authorVadim Bendebury <vbendeb@chromium.org>2017-09-28 12:57:33 -0700
committerchrome-bot <chrome-bot@chromium.org>2017-10-02 23:28:23 -0700
commit34ce0a90a59979f7a82e7efdd41481370fb31498 (patch)
tree8d2045526bd9da0a0eb9de849bac12c4e19c5c95
parent5ee37253d7213964c8a19129932fc68d30f10aae (diff)
downloadchrome-ec-34ce0a90a59979f7a82e7efdd41481370fb31498.tar.gz
commom: generalize rma_auth to and make it match server expectations
Different devices could have different sized unique device IDs. Let's just use the IDs as is if they are no larger than the rma_challenge:device_id field, or the first 8 bytes of the HMAC_sha256 value of the unique device ID, where the unique device ID is used both as the key and the payload. The server expects the board ID field in big endian format, let's swap it before calculating the RMA auth challenge. The test's server side implementation needs to be also adjusted. BRANCH=cr50 BUG=b:37952913 TEST=make buildall -j passes. With the rest of the patches applied RMA authentication process generates sensible values. Change-Id: Ia1fbf9161e01de30a2da8214258008f6e5f7d915 Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/690991 Reviewed-by: Michael Tang <ntang@chromium.org>
-rw-r--r--common/rma_auth.c35
-rw-r--r--test/rma_auth.c6
2 files changed, 37 insertions, 4 deletions
diff --git a/common/rma_auth.c b/common/rma_auth.c
index 5b932235c9..8ff7f1aa06 100644
--- a/common/rma_auth.c
+++ b/common/rma_auth.c
@@ -7,6 +7,7 @@
#include "common.h"
#include "base32.h"
+#include "byteorder.h"
#include "chip/g/board_id.h"
#include "curve25519.h"
#include "rma_auth.h"
@@ -49,6 +50,18 @@ static void get_hmac_sha256(void *hmac_out, const uint8_t *secret,
#endif
}
+static void hash_buffer(void *dest, size_t dest_size,
+ const void *buffer, size_t buf_size)
+{
+ /* We know that the destination is no larger than 32 bytes. */
+ uint8_t temp[32];
+
+ get_hmac_sha256(temp, buffer, buf_size, buffer, buf_size);
+
+ /* Or should we do XOR of the temp modulo dest size? */
+ memcpy(dest, temp, dest_size);
+}
+
/**
* Create a new RMA challenge/response
*
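Review bot: The `memcpy(dest, temp, dest_size)` in hash_buffer relies only on the comment to guarantee `dest_size <= sizeof(temp)`; a future caller passing a larger destination would read past the 32-byte stack buffer and copy adjacent stack contents into the challenge. Enforce the assumption instead of stating it, for example `if (dest_size > sizeof(temp)) dest_size = sizeof(temp);` before the copy, or a compile-time size check at the call site. The open question in the second comment (truncation versus XOR folding) should be settled and documented, because the server has to derive exactly the same bytes; keeping the leading bytes of the HMAC-SHA256 output is the conventional truncation.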
@@ -64,6 +77,7 @@ int rma_create_challenge(void)
uint8_t *device_id;
uint8_t *cptr = (uint8_t *)&c;
uint64_t t;
+ int unique_device_id_size;
/* Clear the current challenge and authcode, if any */
memset(challenge, 0, sizeof(challenge));
@@ -81,11 +95,26 @@ int rma_create_challenge(void)
if (read_board_id(&bid))
return EC_ERROR_UNKNOWN;
+
+ /* The server wants this as a string, not a number. */
+ bid.type = htobe32(bid.type);
memcpy(c.board_id, &bid.type, sizeof(c.board_id));
- if (system_get_chip_unique_id(&device_id) != sizeof(c.device_id))
- return EC_ERROR_UNKNOWN;
- memcpy(c.device_id, device_id, sizeof(c.device_id));
+ unique_device_id_size = system_get_chip_unique_id(&device_id);
+
+ /* Smaller unique device IDs will fill c.device_id only partially. */
+ if (unique_device_id_size <= sizeof(c.device_id)) {
+ /* The size matches, let's just copy it as is. */
+ memcpy(c.device_id, device_id, unique_device_id_size);
+ } else {
+ /*
+ * The unique device ID size exceeds space allotted in
+ * rma_challenge:device_id, let's use first few bytes of
+ * its hash.
+ */
+ hash_buffer(c.device_id, sizeof(c.device_id),
+ device_id, unique_device_id_size);
+ }
/* Calculate a new ephemeral key pair */
X25519_keypair(c.device_pub_key, temp);
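Review bot: `unique_device_id_size` is a signed `int` compared against `sizeof(c.device_id)`, so the comparison is performed unsigned. If system_get_chip_unique_id() can return a negative value (its contract is not visible here), that value becomes a very large length, the else branch runs, and hash_buffer() is asked to read that many bytes from `device_id`. The removed code rejected every unexpected size, whereas the new code accepts all of them, including 0, which leaves the device ID field with no device-specific bytes. Add a guard before the comparison, `if (unique_device_id_size <= 0) return EC_ERROR_UNKNOWN;`. The two comments around the `<=` branch also disagree ("fill only partially" versus "the size matches"); a single comment saying that IDs up to the field size are copied verbatim would be clearer. rma_create_challenge starts and ends outside the hunk.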
diff --git a/test/rma_auth.c b/test/rma_auth.c
index d833a2c33b..1ff0c63ea5 100644
--- a/test/rma_auth.c
+++ b/test/rma_auth.c
@@ -5,6 +5,7 @@
* Test RMA auth challenge/response
*/
+#include <endian.h>
#include <stdio.h>
#include "common.h"
#include "chip/g/board_id.h"
@@ -62,6 +63,7 @@ int rma_server_side(char *out_auth_code, const char *challenge)
uint8_t hmac[32];
struct rma_challenge c;
uint8_t *cptr = (uint8_t *)&c;
+ uint32_t inverted_board_id;
/* Convert the challenge back into binary */
if (base32_decode(cptr, 8 * sizeof(c), challenge, 9) != 8 * sizeof(c)) {
@@ -100,7 +102,9 @@ int rma_server_side(char *out_auth_code, const char *challenge)
* Since this is just a test, here we'll just make sure the BoardID
* and DeviceID match what we expected.
*/
- if (memcmp(c.board_id, dummy_board_id, sizeof(c.board_id))) {
+ memcpy(&inverted_board_id, dummy_board_id, sizeof(inverted_board_id));
+ inverted_board_id = be32toh(inverted_board_id);
+ if (memcmp(c.board_id, &inverted_board_id, sizeof(c.board_id))) {
printf("BoardID mismatch\n");
return -1;
}
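Review bot: Nothing in the visible test hunks exercises the new hashed device ID path, so the truncated-HMAC value that the server must reproduce goes unchecked; only the board ID comparison is updated here. Consider a case where the mocked unique ID is longer than `sizeof(c.device_id)` and the server side recomputes the leading bytes of the HMAC for comparison. As a naming point, `inverted_board_id` holds a byte-swapped value rather than an inverted one; `swapped_board_id` would describe it more accurately. rma_server_side starts and ends outside the hunk.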