Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / af7e9cfb284b92e98299a7e9053505b145557686^! / . / identity / aidl / default / libeic
commitaf7e9cfb284b92e98299a7e9053505b145557686[log] [tgz]
authorDavid Zeuthen <zeuthen@google.com>Thu Jun 10 18:34:24 2021 -0400
committerDavid Zeuthen <zeuthen@google.com>Mon Jun 21 15:13:55 2021 -0400
tree72e168951301bc38d7749751849e3484a84d7df1
parent05e6b870a40e3f067686ba3acb4c75278cad9079 [diff]
identity: fix access control checks in libeic.

Also add a new libeic_test binary which has a regression test for this
vulnerability.

Bug: 190757775
Test: atest libeic_test
Test: atest VtsHalIdentityTargetTest
Test: atest CtsIdentityTestCases
Merged-In: I8344655c59930d6bf1baa4e0f8d0f60e4fc9e48d
Change-Id: I8344655c59930d6bf1baa4e0f8d0f60e4fc9e48d

diff --git a/identity/aidl/default/libeic/EicPresentation.c b/identity/aidl/default/libeic/EicPresentation.c
index 9e033b3..3d13766 100644
--- a/identity/aidl/default/libeic/EicPresentation.c
+++ b/identity/aidl/default/libeic/EicPresentation.c

@@ -633,6 +633,8 @@
 
     // We'll need to calc and store a digest of additionalData to check that it's the same
     // additionalData being passed in for every eicPresentationRetrieveEntryValue() call...
+    //
+    ctx->accessCheckOk = false;
     if (!eicCborCalcEntryAdditionalData(accessControlProfileIds, numAccessControlProfileIds,
                                         nameSpace, name, additionalDataCbor,
                                         additionalDataCborBufSize, &additionalDataCborSize,
@@ -680,6 +682,7 @@
 
     if (result == EIC_ACCESS_CHECK_RESULT_OK) {
         eicCborAppendString(&ctx->cbor, name);
+        ctx->accessCheckOk = true;
     }
     return result;
 }
@@ -702,10 +705,15 @@
                                         calculatedSha256)) {
         return false;
     }
+
     if (eicCryptoMemCmp(calculatedSha256, ctx->additionalDataSha256, EIC_SHA256_DIGEST_SIZE) != 0) {
         eicDebug("SHA-256 mismatch of additionalData");
         return false;
     }
+    if (!ctx->accessCheckOk) {
+        eicDebug("Attempting to retrieve a value for which access is not granted");
+        return false;
+    }
 
     if (!eicOpsDecryptAes128Gcm(ctx->storageKey, encryptedContent, encryptedContentSize,
                                 additionalDataCbor, additionalDataCborSize, content)) {

diff --git a/identity/aidl/default/libeic/EicPresentation.h b/identity/aidl/default/libeic/EicPresentation.h
index 7cad068..c888049 100644
--- a/identity/aidl/default/libeic/EicPresentation.h
+++ b/identity/aidl/default/libeic/EicPresentation.h

@@ -70,6 +70,10 @@
     // Set to true initialized as a test credential.
     bool testCredential;
 
+    // Set to true if the evaluation of access control checks in
+    // eicPresentationStartRetrieveEntryValue() resulted EIC_ACCESS_CHECK_RESULT_OK
+    bool accessCheckOk;
+
     // These are bitmasks indicating which of the possible 32 access control profiles are
     // authorized. They are built up by eicPresentationValidateAccessControlProfile().
     //