From 7de40f083b3732940c63f0e07cb8368932b79b39 Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Fri, 16 Feb 2018 12:09:52 +0100 Subject: [PATCH] Fix bits/bytes error in TEE_InitRefAttribute According to TEE spec TEE_InitRefAttribute() should treat the length argument as a length in bytes not bits. This commit adjusts all TEE_InitRefAttribute() invocations and TEE_Attribute::content.ref.length referencese to use length in bytes. Change-Id: I84f7cce90987c69453b2dda5071dfd9c1ee3f3b4 --- ssflib/src/ssf_storage.cpp | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/ssflib/src/ssf_storage.cpp b/ssflib/src/ssf_storage.cpp index 1c92a21..f96ee1c 100644 --- a/ssflib/src/ssf_storage.cpp +++ b/ssflib/src/ssf_storage.cpp @@ -112,7 +112,7 @@ TEE_Result copy_attribute(TEE_Attribute* dest, TEE_Attribute* src) { dest->content.value.a = src->content.value.a; dest->content.value.b = src->content.value.b; } else { - int buf_size = (src->content.ref.length + 7) / 8; + int buf_size = src->content.ref.length; void* buffer = OsaMalloc(buf_size); if (!buffer) { return TEE_ERROR_OUT_OF_MEMORY; @@ -221,7 +221,7 @@ size_t calc_attr_size(TransientObject* tr) { size += 2 * sizeof(uint32_t); } else { size += sizeof(size_t); - size += (attrs[i].content.ref.length + 7) / 8; + size += attrs[i].content.ref.length; } } return size; @@ -247,8 +247,8 @@ TEE_Result serialise_attr(TransientObject* tr, char* buf) { memcpy(buf, &(attrs[i].content.ref.length), 4); buf += 4; memcpy(buf, (void*)attrs[i].content.ref.buffer, - (attrs[i].content.ref.length + 7) / 8); - buf += (attrs[i].content.ref.length + 7) / 8; + attrs[i].content.ref.length); + buf += attrs[i].content.ref.length; } } return TEE_SUCCESS; 
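Review bot: In the copy_attribute hunk (@@ -112), `int buf_size = src->content.ref.length;` narrows a byte count into a signed int, so a length above INT_MAX would turn negative before it reaches OsaMalloc. The field's declared type is not visible here, but calc_attr_size adds it to a size_t, so `size_t buf_size = src->content.ref.length;` would keep the type consistent with the new byte units. It is also worth confirming what OsaMalloc returns for a zero-length attribute, because a NULL there is reported as TEE_ERROR_OUT_OF_MEMORY. The copy that consumes the buffer lies outside the hunk.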
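Review bot: calc_attr_size (@@ -221) reserves `sizeof(size_t)` for each stored length, while serialise_attr in the next hunk writes exactly four bytes (`memcpy(buf, &(attrs[i].content.ref.length), 4); buf += 4;`). Where size_t is 8 bytes this only over-reserves, but serialise_attr takes no capacity argument and relies entirely on this function for its bound, so both should use one named constant for the width of the length field. A short comment on both functions would record the new unit, for example `/* ref.length is stored as a byte count */`.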
@@ -272,13 +272,13 @@ TEE_Result deserialise_attr(char* buf, TransientObject* tr) { } else { memcpy((void*)&attrs[i].content.ref.length, buf, 4); buf += 4; - void* buffer = OsaMalloc((attrs[i].content.ref.length + 7) / 8); + void* buffer = OsaMalloc(attrs[i].content.ref.length); if (!buffer) { return TEE_ERROR_OUT_OF_MEMORY; } - memcpy(buffer, buf, (attrs[i].content.ref.length + 7) / 8); + memcpy(buffer, buf, attrs[i].content.ref.length); attrs[i].content.ref.buffer = buffer; - buf += (attrs[i].content.ref.length + 7) / 8; + buf += attrs[i].content.ref.length; } } return TEE_SUCCESS; @@ -1334,7 +1334,7 @@ TEE_Result TEE_GetObjectBufferAttribute(TEE_ObjectHandle object, TEE_Panic(0); } //len = ((obj->attr.attr_array[n].content.ref.length & 0x7FFFFFFF) + 7) >> 3 ; - len = (obj->attr.attr_array[n].content.ref.length + 7) >> 3; + len = obj->attr.attr_array[n].content.ref.length; // out buffer is too small if (len > *size) { @@ -1471,15 +1471,15 @@ TEE_Result TEE_PopulateTransientObject(TEE_ObjectHandle object, TEE_Attribute* curr_attr = &tr->attr.attr_array[tr->attr.attr_number]; for (i = 0; i < attrCount; i++) { - if (attrs[i].content.ref.length > tr->info.maxObjectSize) { + if (attrs[i].content.ref.length * 8 > tr->info.maxObjectSize) { TZ_ERROR("operation error line = %d,%s\n", __LINE__, __func__); TEE_Panic(0); } copy_attribute(&curr_attr[i], (TEE_Attribute*)&attrs[i]); tr->attr.attr_number++; tr->info.objectSize = - tr->info.objectSize > attrs[i].content.ref.length ? - tr->info.objectSize : attrs[i].content.ref.length; + tr->info.objectSize > attrs[i].content.ref.length * 8 ? + tr->info.objectSize : attrs[i].content.ref.length * 8; } switch (tr->info.objectType) { 
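Review bot: deserialise_attr (@@ -272) takes `content.ref.length` straight from the stored blob and uses it for OsaMalloc, memcpy and the cursor advance without checking it against the size of `buf`, which the function does not receive. Because this commit changes the meaning of that stored field, an object serialised by the previous code holds a bit count that is now read as bytes, so the memcpy would run roughly eight times past the data that was written. Consider passing the remaining input length and rejecting a record whose length exceeds it, and adding a format version or a migration step for existing blobs. The early `return TEE_ERROR_OUT_OF_MEMORY` also appears to leave buffers from earlier attributes allocated; the loop header is outside the hunk, so check that against the full function.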
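Review bot: In TEE_GetObjectBufferAttribute (@@ -1334) the commented-out line `//len = ((obj->attr.attr_array[n].content.ref.length & 0x7FFFFFFF) + 7) >> 3 ;` still describes the old bit-based formula and now contradicts the statement directly below it. Replace it with a comment that states the contract, such as `// content.ref.length is a byte count (see TEE_InitRefAttribute)`. If the 0x7FFFFFFF mask reflected a flag carried in the top bit of the length, that needs to be confirmed before the line is dropped, since the new assignment copies the field unmasked into the `len > *size` check.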
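Review bot: In TEE_PopulateTransientObject (@@ -1471) the new bound `attrs[i].content.ref.length * 8 > tr->info.maxObjectSize` can wrap for a large caller-supplied length, so an oversized attribute would pass the check and reach copy_attribute, which allocates and copies `length` bytes. Dividing instead of multiplying gives the same result without the overflow: `if (attrs[i].content.ref.length > tr->info.maxObjectSize / 8) {`. The return value of `copy_attribute(&curr_attr[i], ...)` is also ignored in this loop, so an out-of-memory failure still increments `attr_number` and updates `objectSize`. The check reads `content.ref.length` for every attribute, although copy_attribute has a separate branch for value attributes; whether value attributes can reach this loop should be confirmed.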
@@ -1629,7 +1629,7 @@ TEE_Result TEE_GenerateKey(TEE_ObjectHandle object, uint32_t keySize, case TEE_TYPE_GENERIC_SECRET: // generate 1 random key gen_random((unsigned char*)key, (keySize + 7) / 8); - TEE_InitRefAttribute(&attrs[0], TEE_ATTR_SECRET_VALUE, key, keySize); + TEE_InitRefAttribute(&attrs[0], TEE_ATTR_SECRET_VALUE, key, (keySize + 7) / 8); TEE_PopulateTransientObject(object, attrs, 1); break; case TEE_TYPE_RSA_KEYPAIR: { @@ -1667,11 +1667,11 @@ TEE_Result TEE_GenerateKey(TEE_ObjectHandle object, uint32_t keySize, uci_context_free(uh); TEE_InitRefAttribute(&attrs[0], TEE_ATTR_RSA_MODULUS, uci_key.ucik_rsa_n, - keySize); + (keySize + 7) / 8); TEE_InitRefAttribute(&attrs[1], TEE_ATTR_RSA_PUBLIC_EXPONENT, - uci_key.ucik_rsa_e, keySize); + uci_key.ucik_rsa_e, (keySize + 7) / 8); TEE_InitRefAttribute(&attrs[2], TEE_ATTR_RSA_PRIVATE_EXPONENT, - uci_key.ucik_rsa_d, keySize); + uci_key.ucik_rsa_d, (keySize + 7) / 8); TEE_PopulateTransientObject(object, attrs, 3); OsaFree(uci_key.ucik_rsa_n); @@ -1694,15 +1694,15 @@ TEE_Result TEE_GenerateKey(TEE_ObjectHandle object, uint32_t keySize, for (i = 0; i < paramCount; i++) { if (params[i].attributeID == TEE_ATTR_DSA_PRIME) { up.ucip_dsa_p = (unsigned char*)params[i].content.ref.buffer; - up.ucip_dsa_p_len = (params[i].content.ref.length + 7) / 8; + up.ucip_dsa_p_len = params[i].content.ref.length; check |= 0x01; } else if (params[i].attributeID == TEE_ATTR_DSA_BASE) { up.ucip_dsa_g = (unsigned char*)params[i].content.ref.buffer; - up.ucip_dsa_g_len = (params[i].content.ref.length + 7) / 8; + up.ucip_dsa_g_len = params[i].content.ref.length; check |= 0x02; } else if (params[i].attributeID == TEE_ATTR_DSA_SUBPRIME) { up.ucip_dsa_q = (unsigned char*)params[i].content.ref.buffer; - up.ucip_dsa_q_len = (params[i].content.ref.length + 7) / 8; + up.ucip_dsa_q_len = params[i].content.ref.length; check |= 0x04; } } 
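Review bot: The bit-to-byte rounding `(keySize + 7) / 8` is now open-coded on two adjacent lines in the TEE_TYPE_GENERIC_SECRET case (@@ -1629) and again in the RSA and DH hunks of TEE_GenerateKey. Computing it once, for example `const uint32_t keyBytes = (keySize + 7) / 8;` near the top of the function, makes it impossible for one call site to fall back to bits. It also gives one place to reject a keySize so large that `keySize + 7` wraps. The declaration of `key` and the start of the function are outside the hunk, so the size of `key` relative to this length should be checked there.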
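Review bot: In the RSA case (@@ -1667) all three attributes are given the modulus length, `(keySize + 7) / 8`, including `uci_key.ucik_rsa_e`. copy_attribute copies exactly that many bytes from the source pointer, so if the library allocates the public exponent (or the private exponent) shorter than the modulus, the copy reads past the allocation. The allocations are not visible in this hunk; please confirm the sizes the key-generation call guarantees, or pass the lengths it reports if it provides them. This behaviour predates the commit, but the change is a good moment to state the assumption in a comment above the three calls.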
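Review bot: In the DSA parameter loop (@@ -1694), `up.ucip_dsa_p_len`, `up.ucip_dsa_g_len` and `up.ucip_dsa_q_len` now take `params[i].content.ref.length` unchanged, and the same applies to `uciparam.ucip_dh_len` in the DH hunk (@@ -1743). A caller that still passes bit counts will hand the crypto library a length eight times larger than its buffer, and nothing in the visible code bounds the value. A sanity check against the requested key size, e.g. `if (params[i].content.ref.length > (keySize + 7) / 8) TEE_Panic(0);`, would turn a stale caller into a defined failure, assuming no domain parameter is expected to exceed the key size. The loop also dereferences `content.ref` without confirming the attribute is a reference type; the enclosing function starts outside the hunk.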
@@ -1724,9 +1724,9 @@ TEE_Result TEE_GenerateKey(TEE_ObjectHandle object, uint32_t keySize, params[i].content.ref.buffer, params[i].content.ref.length); } TEE_InitRefAttribute(&attrs[3], TEE_ATTR_DSA_PUBLIC_VALUE, - uci_key.ucik_dsa_pubkey, uci_key.ucik_dsa_pubk_len * 8); + uci_key.ucik_dsa_pubkey, uci_key.ucik_dsa_pubk_len); TEE_InitRefAttribute(&attrs[4], TEE_ATTR_DSA_PRIVATE_VALUE, - uci_key.ucik_dsa_privkey, uci_key.ucik_dsa_privk_len * 8); + uci_key.ucik_dsa_privkey, uci_key.ucik_dsa_privk_len); TEE_PopulateTransientObject(object, attrs, 5); OsaFree(uci_key.ucik_dsa_pubkey); OsaFree(uci_key.ucik_dsa_privkey); @@ -1743,7 +1743,7 @@ TEE_Result TEE_GenerateKey(TEE_ObjectHandle object, uint32_t keySize, if (params[i].attributeID == TEE_ATTR_DH_PRIME) { check |= 0x01; uciparam.ucip_dh_prime = (unsigned char*)params[i].content.ref.buffer; - uciparam.ucip_dh_len = (params[i].content.ref.length + 7) / 8; + uciparam.ucip_dh_len = params[i].content.ref.length; } else if (params[i].attributeID == TEE_ATTR_DH_BASE) { check |= 0x02; uciparam.ucip_dh_generator = (unsigned char*)params[i].content.ref @@ -1767,9 +1767,9 @@ TEE_Result TEE_GenerateKey(TEE_ObjectHandle object, uint32_t keySize, params[i].content.ref.buffer, params[i].content.ref.length); } TEE_InitRefAttribute(&attrs[2], TEE_ATTR_DH_PRIVATE_VALUE, privKey, - keySize); + (keySize + 7) / 8); TEE_InitRefAttribute(&attrs[3], TEE_ATTR_DH_PUBLIC_VALUE, pubKey, - keySize); + (keySize + 7) / 8); TEE_PopulateTransientObject(object, attrs, 4); OsaFree(privKey); -- 2.7.4
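Review bot: After the attributes are populated in the DSA case (@@ -1724), `OsaFree(uci_key.ucik_dsa_privkey);` releases the private key without clearing it, and the DH hunk (@@ -1767) does the same with `OsaFree(privKey);`. Key material left in freed heap memory can be exposed by a later allocation or a memory disclosure elsewhere in the process. Wipe the buffer over its known length (`uci_key.ucik_dsa_privk_len` here) before freeing, using a clear the compiler cannot elide, such as `explicit_bzero` where the platform provides it. The ignored return value of TEE_PopulateTransientObject should also be checked so that a failed populate is not reported as a generated key.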
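Review bot: In the DH case (@@ -1767) the private and public values are registered with `(keySize + 7) / 8` bytes, while the prime length handed to the library is `uciparam.ucip_dh_len`, taken from the caller's TEE_ATTR_DH_PRIME attribute in the previous hunk. If the two disagree, copy_attribute will copy more or fewer bytes from `privKey` and `pubKey` than the library produced. Their allocation is outside the hunk, so please confirm which length sizes them. Either reject a prime whose byte length differs from `(keySize + 7) / 8`, or use the length the key-generation call reports.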