identity: fix access control checks in libeic.

Also add a new libeic_test binary which has a regression test for this
vulnerability.

Bug: 190757775
Test: atest libeic_test
Test: atest VtsHalIdentityTargetTest
Test: atest CtsIdentityTestCases
Merged-In: I8344655c59930d6bf1baa4e0f8d0f60e4fc9e48d
Change-Id: I8344655c59930d6bf1baa4e0f8d0f60e4fc9e48d
diff --git a/identity/aidl/default/libeic/EicPresentation.c b/identity/aidl/default/libeic/EicPresentation.c
index 9e033b3..3d13766 100644
--- a/identity/aidl/default/libeic/EicPresentation.c
+++ b/identity/aidl/default/libeic/EicPresentation.c
@@ -633,6 +633,8 @@
 
     // We'll need to calc and store a digest of additionalData to check that it's the same
     // additionalData being passed in for every eicPresentationRetrieveEntryValue() call...
+    //
+    ctx->accessCheckOk = false;
     if (!eicCborCalcEntryAdditionalData(accessControlProfileIds, numAccessControlProfileIds,
                                         nameSpace, name, additionalDataCbor,
                                         additionalDataCborBufSize, &additionalDataCborSize,
@@ -680,6 +682,7 @@
 
     if (result == EIC_ACCESS_CHECK_RESULT_OK) {
         eicCborAppendString(&ctx->cbor, name);
+        ctx->accessCheckOk = true;
     }
     return result;
 }
@@ -702,10 +705,15 @@
                                         calculatedSha256)) {
         return false;
     }
+
     if (eicCryptoMemCmp(calculatedSha256, ctx->additionalDataSha256, EIC_SHA256_DIGEST_SIZE) != 0) {
         eicDebug("SHA-256 mismatch of additionalData");
         return false;
     }
+    if (!ctx->accessCheckOk) {
+        eicDebug("Attempting to retrieve a value for which access is not granted");
+        return false;
+    }
 
     if (!eicOpsDecryptAes128Gcm(ctx->storageKey, encryptedContent, encryptedContentSize,
                                 additionalDataCbor, additionalDataCborSize, content)) {