}
-bool OperationMap::getOperationAuthToken(sp<IBinder> token, const hw_auth_token_t** outToken) {
+bool OperationMap::getOperationAuthToken(const sp<IBinder>& token, const hw_auth_token_t** outToken) {
auto entry = mMap.find(token);
if (entry == mMap.end()) {
return false;
@@ -125,7 +125,7 @@
return true;
}
-bool OperationMap::setOperationAuthToken(sp<IBinder> token, const hw_auth_token_t* authToken) {
+bool OperationMap::setOperationAuthToken(const sp<IBinder>& token, const hw_auth_token_t* authToken) {
auto entry = mMap.find(token);
if (entry == mMap.end()) {
return false;
@@ -135,7 +135,7 @@
return true;
}
-std::vector<sp<IBinder>> OperationMap::getOperationsForToken(sp<IBinder> appToken) {
+std::vector<sp<IBinder>> OperationMap::getOperationsForToken(const sp<IBinder>& appToken) {
auto appEntry = mAppTokenMap.find(appToken);
if (appEntry != mAppTokenMap.end()) {
return appEntry->second;
diff --git a/keystore/operation.h b/keystore/operation.h
index eb16257..263b5c9 100644
--- a/keystore/operation.h
+++ b/keystore/operation.h
@@ -46,27 +46,27 @@
*/
class OperationMap {
public:
- OperationMap(IBinder::DeathRecipient* deathRecipient);
+ explicit OperationMap(IBinder::DeathRecipient* deathRecipient);
sp<IBinder> addOperation(keymaster_operation_handle_t handle, uint64_t keyid,
keymaster_purpose_t purpose, const keymaster2_device_t* dev,
- sp<IBinder> appToken, keymaster_key_characteristics_t* characteristics,
+ const sp<IBinder>& appToken, keymaster_key_characteristics_t* characteristics,
bool pruneable);
- bool getOperation(sp<IBinder> token, keymaster_operation_handle_t* outHandle,
+ bool getOperation(const sp<IBinder>& token, keymaster_operation_handle_t* outHandle,
uint64_t* outKeyid, keymaster_purpose_t* outPurpose,
const keymaster2_device_t** outDev,
const keymaster_key_characteristics_t** outCharacteristics);
- bool removeOperation(sp<IBinder> token);
+ bool removeOperation(const sp<IBinder>& token);
bool hasPruneableOperation() const;
size_t getOperationCount() const { return mMap.size(); }
size_t getPruneableOperationCount() const;
- bool getOperationAuthToken(sp<IBinder> token, const hw_auth_token_t** outToken);
- bool setOperationAuthToken(sp<IBinder> token, const hw_auth_token_t* authToken);
+ bool getOperationAuthToken(const sp<IBinder>& token, const hw_auth_token_t** outToken);
+ bool setOperationAuthToken(const sp<IBinder>& token, const hw_auth_token_t* authToken);
sp<IBinder> getOldestPruneableOperation();
- std::vector<sp<IBinder>> getOperationsForToken(sp<IBinder> appToken);
+ std::vector<sp<IBinder>> getOperationsForToken(const sp<IBinder>& appToken);
private:
- void updateLru(sp<IBinder> token);
- void removeOperationTracking(sp<IBinder> token, sp<IBinder> appToken);
+ void updateLru(const sp<IBinder>& token);
+ void removeOperationTracking(const sp<IBinder>& token, const sp<IBinder>& appToken);
struct Operation {
Operation();
Operation(keymaster_operation_handle_t handle, uint64_t keyid, keymaster_purpose_t purpose,
diff --git a/keystore/user_state.h b/keystore/user_state.h
index 2a52f81..902719c 100644
--- a/keystore/user_state.h
+++ b/keystore/user_state.h
@@ -29,7 +29,7 @@
class UserState {
public:
- UserState(uid_t userId);
+ explicit UserState(uid_t userId);
~UserState();
bool initialize();
diff --git a/softkeymaster/keymaster_openssl.cpp b/softkeymaster/keymaster_openssl.cpp
index 6f31195..927b4a6 100644
--- a/softkeymaster/keymaster_openssl.cpp
+++ b/softkeymaster/keymaster_openssl.cpp
@@ -208,17 +208,11 @@
return NULL;
}
- Unique_EVP_PKEY pkey(EVP_PKEY_new());
+ Unique_EVP_PKEY pkey(d2i_PrivateKey(type, nullptr, &p, privateLen));
if (pkey.get() == NULL) {
logOpenSSLError("unwrap_key");
return NULL;
}
- EVP_PKEY* tmp = pkey.get();
-
- if (d2i_PrivateKey(type, &tmp, &p, privateLen) == NULL) {
- logOpenSSLError("unwrap_key");
- return NULL;
- }
return pkey.release();
}