diff options
| author | Vadim Bendebury <vbendeb@chromium.org> | 2017-09-28 12:57:33 -0700 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2017-10-02 23:28:23 -0700 |
| commit | 34ce0a90a59979f7a82e7efdd41481370fb31498 (patch) | |
| tree | 8d2045526bd9da0a0eb9de849bac12c4e19c5c95 | |
| parent | 5ee37253d7213964c8a19129932fc68d30f10aae (diff) | |
| download | chrome-ec-34ce0a90a59979f7a82e7efdd41481370fb31498.tar.gz | |
commom: generalize rma_auth to and make it match server expectations
Different devices could have different sized unique device IDs. Let's
just use the IDs as is if they are no larger than the
rma_challenge:device_id field, or the first 8 bytes of the HMAC_sha256
value of the unique device ID, where the unique device ID is used both
as the key and the payload.
The server expects the board ID field in big endian format, let's swap
it before calculating the RMA auth challenge.
The test's server side implementation needs to be also adjusted.
BRANCH=cr50
BUG=b:37952913
TEST=make buildall -j passes. With the rest of the patches applied RMA
authentication process generates sensible values.
Change-Id: Ia1fbf9161e01de30a2da8214258008f6e5f7d915
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/690991
Reviewed-by: Michael Tang <ntang@chromium.org>
| -rw-r--r-- | common/rma_auth.c | 35 | ||||
| -rw-r--r-- | test/rma_auth.c | 6 |
2 files changed, 37 insertions, 4 deletions
diff --git a/common/rma_auth.c b/common/rma_auth.c index 5b932235c9..8ff7f1aa06 100644 --- a/common/rma_auth.c +++ b/common/rma_auth.c @@ -7,6 +7,7 @@ #include "common.h" #include "base32.h" +#include "byteorder.h" #include "chip/g/board_id.h" #include "curve25519.h" #include "rma_auth.h" @@ -49,6 +50,18 @@ static void get_hmac_sha256(void *hmac_out, const uint8_t *secret, #endif } +static void hash_buffer(void *dest, size_t dest_size, + const void *buffer, size_t buf_size) +{ + /* We know that the destination is no larger than 32 bytes. */ + uint8_t temp[32]; + + get_hmac_sha256(temp, buffer, buf_size, buffer, buf_size); + + /* Or should we do XOR of the temp modulo dest size? */ + memcpy(dest, temp, dest_size); +} + /** * Create a new RMA challenge/response * @@ -64,6 +77,7 @@ int rma_create_challenge(void) uint8_t *device_id; uint8_t *cptr = (uint8_t *)&c; uint64_t t; + int unique_device_id_size; /* Clear the current challenge and authcode, if any */ memset(challenge, 0, sizeof(challenge)); @@ -81,11 +95,26 @@ int rma_create_challenge(void) if (read_board_id(&bid)) return EC_ERROR_UNKNOWN; + + /* The server wants this as a string, not a number. */ + bid.type = htobe32(bid.type); memcpy(c.board_id, &bid.type, sizeof(c.board_id)); - if (system_get_chip_unique_id(&device_id) != sizeof(c.device_id)) - return EC_ERROR_UNKNOWN; - memcpy(c.device_id, device_id, sizeof(c.device_id)); + unique_device_id_size = system_get_chip_unique_id(&device_id); + + /* Smaller unique device IDs will fill c.device_id only partially. */ + if (unique_device_id_size <= sizeof(c.device_id)) { + /* The size matches, let's just copy it as is. */ + memcpy(c.device_id, device_id, unique_device_id_size); + } else { + /* + * The unique device ID size exceeds space allotted in + * rma_challenge:device_id, let's use first few bytes of + * its hash. + */ + hash_buffer(c.device_id, sizeof(c.device_id), + device_id, unique_device_id_size); + } /* Calculate a new ephemeral key pair */ X25519_keypair(c.device_pub_key, temp); diff --git a/test/rma_auth.c b/test/rma_auth.c index d833a2c33b..1ff0c63ea5 100644 --- a/test/rma_auth.c +++ b/test/rma_auth.c @@ -5,6 +5,7 @@ * Test RMA auth challenge/response */ +#include <endian.h> #include <stdio.h> #include "common.h" #include "chip/g/board_id.h" @@ -62,6 +63,7 @@ int rma_server_side(char *out_auth_code, const char *challenge) uint8_t hmac[32]; struct rma_challenge c; uint8_t *cptr = (uint8_t *)&c; + uint32_t inverted_board_id; /* Convert the challenge back into binary */ if (base32_decode(cptr, 8 * sizeof(c), challenge, 9) != 8 * sizeof(c)) { @@ -100,7 +102,9 @@ int rma_server_side(char *out_auth_code, const char *challenge) * Since this is just a test, here we'll just make sure the BoardID * and DeviceID match what we expected. */ - if (memcmp(c.board_id, dummy_board_id, sizeof(c.board_id))) { + memcpy(&inverted_board_id, dummy_board_id, sizeof(inverted_board_id)); + inverted_board_id = be32toh(inverted_board_id); + if (memcmp(c.board_id, &inverted_board_id, sizeof(c.board_id))) { printf("BoardID mismatch\n"); return -1; } |