projects / platform / core / security / key-manager.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix secret pwd passing in TZ backend KBKDF
[platform/core/security/key-manager.git] / src / manager / crypto / tz-backend / tz-context.cpp
diff --git a/src/manager/crypto/tz-backend/tz-context.cpp b/src/manager/crypto/tz-backend/tz-context.cpp
index e8c500b..ad09c65 100644 (file)
--- a/src/manager/crypto/tz-backend/tz-context.cpp
+++ b/src/manager/crypto/tz-backend/tz-context.cpp
@@ -50,6 +50,9 @@ namespace {
 // whatever TA will return us.
 const uint32_t CIPHER_EXTRA_PADDING_SIZE = 16;
 
+// Maximum size of GCM tag in bytes.
+const size_t MAX_GCM_TAG_SIZE = 16;
+
 // Identifier of our TA
 const TEEC_UUID KEY_MANAGER_TA_UUID = KM_TA_UUID;
 
@@ -66,7 +69,8 @@ static std::string rawToHexString(const RawBuffer &raw)
 const std::unordered_map<tz_algo_type, size_t> MAX_KEY_SIZE = {
        { ALGO_RSA, 4096 / 8 },
        { ALGO_RSA_SV, 4096 / 8 },
-       { ALGO_DSA_SV, 4096 / 8 }
+       { ALGO_DSA_SV, 4096 / 8 },
+       { ALGO_ECDSA_SV, 1024 / 8 } // 384*2 + additional space for DERR encoding
 };
 
 struct EncPwd {
@@ -509,7 +513,7 @@ void TrustZoneContext::addGcmAAD(uint32_t opId,
        TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
        sIn.Serialize(inMemory);
 
-       TEEC_Operation op = makeOp(TEEC_VALUE_INPUT, inMemory);
+       TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory);
        op.params[0].value.a = opId;
 
        Execute(CMD_CIPHER_INIT_AAD, &op);
@@ -546,7 +550,7 @@ RawBuffer TrustZoneContext::finalizeGcmCipher(uint32_t opId,
        sIn.Serialize(inMemory);
 
        TZSerializer sOut;
-       sOut.Push(new TZSerializableBinary(data.size()));
+       sOut.Push(new TZSerializableBinary(MAX_GCM_TAG_SIZE, false));
        TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
 
        TEEC_Operation op = makeOp(TEEC_VALUE_INOUT, inMemory, outMemory);
@@ -684,7 +688,7 @@ void TrustZoneContext::importData(
        LogDebug("Imported object ID is (hex): " << rawToHexString(hash));
 }
 
-void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKey,
+void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKeyId,
                                                                                const Pwd &wrappingKeyPwd,
                                                                                tz_algo_type algo,
                                                                                const RawBuffer &iv,
@@ -700,7 +704,7 @@ void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKey,
        // command ID = CMD_IMPORT_WRAPPED_KEY
        LogDebug("TrustZoneContext::importWrappedKey encryptedKey size = [" << encryptedKey.size() << "]");
 
-       auto sIn = makeSerializer(wrappingKey,
+       auto sIn = makeSerializer(wrappingKeyId,
                                                          wrappingKeyPwd,
                                                          algo,
                                                          iv,
@@ -735,7 +739,7 @@ void TrustZoneContext::importWrappedKey(const RawBuffer &wrappingKey,
        LogDebug("Imported object ID is (hex): " << rawToHexString(encryptedKeyId));
 }
 
-RawBuffer TrustZoneContext::exportWrappedKey(const RawBuffer &wrappingKey,
+RawBuffer TrustZoneContext::exportWrappedKey(const RawBuffer &wrappingKeyId,
                                                                                         const Pwd &wrappingKeyPwd,
                                                                                         tz_algo_type algo,
                                                                                         const RawBuffer &iv,
@@ -747,7 +751,7 @@ RawBuffer TrustZoneContext::exportWrappedKey(const RawBuffer &wrappingKey,
        // command ID = CMD_EXPORT_WRAPPED_KEY
        LogDebug("TrustZoneContext::exportWrappedKey");
 
-       auto sIn = makeSerializer(wrappingKey,
+       auto sIn = makeSerializer(wrappingKeyId,
                                                          wrappingKeyPwd,
                                                          algo,
                                                          iv,
@@ -885,7 +889,8 @@ void TrustZoneContext::executeEcdh(const RawBuffer &prvKeyId,
        LogDebug("Derived object ID is (hex): " << rawToHexString(secretHash));
 }
 
-void TrustZoneContext::executeKbkdf(const RawBuffer& secret,
+void TrustZoneContext::executeKbkdf(const RawBuffer& secretId,
+                                                                       const Pwd& secretPwd,
                                                                        const RawBuffer& label,
                                                                        const RawBuffer& context,
                                                                        const RawBuffer& fixed,
@@ -903,7 +908,8 @@ void TrustZoneContext::executeKbkdf(const RawBuffer& secret,
        // command ID = CMD_DERIVE
        LogDebug("TrustZoneContext::executeKbkdf");
 
-       auto sIn = makeSerializer(secret,
+       auto sIn = makeSerializer(secretId,
+                                                         secretPwd,
                                                          label,
                                                          context,
                                                          fixed,
Domain: Security / Utilities;