From 1ec4f643604a03ac1ef5382457709aadce80ce28 Mon Sep 17 00:00:00 2001 From: Fred Gylys-Colwell Date: Sun, 26 Jun 2022 20:46:35 -0700 Subject: [PATCH] Version 17.1 Updates to OEMCrypto API and OPK reference implementation. --- CHANGELOG.md | 39 ++ oemcrypto/include/OEMCryptoCENC.h | 9 +- oemcrypto/odk/include/OEMCryptoCENCCommon.h | 5 + .../odk/include/core_message_deserialize.h | 14 + .../odk/include/core_message_serialize.h | 2 + oemcrypto/odk/include/core_message_types.h | 5 +- oemcrypto/odk/include/odk.h | 50 +- oemcrypto/odk/include/odk_message.h | 14 +- oemcrypto/odk/include/odk_structs.h | 5 +- .../odk/src/core_message_deserialize.cpp | 43 +- oemcrypto/odk/src/core_message_features.cpp | 2 +- oemcrypto/odk/src/core_message_serialize.cpp | 8 +- oemcrypto/odk/src/odk.c | 45 ++ oemcrypto/odk/src/odk_serialize.c | 24 +- oemcrypto/odk/src/odk_serialize.h | 4 + oemcrypto/odk/src/odk_structs_priv.h | 11 + oemcrypto/odk/src/serialization_base.c | 2 +- oemcrypto/odk/test/odk_core_message_test.cpp | 2 + oemcrypto/odk/test/odk_test.cpp | 111 ++++ oemcrypto/odk/test/odk_test_helper.cpp | 6 + oemcrypto/odk/test/odk_test_helper.h | 1 + oemcrypto/opk/build/Makefile.opk | 118 ---- oemcrypto/opk/build/Makefile.optee | 177 ------ oemcrypto/opk/build/Makefile.rules | 354 ----------- oemcrypto/opk/build/host.gyp | 90 --- .../opk/build/oemcrypto/odk/src/odk.target.mk | 143 ----- .../opk/build/liboemcrypto.target.mk | 49 -- .../build/oemcrypto/opk/build/ta.target.mk | 52 -- .../opk/oemcrypto_ta/oemcrypto_ta.target.mk | 165 ----- .../oemcrypto_ta_reference_clock.target.mk | 149 ----- .../oemcrypto_ta_reference_crypto.target.mk | 166 ----- .../oemcrypto_ta_reference_renewal.target.mk | 150 ----- ...rypto_ta_reference_root_of_trust.target.mk | 154 ----- .../wtpi_test/ree/opk_ree_api.target.mk | 157 ----- .../wtpi_test/tee/opk_tee_wtpi_test.target.mk | 160 ----- .../wtpi_test/wtpi_test.target.mk | 164 ----- .../wtpi_test/wtpi_test_lib.target.mk | 174 ----- .../oemcrypto/opk/ports/optee/build/README.md | 15 - .../opk/serialization/ree/opk_ree.target.mk | 173 ----- .../opk/serialization/tee/opk_tee.target.mk | 174 ----- oemcrypto/opk/build/ree-sources.mk | 231 +++++++ oemcrypto/opk/build/ta.gyp | 26 - oemcrypto/opk/build/tee-sources.mk | 154 +++++ .../third_party/boringssl/crypto.target.mk | 368 ----------- .../build/third_party/boringssl/ssl.target.mk | 165 ----- .../opk/build/third_party/cbor.target.mk | 118 ---- .../opk/build/third_party/gmock.target.mk | 119 ---- .../build/third_party/gmock_main.target.mk | 119 ---- .../opk/build/third_party/gtest.target.mk | 123 ---- oemcrypto/opk/oemcrypto_ta/oemcrypto.c | 65 +- .../opk/oemcrypto_ta/oemcrypto_api_macros.h | 8 +- .../opk/oemcrypto_ta/oemcrypto_build_info.h | 24 + .../oemcrypto_entitled_key_session.c | 18 +- .../opk/oemcrypto_ta/oemcrypto_key_types.h | 2 +- .../opk/oemcrypto_ta/oemcrypto_session.c | 85 +-- oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.gyp | 24 +- .../wtpi/wtpi_crypto_asymmetric_interface.h | 38 +- .../wtpi/wtpi_device_key_interface.h | 38 +- .../wtpi/wtpi_logging_interface.h | 4 + .../wtpi_root_of_trust_interface_layer1.h | 20 +- .../oemcrypto_ta/wtpi_reference/cose_util.c | 65 +- .../oemcrypto_ta/wtpi_reference/cose_util.h | 27 +- .../oemcrypto_ta/wtpi_reference/ecc_util.c | 19 + .../oemcrypto_ta/wtpi_reference/ecc_util.h | 27 + ...wtpi_crypto_and_key_management_layer1_hw.c | 1 + ...crypto_and_key_management_layer1_openssl.c | 31 +- .../wtpi_reference/wtpi_crypto_asymmetric.c | 31 +- .../wtpi_reference/wtpi_device_key.c | 7 +- .../wtpi_reference/wtpi_logging.c | 7 +- .../wtpi_reference/wtpi_reference.gyp | 12 + .../wtpi_root_of_trust_layer1.c | 52 +- .../opk/oemcrypto_ta/wtpi_test/README.md | 41 ++ .../wtpi_test/common/GEN_common_serializer.c | 10 + .../wtpi_test/common/GEN_common_serializer.h | 1 + .../oemcrypto_ta/wtpi_test/crypto_test.cpp | 316 ++++++++- .../ree/GEN_oemcrypto_tee_test_api.c | 155 ++++- .../wtpi_test/ree/GEN_ree_serializer.c | 301 ++++++--- .../wtpi_test/ree/GEN_ree_serializer.h | 34 +- .../wtpi_test/tee/GEN_dispatcher.c | 133 +++- .../wtpi_test/tee/GEN_tee_serializer.c | 208 ++++-- .../wtpi_test/tee/GEN_tee_serializer.h | 32 +- .../opk/oemcrypto_ta/wtpi_useless/README.md | 3 +- .../wtpi_useless/wtpi_device_key_access.c | 5 +- oemcrypto/opk/ports/optee/Makefile | 114 ++++ oemcrypto/opk/ports/optee/README.md | 17 +- .../opk/ports/optee/build/helloworld.gyp | 27 - oemcrypto/opk/ports/optee/build/host.gyp | 48 -- oemcrypto/opk/ports/optee/build/ta.gyp | 70 -- .../optee/host/common/tos/ree_tos.target.mk | 162 ----- .../host/common/tos/ree_tos_wtpi.target.mk | 161 ----- .../ports/optee/host/liboemcrypto/Makefile | 40 ++ .../optee/host/oemcrypto_helloworld/Makefile | 34 + .../oemcrypto_helloworld.target.mk | 149 ----- .../optee/host/oemcrypto_unittests/Makefile | 38 ++ .../oemcrypto_unittests.target.mk | 199 ------ oemcrypto/opk/ports/optee/host/rules.mk | 84 +++ .../ports/optee/host/wtpi_unittests/Makefile | 46 ++ .../wtpi_unittests/wtpi_unittests.target.mk | 148 ----- oemcrypto/opk/ports/optee/push.sh | 31 +- .../optee/ta/common/wtpi_impl/sources.mk | 63 ++ .../common/{ => wtpi_impl/util}/der_parse.c | 103 +++ .../common/{ => wtpi_impl/util}/der_parse.h | 24 + .../ta/common/{ => wtpi_impl/util}/ta_log.c | 0 .../ta/common/{ => wtpi_impl/util}/ta_log.h | 0 .../ta/common/wtpi_impl/wtpi_clock_layer2.c | 5 +- .../wtpi_crypto_and_key_management_layer1.c | 99 +-- .../common/wtpi_impl/wtpi_crypto_asymmetric.c | 296 ++++++++- .../ta/common/wtpi_impl/wtpi_decrypt_sample.c | 45 +- .../ta/common/wtpi_impl/wtpi_impl.target.mk | 195 ------ .../wtpi_persistent_storage_layer2.c | 2 +- .../opk/ports/optee/ta/oemcrypto_ta/Makefile | 33 +- .../opk/ports/optee/ta/oemcrypto_ta/sub.mk | 63 +- .../opk/ports/optee/ta/wtpi_test_ta/Makefile | 34 +- .../opk/ports/optee/ta/wtpi_test_ta/sub.mk | 56 +- ...crypto_and_key_management_layer1_openssl.c | 3 +- oemcrypto/test/common.mk | 5 +- .../test/fuzz_tests/build_oemcrypto_fuzztests | 13 +- .../test/fuzz_tests/oemcrypto_fuzztests.gypi | 1 + .../partner_oemcrypto_fuzztests.gypi | 1 + oemcrypto/test/oec_device_features.cpp | 5 + oemcrypto/test/oec_device_features.h | 1 + oemcrypto/test/oec_session_util.cpp | 116 +++- oemcrypto/test/oec_session_util.h | 43 +- .../test/oemcrypto_session_tests_helper.cpp | 49 +- .../test/oemcrypto_session_tests_helper.h | 42 +- oemcrypto/test/oemcrypto_test.cpp | 201 ++++-- oemcrypto/test/oemcrypto_unittests.gypi | 2 +- oemcrypto/test/wvcrc.cpp | 88 --- oemcrypto/test/wvcrc32.h | 23 - oemcrypto/util/include/hmac.h | 139 ++++ oemcrypto/util/oec_ref_util.gypi | 1 + oemcrypto/util/oec_ref_util_unittests.gypi | 1 + oemcrypto/util/src/hmac.cpp | 269 ++++++++ oemcrypto/util/test/hmac_unittest.cpp | 597 ++++++++++++++++++ 134 files changed, 4508 insertions(+), 5931 deletions(-) delete mode 100644 oemcrypto/opk/build/Makefile.opk delete mode 100644 oemcrypto/opk/build/Makefile.optee delete mode 100644 oemcrypto/opk/build/Makefile.rules delete mode 100644 oemcrypto/opk/build/host.gyp delete mode 100644 oemcrypto/opk/build/oemcrypto/odk/src/odk.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/build/liboemcrypto.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/build/ta.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_clock.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_crypto.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_renewal.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_root_of_trust.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/opk_ree_api.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/opk_tee_wtpi_test.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test_lib.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/ports/optee/build/README.md delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/serialization/ree/opk_ree.target.mk delete mode 100644 oemcrypto/opk/build/oemcrypto/opk/serialization/tee/opk_tee.target.mk create mode 100644 oemcrypto/opk/build/ree-sources.mk delete mode 100644 oemcrypto/opk/build/ta.gyp create mode 100644 oemcrypto/opk/build/tee-sources.mk delete mode 100644 oemcrypto/opk/build/third_party/boringssl/crypto.target.mk delete mode 100644 oemcrypto/opk/build/third_party/boringssl/ssl.target.mk delete mode 100644 oemcrypto/opk/build/third_party/cbor.target.mk delete mode 100644 oemcrypto/opk/build/third_party/gmock.target.mk delete mode 100644 oemcrypto/opk/build/third_party/gmock_main.target.mk delete mode 100644 oemcrypto/opk/build/third_party/gtest.target.mk create mode 100644 oemcrypto/opk/oemcrypto_ta/oemcrypto_build_info.h create mode 100644 oemcrypto/opk/oemcrypto_ta/wtpi_test/README.md create mode 100644 oemcrypto/opk/ports/optee/Makefile delete mode 100644 oemcrypto/opk/ports/optee/build/helloworld.gyp delete mode 100644 oemcrypto/opk/ports/optee/build/host.gyp delete mode 100644 oemcrypto/opk/ports/optee/build/ta.gyp delete mode 100644 oemcrypto/opk/ports/optee/host/common/tos/ree_tos.target.mk delete mode 100644 oemcrypto/opk/ports/optee/host/common/tos/ree_tos_wtpi.target.mk create mode 100644 oemcrypto/opk/ports/optee/host/liboemcrypto/Makefile create mode 100644 oemcrypto/opk/ports/optee/host/oemcrypto_helloworld/Makefile delete mode 100644 oemcrypto/opk/ports/optee/host/oemcrypto_helloworld/oemcrypto_helloworld.target.mk create mode 100644 oemcrypto/opk/ports/optee/host/oemcrypto_unittests/Makefile delete mode 100644 oemcrypto/opk/ports/optee/host/oemcrypto_unittests/oemcrypto_unittests.target.mk create mode 100644 oemcrypto/opk/ports/optee/host/rules.mk create mode 100644 oemcrypto/opk/ports/optee/host/wtpi_unittests/Makefile delete mode 100644 oemcrypto/opk/ports/optee/host/wtpi_unittests/wtpi_unittests.target.mk create mode 100644 oemcrypto/opk/ports/optee/ta/common/wtpi_impl/sources.mk rename oemcrypto/opk/ports/optee/ta/common/{ => wtpi_impl/util}/der_parse.c (72%) rename oemcrypto/opk/ports/optee/ta/common/{ => wtpi_impl/util}/der_parse.h (75%) rename oemcrypto/opk/ports/optee/ta/common/{ => wtpi_impl/util}/ta_log.c (100%) rename oemcrypto/opk/ports/optee/ta/common/{ => wtpi_impl/util}/ta_log.h (100%) delete mode 100644 oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_impl.target.mk delete mode 100644 oemcrypto/test/wvcrc.cpp delete mode 100644 oemcrypto/test/wvcrc32.h create mode 100644 oemcrypto/util/include/hmac.h create mode 100644 oemcrypto/util/src/hmac.cpp create mode 100644 oemcrypto/util/test/hmac_unittest.cpp diff --git a/CHANGELOG.md b/CHANGELOG.md index 93720df..11d38aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,44 @@ [TOC] +## [Version 17.1][v17.1] + +This release contains a major change to the build process for the OP-TEE port, +a new ODK minor version, handling for v16.4.x licenses with clear key control +block, provisioning 4.0 in the wtpi_reference code, and various small changes. + +The build process for the OP-TEE port has been simplified. Previously, the OPK +components were compiled with their own makefiles, compiler flags, and +toolchain; a platform-specific build system would then need to link those +components into the final application. Now, a list of all OPK files is +provided in the new `tee-sources.mk` file for inclusion in the target platform's +build system. This guarantees that the OPK code will be compiled with the same +build flags and toolchain as the rest of the TA. The OP-TEE port has been +modified to use this new list of source files, and the generated makefiles from +previous versions have been removed. + +The ODK has been updated to v17.1. A new function has been added, +`ODK_PrepareCoreRenewedProvisioningRequest()`, for use with renewing deleted or +compromised keyboxes. An out of bounds buffer error was fixed in +`CreateCoreLicenseResponse()`. + +A unit test has been added to test against the issue where certain 16.4.x SDK +versions return a clear key control block (KCB) in the license response. An +OEMCrypto v17.1+ implementation should be able to handle the clear KCB in the +16.4.x response and load the license correctly. + +Provisioning 4.0 is now supported in oemcrypto_ta and the WTPI reference code. +The `WTPI_GetProvisioningMethod()` config function should return +`OEMCrypto_BootCertificateChain` to enable this. + +`WTPI_ED25519Sign()` has been removed from the WTPI layer. + +All oemcrypto_unittests now pass for the OP-TEE port running on NXP iMX8. +Provisioning 4.0 is not yet supported on the OP-TEE port. + +Please note that no changes have been made to the Trusty port code. As a result, +the Trusty port may not compile against the latest changes to the rest of OPK. + ## [Version 17 plus test updates and OPK v17][v17+test-updates+opk+mk] Add makefiles to partner visible git repo. @@ -124,3 +162,4 @@ Public release for OEMCrypto API and ODK library version 16.4. [v17-initial-release]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17-initial-release [v17+test-updates+opk]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17+test-updates+opk [v17+test-updates+opk+mk]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17+test-updates+opk+mk +[v17.1]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17.1 diff --git a/oemcrypto/include/OEMCryptoCENC.h b/oemcrypto/include/OEMCryptoCENC.h index 97f64e1..d34b309 100644 --- a/oemcrypto/include/OEMCryptoCENC.h +++ b/oemcrypto/include/OEMCryptoCENC.h @@ -3094,10 +3094,11 @@ OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(void); /** * Return a device unique id. For devices with a keybox, retrieve the - * DeviceID from the Keybox. For devices that have an OEM Certificate instead - * of a keybox, it should set the device ID to a device-unique string, such - * as the device serial number. The ID should be device-unique and it should - * be stable -- i.e. it should not change across a device reboot or a system + * DeviceID from the Keybox. For devices that have an OEM Certificate, or if + * provisioning 4 is used, it should set the device ID to a device-unique + * string, such as the device serial number or a hash of the device public key + * in boot certificate chain. The ID should be device-unique and it should be + * stable -- i.e. it should not change across a device reboot or a system * upgrade. This shall match the device id found in the core provisioning * request message. The maximum length of the device id is 64 bytes. The * device ID field in a keybox is 32 bytes. diff --git a/oemcrypto/odk/include/OEMCryptoCENCCommon.h b/oemcrypto/odk/include/OEMCryptoCENCCommon.h index cb343ab..ce51b8d 100644 --- a/oemcrypto/odk/include/OEMCryptoCENCCommon.h +++ b/oemcrypto/odk/include/OEMCryptoCENCCommon.h @@ -120,6 +120,11 @@ typedef enum OEMCrypto_Usage_Entry_Status { kInactiveUnused = 4, } OEMCrypto_Usage_Entry_Status; +typedef enum OEMCrypto_ProvisioningRenewalType { + OEMCrypto_NoRenewal = 0, + OEMCrypto_RenewalACert = 1, +} OEMCrypto_ProvisioningRenewalType; + /** * OEMCrypto_LicenseType is used in the license message to indicate if the key * objects are for content keys, or for entitlement keys. diff --git a/oemcrypto/odk/include/core_message_deserialize.h b/oemcrypto/odk/include/core_message_deserialize.h index 76dccc5..545a806 100644 --- a/oemcrypto/odk/include/core_message_deserialize.h +++ b/oemcrypto/odk/include/core_message_deserialize.h @@ -17,6 +17,8 @@ #ifndef WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_DESERIALIZE_H_ #define WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_DESERIALIZE_H_ +#include + #include "core_message_types.h" namespace oemcrypto_core_message { @@ -53,6 +55,18 @@ bool CoreProvisioningRequestFromMessage( const std::string& oemcrypto_core_message, ODK_ProvisioningRequest* core_provisioning_request); +/** + * Counterpart (deserializer) of ODK_PrepareCoreRenewedProvisioningRequest + * (serializer) + * + * Parameters: + * [in] oemcrypto_core_message + * [out] core_provisioning_request + */ +bool CoreRenewedProvisioningRequestFromMessage( + const std::string& oemcrypto_core_message, + ODK_ProvisioningRequest* core_provisioning_request); + /** * Serializer counterpart is not used and is therefore not implemented. * diff --git a/oemcrypto/odk/include/core_message_serialize.h b/oemcrypto/odk/include/core_message_serialize.h index 0e1c287..bd6d635 100644 --- a/oemcrypto/odk/include/core_message_serialize.h +++ b/oemcrypto/odk/include/core_message_serialize.h @@ -17,6 +17,8 @@ #ifndef WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_SERIALIZE_H_ #define WIDEVINE_ODK_INCLUDE_CORE_MESSAGE_SERIALIZE_H_ +#include + #include "core_message_features.h" #include "core_message_types.h" #include "odk_structs.h" diff --git a/oemcrypto/odk/include/core_message_types.h b/oemcrypto/odk/include/core_message_types.h index 3d02aa9..5315913 100644 --- a/oemcrypto/odk/include/core_message_types.h +++ b/oemcrypto/odk/include/core_message_types.h @@ -96,7 +96,8 @@ struct ODK_RenewalRequest { }; /** - * Output structure for CoreProvisioningRequestFromMessage + * Output structure for CoreProvisioningRequestFromMessage and + * CoreRenewedProvisioningRequestFromMessage * Input structure for CreateCoreProvisioningResponse */ struct ODK_ProvisioningRequest { @@ -105,6 +106,8 @@ struct ODK_ProvisioningRequest { uint32_t nonce; uint32_t session_id; std::string device_id; + uint16_t renewal_type; + std::string renewal_data; }; } // namespace oemcrypto_core_message diff --git a/oemcrypto/odk/include/odk.h b/oemcrypto/odk/include/odk.h index 941afc1..e3499da 100644 --- a/oemcrypto/odk/include/odk.h +++ b/oemcrypto/odk/include/odk.h @@ -326,7 +326,7 @@ OEMCryptoResult ODK_PrepareCoreRenewalRequest(uint8_t* message, * OEMCrypto_GetDeviceID. The device ID shall be unique to the device, and * stable across reboots and factory resets for an L1 device. * - * NOTE: if the message pointer is null and/or input core_message_size is + * NOTE: if the message pointer is null and/or input core_message_length is * zero, this function returns OEMCrypto_ERROR_SHORT_BUFFER and sets output * core_message_size to the size needed. * @@ -351,10 +351,56 @@ OEMCryptoResult ODK_PrepareCoreRenewalRequest(uint8_t* message, * This method is new in version 16 of the API. */ OEMCryptoResult ODK_PrepareCoreProvisioningRequest( - uint8_t* message, size_t message_length, size_t* core_message_size, + uint8_t* message, size_t message_length, size_t* core_message_length, const ODK_NonceValues* nonce_values, const uint8_t* device_id, size_t device_id_length); +/** + * Modifies the message to include a core renewal provisioning request at the + * beginning of the message buffer. The values in nonce_values are used to + * populate the message. + * + * This shall be called by OEMCrypto from + * OEMCrypto_PrepAndSignProvisioningRequest. + * + * The buffer device_id shall be the same string returned by + * OEMCrypto_GetDeviceID. The device ID shall be unique to the device, and + * stable across reboots and factory resets for an L1 device. + * + * NOTE: if the message pointer is null and/or input core_message_length is + * zero, this function returns OEMCrypto_ERROR_SHORT_BUFFER and sets output + * core_message_size to the size needed. + * + * @param[in,out] message: pointer to memory for the entire message. Modified by + * the ODK library. + * @param[in] message_length: length of the entire message buffer. + * @param[in,out] core_message_size: length of the core message at the beginning + * of the message. (in) size of buffer reserved for the core message, in + * bytes. (out) actual length of the core message, in bytes. + * @param[in] nonce_values: pointer to the session's nonce data. + * @param[in] device_id: For devices with a keybox, this is the device ID from + * the keybox. For devices with an OEM Certificate, this is a device + * unique id string. + * @param[in] device_id_length: length of device_id. The device ID can be at + * most 64 bytes. + * @param[in] renewal_type: type of renewal used + * @param[in] renewal_data: renewal data used. For renewal_type = 1, + * renewal_data is the Android attestation batch certificate. + * @param[in] renewal_data_length: length of renewal_data + * + * @retval OEMCrypto_SUCCESS + * @retval OEMCrypto_ERROR_SHORT_BUFFER: core_message_size is too small + * @retval OEMCrypto_ERROR_INVALID_CONTEXT + * + * @version + * This method is new in version 17 of the API. + */ +OEMCryptoResult ODK_PrepareCoreRenewedProvisioningRequest( + uint8_t* message, size_t message_length, size_t* core_message_length, + const ODK_NonceValues* nonce_values, const uint8_t* device_id, + size_t device_id_length, uint16_t renewal_type, const uint8_t* renewal_data, + size_t renewal_data_length); + /// @} /// @addtogroup odk_timer diff --git a/oemcrypto/odk/include/odk_message.h b/oemcrypto/odk/include/odk_message.h index 94ce2ae..075f28c 100644 --- a/oemcrypto/odk/include/odk_message.h +++ b/oemcrypto/odk/include/odk_message.h @@ -48,19 +48,19 @@ typedef struct { } ALIGNED ODK_Message; typedef enum { - MESSAGE_STATUS_OK = 0xe937fcf7, - MESSAGE_STATUS_UNKNOWN_ERROR = 0xe06c1190, - MESSAGE_STATUS_OVERFLOW_ERROR = 0xc43ae4bc, + MESSAGE_STATUS_OK = 0x7937fcf7, + MESSAGE_STATUS_UNKNOWN_ERROR = 0x706c1190, + MESSAGE_STATUS_OVERFLOW_ERROR = 0x543ae4bc, MESSAGE_STATUS_UNDERFLOW_ERROR = 0x7123cd0b, MESSAGE_STATUS_PARSE_ERROR = 0x0b9f6189, MESSAGE_STATUS_NULL_POINTER_ERROR = 0x2d66837a, MESSAGE_STATUS_API_VALUE_ERROR = 0x6ba34f47, - MESSAGE_STATUS_END_OF_MESSAGE_ERROR = 0x998db72a, - MESSAGE_STATUS_INVALID_ENUM_VALUE = 0xedb88197, + MESSAGE_STATUS_END_OF_MESSAGE_ERROR = 0x798db72a, + MESSAGE_STATUS_INVALID_ENUM_VALUE = 0x7db88197, MESSAGE_STATUS_INVALID_TAG_ERROR = 0x14dce06a, MESSAGE_STATUS_NOT_INITIALIZED = 0x2990b6c6, - MESSAGE_STATUS_OUT_OF_MEMORY = 0xfc5c64cc, - MESSAGE_STATUS_MAP_SHARED_MEMORY_FAILED = 0xfafecacf, + MESSAGE_STATUS_OUT_OF_MEMORY = 0x7c5c64cc, + MESSAGE_STATUS_MAP_SHARED_MEMORY_FAILED = 0x7afecacf, MESSAGE_STATUS_SECURE_BUFFER_ERROR = 0x78f0e873 } ODK_MessageStatus; diff --git a/oemcrypto/odk/include/odk_structs.h b/oemcrypto/odk/include/odk_structs.h index 2799732..24ca23e 100644 --- a/oemcrypto/odk/include/odk_structs.h +++ b/oemcrypto/odk/include/odk_structs.h @@ -16,10 +16,10 @@ extern "C" { /* The version of this library. */ #define ODK_MAJOR_VERSION 17 -#define ODK_MINOR_VERSION 0 +#define ODK_MINOR_VERSION 1 /* ODK Version string. Date changed automatically on each release. */ -#define ODK_RELEASE_DATE "ODK v17.0 2022-03-25" +#define ODK_RELEASE_DATE "ODK v17.1 2022-06-21" /* The lowest version number for an ODK message. */ #define ODK_FIRST_VERSION 16 @@ -27,6 +27,7 @@ extern "C" { /* Some useful constants. */ #define ODK_DEVICE_ID_LEN_MAX 64 #define ODK_SHA256_HASH_SIZE 32 +#define ODK_KEYBOX_RENEWAL_DATA_SIZE 1600 /// @addtogroup odk_timer /// @{ diff --git a/oemcrypto/odk/src/core_message_deserialize.cpp b/oemcrypto/odk/src/core_message_deserialize.cpp index 9f485d5..2e69641 100644 --- a/oemcrypto/odk/src/core_message_deserialize.cpp +++ b/oemcrypto/odk/src/core_message_deserialize.cpp @@ -10,6 +10,7 @@ #include #include +#include "OEMCryptoCENCCommon.h" #include "odk_serialize.h" #include "odk_structs.h" #include "odk_structs_priv.h" @@ -52,6 +53,7 @@ bool ParseRequest(uint32_t message_type, core_request->api_minor_version = core_message.nonce_values.api_minor_version; core_request->nonce = core_message.nonce_values.nonce; core_request->session_id = core_message.nonce_values.session_id; + // Verify that the minor version matches the released version for the given // major version. if (core_request->api_major_version < ODK_FIRST_VERSION) { @@ -68,10 +70,13 @@ bool ParseRequest(uint32_t message_type, // For v16, a release and a renewal use the same message structure. // However, for future API versions, the release might be a separate // message. Otherwise, we expect an exact match of message types. + // A provisioning request may contain a renewed provisioning message. if (message_type != ODK_Common_Request_Type && core_message.message_type != message_type && !(message_type == ODK_Renewal_Request_Type && - core_message.message_type == ODK_Release_Request_Type)) { + core_message.message_type == ODK_Release_Request_Type) && + !(message_type == ODK_Provisioning_Request_Type && + core_message.message_type == ODK_Renewed_Provisioning_Request_Type)) { return false; } // Verify that the amount of buffer we read, which is GetOffset, is not more @@ -125,6 +130,42 @@ bool CoreProvisioningRequestFromMessage( } core_provisioning_request->device_id.assign( reinterpret_cast(device_id), device_id_length); + core_provisioning_request->renewal_type = OEMCrypto_NoRenewal; + core_provisioning_request->renewal_data.clear(); + return true; +} + +bool CoreRenewedProvisioningRequestFromMessage( + const std::string& oemcrypto_core_message, + ODK_ProvisioningRequest* core_provisioning_request) { + const auto unpacker = Unpack_ODK_PreparedRenewedProvisioningRequest; + ODK_PreparedRenewedProvisioningRequest prepared_provision = {}; + if (!ParseRequest(ODK_Renewed_Provisioning_Request_Type, + oemcrypto_core_message, core_provisioning_request, + &prepared_provision, unpacker)) { + return false; + } + const uint8_t* device_id = prepared_provision.device_id; + const uint32_t device_id_length = prepared_provision.device_id_length; + if (device_id_length > ODK_DEVICE_ID_LEN_MAX) { + return false; + } + uint8_t zero[ODK_DEVICE_ID_LEN_MAX] = {}; + if (memcmp(zero, device_id + device_id_length, + ODK_DEVICE_ID_LEN_MAX - device_id_length)) { + return false; + } + core_provisioning_request->device_id.assign( + reinterpret_cast(device_id), device_id_length); + + if (prepared_provision.renewal_data_length > + sizeof(prepared_provision.renewal_data)) { + return false; + } + core_provisioning_request->renewal_type = OEMCrypto_RenewalACert; + core_provisioning_request->renewal_data.assign( + reinterpret_cast(prepared_provision.renewal_data), + prepared_provision.renewal_data_length); return true; } diff --git a/oemcrypto/odk/src/core_message_features.cpp b/oemcrypto/odk/src/core_message_features.cpp index c28622c..615e477 100644 --- a/oemcrypto/odk/src/core_message_features.cpp +++ b/oemcrypto/odk/src/core_message_features.cpp @@ -23,7 +23,7 @@ CoreMessageFeatures CoreMessageFeatures::DefaultFeatures( features.maximum_minor_version = 5; // 16.5 break; case 17: - features.maximum_minor_version = 0; // 17.0 + features.maximum_minor_version = 1; // 17.1 break; default: features.maximum_minor_version = 0; diff --git a/oemcrypto/odk/src/core_message_serialize.cpp b/oemcrypto/odk/src/core_message_serialize.cpp index 334f442..3c3590e 100644 --- a/oemcrypto/odk/src/core_message_serialize.cpp +++ b/oemcrypto/odk/src/core_message_serialize.cpp @@ -13,6 +13,7 @@ #include "odk_serialize.h" #include "odk_structs.h" #include "odk_structs_priv.h" +#include "odk_target.h" #include "serialization_base.h" namespace oemcrypto_core_message { @@ -122,6 +123,9 @@ bool CreateCoreLicenseResponse(const CoreMessageFeatures& features, license_response)) { return false; } + if (ODK_MAX_NUM_KEYS < license_response.parsed_license->key_array_length) { + return false; + } if (license_response.request.core_message.nonce_values.api_major_version == 16) { ODK_LicenseResponseV16 license_response_v16; @@ -143,7 +147,9 @@ bool CreateCoreLicenseResponse(const CoreMessageFeatures& features, license_response_v16.parsed_license.key_array_length = license_response.parsed_license->key_array_length; uint32_t i; - for (i = 0; i < license_response_v16.parsed_license.key_array_length; i++) { + for (i = 0; i < license_response_v16.parsed_license.key_array_length && + i < license_response.parsed_license->key_array_length; + i++) { license_response_v16.parsed_license.key_array[i] = license_response.parsed_license->key_array[i]; } diff --git a/oemcrypto/odk/src/odk.c b/oemcrypto/odk/src/odk.c index 019d50e..204db18 100644 --- a/oemcrypto/odk/src/odk.c +++ b/oemcrypto/odk/src/odk.c @@ -72,6 +72,17 @@ static OEMCryptoResult ODK_PrepareRequest( &msg, (ODK_PreparedProvisioningRequest*)prepared_request_buffer); break; } + case ODK_Renewed_Provisioning_Request_Type: { + core_message->message_length = ODK_RENEWED_PROVISIONING_REQUEST_SIZE; + if (sizeof(ODK_PreparedRenewedProvisioningRequest) > + prepared_request_buffer_length) { + return ODK_ERROR_CORE_MESSAGE; + } + Pack_ODK_PreparedRenewedProvisioningRequest( + &msg, + (ODK_PreparedRenewedProvisioningRequest*)prepared_request_buffer); + break; + } default: { return ODK_ERROR_CORE_MESSAGE; } @@ -238,6 +249,37 @@ OEMCryptoResult ODK_PrepareCoreProvisioningRequest( sizeof(ODK_PreparedProvisioningRequest)); } +OEMCryptoResult ODK_PrepareCoreRenewedProvisioningRequest( + uint8_t* message, size_t message_length, size_t* core_message_length, + const ODK_NonceValues* nonce_values, const uint8_t* device_id, + size_t device_id_length, uint16_t renewal_type, const uint8_t* renewal_data, + size_t renewal_data_length) { + if (core_message_length == NULL || nonce_values == NULL) { + return ODK_ERROR_CORE_MESSAGE; + } + ODK_PreparedRenewedProvisioningRequest provisioning_request = {0}; + if (device_id_length > sizeof(provisioning_request.device_id)) { + return ODK_ERROR_CORE_MESSAGE; + } + provisioning_request.device_id_length = (uint32_t)device_id_length; + if (device_id) { + memcpy(provisioning_request.device_id, device_id, device_id_length); + } + if (renewal_data_length > sizeof(provisioning_request.renewal_data)) { + return ODK_ERROR_CORE_MESSAGE; + } + provisioning_request.renewal_type = renewal_type; + provisioning_request.renewal_data_length = (uint32_t)renewal_data_length; + if (renewal_data) { + memcpy(provisioning_request.renewal_data, renewal_data, + renewal_data_length); + } + return ODK_PrepareRequest(message, message_length, core_message_length, + ODK_Renewed_Provisioning_Request_Type, nonce_values, + &provisioning_request, + sizeof(provisioning_request)); +} + /* @@ parse response functions */ OEMCryptoResult ODK_ParseLicense( @@ -424,6 +466,9 @@ OEMCryptoResult ODK_ParseProvisioning( if (err != OEMCrypto_SUCCESS) { return err; } + if (parsed_response->key_type != 0 && parsed_response->key_type != 1) { + return ODK_ERROR_CORE_MESSAGE; + } ODK_ProvisioningResponse provisioning_response = {0}; provisioning_response.parsed_provisioning = parsed_response; diff --git a/oemcrypto/odk/src/odk_serialize.c b/oemcrypto/odk/src/odk_serialize.c index 55ea3a4..5c58200 100644 --- a/oemcrypto/odk/src/odk_serialize.c +++ b/oemcrypto/odk/src/odk_serialize.c @@ -128,12 +128,22 @@ void Pack_ODK_PreparedRenewalRequest(ODK_Message* msg, } void Pack_ODK_PreparedProvisioningRequest( - ODK_Message* msg, ODK_PreparedProvisioningRequest const* obj) { + ODK_Message* msg, const ODK_PreparedProvisioningRequest* obj) { Pack_ODK_CoreMessage(msg, &obj->core_message); Pack_uint32_t(msg, &obj->device_id_length); PackArray(msg, &obj->device_id[0], sizeof(obj->device_id)); } +void Pack_ODK_PreparedRenewedProvisioningRequest( + ODK_Message* msg, const ODK_PreparedRenewedProvisioningRequest* obj) { + Pack_ODK_CoreMessage(msg, &obj->core_message); + Pack_uint32_t(msg, &obj->device_id_length); + PackArray(msg, &obj->device_id[0], sizeof(obj->device_id)); + Pack_uint16_t(msg, &obj->renewal_type); + Pack_uint32_t(msg, &obj->renewal_data_length); + PackArray(msg, &obj->renewal_data[0], sizeof(obj->renewal_data)); +} + /* @@ kdo serialize */ void Pack_ODK_LicenseResponse(ODK_Message* msg, @@ -156,7 +166,7 @@ void Pack_ODK_RenewalResponse(ODK_Message* msg, } void Pack_ODK_ProvisioningResponse(ODK_Message* msg, - ODK_ProvisioningResponse const* obj) { + const ODK_ProvisioningResponse* obj) { Pack_ODK_PreparedProvisioningRequest(msg, &obj->request); Pack_ODK_ParsedProvisioning( msg, (const ODK_ParsedProvisioning*)obj->parsed_provisioning); @@ -302,6 +312,16 @@ void Unpack_ODK_PreparedProvisioningRequest( UnpackArray(msg, &obj->device_id[0], sizeof(obj->device_id)); } +void Unpack_ODK_PreparedRenewedProvisioningRequest( + ODK_Message* msg, ODK_PreparedRenewedProvisioningRequest* obj) { + Unpack_ODK_CoreMessage(msg, &obj->core_message); + Unpack_uint32_t(msg, &obj->device_id_length); + UnpackArray(msg, &obj->device_id[0], sizeof(obj->device_id)); + Unpack_uint16_t(msg, &obj->renewal_type); + Unpack_uint32_t(msg, &obj->renewal_data_length); + UnpackArray(msg, &obj->renewal_data[0], obj->renewal_data_length); +} + void Unpack_ODK_PreparedCommonRequest(ODK_Message* msg, ODK_PreparedCommonRequest* obj) { Unpack_ODK_CoreMessage(msg, &obj->core_message); diff --git a/oemcrypto/odk/src/odk_serialize.h b/oemcrypto/odk/src/odk_serialize.h index c08b4d5..0904700 100644 --- a/oemcrypto/odk/src/odk_serialize.h +++ b/oemcrypto/odk/src/odk_serialize.h @@ -22,6 +22,8 @@ void Pack_ODK_PreparedRenewalRequest(ODK_Message* msg, const ODK_PreparedRenewalRequest* obj); void Pack_ODK_PreparedProvisioningRequest( ODK_Message* msg, const ODK_PreparedProvisioningRequest* obj); +void Pack_ODK_PreparedRenewedProvisioningRequest( + ODK_Message* msg, const ODK_PreparedRenewedProvisioningRequest* obj); /* odk unpack */ void Unpack_ODK_CoreMessage(ODK_Message* msg, ODK_CoreMessage* obj); @@ -47,6 +49,8 @@ void Unpack_ODK_PreparedRenewalRequest(ODK_Message* msg, ODK_PreparedRenewalRequest* obj); void Unpack_ODK_PreparedProvisioningRequest( ODK_Message* msg, ODK_PreparedProvisioningRequest* obj); +void Unpack_ODK_PreparedRenewedProvisioningRequest( + ODK_Message* msg, ODK_PreparedRenewedProvisioningRequest* obj); void Unpack_ODK_PreparedCommonRequest(ODK_Message* msg, ODK_PreparedCommonRequest* obj); diff --git a/oemcrypto/odk/src/odk_structs_priv.h b/oemcrypto/odk/src/odk_structs_priv.h index 1bfc597..3fe73ee 100644 --- a/oemcrypto/odk/src/odk_structs_priv.h +++ b/oemcrypto/odk/src/odk_structs_priv.h @@ -24,6 +24,7 @@ typedef uint32_t ODK_MessageType; #define ODK_Renewal_Response_Type ((ODK_MessageType)4u) #define ODK_Provisioning_Request_Type ((ODK_MessageType)5u) #define ODK_Provisioning_Response_Type ((ODK_MessageType)6u) +#define ODK_Renewed_Provisioning_Request_Type ((ODK_MessageType)11u) // Reserve future message types to support forward compatibility. #define ODK_Release_Request_Type ((ODK_MessageType)7u) @@ -52,6 +53,15 @@ typedef struct { uint8_t device_id[ODK_DEVICE_ID_LEN_MAX]; } ODK_PreparedProvisioningRequest; +typedef struct { + ODK_CoreMessage core_message; + uint32_t device_id_length; + uint8_t device_id[ODK_DEVICE_ID_LEN_MAX]; + uint16_t renewal_type; + uint32_t renewal_data_length; + uint8_t renewal_data[ODK_KEYBOX_RENEWAL_DATA_SIZE]; +} ODK_PreparedRenewedProvisioningRequest; + typedef struct { ODK_CoreMessage core_message; } ODK_PreparedCommonRequest; @@ -96,6 +106,7 @@ typedef struct { #define ODK_LICENSE_REQUEST_SIZE 20u #define ODK_RENEWAL_REQUEST_SIZE 28u #define ODK_PROVISIONING_REQUEST_SIZE 88u +#define ODK_RENEWED_PROVISIONING_REQUEST_SIZE 1694u // These are the possible timer status values. #define ODK_CLOCK_TIMER_STATUS_UNDEFINED 0u // Should not happen. diff --git a/oemcrypto/odk/src/serialization_base.c b/oemcrypto/odk/src/serialization_base.c index 90b84b3..30af34c 100644 --- a/oemcrypto/odk/src/serialization_base.c +++ b/oemcrypto/odk/src/serialization_base.c @@ -38,7 +38,7 @@ static void PackBytes(ODK_Message* message, const uint8_t* ptr, size_t count) { } void Pack_enum(ODK_Message* message, int value) { - uint32_t v32 = value; + uint32_t v32 = (uint32_t)value; Pack_uint32_t(message, &v32); } diff --git a/oemcrypto/odk/test/odk_core_message_test.cpp b/oemcrypto/odk/test/odk_core_message_test.cpp index 24fbe6d..22051b2 100644 --- a/oemcrypto/odk/test/odk_core_message_test.cpp +++ b/oemcrypto/odk/test/odk_core_message_test.cpp @@ -2,6 +2,8 @@ // source code may only be used and distributed under the Widevine // License Agreement. +#include + #include "OEMCryptoCENCCommon.h" #include "gtest/gtest.h" #include "odk.h" diff --git a/oemcrypto/odk/test/odk_test.cpp b/oemcrypto/odk/test/odk_test.cpp index d1a817d..a244d25 100644 --- a/oemcrypto/odk/test/odk_test.cpp +++ b/oemcrypto/odk/test/odk_test.cpp @@ -6,6 +6,7 @@ #include #include +#include #include "OEMCryptoCENCCommon.h" #include "core_message_deserialize.h" @@ -27,6 +28,8 @@ using oemcrypto_core_message::ODK_RenewalRequest; using oemcrypto_core_message::deserialize::CoreLicenseRequestFromMessage; using oemcrypto_core_message::deserialize::CoreProvisioningRequestFromMessage; using oemcrypto_core_message::deserialize::CoreRenewalRequestFromMessage; +using oemcrypto_core_message::deserialize:: + CoreRenewedProvisioningRequestFromMessage; using oemcrypto_core_message::features::CoreMessageFeatures; @@ -270,6 +273,35 @@ TEST(OdkTest, NullRequestTest) { ODK_PrepareCoreProvisioningRequest( message, ODK_PROVISIONING_REQUEST_SIZE, &core_message_length, &nonce_values, nullptr, 0uL)); + + EXPECT_EQ(ODK_ERROR_CORE_MESSAGE, + ODK_PrepareCoreRenewedProvisioningRequest( + nullptr, 0uL, &core_message_length, nullptr, nullptr, 0uL, + OEMCrypto_RenewalACert, nullptr, 0uL)); + EXPECT_EQ(ODK_ERROR_CORE_MESSAGE, + ODK_PrepareCoreRenewedProvisioningRequest( + nullptr, 0uL, nullptr, &nonce_values, nullptr, 0uL, + OEMCrypto_RenewalACert, nullptr, 0uL)); + + // Null device id in renewed provisioning request is ok + uint8_t renewed_message[ODK_RENEWED_PROVISIONING_REQUEST_SIZE] = {0}; + uint8_t renewal_data[ODK_KEYBOX_RENEWAL_DATA_SIZE] = {0}; + uint32_t renewal_data_length = ODK_KEYBOX_RENEWAL_DATA_SIZE; + core_message_length = ODK_RENEWED_PROVISIONING_REQUEST_SIZE; + EXPECT_EQ(OEMCrypto_SUCCESS, + ODK_PrepareCoreRenewedProvisioningRequest( + renewed_message, ODK_RENEWED_PROVISIONING_REQUEST_SIZE, + &core_message_length, &nonce_values, nullptr, 0uL, + OEMCrypto_RenewalACert, renewal_data, renewal_data_length)); + + // Null renewal data in renewed provisioning request is ok + uint8_t device_id[ODK_DEVICE_ID_LEN_MAX] = {0}; + uint32_t device_id_length = ODK_DEVICE_ID_LEN_MAX; + core_message_length = ODK_RENEWED_PROVISIONING_REQUEST_SIZE; + ODK_PrepareCoreRenewedProvisioningRequest( + renewed_message, ODK_RENEWED_PROVISIONING_REQUEST_SIZE, + &core_message_length, &nonce_values, device_id, device_id_length, + OEMCrypto_RenewalACert, nullptr, 0uL); } TEST(OdkTest, NullResponseTest) { @@ -422,6 +454,21 @@ TEST(OdkTest, PrepareCoreProvisioningRequest) { &core_message_length, &nonce_values, device_id, sizeof(device_id))); } +TEST(OdkTest, PrepareCoreRenewedProvisioningRequest) { + uint8_t provisioning_message[ODK_RENEWED_PROVISIONING_REQUEST_SIZE] = {0}; + size_t core_message_length = sizeof(provisioning_message); + ODK_NonceValues nonce_values; + memset(&nonce_values, 0, sizeof(nonce_values)); + uint8_t device_id[ODK_DEVICE_ID_LEN_MAX] = {0}; + uint8_t renewal_data[ODK_KEYBOX_RENEWAL_DATA_SIZE] = {0}; + EXPECT_EQ( + OEMCrypto_SUCCESS, + ODK_PrepareCoreRenewedProvisioningRequest( + provisioning_message, sizeof(provisioning_message), + &core_message_length, &nonce_values, device_id, sizeof(device_id), + OEMCrypto_RenewalACert, renewal_data, sizeof(renewal_data))); +} + TEST(OdkTest, PrepareCoreProvisioningRequestDeviceId) { uint8_t provisioning_message[ODK_PROVISIONING_REQUEST_SIZE] = {0}; size_t core_message_length = sizeof(provisioning_message); @@ -435,6 +482,36 @@ TEST(OdkTest, PrepareCoreProvisioningRequestDeviceId) { sizeof(device_id_invalid))); } +TEST(OdkTest, PrepareCoreRenewedProvisioningRequestDeviceId) { + uint8_t provisioning_message[ODK_PROVISIONING_REQUEST_SIZE] = {0}; + size_t core_message_length = sizeof(provisioning_message); + ODK_NonceValues nonce_values; + memset(&nonce_values, 0, sizeof(nonce_values)); + uint8_t device_id_invalid[ODK_DEVICE_ID_LEN_MAX + 1] = {0}; + uint8_t renewal_data[ODK_KEYBOX_RENEWAL_DATA_SIZE] = {0}; + EXPECT_EQ(ODK_ERROR_CORE_MESSAGE, + ODK_PrepareCoreRenewedProvisioningRequest( + provisioning_message, sizeof(provisioning_message), + &core_message_length, &nonce_values, device_id_invalid, + sizeof(device_id_invalid), OEMCrypto_RenewalACert, renewal_data, + sizeof(renewal_data))); +} + +TEST(OdkTest, PrepareCoreRenewedProvisioningRequestRenewalDataInvalid) { + uint8_t provisioning_message[ODK_PROVISIONING_REQUEST_SIZE] = {0}; + size_t core_message_length = sizeof(provisioning_message); + ODK_NonceValues nonce_values; + memset(&nonce_values, 0, sizeof(nonce_values)); + uint8_t device_id[ODK_DEVICE_ID_LEN_MAX] = {0}; + uint8_t renewal_data_invalid[ODK_KEYBOX_RENEWAL_DATA_SIZE + 1] = {0}; + EXPECT_EQ(ODK_ERROR_CORE_MESSAGE, + ODK_PrepareCoreRenewedProvisioningRequest( + provisioning_message, sizeof(provisioning_message), + &core_message_length, &nonce_values, device_id, + sizeof(device_id), OEMCrypto_RenewalACert, renewal_data_invalid, + sizeof(renewal_data_invalid))); +} + // Serialize and de-serialize license request TEST(OdkTest, LicenseRequestRoundtrip) { std::vector empty; @@ -497,6 +574,39 @@ TEST(OdkTest, ProvisionRequestRoundtrip) { kdo_parse_func); } +TEST(OdkTest, RenewedProvisionRequestRoundtrip) { + uint32_t device_id_length = ODK_DEVICE_ID_LEN_MAX / 2; + uint8_t device_id[ODK_DEVICE_ID_LEN_MAX] = {0}; + memset(device_id, 0xff, device_id_length); + uint16_t renewal_type = OEMCrypto_RenewalACert; + uint32_t renewal_data_length = ODK_KEYBOX_RENEWAL_DATA_SIZE / 2; + uint8_t renewal_data[ODK_KEYBOX_RENEWAL_DATA_SIZE] = {0}; + memset(renewal_data, 0xff, renewal_data_length); + std::vector extra_fields = { + {ODK_UINT32, &device_id_length, "device_id_length"}, + {ODK_DEVICEID, device_id, "device_id"}, + {ODK_UINT16, &renewal_type, "renewal_type"}, + {ODK_UINT32, &renewal_data_length, "renewal_data_length"}, + {ODK_RENEWALDATA, renewal_data, "renewal_data"}, + }; + auto odk_prepare_func = [&](uint8_t* const buf, size_t* size, + const ODK_NonceValues* nonce_values) { + return ODK_PrepareCoreRenewedProvisioningRequest( + buf, SIZE_MAX, size, nonce_values, device_id, device_id_length, + renewal_type, renewal_data, renewal_data_length); + }; + auto kdo_parse_func = + [&](const std::string& oemcrypto_core_message, + ODK_ProvisioningRequest* core_provisioning_request) { + bool ok = CoreRenewedProvisioningRequestFromMessage( + oemcrypto_core_message, core_provisioning_request); + return ok; + }; + ValidateRequest( + ODK_Renewed_Provisioning_Request_Type, extra_fields, odk_prepare_func, + kdo_parse_func); +} + TEST(OdkTest, ParseLicenseErrorNonce) { ODK_LicenseResponseParams params; ODK_SetDefaultLicenseResponseParams(¶ms, ODK_MAJOR_VERSION); @@ -761,6 +871,7 @@ std::vector TestCases() { {17, 16, 4, 16, 4}, {17, 16, 5, 16, 5}, {17, 17, 0, 17, 0}, + {17, 17, 1, 17, 1}, }; return test_cases; } diff --git a/oemcrypto/odk/test/odk_test_helper.cpp b/oemcrypto/odk/test/odk_test_helper.cpp index c1cf465..dab9afa 100644 --- a/oemcrypto/odk/test/odk_test_helper.cpp +++ b/oemcrypto/odk/test/odk_test_helper.cpp @@ -9,6 +9,7 @@ #include #include #include +#include #include #include "OEMCryptoCENCCommon.h" @@ -329,6 +330,8 @@ size_t ODK_FieldLength(ODK_FieldType type) { return sizeof(uint32_t) + sizeof(uint32_t); case ODK_DEVICEID: return ODK_DEVICE_ID_LEN_MAX; + case ODK_RENEWALDATA: + return ODK_KEYBOX_RENEWAL_DATA_SIZE; case ODK_HASH: return ODK_SHA256_HASH_SIZE; default: @@ -385,6 +388,7 @@ OEMCryptoResult ODK_WriteSingleField(uint8_t* buf, const ODK_Field* field) { break; } case ODK_DEVICEID: + case ODK_RENEWALDATA: case ODK_HASH: { const size_t field_len = ODK_FieldLength(field->type); const uint8_t* const id = static_cast(field->value); @@ -444,6 +448,7 @@ OEMCryptoResult ODK_ReadSingleField(const uint8_t* buf, break; } case ODK_DEVICEID: + case ODK_RENEWALDATA: case ODK_HASH: { const size_t field_len = ODK_FieldLength(field->type); uint8_t* const id = static_cast(field->value); @@ -503,6 +508,7 @@ OEMCryptoResult ODK_DumpSingleField(const uint8_t* buf, break; } case ODK_DEVICEID: + case ODK_RENEWALDATA: case ODK_HASH: { const size_t field_len = ODK_FieldLength(field->type); std::cerr << field->name << ": "; diff --git a/oemcrypto/odk/test/odk_test_helper.h b/oemcrypto/odk/test/odk_test_helper.h index 650950b..f825af1 100644 --- a/oemcrypto/odk/test/odk_test_helper.h +++ b/oemcrypto/odk/test/odk_test_helper.h @@ -21,6 +21,7 @@ enum ODK_FieldType { ODK_UINT64, ODK_SUBSTRING, ODK_DEVICEID, + ODK_RENEWALDATA, ODK_HASH, // The "stressable" types are the ones we can put in a stress test that packs // and unpacks random data and can expect to get back the same thing. diff --git a/oemcrypto/opk/build/Makefile.opk b/oemcrypto/opk/build/Makefile.opk deleted file mode 100644 index ff46389..0000000 --- a/oemcrypto/opk/build/Makefile.opk +++ /dev/null @@ -1,118 +0,0 @@ -# This is the top level makefile for a port of the OPK. It -# invokes the gyp-generated Makefile.rules, then includes the -# generated target.mk for each target library. - -# The directory structure under ./build mirrors the directory -# structure rooted at the top level of the repo. This isolates all of -# the generated makefiles from the source tree so they are not -# intermingled with the source code, and can be managed/cleaned -# independently. Since these are generated files there is usually no -# need to modify these makefiles or the directory structure. -# -# The top level files are: -# Makefile.opk : This file, top level makefile for the OPK -# Makefile.rules : Generated Make rules for building the OPK -# host.gyp : gyp file to make liboemcrypto and unit tests -# ta.gyp : gyp file with dependencies to make the TEE libraries - -# The generated *.mk files contain the rules to build each library: -# ├── oemcrypto -# │ ├── odk -# │ │ └── src -# │ │ └── odk.target.mk -# │ └── opk -# │ ├── build -# │ │ ├── liboemcrypto.target.mk -# │ │ └── ta.target.mk -# │ ├── oemcrypto_ta -# │ │ ├── oemcrypto_ta.target.mk -# │ │ ├── wtpi_reference -# │ │ │ ├── oemcrypto_ta_reference_clock.target.mk -# │ │ │ ├── oemcrypto_ta_reference_crypto.target.mk -# │ │ │ ├── oemcrypto_ta_reference_renewal.target.mk -# │ │ │ └── oemcrypto_ta_reference_root_of_trust.target.mk -# │ │ └── wtpi_test -# │ │ ├── ree -# │ │ │ ├── opk_ree_api.target.mk -# │ │ │ └── opk_ree.target.mk -# │ │ ├── tee -# │ │ │ └── opk_tee_wtpi_test.target.mk -# │ │ ├── wtpi_test_lib.target.mk -# │ │ └── wtpi_test.target.mk -# │ └── serialization -# │ ├── ree -# │ │ └── opk_ree.target.mk -# │ └── tee -# │ └── opk_tee.target.mk -# └── third_party -# ├── boringssl -# │ └── crypto.target.mk -# └── gtest.target.mk - -# You can add additional compiler options by setting these defines or -# passing them on the make command line: -# -# CFLAGS := -# CPPFLAGS := -# CXXFLAGS := - -# By default, warnings are not treated as errors, and no additional -# compiler warnings are enabled, to avoid adding warnings that may not -# be supported by all compilers, or introducing build failures that -# may in fact be harmless. You may choose to enable warnings by -# uncommenting the define and adding other warnings as desired: -# -# CPPFLAGS := -Werror -Wall -Wextra -Wunused - -# NO_LOAD disables the includes from Makefile.rules, they are -# included explicitly below -NO_LOAD := oemcrypto third_party - -include Makefile.rules - -# Include rules to build unit tests -include third_party/boringssl/ssl.target.mk -include third_party/boringssl/crypto.target.mk -include third_party/gmock.target.mk -include third_party/gtest.target.mk -include $(OEMCRYPTO_UNITTEST_DIR)/oemcrypto_unittests.target.mk - -# Include rules to build the OPK libraries -include oemcrypto/odk/src/odk.target.mk -include oemcrypto/opk/build/ta.target.mk -include oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.target.mk -include oemcrypto/opk/serialization/ree/opk_ree.target.mk -include oemcrypto/opk/serialization/tee/opk_tee.target.mk -include $(WTPI_IMPL_DIR)/wtpi_impl.target.mk - -# Include rules to build the WTPI test libraries -include oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/opk_ree_api.target.mk -include oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test_lib.target.mk -include oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/opk_tee_wtpi_test.target.mk -include $(WTPI_UNITTEST_DIR)/wtpi_unittests.target.mk - -# Add rules for the transport layer implementations for OEMCrypto TA and WTPI unit tests -include $(REE_TOS_DIR)/ree_tos.target.mk -include $(REE_TOS_WTPI_DIR)/ree_tos_wtpi.target.mk - -ifeq ($(USE_TA_REFERENCE_CRYPTO),yes) - include oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_crypto.target.mk - ta_libs: oemcrypto_ta_reference_crypto -endif - -ifeq ($(USE_TA_REFERENCE_CLOCK),yes) - include oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_clock.target.mk - ta_libs: oemcrypto_ta_reference_clock -endif - -ifeq ($(USE_TA_REFERENCE_RENEWAL),yes) - include oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_renewal.target.mk - ta_libs: oemcrypto_ta_reference_renewal -endif - -ifeq ($(USE_TA_REFERENCE_ROOT_OF_TRUST),yes) - include oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_root_of_trust.target.mk - ta_libs: oemcrypto_ta_reference_root_of_trust -endif - -include oemcrypto/opk/build/liboemcrypto.target.mk diff --git a/oemcrypto/opk/build/Makefile.optee b/oemcrypto/opk/build/Makefile.optee deleted file mode 100644 index 4ec4665..0000000 --- a/oemcrypto/opk/build/Makefile.optee +++ /dev/null @@ -1,177 +0,0 @@ -# Makefile for OP-TEE liboemcrypto.so and the OP-TEE widevine trusted app - -# $OPTEE_DIR must be defined as the root of the OP-TEE SDK -ifndef OPTEE_DIR - $(error OPTEE_DIR is undefined) -endif - -# $CDM_DIR must be defined as the path to the top level of the OPK release -ifndef CDM_DIR - $(error CDM_DIR is undefined) -endif - -.EXPORT_ALL_VARIABLES: - -# Set platform-specific toolchain flags for OP-TEE -# Run make with the OPTEE_PLATFORM variable set to one of the following values: -# qemu (QEMU v7) -# stm32mp1 (STM32MP157 DK1 eval kit) -# nxpimx8m (NXP iMX8M eval kit) - -# Default is QEMU -OPTEE_PLATFORM ?= qemu -CFG_TEE_TA_MALLOC_DEBUG:=y - -# Default toolchain dir from the optee repositories -OPTEE_TOOLCHAIN_DIR ?= $(OPTEE_DIR)/toolchains - -ifeq ($(OPTEE_PLATFORM),qemu) -PLATFORM := vexpress-qemu_virt -TEEC_EXPORT ?= $(OPTEE_DIR)/out-br/build/optee_client_ext-1.0/libteec -OPTEE_TOOLCHAIN := $(OPTEE_TOOLCHAIN_DIR)/aarch32 -TA_DEV_KIT_DIR := $(OPTEE_DIR)/optee_os/out/arm/export-ta_arm32 -CROSS_COMPILE := arm-linux-gnueabihf- -CPPFLAGS := \ - -isystem $(OPTEE_TOOLCHAIN)/lib/gcc/arm-none-linux-gnueabihf/10.2.1/include \ - -else ifeq ($(OPTEE_PLATFORM),stm32mp1) -TEEC_EXPORT ?= $(OPTEE_DIR)/out-br/build/optee_client_ext-1.0/libteec -OPTEE_TOOLCHAIN := $(OPTEE_TOOLCHAIN_DIR)/aarch32 -TA_DEV_KIT_DIR := $(OPTEE_DIR)/optee_os/out/arm/export-ta_arm32 -CROSS_COMPILE := arm-linux-gnueabihf- -CPPFLAGS := \ - -isystem $(OPTEE_TOOLCHAIN)/lib/gcc/arm-none-linux-gnueabihf/10.2.1/include \ - -else ifeq ($(OPTEE_PLATFORM),nxpimx8m) -PLATFORM := imx-mx8mqevk -TEEC_EXPORT ?= $(OPTEE_DIR)/out-br/build/optee_client_ext-1.0/libteec -OPTEE_TOOLCHAIN := $(OPTEE_TOOLCHAIN_DIR)/aarch64 -TA_DEV_KIT_DIR := $(OPTEE_DIR)/optee_os/out/arm/export-ta_arm64 -CROSS_COMPILE := aarch64-linux-gnu- -CPPFLAGS := \ - -isystem $(OPTEE_TOOLCHAIN)/lib/gcc/aarch64-none-linux-gnu/10.2.1/include \ - -else -$(error Unknown OPTEE_PLATFORM $(OPTEE_PLATFORM)) -endif - -# Set paths and flags for the OP-TEE toolchain -PATH := $(PATH):$(OPTEE_TOOLCHAIN)/bin -CC_target := $(OPTEE_TOOLCHAIN)/bin/$(CROSS_COMPILE)gcc -CXX_target := $(OPTEE_TOOLCHAIN)/bin/$(CROSS_COMPILE)g++ -AR_target := $(OPTEE_TOOLCHAIN)/bin/$(CROSS_COMPILE)ar -CPPFLAGS += \ - -I $(OPTEE_DIR)/optee_client/public \ - -Wno-psabi \ - -# OEMCrypto TA optional components -USE_TA_REFERENCE_CRYPTO := no -USE_TA_REFERENCE_CLOCK := no -USE_TA_REFERENCE_RENEWAL := no -USE_TA_REFERENCE_ROOT_OF_TRUST := no - -# Where the build output goes: $CDM/out/opk_optee -builddir_name := $(shell 'pwd')/../../../out/opk_optee -$(info XXXXX builddir_name $(builddir_name)) - -# List libraries from the Trusted OS SDK to link into -# liboemcrypto.so -TRUSTED_OS_SDK_LIBS := $(OPTEE_DIR)/out-br/build/optee_client_ext-1.0/libteec/libteec.so - -PORT_BASE_DIR:=../ports/optee - -# The makefile for liboemcrypto_ta.a requires this environment variable in -# order to locate headers with configuration macros, which can be -# implementation specific -WTPI_CONFIG_MACRO_DIR := $(PORT_BASE_DIR)/ta/common/wtpi_impl - -# NO_LOAD disables the includes from Makefile.rules, they are -# included explicitly from Makefile.opk instead -NO_LOAD := oemcrypto third_party -include Makefile.rules - -# OP-TEE specific linker flags for liboemcrypto.so -# Manually add entire ree_tos library for liboemcrypto.so. This ree_tos library -# implementation uses a file with static functions that are not reachable by -# main, but we still want to include. So we force inclusion with --whole-archive -LIBOEMCRYPTO_LDFLAGS := \ - -Wl,--whole-archive \ - -L$(builddir)/ \ - -lree_tos \ - -Wl,-no-whole-archive \ - -# OP-TEE specific linker flags for the WTPI unit tests -WTPI_UNITTEST_LDFLAGS := \ - -Wl,--whole-archive -lteec -L$(TEEC_EXPORT) \ - -L$(builddir)/ \ - -L$(builddir)/obj.target/third_party \ - -L$(builddir)/obj.target/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree \ - -lcrypto \ - -lopk_ree_api \ - -lgtest \ - -lwtpi_test_lib \ - -lree_tos_wtpi \ - -Wl,-no-whole-archive \ - -static-libstdc++ \ - -# OP-TEE specific linker flags for the oemcrypto unit tests -OEMCRYPTO_UNITTEST_LDFLAGS := \ - -static-libstdc++ \ - -# Makefile.opk expects this variable, which points to the directory containing -# wtpi_impl.target.mk. This builds a static lib containing all the required -# WTPI functions for the OEMCrypto TA or WTPI unit tests to link -WTPI_IMPL_DIR := $(PORT_BASE_DIR)/ta/common/wtpi_impl - -# Makefile.opk expects this variable, which points to -# oemcrypto_unittests.target.mk. That makefile builds the oemcrypto unittest -# host executable. -OEMCRYPTO_UNITTEST_DIR := $(PORT_BASE_DIR)/host/oemcrypto_unittests - -# Makefile.opk expects this variable, which points to wtpi_unittests.target.mk. -# That makefile builds the wtpi unittest host executable. -WTPI_UNITTEST_DIR := $(PORT_BASE_DIR)/host/wtpi_unittests - -# Makefile.opk expects these two variables. They point to ree_tos.target.mk and -# ree_tos_wtpi.target.mk respectively, which build the transport layer -# implementations ree_tos.a and ree_tos_wtpi.a -REE_TOS_DIR := $(PORT_BASE_DIR)/host/common/tos -REE_TOS_WTPI_DIR := $(PORT_BASE_DIR)/host/common/tos - -# Add rules for a simple "hello world" host executable, which can be used to check -# that REE-TEE interactions are working correctly. This is not expected by Makefile.opk. -include $(PORT_BASE_DIR)/host/oemcrypto_helloworld/oemcrypto_helloworld.target.mk - -# Include common OPK make rules -include Makefile.opk - -# Force ree_tos recipe to execute before liboemcrypto.so artifact is built. -# Using the absolute path in the output directory instead of the top level, -# since the absolute path is what gets built, while the top level is where -# liboemcrypto.so gets copied to -# TODO: clean up dependency organization between liboemcrypto.so and port-specific ree_tos -$(obj).target/oemcrypto/opk/build/liboemcrypto.so: ree_tos - -# Add in dependency-tracking rules. $(all_deps) is the list of every single -# target in our tree. Only consider the ones with .d (dependency) info: -d_files := $(wildcard $(foreach f,$(all_deps),$(depsdir)/$(f).d)) -ifneq ($(d_files),) - include $(d_files) -endif - -# Build the OEMCrypto trusted app using the OP-TEE target build system -# The prerequisites are linked by the oemcrypto_ta makefile, so necessarily must be built first -.PHONY: trusted_app -trusted_app: odk opk_tee oemcrypto_ta wtpi_impl - CFLAGS="$(CFLAGS.target)" $(MAKE) -C ../ports/optee/ta/oemcrypto_ta --no-builtin-variables - -# Build the WTPI unit test trusted app -.PHONY: wtpi_test_ta -wtpi_test_ta: odk opk_tee_wtpi_test oemcrypto_ta wtpi_impl - CFLAGS="$(CFLAGS.target)" $(MAKE) -C ../ports/optee/ta/wtpi_test_ta --no-builtin-variables - -# Add OEMCrypto TA and WTPI unit test TA recipes to all. All the other targets -# included from Makefile.opk are already part of the "all" recipe; these -# two must be added manually -.PHONY: all -all: trusted_app wtpi_test_ta diff --git a/oemcrypto/opk/build/Makefile.rules b/oemcrypto/opk/build/Makefile.rules deleted file mode 100644 index 02c4be6..0000000 --- a/oemcrypto/opk/build/Makefile.rules +++ /dev/null @@ -1,354 +0,0 @@ -# We borrow heavily from the kernel build setup, though we are simpler since -# we don't have Kconfig tweaking settings on us. - -# The implicit make rules have it looking for RCS files, among other things. -# We instead explicitly write all the rules we care about. -# It's even quicker (saves ~200ms) to pass -r on the command line. -MAKEFLAGS=-r - -# The source directory tree. -srcdir := ../../.. -abs_srcdir := $(abspath $(srcdir)) - -# The name of the builddir. -builddir_name ?= out - -# The V=1 flag on command line makes us verbosely print command lines. -ifdef V - quiet= -else - quiet=quiet_ -endif - -# Specify BUILDTYPE=Release on the command line for a release build. -BUILDTYPE ?= debug - -# Directory all our build output goes into. -# Note that this must be two directories beneath src/ for unit tests to pass, -# as they reach into the src/ directory for data with relative paths. -builddir ?= $(builddir_name)/$(BUILDTYPE) -abs_builddir := $(abspath $(builddir)) -depsdir := $(builddir)/.deps - -# Object output directory. -obj := $(builddir)/obj -abs_obj := $(abspath $(obj)) - -# We build up a list of every single one of the targets so we can slurp in the -# generated dependency rule Makefiles in one pass. -all_deps := - - - -CC.target ?= $(CC_target) -CFLAGS.target ?= $(CPPFLAGS) $(CFLAGS) -CXX.target ?= $(CXX_target) -CXXFLAGS.target ?= $(CPPFLAGS) $(CXXFLAGS) -LINK.target ?= $(LINK) -LDFLAGS.target ?= $(LDFLAGS) -AR.target ?= $(AR) - -# C++ apps need to be linked with g++. -LINK ?= $(CXX.target) - -# TODO(evan): move all cross-compilation logic to gyp-time so we don't need -# to replicate this environment fallback in make as well. -CC.host ?= $(CC_host) -CFLAGS.host ?= $(CPPFLAGS_host) $(CFLAGS_host) -CXX.host ?= $(CXX_host) -CXXFLAGS.host ?= $(CPPFLAGS_host) $(CXXFLAGS_host) -LINK.host ?= $(CXX.host) -LDFLAGS.host ?= $(LDFLAGS_host) -AR.host ?= $(AR_host) - -# Define a dir function that can handle spaces. -# http://www.gnu.org/software/make/manual/make.html#Syntax-of-Functions -# "leading spaces cannot appear in the text of the first argument as written. -# These characters can be put into the argument value by variable substitution." -empty := -space := $(empty) $(empty) - -# http://stackoverflow.com/questions/1189781/using-make-dir-or-notdir-on-a-path-with-spaces -replace_spaces = $(subst $(space),?,$1) -unreplace_spaces = $(subst ?,$(space),$1) -dirx = $(call unreplace_spaces,$(dir $(call replace_spaces,$1))) - -# Flags to make gcc output dependency info. Note that you need to be -# careful here to use the flags that ccache and distcc can understand. -# We write to a dep file on the side first and then rename at the end -# so we can't end up with a broken dep file. -depfile = $(depsdir)/$(call replace_spaces,$@).d -DEPFLAGS = -MMD -MF $(depfile).raw - -# We have to fixup the deps output in a few ways. -# (1) the file output should mention the proper .o file. -# ccache or distcc lose the path to the target, so we convert a rule of -# the form: -# foobar.o: DEP1 DEP2 -# into -# path/to/foobar.o: DEP1 DEP2 -# (2) we want missing files not to cause us to fail to build. -# We want to rewrite -# foobar.o: DEP1 DEP2 \ -# DEP3 -# to -# DEP1: -# DEP2: -# DEP3: -# so if the files are missing, they're just considered phony rules. -# We have to do some pretty insane escaping to get those backslashes -# and dollar signs past make, the shell, and sed at the same time. -# Doesn't work with spaces, but that's fine: .d files have spaces in -# their names replaced with other characters. -define fixup_dep -# The depfile may not exist if the input file didn't have any #includes. -touch $(depfile).raw -# Fixup path as in (1). -sed -e "s|^$(notdir $@)|$@|" $(depfile).raw >> $(depfile) -# Add extra rules as in (2). -# We remove slashes and replace spaces with new lines; -# remove blank lines; -# delete the first line and append a colon to the remaining lines. -sed -e 's|\\||' -e 'y| |\n|' $(depfile).raw |\ - grep -v '^$$' |\ - sed -e 1d -e 's|$$|:|' \ - >> $(depfile) -rm $(depfile).raw -endef - -# Command definitions: -# - cmd_foo is the actual command to run; -# - quiet_cmd_foo is the brief-output summary of the command. - -quiet_cmd_cc = CC($(TOOLSET)) $@ -cmd_cc = $(CC.$(TOOLSET)) $(GYP_CFLAGS) $(DEPFLAGS) $(CFLAGS.$(TOOLSET)) -c -o $@ $< - -quiet_cmd_cxx = CXX($(TOOLSET)) $@ -cmd_cxx = $(CXX.$(TOOLSET)) $(GYP_CXXFLAGS) $(DEPFLAGS) $(CXXFLAGS.$(TOOLSET)) -c -o $@ $< - -quiet_cmd_touch = TOUCH $@ -cmd_touch = touch $@ - -quiet_cmd_copy = COPY $@ -# send stderr to /dev/null to ignore messages when linking directories. -cmd_copy = ln -f "$<" "$@" 2>/dev/null || (rm -rf "$@" && cp -af "$<" "$@") - -quiet_cmd_alink = AR($(TOOLSET)) $@ -cmd_alink = rm -f $@ && $(AR.$(TOOLSET)) crs $@ $(filter %.o,$^) - -quiet_cmd_alink_thin = AR($(TOOLSET)) $@ -cmd_alink_thin = rm -f $@ && $(AR.$(TOOLSET)) crsT $@ $(filter %.o,$^) - -# Due to circular dependencies between libraries :(, we wrap the -# special "figure out circular dependencies" flags around the entire -# input list during linking. -quiet_cmd_link = LINK($(TOOLSET)) $@ -cmd_link = $(LINK.$(TOOLSET)) $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -o $@ -Wl,--start-group $(LD_INPUTS) -Wl,--end-group $(LIBS) - -# We support two kinds of shared objects (.so): -# 1) shared_library, which is just bundling together many dependent libraries -# into a link line. -# 2) loadable_module, which is generating a module intended for dlopen(). -# -# They differ only slightly: -# In the former case, we want to package all dependent code into the .so. -# In the latter case, we want to package just the API exposed by the -# outermost module. -# This means shared_library uses --whole-archive, while loadable_module doesn't. -# (Note that --whole-archive is incompatible with the --start-group used in -# normal linking.) - -# Other shared-object link notes: -# - Set SONAME to the library filename so our binaries don't reference -# the local, absolute paths used on the link command-line. -quiet_cmd_solink = SOLINK($(TOOLSET)) $@ -cmd_solink = $(LINK.$(TOOLSET)) -shared $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -Wl,-soname=$(@F) -o $@ -Wl,--whole-archive $(LD_INPUTS) -Wl,--no-whole-archive $(LIBS) - -quiet_cmd_solink_module = SOLINK_MODULE($(TOOLSET)) $@ -cmd_solink_module = $(LINK.$(TOOLSET)) -shared $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -Wl,-soname=$(@F) -o $@ -Wl,--start-group $(filter-out FORCE_DO_CMD, $^) -Wl,--end-group $(LIBS) - - -# Define an escape_quotes function to escape single quotes. -# This allows us to handle quotes properly as long as we always use -# use single quotes and escape_quotes. -escape_quotes = $(subst ','\'',$(1)) -# This comment is here just to include a ' to unconfuse syntax highlighting. -# Define an escape_vars function to escape '$' variable syntax. -# This allows us to read/write command lines with shell variables (e.g. -# $LD_LIBRARY_PATH), without triggering make substitution. -escape_vars = $(subst $$,$$$$,$(1)) -# Helper that expands to a shell command to echo a string exactly as it is in -# make. This uses printf instead of echo because printf's behaviour with respect -# to escape sequences is more portable than echo's across different shells -# (e.g., dash, bash). -exact_echo = printf '%s\n' '$(call escape_quotes,$(1))' - -# Helper to compare the command we're about to run against the command -# we logged the last time we ran the command. Produces an empty -# string (false) when the commands match. -# Tricky point: Make has no string-equality test function. -# The kernel uses the following, but it seems like it would have false -# positives, where one string reordered its arguments. -# arg_check = $(strip $(filter-out $(cmd_$(1)), $(cmd_$@)) \ -# $(filter-out $(cmd_$@), $(cmd_$(1)))) -# We instead substitute each for the empty string into the other, and -# say they're equal if both substitutions produce the empty string. -# .d files contain ? instead of spaces, take that into account. -command_changed = $(or $(subst $(cmd_$(1)),,$(cmd_$(call replace_spaces,$@))),\ - $(subst $(cmd_$(call replace_spaces,$@)),,$(cmd_$(1)))) - -# Helper that is non-empty when a prerequisite changes. -# Normally make does this implicitly, but we force rules to always run -# so we can check their command lines. -# $? -- new prerequisites -# $| -- order-only dependencies -prereq_changed = $(filter-out FORCE_DO_CMD,$(filter-out $|,$?)) - -# Helper that executes all postbuilds until one fails. -define do_postbuilds - @E=0;\ - for p in $(POSTBUILDS); do\ - eval $$p;\ - E=$$?;\ - if [ $$E -ne 0 ]; then\ - break;\ - fi;\ - done;\ - if [ $$E -ne 0 ]; then\ - rm -rf "$@";\ - exit $$E;\ - fi -endef - -# do_cmd: run a command via the above cmd_foo names, if necessary. -# Should always run for a given target to handle command-line changes. -# Second argument, if non-zero, makes it do asm/C/C++ dependency munging. -# Third argument, if non-zero, makes it do POSTBUILDS processing. -# Note: We intentionally do NOT call dirx for depfile, since it contains ? for -# spaces already and dirx strips the ? characters. -define do_cmd -$(if $(or $(command_changed),$(prereq_changed)), - @$(call exact_echo, $($(quiet)cmd_$(1))) - @mkdir -p "$(call dirx,$@)" "$(dir $(depfile))" - $(if $(findstring flock,$(word 1,$(cmd_$1))), - @$(cmd_$(1)) - @echo " $(quiet_cmd_$(1)): Finished", - @$(cmd_$(1)) - ) - @$(call exact_echo,$(call escape_vars,cmd_$(call replace_spaces,$@) := $(cmd_$(1)))) > $(depfile) - @$(if $(2),$(fixup_dep)) - $(if $(and $(3), $(POSTBUILDS)), - $(call do_postbuilds) - ) -) -endef - -# Declare the "all" target first so it is the default, -# even though we don't have the deps yet. -.PHONY: all -all: - -# make looks for ways to re-generate included makefiles, but in our case, we -# don't have a direct way. Explicitly telling make that it has nothing to do -# for them makes it go faster. -%.d: ; - -# Use FORCE_DO_CMD to force a target to run. Should be coupled with -# do_cmd. -.PHONY: FORCE_DO_CMD -FORCE_DO_CMD: - -TOOLSET := target -# Suffix rules, putting all outputs into $(obj). -$(obj).$(TOOLSET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) -$(obj).$(TOOLSET)/%.o: $(srcdir)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) -$(obj).$(TOOLSET)/%.o: $(srcdir)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) -$(obj).$(TOOLSET)/%.o: $(srcdir)/%.cxx FORCE_DO_CMD - @$(call do_cmd,cxx,1) -$(obj).$(TOOLSET)/%.o: $(srcdir)/%.s FORCE_DO_CMD - @$(call do_cmd,cc,1) -$(obj).$(TOOLSET)/%.o: $(srcdir)/%.S FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. -$(obj).$(TOOLSET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) -$(obj).$(TOOLSET)/%.o: $(obj).$(TOOLSET)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) -$(obj).$(TOOLSET)/%.o: $(obj).$(TOOLSET)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) -$(obj).$(TOOLSET)/%.o: $(obj).$(TOOLSET)/%.cxx FORCE_DO_CMD - @$(call do_cmd,cxx,1) -$(obj).$(TOOLSET)/%.o: $(obj).$(TOOLSET)/%.s FORCE_DO_CMD - @$(call do_cmd,cc,1) -$(obj).$(TOOLSET)/%.o: $(obj).$(TOOLSET)/%.S FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) -$(obj).$(TOOLSET)/%.o: $(obj)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) -$(obj).$(TOOLSET)/%.o: $(obj)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) -$(obj).$(TOOLSET)/%.o: $(obj)/%.cxx FORCE_DO_CMD - @$(call do_cmd,cxx,1) -$(obj).$(TOOLSET)/%.o: $(obj)/%.s FORCE_DO_CMD - @$(call do_cmd,cc,1) -$(obj).$(TOOLSET)/%.o: $(obj)/%.S FORCE_DO_CMD - @$(call do_cmd,cc,1) - - -ifeq ($(strip $(foreach prefix,$(NO_LOAD),\ - $(findstring $(join ^,$(prefix)),\ - $(join ^,oemcrypto/odk/src/odk.target.mk)))),) - include oemcrypto/odk/src/odk.target.mk -endif -ifeq ($(strip $(foreach prefix,$(NO_LOAD),\ - $(findstring $(join ^,$(prefix)),\ - $(join ^,oemcrypto/opk/build/ta.target.mk)))),) - include oemcrypto/opk/build/ta.target.mk -endif -ifeq ($(strip $(foreach prefix,$(NO_LOAD),\ - $(findstring $(join ^,$(prefix)),\ - $(join ^,oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.target.mk)))),) - include oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.target.mk -endif -ifeq ($(strip $(foreach prefix,$(NO_LOAD),\ - $(findstring $(join ^,$(prefix)),\ - $(join ^,oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_clock.target.mk)))),) - include oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_clock.target.mk -endif -ifeq ($(strip $(foreach prefix,$(NO_LOAD),\ - $(findstring $(join ^,$(prefix)),\ - $(join ^,oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_crypto.target.mk)))),) - include oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_crypto.target.mk -endif -ifeq ($(strip $(foreach prefix,$(NO_LOAD),\ - $(findstring $(join ^,$(prefix)),\ - $(join ^,oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_root_of_trust.target.mk)))),) - include oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_root_of_trust.target.mk -endif -ifeq ($(strip $(foreach prefix,$(NO_LOAD),\ - $(findstring $(join ^,$(prefix)),\ - $(join ^,oemcrypto/opk/serialization/tee/opk_tee.target.mk)))),) - include oemcrypto/opk/serialization/tee/opk_tee.target.mk -endif -ifeq ($(strip $(foreach prefix,$(NO_LOAD),\ - $(findstring $(join ^,$(prefix)),\ - $(join ^,third_party/boringssl/crypto.target.mk)))),) - include third_party/boringssl/crypto.target.mk -endif - -# "all" is a concatenation of the "all" targets from all the included -# sub-makefiles. This is just here to clarify. -all: - -# Add in dependency-tracking rules. $(all_deps) is the list of every single -# target in our tree. Only consider the ones with .d (dependency) info: -d_files := $(wildcard $(foreach f,$(all_deps),$(depsdir)/$(f).d)) -ifneq ($(d_files),) - include $(d_files) -endif diff --git a/oemcrypto/opk/build/host.gyp b/oemcrypto/opk/build/host.gyp deleted file mode 100644 index 2a2903e..0000000 --- a/oemcrypto/opk/build/host.gyp +++ /dev/null @@ -1,90 +0,0 @@ -{ - 'includes' : [ - '../serialization/settings.gypi', - ], - 'variables': { - 'platform_specific_dir': '<(DEPTH)/linux/src', - 'util_dir': '<(DEPTH)/util', - 'privacy_crypto_impl': 'boringssl', - 'boringssl_libcrypto_path': '<(third_party_dir)/boringssl/boringssl.gyp:crypto', - 'boringssl_libssl_path': '<(third_party_dir)/boringssl/boringssl.gyp:ssl', - 'gtest_dependency': '<(third_party_dir)/googletest.gyp:gtest', - 'gmock_dependency': '<(third_party_dir)/googletest.gyp:gmock', - 'support_ota_keybox_functions': 'false', - 'wtpi_test_serialization': '<(oemcrypto_ta_dir)/wtpi_test', - }, - 'targets' : [ - { - # liboemcrypto.so shared library - 'toolsets' : [ 'target' ], - 'target_name': 'liboemcrypto', - 'type': 'shared_library', - 'link_settings': { - 'libraries': [ - '$(TRUSTED_OS_SDK_LIBS)', - '<(PRODUCT_DIR)/libree_tos.a', - ], - }, - 'dependencies': [ - '<(ree_dir)/ree.gyp:opk_ree', - ], - 'ldflags': [ - '$(LIBOEMCRYPTO_LDFLAGS)', - ], - }, - { - # OEMCrypto unit tests - 'toolsets' : [ 'target' ], - 'target_name': 'oemcrypto_unittests', - 'type': 'executable', - 'sources': [ - '<(oemcrypto_dir)/test/oemcrypto_test_main.cpp', - '<(odk_dir)/src/core_message_deserialize.cpp', - '<(odk_dir)/src/core_message_serialize.cpp', - '<(platform_specific_dir)/file_store.cpp', - '<(platform_specific_dir)/log.cpp', - '<(util_dir)/src/cdm_random.cpp', - '<(util_dir)/src/platform.cpp', - '<(util_dir)/src/rw_lock.cpp', - '<(util_dir)/src/string_conversions.cpp', - '<(util_dir)/test/test_sleep.cpp', - '<(util_dir)/test/test_clock.cpp', - '<(odk_dir)/src/core_message_features.cpp', - ], - 'include_dirs': [ - '<(util_dir)/include', - '<(util_dir)/test', - ], - 'dependencies': [ - 'liboemcrypto', - '<(gtest_dependency)', - '<(gmock_dependency)', - ], - 'includes': [ - '../../test/oemcrypto_unittests.gypi', - '../../util/oec_ref_util.gypi', - ], - 'ldflags': [ - '$(OEMCRYPTO_UNITTEST_LDFLAGS)', - ], - }, - { - # WTPI unit tests - 'toolsets': [ 'target' ], - 'target_name': 'wtpi_unittests', - 'type': 'executable', - 'sources': [ - '<(wtpi_test_serialization)/wtpi_test_main.cpp', - ], - 'dependencies': [ - '<(wtpi_test_serialization)/ree/ree_api.gyp:opk_ree_api', - '<(wtpi_test_serialization)/wtpi_test.gyp:wtpi_test_lib', - '<(gtest_dependency)', - '<(gmock_dependency)', - ], - 'ldflags': [ - '$(WTPI_UNITTEST_LDFLAGS)', - ], - }, - ] -} diff --git a/oemcrypto/opk/build/oemcrypto/odk/src/odk.target.mk b/oemcrypto/opk/build/oemcrypto/odk/src/odk.target.mk deleted file mode 100644 index 09000f4..0000000 --- a/oemcrypto/opk/build/oemcrypto/odk/src/odk.target.mk +++ /dev/null @@ -1,143 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := odk -DEFS_debug := \ - '-D_DEFAULT_SOURCE' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error=cast-qual \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/include - -DEFS_release := \ - '-D_DEFAULT_SOURCE' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error=cast-qual \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_message.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_overflow.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_serialize.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_timer.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_util.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/serialization_base.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/odk/src/libodk.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/odk/src/libodk.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/odk/src/libodk.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/odk/src/libodk.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/odk/src/libodk.a -# Add target alias -.PHONY: odk -odk: $(obj).target/oemcrypto/odk/src/libodk.a - -# Add target alias to "all" target. -.PHONY: all -all: odk - -# Add target alias -.PHONY: odk -odk: $(builddir)/libodk.a - -# Copy this to the static library output path. -$(builddir)/libodk.a: TOOLSET := $(TOOLSET) -$(builddir)/libodk.a: $(obj).target/oemcrypto/odk/src/libodk.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/libodk.a -# Short alias for building this static library. -.PHONY: libodk.a -libodk.a: $(obj).target/oemcrypto/odk/src/libodk.a $(builddir)/libodk.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/libodk.a - diff --git a/oemcrypto/opk/build/oemcrypto/opk/build/liboemcrypto.target.mk b/oemcrypto/opk/build/oemcrypto/opk/build/liboemcrypto.target.mk deleted file mode 100644 index b77e430..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/build/liboemcrypto.target.mk +++ /dev/null @@ -1,49 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := liboemcrypto -### Rules for final target. -LDFLAGS_debug := \ - $(LIBOEMCRYPTO_LDFLAGS) - -LDFLAGS_release := \ - $(LIBOEMCRYPTO_LDFLAGS) \ - -O2 \ - -Wl,--strip-debug - -LIBS := \ - $(TRUSTED_OS_SDK_LIBS) \ - $(builddir)/libree_tos.a - -$(obj).target/oemcrypto/opk/build/liboemcrypto.so: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/build/liboemcrypto.so: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/build/liboemcrypto.so: LD_INPUTS := $(obj).target/oemcrypto/opk/serialization/ree/libopk_ree.a -$(obj).target/oemcrypto/opk/build/liboemcrypto.so: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/build/liboemcrypto.so: $(obj).target/oemcrypto/opk/serialization/ree/libopk_ree.a FORCE_DO_CMD - $(call do_cmd,solink) - -all_deps += $(obj).target/oemcrypto/opk/build/liboemcrypto.so -# Add target alias -.PHONY: liboemcrypto -liboemcrypto: $(builddir)/lib.target/liboemcrypto.so - -# Copy this to the shared library output path. -$(builddir)/lib.target/liboemcrypto.so: TOOLSET := $(TOOLSET) -$(builddir)/lib.target/liboemcrypto.so: $(obj).target/oemcrypto/opk/build/liboemcrypto.so FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/lib.target/liboemcrypto.so -# Short alias for building this shared library. -.PHONY: liboemcrypto.so -liboemcrypto.so: $(obj).target/oemcrypto/opk/build/liboemcrypto.so $(builddir)/lib.target/liboemcrypto.so - -# Add shared library to "all" target. -.PHONY: all -all: $(builddir)/lib.target/liboemcrypto.so - diff --git a/oemcrypto/opk/build/oemcrypto/opk/build/ta.target.mk b/oemcrypto/opk/build/oemcrypto/opk/build/ta.target.mk deleted file mode 100644 index 002167d..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/build/ta.target.mk +++ /dev/null @@ -1,52 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := ta -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/build/libta.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/build/libta.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/build/libta.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/build/libta.a: FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/build/libta.a -# Add target alias -.PHONY: ta -ta: $(obj).target/oemcrypto/opk/build/libta.a - -# Add target alias to "all" target. -.PHONY: all -all: ta - -# Add target alias -.PHONY: ta -ta: $(builddir)/libta.a - -# Copy this to the static library output path. -$(builddir)/libta.a: TOOLSET := $(TOOLSET) -$(builddir)/libta.a: $(obj).target/oemcrypto/opk/build/libta.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/libta.a -# Short alias for building this static library. -.PHONY: libta.a -libta.a: $(obj).target/oemcrypto/opk/build/libta.a $(builddir)/libta.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/libta.a - diff --git a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.target.mk b/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.target.mk deleted file mode 100644 index afae255..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.target.mk +++ /dev/null @@ -1,165 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := oemcrypto_ta -DEFS_debug := \ - '-D_DEFAULT_SOURCE' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -pedantic \ - -pedantic-errors \ - -Werror=pedantic \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -D_POSIX_C_SOURCE=200809L \ - -std=c99 - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(WTPI_CONFIG_MACRO_DIR) \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include - -DEFS_release := \ - '-D_DEFAULT_SOURCE' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -pedantic \ - -pedantic-errors \ - -Werror=pedantic \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -D_POSIX_C_SOURCE=200809L \ - -std=c99 - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(WTPI_CONFIG_MACRO_DIR) \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_asymmetric_key_table.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_entitled_key_session.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_entitled_key_session_table.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_key.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_key_control_block.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_key_table.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_object_table.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_output.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_overflow.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_serialized_usage_table.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_session.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_session_key_table.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_session_table.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_session_type.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_usage_table.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/oemcrypto_wall_clock.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/oemcrypto_ta/liboemcrypto_ta.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/oemcrypto_ta/liboemcrypto_ta.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/oemcrypto_ta/liboemcrypto_ta.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/oemcrypto_ta/liboemcrypto_ta.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/oemcrypto_ta/liboemcrypto_ta.a -# Add target alias -.PHONY: oemcrypto_ta -oemcrypto_ta: $(obj).target/oemcrypto/opk/oemcrypto_ta/liboemcrypto_ta.a - -# Add target alias to "all" target. -.PHONY: all -all: oemcrypto_ta - -# Add target alias -.PHONY: oemcrypto_ta -oemcrypto_ta: $(builddir)/liboemcrypto_ta.a - -# Copy this to the static library output path. -$(builddir)/liboemcrypto_ta.a: TOOLSET := $(TOOLSET) -$(builddir)/liboemcrypto_ta.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/liboemcrypto_ta.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/liboemcrypto_ta.a -# Short alias for building this static library. -.PHONY: liboemcrypto_ta.a -liboemcrypto_ta.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/liboemcrypto_ta.a $(builddir)/liboemcrypto_ta.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/liboemcrypto_ta.a - diff --git a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_clock.target.mk b/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_clock.target.mk deleted file mode 100644 index b2629bd..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_clock.target.mk +++ /dev/null @@ -1,149 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := oemcrypto_ta_reference_clock -DEFS_debug := \ - '-D_DEFAULT_SOURCE' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -pedantic \ - -pedantic-errors \ - -Werror=pedantic \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -D_POSIX_C_SOURCE=200809L \ - -std=c99 - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(WTPI_CONFIG_MACRO_DIR) \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include - -DEFS_release := \ - '-D_DEFAULT_SOURCE' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -pedantic \ - -pedantic-errors \ - -Werror=pedantic \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -D_POSIX_C_SOURCE=200809L \ - -std=c99 - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(WTPI_CONFIG_MACRO_DIR) \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_clock_and_gn_layer1.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_clock.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_clock.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_clock.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_clock.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_clock.a -# Add target alias -.PHONY: oemcrypto_ta_reference_clock -oemcrypto_ta_reference_clock: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_clock.a - -# Add target alias to "all" target. -.PHONY: all -all: oemcrypto_ta_reference_clock - -# Add target alias -.PHONY: oemcrypto_ta_reference_clock -oemcrypto_ta_reference_clock: $(builddir)/liboemcrypto_ta_reference_clock.a - -# Copy this to the static library output path. -$(builddir)/liboemcrypto_ta_reference_clock.a: TOOLSET := $(TOOLSET) -$(builddir)/liboemcrypto_ta_reference_clock.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_clock.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/liboemcrypto_ta_reference_clock.a -# Short alias for building this static library. -.PHONY: liboemcrypto_ta_reference_clock.a -liboemcrypto_ta_reference_clock.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_clock.a $(builddir)/liboemcrypto_ta_reference_clock.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/liboemcrypto_ta_reference_clock.a - diff --git a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_crypto.target.mk b/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_crypto.target.mk deleted file mode 100644 index 9d5f80e..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_crypto.target.mk +++ /dev/null @@ -1,166 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := oemcrypto_ta_reference_crypto -DEFS_debug := \ - '-D_DEFAULT_SOURCE' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -pedantic \ - -pedantic-errors \ - -Werror=pedantic \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L \ - -std=c11 - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(WTPI_CONFIG_MACRO_DIR) \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_reference \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/third_party/open-dice/include \ - -I$(srcdir)/third_party/open-dice/include/dice/config/boringssl_ed25519 \ - -I$(srcdir)/third_party/boringssl/kit/src/include - -DEFS_release := \ - '-D_DEFAULT_SOURCE' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -pedantic \ - -pedantic-errors \ - -Werror=pedantic \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L \ - -std=c11 - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(WTPI_CONFIG_MACRO_DIR) \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_reference \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/third_party/open-dice/include \ - -I$(srcdir)/third_party/open-dice/include/dice/config/boringssl_ed25519 \ - -I$(srcdir)/third_party/boringssl/kit/src/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/crypto_util.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/cose_util.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/ecc_util.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/rsa_util.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crc32.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_asymmetric.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_decrypt_sample.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_and_key_management_layer1_openssl.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_crypto.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_crypto.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_crypto.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_crypto.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_crypto.a -# Add target alias -.PHONY: oemcrypto_ta_reference_crypto -oemcrypto_ta_reference_crypto: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_crypto.a - -# Add target alias to "all" target. -.PHONY: all -all: oemcrypto_ta_reference_crypto - -# Add target alias -.PHONY: oemcrypto_ta_reference_crypto -oemcrypto_ta_reference_crypto: $(builddir)/liboemcrypto_ta_reference_crypto.a - -# Copy this to the static library output path. -$(builddir)/liboemcrypto_ta_reference_crypto.a: TOOLSET := $(TOOLSET) -$(builddir)/liboemcrypto_ta_reference_crypto.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_crypto.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/liboemcrypto_ta_reference_crypto.a -# Short alias for building this static library. -.PHONY: liboemcrypto_ta_reference_crypto.a -liboemcrypto_ta_reference_crypto.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_crypto.a $(builddir)/liboemcrypto_ta_reference_crypto.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/liboemcrypto_ta_reference_crypto.a - diff --git a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_renewal.target.mk b/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_renewal.target.mk deleted file mode 100644 index 1f3704c..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_renewal.target.mk +++ /dev/null @@ -1,150 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := oemcrypto_ta_reference_renewal -DEFS_debug := \ - '-D_DEFAULT_SOURCE' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -pedantic \ - -pedantic-errors \ - -Werror=pedantic \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -D_POSIX_C_SOURCE=200809L \ - -std=c99 - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(WTPI_CONFIG_MACRO_DIR) \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include - -DEFS_release := \ - '-D_DEFAULT_SOURCE' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -pedantic \ - -pedantic-errors \ - -Werror=pedantic \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -D_POSIX_C_SOURCE=200809L \ - -std=c99 - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(WTPI_CONFIG_MACRO_DIR) \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_device_renewal_layer1.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_device_renewal_layer2.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_renewal.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_renewal.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_renewal.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_renewal.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_renewal.a -# Add target alias -.PHONY: oemcrypto_ta_reference_renewal -oemcrypto_ta_reference_renewal: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_renewal.a - -# Add target alias to "all" target. -.PHONY: all -all: oemcrypto_ta_reference_renewal - -# Add target alias -.PHONY: oemcrypto_ta_reference_renewal -oemcrypto_ta_reference_renewal: $(builddir)/liboemcrypto_ta_reference_renewal.a - -# Copy this to the static library output path. -$(builddir)/liboemcrypto_ta_reference_renewal.a: TOOLSET := $(TOOLSET) -$(builddir)/liboemcrypto_ta_reference_renewal.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_renewal.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/liboemcrypto_ta_reference_renewal.a -# Short alias for building this static library. -.PHONY: liboemcrypto_ta_reference_renewal.a -liboemcrypto_ta_reference_renewal.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_renewal.a $(builddir)/liboemcrypto_ta_reference_renewal.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/liboemcrypto_ta_reference_renewal.a - diff --git a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_root_of_trust.target.mk b/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_root_of_trust.target.mk deleted file mode 100644 index d1be0da..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_reference/oemcrypto_ta_reference_root_of_trust.target.mk +++ /dev/null @@ -1,154 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := oemcrypto_ta_reference_root_of_trust -DEFS_debug := \ - '-D_DEFAULT_SOURCE' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -pedantic \ - -pedantic-errors \ - -Werror=pedantic \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -D_POSIX_C_SOURCE=200809L \ - -std=c99 - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_reference \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(WTPI_CONFIG_MACRO_DIR) \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include - -DEFS_release := \ - '-D_DEFAULT_SOURCE' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -pedantic \ - -pedantic-errors \ - -Werror=pedantic \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -D_POSIX_C_SOURCE=200809L \ - -std=c99 - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_reference \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(WTPI_CONFIG_MACRO_DIR) \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/renewal_util.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_wrap_asymmetric.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_device_key.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_root_of_trust_layer1.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_root_of_trust.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_root_of_trust.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_root_of_trust.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_root_of_trust.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_root_of_trust.a -# Add target alias -.PHONY: oemcrypto_ta_reference_root_of_trust -oemcrypto_ta_reference_root_of_trust: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_root_of_trust.a - -# Add target alias to "all" target. -.PHONY: all -all: oemcrypto_ta_reference_root_of_trust - -# Add target alias -.PHONY: oemcrypto_ta_reference_root_of_trust -oemcrypto_ta_reference_root_of_trust: $(builddir)/liboemcrypto_ta_reference_root_of_trust.a - -# Copy this to the static library output path. -$(builddir)/liboemcrypto_ta_reference_root_of_trust.a: TOOLSET := $(TOOLSET) -$(builddir)/liboemcrypto_ta_reference_root_of_trust.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_root_of_trust.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/liboemcrypto_ta_reference_root_of_trust.a -# Short alias for building this static library. -.PHONY: liboemcrypto_ta_reference_root_of_trust.a -liboemcrypto_ta_reference_root_of_trust.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_reference/liboemcrypto_ta_reference_root_of_trust.a $(builddir)/liboemcrypto_ta_reference_root_of_trust.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/liboemcrypto_ta_reference_root_of_trust.a - diff --git a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/opk_ree_api.target.mk b/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/opk_ree_api.target.mk deleted file mode 100644 index 22e683e..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/opk_ree_api.target.mk +++ /dev/null @@ -1,157 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := opk_ree_api -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-DMIN_LOG_LEVEL=LOG_LEVEL_DEBUG' \ - '-DENABLE_ANSI_COLORS=1' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/oemcrypto/opk/serialization/generator - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DMIN_LOG_LEVEL=LOG_LEVEL_DEBUG' \ - '-DENABLE_ANSI_COLORS=1' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/oemcrypto/opk/serialization/generator - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_ree_serializer.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_oemcrypto_tee_test_api.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/ree_special_cases.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/GEN_common_serializer.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/common_special_cases.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_message.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_overflow.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/bump_allocator.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/log_macros.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/length_types.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/marshaller_base.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/opk_init.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/opk_serialization_base.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/shared_buffer_allocator.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/ree/api_support.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/libopk_ree_api.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/libopk_ree_api.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/libopk_ree_api.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/libopk_ree_api.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink_thin) - -all_deps += $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/libopk_ree_api.a -# Add target alias -.PHONY: opk_ree_api -opk_ree_api: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/libopk_ree_api.a - -# Add target alias to "all" target. -.PHONY: all -all: opk_ree_api - diff --git a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/opk_tee_wtpi_test.target.mk b/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/opk_tee_wtpi_test.target.mk deleted file mode 100644 index ed23214..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/opk_tee_wtpi_test.target.mk +++ /dev/null @@ -1,160 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := opk_tee_wtpi_test -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-DMIN_LOG_LEVEL=LOG_LEVEL_DEBUG' \ - '-DENABLE_ANSI_COLORS=1' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/oemcrypto/opk/serialization/generator \ - -I$(srcdir)/oemcrypto/opk/serialization/tee/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test/generator - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DMIN_LOG_LEVEL=LOG_LEVEL_DEBUG' \ - '-DENABLE_ANSI_COLORS=1' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/oemcrypto/opk/serialization/generator \ - -I$(srcdir)/oemcrypto/opk/serialization/tee/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test/generator - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_dispatcher.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_tee_serializer.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/tee_special_cases.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/GEN_common_serializer.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/common_special_cases.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_message.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_overflow.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/bump_allocator.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/length_types.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/log_macros.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/marshaller_base.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/opk_init.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/opk_serialization_base.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/shared_buffer_allocator.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/libopk_tee_wtpi_test.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/libopk_tee_wtpi_test.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/libopk_tee_wtpi_test.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/libopk_tee_wtpi_test.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink_thin) - -all_deps += $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/libopk_tee_wtpi_test.a -# Add target alias -.PHONY: opk_tee_wtpi_test -opk_tee_wtpi_test: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/libopk_tee_wtpi_test.a - -# Add target alias to "all" target. -.PHONY: all -all: opk_tee_wtpi_test - diff --git a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test.target.mk b/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test.target.mk deleted file mode 100644 index 1498ff6..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test.target.mk +++ /dev/null @@ -1,164 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := wtpi_test -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-DMIN_LOG_LEVEL=LOG_LEVEL_DEBUG' \ - '-DENABLE_ANSI_COLORS=1' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/third_party/googletest/googletest/include \ - -I$(srcdir)/util/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/oemcrypto/opk/serialization/generator \ - -I$(srcdir)/third_party/googletest/googlemock/include - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DMIN_LOG_LEVEL=LOG_LEVEL_DEBUG' \ - '-DENABLE_ANSI_COLORS=1' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/third_party/googletest/googletest/include \ - -I$(srcdir)/util/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/oemcrypto/opk/serialization/generator \ - -I$(srcdir)/third_party/googletest/googlemock/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test_main.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# Make sure our dependencies are built before any of us. -$(OBJS): | $(obj).target/third_party/libgtest.a $(builddir)/libwtpi_test_lib.a $(builddir)/libcrypto.a $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a $(obj).target/third_party/boringssl/libcrypto.a - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := \ - -Wl,--whole-archive \ - libwtpi_test_lib.a \ - -Wl,--no-whole-archive - -LDFLAGS_release := \ - -Wl,--whole-archive \ - libwtpi_test_lib.a \ - -Wl,--no-whole-archive \ - -O2 \ - -Wl,--strip-debug - -LIBS := \ - -lrt \ - -lpthread \ - -ldl - -$(builddir)/wtpi_test: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(builddir)/wtpi_test: LIBS := $(LIBS) -$(builddir)/wtpi_test: LD_INPUTS := $(OBJS) $(obj).target/third_party/libgtest.a $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a $(obj).target/third_party/boringssl/libcrypto.a -$(builddir)/wtpi_test: TOOLSET := $(TOOLSET) -$(builddir)/wtpi_test: $(OBJS) $(obj).target/third_party/libgtest.a $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a $(obj).target/third_party/boringssl/libcrypto.a FORCE_DO_CMD - $(call do_cmd,link) - -all_deps += $(builddir)/wtpi_test -# Add target alias -.PHONY: wtpi_test -wtpi_test: $(builddir)/wtpi_test - -# Add executable to "all" target. -.PHONY: all -all: $(builddir)/wtpi_test - diff --git a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test_lib.target.mk b/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test_lib.target.mk deleted file mode 100644 index 755cfe6..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test_lib.target.mk +++ /dev/null @@ -1,174 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := wtpi_test_lib -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-DMIN_LOG_LEVEL=LOG_LEVEL_DEBUG' \ - '-DENABLE_ANSI_COLORS=1' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/third_party/googletest/googletest/include \ - -I$(srcdir)/util/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/oemcrypto/opk/serialization/generator \ - -I$(srcdir)/third_party/boringssl/kit/src/include - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DMIN_LOG_LEVEL=LOG_LEVEL_DEBUG' \ - '-DENABLE_ANSI_COLORS=1' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/third_party/googletest/googletest/include \ - -I$(srcdir)/util/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_test/common \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/oemcrypto/opk/serialization/generator \ - -I$(srcdir)/third_party/boringssl/kit/src/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/clock_interface_test.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/crypto_test.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/generation_number_interface_test.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/ssl_util.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/test_rsa_key.o \ - $(obj).target/$(TARGET)/linux/src/log.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a -# Add target alias -.PHONY: wtpi_test_lib -wtpi_test_lib: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a - -# Add target alias to "all" target. -.PHONY: all -all: wtpi_test_lib - -# Add target alias -.PHONY: wtpi_test_lib -wtpi_test_lib: $(builddir)/libwtpi_test_lib.a - -# Copy this to the static library output path. -$(builddir)/libwtpi_test_lib.a: TOOLSET := $(TOOLSET) -$(builddir)/libwtpi_test_lib.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/libwtpi_test_lib.a -# Short alias for building this static library. -.PHONY: libwtpi_test_lib.a -libwtpi_test_lib.a: $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a $(builddir)/libwtpi_test_lib.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/libwtpi_test_lib.a - diff --git a/oemcrypto/opk/build/oemcrypto/opk/ports/optee/build/README.md b/oemcrypto/opk/build/oemcrypto/opk/ports/optee/build/README.md deleted file mode 100644 index e9bcfb2..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/ports/optee/build/README.md +++ /dev/null @@ -1,15 +0,0 @@ -Port-specific makefiles for OP-TEE will be placed here after running -jenkins/opk_makefiles with optee-specific gen_makefiles scripts executed. The -generated port-specific makefiles include: - * oemcrypto_helloworld.target.mk - * ree_tos.target.mk - * ree_tos_wtpi_target.mk - * wtpi_impl.target.mk - -as well as the unit test makefiles under `oemcrypto/opk/build/oemcrypto/opk/build/`: - * oemcrypto_unittests.target.mk - * wtpi_unittests.target.mk - -Examples of how these are referenced can be found in the include rules in the -top level file `Makefile.opk`. Examples of how these are defined for the OP-TEE -port can be found in file `Makefile.optee`. \ No newline at end of file diff --git a/oemcrypto/opk/build/oemcrypto/opk/serialization/ree/opk_ree.target.mk b/oemcrypto/opk/build/oemcrypto/opk/serialization/ree/opk_ree.target.mk deleted file mode 100644 index 0a8b63e..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/serialization/ree/opk_ree.target.mk +++ /dev/null @@ -1,173 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := opk_ree -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/ree/api_support.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/ree/GEN_ree_serializer.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/ree/GEN_oemcrypto_api.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/ree/ree_os_type.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/ree/ree_version.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/ree/ree_special_cases.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/ree/special_case_apis.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/bump_allocator.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/common_special_cases.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/GEN_common_serializer.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/log_macros.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/length_types.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/marshaller_base.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/message_debug.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/opk_init.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/opk_serialization_base.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/shared_buffer_allocator.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_message.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_overflow.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/serialization/ree/libopk_ree.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/serialization/ree/libopk_ree.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/serialization/ree/libopk_ree.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/serialization/ree/libopk_ree.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/serialization/ree/libopk_ree.a -# Add target alias -.PHONY: opk_ree -opk_ree: $(obj).target/oemcrypto/opk/serialization/ree/libopk_ree.a - -# Add target alias to "all" target. -.PHONY: all -all: opk_ree - -# Add target alias -.PHONY: opk_ree -opk_ree: $(builddir)/libopk_ree.a - -# Copy this to the static library output path. -$(builddir)/libopk_ree.a: TOOLSET := $(TOOLSET) -$(builddir)/libopk_ree.a: $(obj).target/oemcrypto/opk/serialization/ree/libopk_ree.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/libopk_ree.a -# Short alias for building this static library. -.PHONY: libopk_ree.a -libopk_ree.a: $(obj).target/oemcrypto/opk/serialization/ree/libopk_ree.a $(builddir)/libopk_ree.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/libopk_ree.a - diff --git a/oemcrypto/opk/build/oemcrypto/opk/serialization/tee/opk_tee.target.mk b/oemcrypto/opk/build/oemcrypto/opk/serialization/tee/opk_tee.target.mk deleted file mode 100644 index 356c7ee..0000000 --- a/oemcrypto/opk/build/oemcrypto/opk/serialization/tee/opk_tee.target.mk +++ /dev/null @@ -1,174 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := opk_tee -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/serialization/tee/include - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/serialization/tee/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/tee/GEN_dispatcher.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/tee/GEN_tee_serializer.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/tee/tee_special_cases.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/tee/tee_os_type.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/tee/tee_version.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/tee/tee_tos_stubs.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/bump_allocator.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/common_special_cases.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/GEN_common_serializer.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/length_types.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/log_macros.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/marshaller_base.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/message_debug.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/opk_init.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/opk_serialization_base.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/serialization/common/shared_buffer_allocator.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_message.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/odk_overflow.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/serialization/tee/libopk_tee.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/serialization/tee/libopk_tee.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/serialization/tee/libopk_tee.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/serialization/tee/libopk_tee.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/serialization/tee/libopk_tee.a -# Add target alias -.PHONY: opk_tee -opk_tee: $(obj).target/oemcrypto/opk/serialization/tee/libopk_tee.a - -# Add target alias to "all" target. -.PHONY: all -all: opk_tee - -# Add target alias -.PHONY: opk_tee -opk_tee: $(builddir)/libopk_tee.a - -# Copy this to the static library output path. -$(builddir)/libopk_tee.a: TOOLSET := $(TOOLSET) -$(builddir)/libopk_tee.a: $(obj).target/oemcrypto/opk/serialization/tee/libopk_tee.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/libopk_tee.a -# Short alias for building this static library. -.PHONY: libopk_tee.a -libopk_tee.a: $(obj).target/oemcrypto/opk/serialization/tee/libopk_tee.a $(builddir)/libopk_tee.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/libopk_tee.a - diff --git a/oemcrypto/opk/build/ree-sources.mk b/oemcrypto/opk/build/ree-sources.mk new file mode 100644 index 0000000..67b5233 --- /dev/null +++ b/oemcrypto/opk/build/ree-sources.mk @@ -0,0 +1,231 @@ +# +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +# source code may only be used and distributed under the Widevine +# License Agreement. +# + +# This file lists out all of the OPK source files that are provided for +# OEMCrypto REE-side applications. These files are largely platform +# independent. +# +# By default, USE_DEFAULT_BORINGSSL is set to 'y' which searches for the +# default BoringSSL source at a known path. If you wish to use this, you may +# optionally set the ARCH variable to either 32 or 64 to include the +# appropriate assembly source. If you would like to use your own OpenSSL or +# BoringSSL copy, then set USE_DEFULAT_BORINGSSL to 'n' and include the source +# files manually in your own makefile. +# +# At the bottom of the file are variables `oemcrypto_unittests_sources`, +# `wtpi_unittests_sources`, and `liboemcrypto_sources` along with corresponding +# `includes`. These are intended for use with external Make-based systems to +# easily include required OPK files for common targets. +# +# This file does not include platform-specific sources such as transport layer +# implementations. Those should be provided on a case-by-base basis for each +# platform. + +# Points to the top of the repository. Defined separately from the CDM_DIR +# variable to allow for slight modifications in build systems (eg use +# a relative path here instead of absolute CDM_DIR) +OPK_REPO_TOP ?= $(CDM_DIR) +USE_DEFAULT_BORINGSSL ?= y + +oemcrypto_dir := $(OPK_REPO_TOP)/oemcrypto +util_dir ?= $(OPK_REPO_TOP)/util +odk_dir ?= $(OPK_REPO_TOP)/oemcrypto/odk +serialization_dir ?= $(OPK_REPO_TOP)/oemcrypto/opk/serialization +wtpi_serialization_dir ?= $(OPK_REPO_TOP)/oemcrypto/opk/oemcrypto_ta/wtpi_test +oemcrypto_unittests_dir ?= $(OPK_REPO_TOP)/oemcrypto/test +wtpi_unittests_dir ?= $(OPK_REPO_TOP)/oemcrypto/opk/oemcrypto_ta/wtpi_test +log_dir ?= $(OPK_REPO_TOP)/linux/src +gtest_dir ?= $(OPK_REPO_TOP)/third_party/googletest/googletest + +serialization_ree_sources += \ + $(serialization_dir)/ree/api_support.c \ + $(serialization_dir)/ree/GEN_ree_serializer.c \ + $(serialization_dir)/ree/GEN_oemcrypto_api.c \ + $(serialization_dir)/ree/ree_os_type.c \ + $(serialization_dir)/ree/ree_version.c \ + $(serialization_dir)/ree/ree_special_cases.c \ + $(serialization_dir)/ree/special_case_apis.c \ + $(serialization_dir)/common/bump_allocator.c \ + $(serialization_dir)/common/common_special_cases.c \ + $(serialization_dir)/common/GEN_common_serializer.c \ + $(serialization_dir)/common/log_macros.c \ + $(serialization_dir)/common/length_types.c \ + $(serialization_dir)/common/marshaller_base.c \ + $(serialization_dir)/common/message_debug.c \ + $(serialization_dir)/common/opk_init.c \ + $(serialization_dir)/common/opk_serialization_base.c \ + $(serialization_dir)/common/shared_buffer_allocator.c \ + +serialization_ree_includes += \ + $(serialization_dir)/ree \ + $(serialization_dir)/common \ + $(serialization_dir)/common/include \ + $(serialization_dir)/os_interfaces \ + +# These files are only for WTPI unit tests +wtpi_serialization_ree_sources += \ + $(wtpi_serialization_dir)/ree/GEN_ree_serializer.c \ + $(wtpi_serialization_dir)/ree/GEN_oemcrypto_tee_test_api.c \ + $(wtpi_serialization_dir)/ree/ree_special_cases.c \ + $(wtpi_serialization_dir)/common/GEN_common_serializer.c \ + $(wtpi_serialization_dir)/common/common_special_cases.c \ + $(serialization_dir)/common/bump_allocator.c \ + $(serialization_dir)/common/log_macros.c \ + $(serialization_dir)/common/length_types.c \ + $(serialization_dir)/common/marshaller_base.c \ + $(serialization_dir)/common/opk_init.c \ + $(serialization_dir)/common/opk_serialization_base.c \ + $(serialization_dir)/common/shared_buffer_allocator.c \ + $(serialization_dir)/ree/api_support.c \ + +wtpi_serialization_ree_includes += \ + $(wtpi_serialization_dir)/ree \ + $(wtpi_serialization_dir)/common \ + $(serialization_dir)/common \ + $(serialization_dir)/common/include \ + $(serialization_dir)/os_interfaces \ + +odk_sources += \ + $(odk_dir)/src/odk_message.c \ + $(odk_dir)/src/odk_overflow.c \ + +odk_includes += \ + $(odk_dir)/src \ + $(odk_dir)/include \ + $(odk_dir)/../include \ + +gtest_sources += \ + $(gtest_dir)/src/gtest-all.cc \ + +gtest_includes += \ + $(gtest_dir) \ + $(gtest_dir)/include \ + +ifeq ($(USE_DEFAULT_BORINGSSL), y) + include $(CDM_DIR)/third_party/boringssl/kit/sources.mk + boringssl_dir ?= $(OPK_REPO_TOP)/third_party/boringssl + + boringssl_sources_raw += \ + $(crypto_sources) + + ifeq ($(ARCH), 64) + boringssl_sources_raw += \ + $(linux_aarch64_sources) \ + + else ifeq($(ARCH), 32)) + boringssl_sources_raw += \ + $(linux_arm_sources) \ + + else + $(info No known value for ARCH; assembly not included for BoringSSL) + endif + + boringssl_sources += \ + $(addprefix $(boringssl_dir)/kit/, $(boringssl_sources_raw)) \ + + boringssl_includes += \ + $(boringssl_dir)/kit/src/include \ + +endif + +######################################################### +# Variables to be used by makefiles are below +######################################################### + +# Source files for a host app that runs unit tests against the OEMCrypto TA. +# Requires liboemcrypto.so +oemcrypto_unittests_sources += \ + $(oemcrypto_unittests_dir)/oemcrypto_test_main.cpp \ + $(odk_dir)/src/core_message_deserialize.cpp \ + $(odk_dir)/src/core_message_serialize.cpp \ + $(odk_dir)/src/core_message_features.cpp \ + $(odk_dir)/src/odk_serialize.c \ + $(odk_dir)/src/serialization_base.c \ + $(log_dir)/file_store.cpp \ + $(log_dir)/log.cpp \ + $(util_dir)/src/cdm_random.cpp \ + $(util_dir)/src/platform.cpp \ + $(util_dir)/src/rw_lock.cpp \ + $(util_dir)/src/string_conversions.cpp \ + $(util_dir)/test/test_sleep.cpp \ + $(util_dir)/test/test_clock.cpp \ + $(oemcrypto_unittests_dir)/oec_device_features.cpp \ + $(oemcrypto_unittests_dir)/oec_decrypt_fallback_chain.cpp \ + $(oemcrypto_unittests_dir)/oec_key_deriver.cpp \ + $(oemcrypto_unittests_dir)/oec_session_util.cpp \ + $(oemcrypto_unittests_dir)/oemcrypto_corpus_generator_helper.cpp \ + $(oemcrypto_unittests_dir)/oemcrypto_session_tests_helper.cpp \ + $(oemcrypto_unittests_dir)/oemcrypto_test.cpp \ + $(oemcrypto_dir)/util/src/cmac.cpp \ + $(oemcrypto_dir)/util/src/oemcrypto_drm_key.cpp \ + $(oemcrypto_dir)/util/src/oemcrypto_ecc_key.cpp \ + $(oemcrypto_dir)/util/src/oemcrypto_key_deriver.cpp \ + $(oemcrypto_dir)/util/src/oemcrypto_oem_cert.cpp \ + $(oemcrypto_dir)/util/src/oemcrypto_rsa_key.cpp \ + $(oemcrypto_dir)/util/src/wvcrc.cpp \ + $(gtest_sources) \ + $(serialization_ree_sources) \ + $(odk_sources) \ + +ifeq ($(USE_DEFAULT_BORINGSSL), y) + oemcrypto_unittests_sources += $(boringssl_sources) +endif + +oemcrypto_unittests_includes += \ + $(util_dir)/include \ + $(util_dir)/test \ + $(oemcrypto_dir)/include \ + $(oemcrypto_unittests_dir) \ + $(oemcrypto_unittests_dir)/fuzz_tests \ + $(oemcrypto_dir)/odk/include \ + $(oemcrypto_dir)/util/include \ + $(gtest_includes) \ + $(serialization_ree_includes) \ + $(odk_includes) \ + $(oemcrypto_dir)/opk/oemcrypto_ta \ + +ifeq ($(USE_DEFAULT_BORINGSSL), y) + oemcrypto_unittests_includes += $(boringssl_includes) +endif + +# Source files for a host app that runs unit tests against the WTPI Test TA. +# Does not require liboemcrypto.so, since that serializes OEMCrypto functions +# instead of WTPI. The WTPI serialization is statically compiled in this case. +wtpi_unittests_sources += \ + $(wtpi_unittests_dir)/clock_interface_test.cpp \ + $(wtpi_unittests_dir)/crypto_test.cpp \ + $(wtpi_unittests_dir)/generation_number_interface_test.cpp \ + $(wtpi_unittests_dir)/ssl_util.cpp \ + $(wtpi_unittests_dir)/test_rsa_key.cpp \ + $(log_dir)/log.cpp \ + $(odk_sources) \ + $(wtpi_serialization_ree_sources) \ + $(gtest_sources) \ + $(boringssl_sources) \ + +wtpi_unittests_includes += \ + $(wtpi_unittests_dir) \ + $(wtpi_serialization_dir)/common \ + $(wtpi_serialization_ree_includes) \ + $(odk_includes) \ + $(oemcrypto_dir)/opk/oemcrypto_ta/wtpi \ + $(oemcrypto_dir)/opk/oemcrypto_ta \ + $(gtest_includes) \ + $(util_dir)/include \ + $(boringssl_includes) \ + +# Source files for liboemcrypto.so. Does not include platform specific REE-side +# transport functions. +liboemcrypto_sources += \ + $(odk_sources) \ + $(serialization_ree_sources) \ + +liboemcrypto_includes += \ + $(odk_includes) \ + $(serialization_ree_includes) \ + $(oemcrypto_dir)/opk/oemcrypto_ta \ + $(oemcrypto_dir)/include \ + diff --git a/oemcrypto/opk/build/ta.gyp b/oemcrypto/opk/build/ta.gyp deleted file mode 100644 index 435d403..0000000 --- a/oemcrypto/opk/build/ta.gyp +++ /dev/null @@ -1,26 +0,0 @@ -# -# Builds a static library which contains the TEE -# serialization code, dispatcher and the OEMCrypto TA -# -{ - 'includes' : [ - '../serialization/settings.gypi', - ], - 'targets' : [ - { - 'target_name' : 'ta', - 'toolsets' : [ 'target' ], - 'type' : 'static_library', - 'standalone_static_library' : 1, - 'dependencies' : [ - '<(odk_dir)/src/odk.gyp:odk', - '<(oemcrypto_ta_dir)/oemcrypto_ta.gyp:oemcrypto_ta', - '<(oemcrypto_ta_dir)/wtpi_reference/wtpi_reference.gyp:oemcrypto_ta_reference_renewal', - '<(oemcrypto_ta_dir)/wtpi_reference/wtpi_reference.gyp:oemcrypto_ta_reference_root_of_trust', - '<(oemcrypto_ta_dir)/wtpi_reference/wtpi_reference.gyp:oemcrypto_ta_reference_clock', - '<(oemcrypto_ta_dir)/wtpi_reference/wtpi_reference.gyp:oemcrypto_ta_reference_crypto', - '<(tee_dir)/tee.gyp:opk_tee', - ], - }, - ], -} diff --git a/oemcrypto/opk/build/tee-sources.mk b/oemcrypto/opk/build/tee-sources.mk new file mode 100644 index 0000000..9f8d542 --- /dev/null +++ b/oemcrypto/opk/build/tee-sources.mk @@ -0,0 +1,154 @@ +# +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +# source code may only be used and distributed under the Widevine +# License Agreement. +# + +# This file lists out all of the OPK source files that are provided for +# OEMCrypto TEE-side applications. These files are platform independent. +# +# At the bottom of the file are variables `opk_base_ta_sources`, +# `opk_base_wtpi_ta_sources`, and corresponding `includes`. These are intended +# for use with external Make-based systems to easily include required OPK files +# for common TA build targets. +# +# This file does not include platform-specific sources such as WTPI or +# transport layer implementations. Those should be provided on a case-by-base +# basis for each platform. + +# Points to the top of the repository. Defined separately from the CDM_DIR +# variable to allow for slight modifications in build systems (eg use +# a relative path here instead of absolute CDM_DIR) +OPK_REPO_TOP ?= $(CDM_DIR) + +oemcrypto_ta_dir ?= $(OPK_REPO_TOP)/oemcrypto/opk/oemcrypto_ta +odk_dir ?= $(OPK_REPO_TOP)/oemcrypto/odk +serialization_dir ?= $(OPK_REPO_TOP)/oemcrypto/opk/serialization +wtpi_serialization_dir ?= $(OPK_REPO_TOP)/oemcrypto/opk/oemcrypto_ta/wtpi_test + +oemcrypto_ta_sources += \ + $(oemcrypto_ta_dir)/oemcrypto.c \ + $(oemcrypto_ta_dir)/oemcrypto_asymmetric_key_table.c \ + $(oemcrypto_ta_dir)/oemcrypto_entitled_key_session.c \ + $(oemcrypto_ta_dir)/oemcrypto_entitled_key_session_table.c \ + $(oemcrypto_ta_dir)/oemcrypto_key.c \ + $(oemcrypto_ta_dir)/oemcrypto_key_control_block.c \ + $(oemcrypto_ta_dir)/oemcrypto_key_table.c \ + $(oemcrypto_ta_dir)/oemcrypto_object_table.c \ + $(oemcrypto_ta_dir)/oemcrypto_output.c \ + $(oemcrypto_ta_dir)/oemcrypto_overflow.c \ + $(oemcrypto_ta_dir)/oemcrypto_serialized_usage_table.c \ + $(oemcrypto_ta_dir)/oemcrypto_session.c \ + $(oemcrypto_ta_dir)/oemcrypto_session_key_table.c \ + $(oemcrypto_ta_dir)/oemcrypto_session_table.c \ + $(oemcrypto_ta_dir)/oemcrypto_session_type.c \ + $(oemcrypto_ta_dir)/oemcrypto_usage_table.c \ + $(oemcrypto_ta_dir)/oemcrypto_wall_clock.c \ + +oemcrypto_ta_includes += \ + $(oemcrypto_ta_dir)/. \ + $(oemcrypto_ta_dir)/../../include \ + $(oemcrypto_ta_dir)/wtpi \ + +odk_sources += \ + $(odk_dir)/src/odk.c \ + $(odk_dir)/src/odk_message.c \ + $(odk_dir)/src/odk_overflow.c \ + $(odk_dir)/src/odk_serialize.c \ + $(odk_dir)/src/odk_timer.c \ + $(odk_dir)/src/odk_util.c \ + $(odk_dir)/src/serialization_base.c \ + +odk_includes += \ + $(odk_dir)/src \ + $(odk_dir)/include \ + $(odk_dir)/../include \ + +serialization_common_sources += \ + $(serialization_dir)/common/bump_allocator.c \ + $(serialization_dir)/common/common_special_cases.c \ + $(serialization_dir)/common/GEN_common_serializer.c \ + $(serialization_dir)/common/length_types.c \ + $(serialization_dir)/common/log_macros.c \ + $(serialization_dir)/common/marshaller_base.c \ + $(serialization_dir)/common/message_debug.c \ + $(serialization_dir)/common/opk_init.c \ + $(serialization_dir)/common/opk_serialization_base.c \ + $(serialization_dir)/common/shared_buffer_allocator.c \ + +serialization_common_includes += \ + $(serialization_dir)/os_interfaces \ + $(serialization_dir)/common \ + $(serialization_dir)/common/include \ + +wtpi_serialization_common_sources += \ + $(wtpi_serialization_dir)/common/GEN_common_serializer.c \ + $(wtpi_serialization_dir)/common/common_special_cases.c \ + $(serialization_dir)/common/bump_allocator.c \ + $(serialization_dir)/common/length_types.c \ + $(serialization_dir)/common/log_macros.c \ + $(serialization_dir)/common/marshaller_base.c \ + $(serialization_dir)/common/opk_init.c \ + $(serialization_dir)/common/opk_serialization_base.c \ + $(serialization_dir)/common/shared_buffer_allocator.c \ + +wtpi_serialization_common_includes += \ + $(wtpi_serialization_dir)/common \ + +wtpi_serialization_tee_sources += \ + $(wtpi_serialization_dir)/tee/GEN_dispatcher.c \ + $(wtpi_serialization_dir)/tee/GEN_tee_serializer.c \ + $(wtpi_serialization_dir)/tee/tee_special_cases.c \ + $(wtpi_serialization_common_sources) \ + +wtpi_serialization_tee_includes += \ + $(wtpi_serialization_dir)/common \ + $(wtpi_serialization_dir)/tee \ + $(serialization_common_includes) \ + +serialization_tee_sources += \ + $(serialization_dir)/tee/GEN_dispatcher.c \ + $(serialization_dir)/tee/GEN_tee_serializer.c \ + $(serialization_dir)/tee/tee_special_cases.c \ + $(serialization_dir)/tee/tee_os_type.c \ + $(serialization_dir)/tee/tee_version.c \ + $(serialization_dir)/tee/tee_tos_stubs.c \ + $(serialization_common_sources) \ + +serialization_tee_includes += \ + $(serialization_dir)/tee \ + $(serialization_common_includes) \ + +######################################################### +# Variables to be used by makefiles are below +######################################################### + +# OPK source files required to build a TA that implements the OEMCrypto API. +# Does not include platform-specific files such as WTPI implementations and +# transport layer implementations +opk_base_ta_sources += \ + $(oemcrypto_ta_sources) \ + $(odk_sources) \ + $(serialization_tee_sources) \ + +opk_base_ta_includes += \ + $(oemcrypto_ta_includes) \ + $(odk_includes) \ + $(serialization_tee_includes) \ + +# OPK source files required to build a TA that only implements the WTPI +# functions. The serialization layer only recognizes WTPI functions, not +# OEMCrypto, and is intended to be used with a host app that is running unit +# tests against the WTPI. Does not include WTPI implementations themselves or +# the transport implementations. +# WARNING: This TA should never be released on devices! It is only for testing. +opk_base_wtpi_ta_sources += \ + $(odk_sources) \ + $(oemcrypto_ta_dir)/oemcrypto_wall_clock.c \ + $(oemcrypto_ta_dir)/oemcrypto_output.c \ + $(wtpi_serialization_tee_sources) \ + +opk_base_wtpi_ta_includes += \ + $(odk_includes) \ + $(wtpi_serialization_tee_includes) \ + diff --git a/oemcrypto/opk/build/third_party/boringssl/crypto.target.mk b/oemcrypto/opk/build/third_party/boringssl/crypto.target.mk deleted file mode 100644 index ee1adb9..0000000 --- a/oemcrypto/opk/build/third_party/boringssl/crypto.target.mk +++ /dev/null @@ -1,368 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := crypto -DEFS_debug := \ - '-DOPENSSL_NO_ASM' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fvisibility=hidden \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error \ - -w \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/third_party/boringssl/kit/src/include - -DEFS_release := \ - '-DOPENSSL_NO_ASM' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fvisibility=hidden \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error \ - -w \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/third_party/boringssl/kit/src/include - -OBJS := \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/err_data.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_bitstr.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_bool.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_d2i_fp.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_dup.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_enum.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_gentm.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_i2d_fp.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_int.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_mbstr.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_object.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_octet.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_print.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_strex.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_strnid.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_time.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_type.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_utctm.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/a_utf8.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/asn1_lib.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/asn1_par.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/asn_pack.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/f_int.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/f_string.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/tasn_dec.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/tasn_enc.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/tasn_fre.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/tasn_new.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/tasn_typ.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/tasn_utl.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/asn1/time_support.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/base64/base64.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bio/bio.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bio/bio_mem.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bio/connect.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bio/fd.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bio/file.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bio/hexdump.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bio/pair.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bio/printf.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bio/socket.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bio/socket_helper.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/blake2/blake2.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bn_extra/bn_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bn_extra/convert.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/buf/buf.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bytestring/asn1_compat.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bytestring/ber.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bytestring/cbb.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bytestring/cbs.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/bytestring/unicode.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/chacha/chacha.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/cipher_extra.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/derive_key.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/e_aesccm.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/e_aesctrhmac.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/e_aesgcmsiv.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/e_chacha20poly1305.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/e_null.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/e_rc2.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/e_rc4.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/e_tls.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cipher_extra/tls_cbc.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cmac/cmac.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/conf/conf.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cpu-aarch64-fuchsia.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cpu-aarch64-linux.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cpu-aarch64-win.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cpu-arm-linux.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cpu-arm.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cpu-intel.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/cpu-ppc64le.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/crypto.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/curve25519/curve25519.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/curve25519/spake25519.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/dh_extra/dh_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/dh_extra/params.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/digest_extra/digest_extra.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/dsa/dsa.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/dsa/dsa_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/ec_extra/ec_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/ec_extra/ec_derive.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/ec_extra/hash_to_curve.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/ecdh_extra/ecdh_extra.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/ecdsa_extra/ecdsa_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/engine/engine.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/err/err.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/digestsign.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/evp.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/evp_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/evp_ctx.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/p_dsa_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/p_ec.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/p_ec_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/p_ed25519.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/p_ed25519_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/p_rsa.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/p_rsa_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/p_x25519.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/p_x25519_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/pbkdf.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/print.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/scrypt.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/evp/sign.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/ex_data.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/fipsmodule/bcm.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/fipsmodule/fips_shared_support.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/hkdf/hkdf.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/hpke/hpke.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/hrss/hrss.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/lhash/lhash.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/mem.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/obj/obj.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/obj/obj_xref.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pem/pem_all.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pem/pem_info.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pem/pem_lib.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pem/pem_oth.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pem/pem_pk8.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pem/pem_pkey.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pem/pem_x509.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pem/pem_xaux.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pkcs7/pkcs7.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pkcs7/pkcs7_x509.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pkcs8/p5_pbev2.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pkcs8/pkcs8.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pkcs8/pkcs8_x509.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/poly1305/poly1305.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/poly1305/poly1305_arm.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/poly1305/poly1305_vec.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/pool/pool.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/rand_extra/deterministic.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/rand_extra/forkunsafe.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/rand_extra/fuchsia.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/rand_extra/passive.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/rand_extra/rand_extra.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/rand_extra/windows.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/rc4/rc4.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/refcount_c11.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/refcount_lock.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/rsa_extra/rsa_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/rsa_extra/rsa_print.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/siphash/siphash.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/stack/stack.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/thread.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/thread_none.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/thread_pthread.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/thread_win.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/trust_token/pmbtoken.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/trust_token/trust_token.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/trust_token/voprf.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/a_digest.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/a_sign.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/a_verify.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/algorithm.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/asn1_gen.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/by_dir.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/by_file.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/i2d_pr.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/name_print.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/rsa_pss.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/t_crl.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/t_req.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/t_x509.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/t_x509a.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_att.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_cmp.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_d2.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_def.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_ext.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_lu.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_obj.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_req.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_set.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_trs.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_txt.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_v3.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_vfy.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509_vpm.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509cset.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509name.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509rset.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x509spki.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_algor.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_all.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_attrib.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_crl.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_exten.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_info.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_name.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_pkey.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_pubkey.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_req.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_sig.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_spki.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_val.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_x509.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509/x_x509a.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/pcy_cache.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/pcy_data.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/pcy_lib.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/pcy_map.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/pcy_node.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/pcy_tree.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_akey.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_akeya.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_alt.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_bcons.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_bitst.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_conf.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_cpols.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_crld.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_enum.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_extku.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_genn.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_ia5.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_info.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_int.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_lib.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_ncons.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_ocsp.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_pci.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_pcia.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_pcons.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_pmaps.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_prn.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_purp.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_skey.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/crypto/x509v3/v3_utl.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/third_party/boringssl/libcrypto.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/third_party/boringssl/libcrypto.a: LIBS := $(LIBS) -$(obj).target/third_party/boringssl/libcrypto.a: TOOLSET := $(TOOLSET) -$(obj).target/third_party/boringssl/libcrypto.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/third_party/boringssl/libcrypto.a -# Add target alias -.PHONY: crypto -crypto: $(obj).target/third_party/boringssl/libcrypto.a - -# Add target alias to "all" target. -.PHONY: all -all: crypto - -# Add target alias -.PHONY: crypto -crypto: $(builddir)/libcrypto.a - -# Copy this to the static library output path. -$(builddir)/libcrypto.a: TOOLSET := $(TOOLSET) -$(builddir)/libcrypto.a: $(obj).target/third_party/boringssl/libcrypto.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/libcrypto.a -# Short alias for building this static library. -.PHONY: libcrypto.a -libcrypto.a: $(obj).target/third_party/boringssl/libcrypto.a $(builddir)/libcrypto.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/libcrypto.a - diff --git a/oemcrypto/opk/build/third_party/boringssl/ssl.target.mk b/oemcrypto/opk/build/third_party/boringssl/ssl.target.mk deleted file mode 100644 index d743050..0000000 --- a/oemcrypto/opk/build/third_party/boringssl/ssl.target.mk +++ /dev/null @@ -1,165 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := ssl -DEFS_debug := \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fvisibility=hidden \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error \ - -w \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/third_party/boringssl/kit/src/include - -DEFS_release := \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fvisibility=hidden \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error \ - -w \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/third_party/boringssl/kit/src/include - -OBJS := \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/bio_ssl.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/d1_both.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/d1_lib.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/d1_pkt.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/d1_srtp.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/dtls_method.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/dtls_record.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/encrypted_client_hello.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/extensions.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/handoff.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/handshake.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/handshake_client.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/handshake_server.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/s3_both.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/s3_lib.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/s3_pkt.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_aead_ctx.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_asn1.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_buffer.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_cert.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_cipher.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_file.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_key_share.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_lib.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_privkey.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_session.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_stat.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_transcript.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_versions.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/ssl_x509.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/t1_enc.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/tls13_both.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/tls13_client.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/tls13_enc.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/tls13_server.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/tls_method.o \ - $(obj).target/$(TARGET)/third_party/boringssl/kit/src/ssl/tls_record.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/third_party/boringssl/libssl.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/third_party/boringssl/libssl.a: LIBS := $(LIBS) -$(obj).target/third_party/boringssl/libssl.a: TOOLSET := $(TOOLSET) -$(obj).target/third_party/boringssl/libssl.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/third_party/boringssl/libssl.a -# Add target alias -.PHONY: ssl -ssl: $(obj).target/third_party/boringssl/libssl.a - -# Add target alias -.PHONY: ssl -ssl: $(builddir)/libssl.a - -# Copy this to the static library output path. -$(builddir)/libssl.a: TOOLSET := $(TOOLSET) -$(builddir)/libssl.a: $(obj).target/third_party/boringssl/libssl.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/libssl.a -# Short alias for building this static library. -.PHONY: libssl.a -libssl.a: $(obj).target/third_party/boringssl/libssl.a $(builddir)/libssl.a - diff --git a/oemcrypto/opk/build/third_party/cbor.target.mk b/oemcrypto/opk/build/third_party/cbor.target.mk deleted file mode 100644 index d473399..0000000 --- a/oemcrypto/opk/build/third_party/cbor.target.mk +++ /dev/null @@ -1,118 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := cbor -DEFS_debug := \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/third_party/open-dice/include \ - -I$(srcdir)/third_party/open-dice/include/dice/config/boringssl_ed25519 - -DEFS_release := \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/third_party/open-dice/include \ - -I$(srcdir)/third_party/open-dice/include/dice/config/boringssl_ed25519 - -OBJS := \ - $(obj).target/$(TARGET)/third_party/open-dice/src/cbor_writer.o \ - $(obj).target/$(TARGET)/third_party/open-dice/src/clear_memory.o \ - $(obj).target/$(TARGET)/third_party/open-dice/src/dice.o \ - $(obj).target/$(TARGET)/third_party/open-dice/src/utils.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/third_party/libcbor.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/third_party/libcbor.a: LIBS := $(LIBS) -$(obj).target/third_party/libcbor.a: TOOLSET := $(TOOLSET) -$(obj).target/third_party/libcbor.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink_thin) - -all_deps += $(obj).target/third_party/libcbor.a -# Add target alias -.PHONY: cbor -cbor: $(obj).target/third_party/libcbor.a - -# Add target alias to "all" target. -.PHONY: all -all: cbor - diff --git a/oemcrypto/opk/build/third_party/gmock.target.mk b/oemcrypto/opk/build/third_party/gmock.target.mk deleted file mode 100644 index f2653fa..0000000 --- a/oemcrypto/opk/build/third_party/gmock.target.mk +++ /dev/null @@ -1,119 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := gmock -DEFS_debug := \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error \ - -w \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/third_party/googletest/googlemock \ - -I$(srcdir)/third_party/googletest/googlemock/include \ - -I$(srcdir)/third_party/googletest/googletest \ - -I$(srcdir)/third_party/googletest/googletest/include - -DEFS_release := \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error \ - -w \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/third_party/googletest/googlemock \ - -I$(srcdir)/third_party/googletest/googlemock/include \ - -I$(srcdir)/third_party/googletest/googletest \ - -I$(srcdir)/third_party/googletest/googletest/include - -OBJS := \ - $(obj).target/$(TARGET)/third_party/googletest/googlemock/src/gmock-all.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/third_party/libgmock.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/third_party/libgmock.a: LIBS := $(LIBS) -$(obj).target/third_party/libgmock.a: TOOLSET := $(TOOLSET) -$(obj).target/third_party/libgmock.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink_thin) - -all_deps += $(obj).target/third_party/libgmock.a -# Add target alias -.PHONY: gmock -gmock: $(obj).target/third_party/libgmock.a - diff --git a/oemcrypto/opk/build/third_party/gmock_main.target.mk b/oemcrypto/opk/build/third_party/gmock_main.target.mk deleted file mode 100644 index 668c245..0000000 --- a/oemcrypto/opk/build/third_party/gmock_main.target.mk +++ /dev/null @@ -1,119 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := gmock_main -DEFS_debug := \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error \ - -w \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/third_party/googletest/googlemock \ - -I$(srcdir)/third_party/googletest/googlemock/include \ - -I$(srcdir)/third_party/googletest/googletest \ - -I$(srcdir)/third_party/googletest/googletest/include - -DEFS_release := \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error \ - -w \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/third_party/googletest/googlemock \ - -I$(srcdir)/third_party/googletest/googlemock/include \ - -I$(srcdir)/third_party/googletest/googletest \ - -I$(srcdir)/third_party/googletest/googletest/include - -OBJS := \ - $(obj).target/$(TARGET)/third_party/googletest/googlemock/src/gmock_main.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/third_party/libgmock_main.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/third_party/libgmock_main.a: LIBS := $(LIBS) -$(obj).target/third_party/libgmock_main.a: TOOLSET := $(TOOLSET) -$(obj).target/third_party/libgmock_main.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink_thin) - -all_deps += $(obj).target/third_party/libgmock_main.a -# Add target alias -.PHONY: gmock_main -gmock_main: $(obj).target/third_party/libgmock_main.a - diff --git a/oemcrypto/opk/build/third_party/gtest.target.mk b/oemcrypto/opk/build/third_party/gtest.target.mk deleted file mode 100644 index 176c864..0000000 --- a/oemcrypto/opk/build/third_party/gtest.target.mk +++ /dev/null @@ -1,123 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := gtest -DEFS_debug := \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error \ - -w \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/third_party/googletest/googlemock \ - -I$(srcdir)/third_party/googletest/googlemock/include \ - -I$(srcdir)/third_party/googletest/googletest \ - -I$(srcdir)/third_party/googletest/googletest/include - -DEFS_release := \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -Wno-error \ - -w \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/third_party/googletest/googlemock \ - -I$(srcdir)/third_party/googletest/googlemock/include \ - -I$(srcdir)/third_party/googletest/googletest \ - -I$(srcdir)/third_party/googletest/googletest/include - -OBJS := \ - $(obj).target/$(TARGET)/third_party/googletest/googletest/src/gtest-all.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.cc FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/third_party/libgtest.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/third_party/libgtest.a: LIBS := $(LIBS) -$(obj).target/third_party/libgtest.a: TOOLSET := $(TOOLSET) -$(obj).target/third_party/libgtest.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink_thin) - -all_deps += $(obj).target/third_party/libgtest.a -# Add target alias -.PHONY: gtest -gtest: $(obj).target/third_party/libgtest.a - -# Add target alias to "all" target. -.PHONY: all -all: gtest - diff --git a/oemcrypto/opk/oemcrypto_ta/oemcrypto.c b/oemcrypto/opk/oemcrypto_ta/oemcrypto.c index ffd9004..73ebb78 100644 --- a/oemcrypto/opk/oemcrypto_ta/oemcrypto.c +++ b/oemcrypto/opk/oemcrypto_ta/oemcrypto.c @@ -12,6 +12,7 @@ #include "odk_util.h" #include "oemcrypto_api_macros.h" #include "oemcrypto_asymmetric_key_table.h" +#include "oemcrypto_build_info.h" #include "oemcrypto_check_macros.h" #include "oemcrypto_compiler_attributes.h" #include "oemcrypto_entitled_key_session.h" @@ -143,7 +144,7 @@ static OEMCryptoResult RewrapDeviceDRMKeyOEMCert( ABORT_IF_NULL(wrapped_drm_key); ABORT_IF_ZERO(wrapped_drm_key_length); - // TODO(b/180530495): implement this. + // TODO(b/225216277): implement this. OEMCryptoResult result = OEMCrypto_ERROR_NOT_IMPLEMENTED; /* RSA decryption needs at most RSA_size to decrypt. 3072 is the largest size @@ -328,19 +329,24 @@ static OEMCryptoResult GetDeviceID(uint8_t* device_id, if (device_id_length == NULL) { return OEMCrypto_ERROR_INVALID_CONTEXT; } - if (WTPI_GetProvisioningMethod() != OEMCrypto_Keybox) { - // TODO(b/180530495): Implement this. + if (WTPI_GetProvisioningMethod() != OEMCrypto_Keybox && + WTPI_GetProvisioningMethod() != OEMCrypto_BootCertificateChain) { + // TODO(b/225216277): Implement this. return OEMCrypto_ERROR_NOT_IMPLEMENTED; } - if (*device_id_length < KEYBOX_DEVICE_ID_SIZE) { - *device_id_length = KEYBOX_DEVICE_ID_SIZE; + size_t actual_device_id_size = 0; + if (WTPI_GetDeviceIDLength(&actual_device_id_size) != OEMCrypto_SUCCESS) { + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + if (*device_id_length < actual_device_id_size) { + *device_id_length = actual_device_id_size; return OEMCrypto_ERROR_SHORT_BUFFER; } if (device_id == NULL) { return OEMCrypto_ERROR_INVALID_CONTEXT; } - *device_id_length = KEYBOX_DEVICE_ID_SIZE; - return WTPI_GetDeviceIDFromKeybox(device_id, *device_id_length); + *device_id_length = actual_device_id_size; + return WTPI_GetDeviceID(device_id, *device_id_length); } static OEMCryptoResult GetROTSignatureLength(size_t* signature_length) { @@ -353,10 +359,13 @@ static OEMCryptoResult GetROTSignatureLength(size_t* signature_length) { *signature_length = SHA256_DIGEST_LENGTH; return OEMCrypto_SUCCESS; } else if (provisioning_method == OEMCrypto_OEMCertificate) { - // TODO(b/180530495): implement this. + // TODO(b/225216277): implement this. + return OEMCrypto_ERROR_NOT_IMPLEMENTED; + } else if (provisioning_method == OEMCrypto_BootCertificateChain) { + // Provisioning 4 should not use this method. The signing happens in + // GenerateCertificateKeyPair only. return OEMCrypto_ERROR_NOT_IMPLEMENTED; } else { - // TODO(b/180530495): implement this. /* TODO: Add ECC support. */ return OEMCrypto_ERROR_NOT_IMPLEMENTED; } @@ -1103,17 +1112,12 @@ static OEMCryptoResult LoadKeysNoSignature( return OEMCrypto_ERROR_INVALID_CONTEXT; } - /* Key control block is not encrypted starting OEMCrypto 16.5 */ - bool allow_null_iv = (session->nonce_values.api_major_version > 16 || - (session->nonce_values.api_major_version == 16 && - session->nonce_values.api_minor_version > 4)); for (size_t i = 0; i < num_keys; i++) { if (!IsSubstrInRange(message_length, key_array[i].key_id, false) || !IsSubstrInRange(message_length, key_array[i].key_data, false) || !IsSubstrInRange(message_length, key_array[i].key_data_iv, false) || !IsSubstrInRange(message_length, key_array[i].key_control, false) || - !IsSubstrInRange(message_length, key_array[i].key_control_iv, - allow_null_iv) || + !IsSubstrInRange(message_length, key_array[i].key_control_iv, true) || key_array[i].key_id.length == 0 || key_array[i].key_id.length > KEY_ID_MAX_SIZE || key_array[i].key_data_iv.length < KEY_IV_SIZE || @@ -1199,12 +1203,17 @@ static OEMCryptoResult LoadKeysNoSignature( session->num_content_keys = 0; session->num_entitlement_keys = 0; for (size_t i = 0; i < num_keys; i++) { + /* Pass a NULL key_control_iv to OPKI_InstallKey to indicate that a clear + * key control block is used. */ + const uint8_t* key_control_iv = + key_array[i].key_control_iv.length > 0 + ? message + key_array[i].key_control_iv.offset + : NULL; result = OPKI_InstallKey( session, message + key_array[i].key_id.offset, key_array[i].key_id.length, message + key_array[i].key_data.offset, key_array[i].key_data.length, message + key_array[i].key_data_iv.offset, - message + key_array[i].key_control.offset, - message + key_array[i].key_control_iv.offset); + message + key_array[i].key_control.offset, key_control_iv); if (result != OEMCrypto_SUCCESS) { LOGE("Failed to install key with result: %u, index = %zu", result, i); break; @@ -2337,7 +2346,7 @@ OEMCryptoResult OEMCrypto_WrapKeyboxOrOEMCert( OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* keybox, size_t length) { - // TODO(b/180530495): We currently only support keyboxes. + // TODO(b/225216277): We currently only support keyboxes. return WTPI_UnwrapValidateAndInstallKeybox(keybox, length); } @@ -2357,10 +2366,13 @@ OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(void) { const OEMCrypto_ProvisioningMethod provisioning_method = WTPI_GetProvisioningMethod(); if (provisioning_method == OEMCrypto_OEMCertificate) { - // TODO(b/180530495): Implement this. + // TODO(b/225216277): Implement this. return OEMCrypto_ERROR_NOT_IMPLEMENTED; } else if (provisioning_method == OEMCrypto_Keybox) { return WTPI_ValidateKeybox(); + } else if (provisioning_method == OEMCrypto_BootCertificateChain) { + // Provisioning 4 does not use keybox or OEM cert as root. + return OEMCrypto_ERROR_NOT_IMPLEMENTED; } else { return OEMCrypto_ERROR_NOT_IMPLEMENTED; } @@ -2417,7 +2429,7 @@ OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t* buffer, size_t length) { OEMCryptoResult OEMCrypto_GetOEMPublicCertificate( uint8_t* public_cert UNUSED, size_t* public_cert_length UNUSED) { - // TODO(b/180530495): implement this. + // TODO(b/225216277): implement this. return OEMCrypto_ERROR_NOT_IMPLEMENTED; } @@ -2467,13 +2479,13 @@ uint32_t OEMCrypto_MinorAPIVersion(void) { return API_MINOR_VERSION; } OEMCryptoResult OEMCrypto_BuildInformation(char* buffer, size_t* buffer_length) { - RETURN_INVALID_CONTEXT_IF_NULL(buffer); RETURN_INVALID_CONTEXT_IF_NULL(buffer_length); const size_t max_length = strnlen(BUILD_INFO(), 128); if (*buffer_length < max_length) { *buffer_length = max_length; return OEMCrypto_ERROR_SHORT_BUFFER; } + RETURN_INVALID_CONTEXT_IF_NULL(buffer); *buffer_length = max_length; memcpy(buffer, BUILD_INFO(), *buffer_length); return OEMCrypto_SUCCESS; @@ -2674,7 +2686,7 @@ OEMCryptoResult OEMCrypto_GenerateRSASignature( // SignMessageWithOEMPrivateKey handles signature being NULL, so we // intentionally do not check it here. result = OEMCrypto_ERROR_NOT_IMPLEMENTED; - // TODO(b/180530495): implement this. + // TODO(b/225216277): implement this. // SignMessageWithOEMPrivateKey(message, message_length, signature, // signature_length); if (result != OEMCrypto_SUCCESS) return result; @@ -3476,13 +3488,10 @@ OEMCryptoResult OEMCrypto_ReassociateEntitledKeySession( } OEMCryptoResult OEMCrypto_LoadCasECMKeys( - OEMCrypto_SESSION session UNUSED, const uint8_t* message, + OEMCrypto_SESSION session UNUSED, const uint8_t* message UNUSED, size_t message_length UNUSED, - const OEMCrypto_EntitledContentKeyObject* even_key, - const OEMCrypto_EntitledContentKeyObject* odd_key) { - RETURN_INVALID_CONTEXT_IF_NULL(message); - RETURN_INVALID_CONTEXT_IF_NULL(even_key); - RETURN_INVALID_CONTEXT_IF_NULL(odd_key); + const OEMCrypto_EntitledContentKeyObject* even_key UNUSED, + const OEMCrypto_EntitledContentKeyObject* odd_key UNUSED) { return OEMCrypto_ERROR_NOT_IMPLEMENTED; } diff --git a/oemcrypto/opk/oemcrypto_ta/oemcrypto_api_macros.h b/oemcrypto/opk/oemcrypto_ta/oemcrypto_api_macros.h index 8016733..829a969 100644 --- a/oemcrypto/opk/oemcrypto_ta/oemcrypto_api_macros.h +++ b/oemcrypto/opk/oemcrypto_ta/oemcrypto_api_macros.h @@ -32,12 +32,6 @@ // v17.1.0 #define API_MAJOR_VERSION 17 #define API_MINOR_VERSION 0 -#define OPK_PATCH_VERSION 1 - -#define XSTR(s) STR(s) -#define STR(s) #s -#define BUILD_INFO() \ - "Widevine OPK v" XSTR(API_MAJOR_VERSION) "." XSTR( \ - API_MINOR_VERSION) "." XSTR(OPK_PATCH_VERSION) OPK_IS_DEBUG_STR +#define OPK_PATCH_VERSION 2 #endif /* OEMCRYPTO_TA_OEMCRYPTO_API_MACROS_H_ */ diff --git a/oemcrypto/opk/oemcrypto_ta/oemcrypto_build_info.h b/oemcrypto/opk/oemcrypto_ta/oemcrypto_build_info.h new file mode 100644 index 0000000..8205c48 --- /dev/null +++ b/oemcrypto/opk/oemcrypto_ta/oemcrypto_build_info.h @@ -0,0 +1,24 @@ +/* Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary + source code may only be used and distributed under the Widevine + License Agreement. */ + +#ifndef OEMCRYPTO_TA_OEMCRYPTO_BUILD_INFO_H_ +#define OEMCRYPTO_TA_OEMCRYPTO_BUILD_INFO_H_ + +#include "oemcrypto_api_macros.h" + +#define XSTR(s) STR(s) +#define STR(s) #s + +// WTPI_BUILD_INFO should be a string provided at compile time with any desired +// platform-specific information +#if !defined(WTPI_BUILD_INFO) +# error("WTPI_BUILD_INFO not defined") +#endif + +#define BUILD_INFO() \ + "Widevine OPK v" XSTR(API_MAJOR_VERSION) "." XSTR( \ + API_MINOR_VERSION) "." XSTR(OPK_PATCH_VERSION) OPK_IS_DEBUG_STR \ + " " WTPI_BUILD_INFO + +#endif /* OEMCRYPTO_TA_OEMCRYPTO_BUILD_INFO_H_ */ diff --git a/oemcrypto/opk/oemcrypto_ta/oemcrypto_entitled_key_session.c b/oemcrypto/opk/oemcrypto_ta/oemcrypto_entitled_key_session.c index 28f282e..c0d9036 100644 --- a/oemcrypto/opk/oemcrypto_ta/oemcrypto_entitled_key_session.c +++ b/oemcrypto/opk/oemcrypto_ta/oemcrypto_entitled_key_session.c @@ -14,16 +14,14 @@ OEMCryptoResult OPKI_InitializeEntitledKeySession( OEMCryptoEntitledKeySession* session, OEMCrypto_SESSION key_session_id, OEMCrypto_SESSION entitlement_session_id) { RETURN_INVALID_CONTEXT_IF_NULL(session); - session->key_session_id = key_session_id; - session->current_entitled_content_key_index = CONTENT_KEYS_PER_SESSION; - for (int i = 0; i < CONTENT_KEYS_PER_SESSION; i++) { - session->entitled_content_keys[i] = NULL; - session->entitlement_keys[i] = (EntitlementKeyInfo){0}; - } - session->num_entitled_content_keys = 0; - session->entitlement_session_id = entitlement_session_id; - session->decrypt_hash = (DecryptHash){ - .hash_error = OEMCrypto_SUCCESS, + *session = (OEMCryptoEntitledKeySession){ + .key_session_id = key_session_id, + .current_entitled_content_key_index = CONTENT_KEYS_PER_SESSION, + .entitlement_session_id = entitlement_session_id, + .decrypt_hash = + (DecryptHash){ + .hash_error = OEMCrypto_SUCCESS, + }, }; return OEMCrypto_SUCCESS; } diff --git a/oemcrypto/opk/oemcrypto_ta/oemcrypto_key_types.h b/oemcrypto/opk/oemcrypto_ta/oemcrypto_key_types.h index 570937d..0180ff8 100644 --- a/oemcrypto/opk/oemcrypto_ta/oemcrypto_key_types.h +++ b/oemcrypto/opk/oemcrypto_ta/oemcrypto_key_types.h @@ -47,7 +47,7 @@ typedef enum AsymmetricKeyType { DRM_ECC_PRIVATE_KEY = (int)0x539c3183, // ED25519 keys are used in provisioning 4.0. PROV40_ED25519_PRIVATE_KEY = (int)0x495ffa5c, - // TODO(b/180530495): Add OEM Cert private key. + // TODO(b/225216277): Add OEM Cert private key. } AsymmetricKeyType; /* The valid possible sizes of the crypto and private key. The name is the size diff --git a/oemcrypto/opk/oemcrypto_ta/oemcrypto_session.c b/oemcrypto/opk/oemcrypto_ta/oemcrypto_session.c index 9639ba7..19b5d10 100644 --- a/oemcrypto/opk/oemcrypto_ta/oemcrypto_session.c +++ b/oemcrypto/opk/oemcrypto_ta/oemcrypto_session.c @@ -30,42 +30,31 @@ NO_IGNORE_RESULT static bool IsSupportedDrmKeyType(AsymmetricKeyType key_type) { return key_type == DRM_RSA_PRIVATE_KEY || key_type == DRM_ECC_PRIVATE_KEY; } +/* In OEMCrypto version 16.5 and forward, key control blocks are expected to be + * clear. Caller ensures the pointer is not NULL. */ +NO_IGNORE_RESULT static bool IsExpectedClearKeyControlBlockVersion( + const ODK_NonceValues* nonce_values) { + if (nonce_values->api_major_version == 16) { + return nonce_values->api_minor_version >= 5; + } + return nonce_values->api_major_version >= 17; +} + OEMCryptoResult OPKI_InitializeSession(OEMCryptoSession* session, OEMCrypto_SESSION session_id) { - if (session == NULL) return OEMCrypto_ERROR_INVALID_CONTEXT; - session->session_id = session_id; - session->state = SESSION_INVALID; - session->drm_private_key = NULL; - session->prov40_oem_private_key = NULL; - session->mac_key_client = NULL; - session->mac_key_server = NULL; - session->encryption_key = NULL; - session->refresh_valid = false; - session->license_type = OEMCrypto_ContentLicense; - session->current_content_key_index = CONTENT_KEYS_PER_SESSION; - for (int i = 0; i < CONTENT_KEYS_PER_SESSION; i++) { - session->content_keys[i] = NULL; - } - session->num_content_keys = 0; - for (int i = 0; i < ENTITLEMENT_KEYS_PER_SESSION; i++) { - session->entitlement_keys[i] = NULL; - } - session->num_entitlement_keys = 0; - session->valid_srm_version = false; - session->timer_start = 0; - session->decrypt_hash.compute_hash = false; - session->decrypt_hash.current_hash = 0; - session->decrypt_hash.given_hash = 0; - session->decrypt_hash.current_frame_number = 0; - session->decrypt_hash.bad_frame_number = 0; - session->decrypt_hash.hash_error = OEMCrypto_SUCCESS; - session->allowed_schemes = kSign_RSASSA_PSS; - session->prov40_oem_allowed_schemes = kSign_RSASSA_PSS; - session->decrypt_started = false; - session->nonce_created = false; - session->request_signed = false; - session->response_loaded = false; - memset(session->license_request_hash, 0, ODK_SHA256_HASH_SIZE); + RETURN_INVALID_CONTEXT_IF_NULL(session); + *session = (OEMCryptoSession){ + .session_id = session_id, + .state = SESSION_INVALID, + .license_type = OEMCrypto_ContentLicense, + .current_content_key_index = CONTENT_KEYS_PER_SESSION, + .decrypt_hash = + (DecryptHash){ + .hash_error = OEMCrypto_SUCCESS, + }, + .allowed_schemes = kSign_RSASSA_PSS, + .prov40_oem_allowed_schemes = kSign_RSASSA_PSS, + }; OEMCryptoResult result = ODK_InitializeSessionValues( &session->timer_limits, &session->clock_values, &session->nonce_values, API_MAJOR_VERSION, session->session_id); @@ -614,7 +603,7 @@ OEMCryptoResult OPKI_GenerateCertSignature(OEMCryptoSession* session, } switch (signature_type) { case CERT_SIGNATURE_OEM: - // TODO(b/180530495): implement this. + // TODO(b/225216277): implement this. // return SignMessageWithOEMPrivateKey(message, message_length, signature, // signature_length); return OEMCrypto_ERROR_NOT_IMPLEMENTED; @@ -715,8 +704,7 @@ OEMCryptoResult OPKI_InstallKey(OEMCryptoSession* session, const uint8_t* key_control_iv) { if (session == NULL || key_id == NULL || key_id_length == 0 || key_id_length > KEY_ID_MAX_SIZE || key_data == NULL || - key_data_length == 0 || key_data_iv == NULL || key_control == NULL || - key_control_iv == NULL) { + key_data_length == 0 || key_data_iv == NULL || key_control == NULL) { return OEMCrypto_ERROR_INVALID_CONTEXT; } uint8_t raw_key_control[KEY_CONTROL_SIZE]; @@ -772,7 +760,23 @@ OEMCryptoResult OPKI_InstallKey(OEMCryptoSession* session, result = OEMCrypto_ERROR_UNKNOWN_FAILURE; goto cleanup; } - if (CheckApiVersionAtMost(&session->nonce_values, 16, 4)) { + /* To address backwards compatibility issues with a v16.x server SDK bug, the + * exact rules for determining whether a KCB is encrypted or clear have + * changed. + * + * Original behavior: + * - Version <= 16.4.x --> KCB encrypted + * - Version >= 16.5.x --> KCB clear + * New behavior: + * - No KCB IV --> KCB clear + * - KCB IV --> KCB encrypted + */ + if (key_control_iv != NULL) { + if (IsExpectedClearKeyControlBlockVersion(&session->nonce_values)) { + LOGW("Unexpected encrypted KCB: response_odk_version = %u.%u", + session->nonce_values.api_major_version, + session->nonce_values.api_minor_version); + } /* We use the first 128 bits regardless of the license type to decrypt the key control. */ result = WTPI_C1_AESCBCDecrypt(current_key->key_handle, KEY_SIZE_128, @@ -784,6 +788,11 @@ OEMCryptoResult OPKI_InstallKey(OEMCryptoSession* session, goto cleanup; } } else { + if (!IsExpectedClearKeyControlBlockVersion(&session->nonce_values)) { + LOGW("Unexpected clear KCB: response_odk_version = %u.%u", + session->nonce_values.api_major_version, + session->nonce_values.api_minor_version); + } memcpy(raw_key_control, key_control, KEY_CONTROL_SIZE); } diff --git a/oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.gyp b/oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.gyp index fccd686..f6f8c22 100644 --- a/oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.gyp +++ b/oemcrypto/opk/oemcrypto_ta/oemcrypto_ta.gyp @@ -6,15 +6,12 @@ 'variables': { # Include directory that contains wtpi_config_macros.h. 'config_macros_header_dir%': 'wtpi_reference', + 'wtpi_build_info%': 'unspecified_platform', }, 'includes': [ '../strict_compiler_flags.gypi', ], - 'targets': [ - { - 'target_name': 'oemcrypto_ta', - 'type': 'static_library', - 'standalone_static_library': 1, + 'target_defaults': { 'include_dirs': [ '.', '../../include', @@ -52,5 +49,22 @@ ], }, }, + 'targets': [ + { + 'target_name': 'oemcrypto_ta', + 'type': 'static_library', + 'standalone_static_library': 1, + 'defines': [ + 'WTPI_BUILD_INFO="<(wtpi_build_info)"', + ], + }, + { + 'target_name': 'oemcrypto_ta_linux_tee', + 'type': 'static_library', + 'standalone_static_library': 1, + 'defines': [ + 'WTPI_BUILD_INFO="Linux_TEE_Simulator"', + ], + }, ], } diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_crypto_asymmetric_interface.h b/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_crypto_asymmetric_interface.h index 7de7ba7..fe8b9ee 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_crypto_asymmetric_interface.h +++ b/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_crypto_asymmetric_interface.h @@ -240,9 +240,10 @@ OEMCryptoResult WTPI_ECCSign(WTPI_AsymmetricKey_Handle key, * Caller retains ownership of all pointers. * * @param[in] key: handle with ECC key, required for derivation. - * @param[in] key_source: an ephemeral ECC public key used in ECDH. + * @param[in] key_source: an ephemeral ECC public key used in ECDH. Encoded as + * a SubjectPublicKeyInfo type. * @param[in] key_source_length: length of |key_source| - * @param[out] session_key: destination buffer for derivated session key + * @param[out] session_key: destination buffer for derived session key * @param[in,out] session_key_length: size of |session_key| buffer, may * be modified based on used/required space of output. * @@ -279,32 +280,6 @@ OEMCryptoResult WTPI_ECCDeriveSessionKey(WTPI_AsymmetricKey_Handle key, OEMCryptoResult WTPI_GetSignatureSize(WTPI_AsymmetricKey_Handle key, size_t* signature_length); -/** - * Sign |message_length| bytes of |message| with the given ED25519 key handle - * and place the result in |signature|. |key| is a handle to the ED25519 key - * used for signing. - * - * Caller retains ownership of all pointers. - * - * @param[in] key: handle with ED25519 key, required for signing. - * @param[in] message: input data to be signed - * @param[in] message_length: length of input data in bytes - * @param[out] signature: destination buffer for signature - * @param[in,out] signature_length: size of |signature| buffer, may be - * modified based on used/required space of output. - * - * @retval OEMCrypto_ERROR_SHORT_BUFFER if |signature_length| is too small or if - * |signature| is NULL, in which case it sets |signature_length| to the - * appropriate length - * @retval OEMCrypto_ERROR_INVALID_CONTEXT if |message_length| is 0 or if any of - * the pointers except |signature| are NULL - * @retval OEMCrypto_ERROR_UNKNOWN_FAILURE if there are any other failures - * @retval OEMCrypto_SUCCESS otherwise - */ -OEMCryptoResult WTPI_ED25519Sign(WTPI_AsymmetricKey_Handle key, - const uint8_t* message, size_t message_length, - uint8_t* signature, size_t* signature_length); - /** * Writes the boot certificate chain (BCC) in provisioning 4.0 to |out|, with * number of bytes specified in |out_length|. @@ -328,6 +303,13 @@ OEMCryptoResult WTPI_GetBootCertificateChain(uint8_t* out, size_t* out_length); * signing request as specified in provisioning 4. The output key type must be * either RSA or ECC, which should be specified in |key_type|. * + * |public_key| must be encoded as an X.509 SubjectPublicKeyInfo type. + * + * |wrapped_private_key| must be encoded as a PKCS#8 PrivateKeyInfo type and + * then wrapped with an implementation-specific method. The resulting wrapped + * private key will be used by WTPI_UnwrapIntoAsymmetricKeyHandle() for crypto + * operations. + * * Returns * OEMCrypto_ERROR_SHORT_BUFFER if |wrapped_private_key_length| or * |public_key_length| is too small, or if |wrapped_private_key| or |public_key| diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_device_key_interface.h b/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_device_key_interface.h index c401960..103bd39 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_device_key_interface.h +++ b/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_device_key_interface.h @@ -61,20 +61,20 @@ extern "C" { /** * Gets the size (in bytes) of the buffer needed by WTPI_EncryptAndSign to * handle a buffer of the given size (in bytes). The return value should - * include |in_size| in the result. + * include |in_length| in the result. * * Caller retains ownership of all pointers. * * @param[in] context: 32-bit identifier to act as context - * @param[in] in_size: size of the input buffer to be encrypted and signed - * @param[out] wrapped_size: output result with required wrapping size + * @param[in] in_length: size of the input buffer to be encrypted and signed + * @param[out] wrapped_length: output result with required wrapping size * - * @retval OEMCrypto_ERROR_INVALID_CONTEXT if |wrapped_size| is NULL, or if - * there is an overflow when computing the |wrapped_size| + * @retval OEMCrypto_ERROR_INVALID_CONTEXT if |wrapped_length| is NULL, or if + * there is an overflow when computing the |wrapped_length| * @retval OEMCrypto_SUCCESS otherwise */ -OEMCryptoResult WTPI_GetEncryptAndSignSize(uint32_t context, size_t in_size, - size_t* wrapped_size); +OEMCryptoResult WTPI_GetEncryptAndSignSize(uint32_t context, size_t in_length, + size_t* wrapped_length); /** * Encrypts the given buffer and signs it in a way that can be verified later. @@ -87,17 +87,17 @@ OEMCryptoResult WTPI_GetEncryptAndSignSize(uint32_t context, size_t in_size, * * @param[in] context: 32-bit identifier to act as context * @param[in] data: input buffer to be encrypted and signed - * @param[in] data_size: size of the input buffer + * @param[in] data_length: size of the input buffer * @param[out] out: output buffer - * @param[in,out] out_size: size of output buffer + * @param[in,out] out_length: size of output buffer * * @retval OEMCrypto_ERROR_INVALID_CONTEXT if any of the parameters are NULL - * @retval OEMCrypto_ERROR_SHORT_BUFFER if |out_size| is too small + * @retval OEMCrypto_ERROR_SHORT_BUFFER if |out_length| is too small * @retval OEMCrypto_SUCCESS otherwise */ OEMCryptoResult WTPI_EncryptAndSign(uint32_t context, const uint8_t* data, - size_t data_size, uint8_t* out, - size_t* out_size); + size_t data_length, uint8_t* out, + size_t* out_length); /** * Verifies the buffer has a valid signature and decrypts it into the given @@ -110,17 +110,17 @@ OEMCryptoResult WTPI_EncryptAndSign(uint32_t context, const uint8_t* data, * * @param[in] context: 32-bit identifier to act as context * @param[in] wrapped: input buffer which is encrypted and signed - * @param[in] wrapped_size: size of the input buffer + * @param[in] wrapped_length: size of the input buffer * @param[out] out: output buffer - * @param[in,out] out_size: size of output buffer + * @param[in,out] out_length: size of output buffer * * @retval OEMCrypto_ERROR_INVALID_CONTEXT if any of the parameters are NULL - * @retval OEMCrypto_ERROR_SHORT_BUFFER if |out_size| is too small + * @retval OEMCrypto_ERROR_SHORT_BUFFER if |out_length| is too small * @retval OEMCrypto_SUCCESS otherwise */ OEMCryptoResult WTPI_VerifyAndDecrypt(uint32_t context, const uint8_t* wrapped, - size_t wrapped_size, uint8_t* out, - size_t* out_size); + size_t wrapped_length, uint8_t* out, + size_t* out_length); /** * This function is only required to be implemented on devices that previously @@ -137,7 +137,7 @@ OEMCryptoResult WTPI_VerifyAndDecrypt(uint32_t context, const uint8_t* wrapped, * Caller retains ownership of all pointers. * * @param[in] wrapped: input buffer which is encrypted and signed - * @param[in] wrapped_size: size of the input buffer + * @param[in] wrapped_length: size of the input buffer * @param[in] signature: signature to be verified against * @param[in] iv: initialization vector for AES operation * @param[out] out: output buffer @@ -148,7 +148,7 @@ OEMCryptoResult WTPI_VerifyAndDecrypt(uint32_t context, const uint8_t* wrapped, * @retval OEMCrypto_SUCCESS otherwise */ OEMCryptoResult WTPI_VerifyAndDecryptUsageData_Legacy(const uint8_t* wrapped, - size_t wrapped_size, + size_t wrapped_length, const uint8_t* signature, const uint8_t* iv, uint8_t* out); diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_logging_interface.h b/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_logging_interface.h index b377a7a..8a1702d 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_logging_interface.h +++ b/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_logging_interface.h @@ -29,6 +29,7 @@ extern "C" { typedef enum LogPriority { LOG_NONE = (int)0xf7bd0dc7, LOG_ERROR = (int)0x1098fa73, + LOG_WARN = (int)0x24425d50, LOG_DEBUG = (int)0x2b898c5a, } LogPriority; @@ -56,10 +57,13 @@ void WTPI_Log(const char* file, const char* function, int line, LogPriority leve #if OPK_IS_DEBUG # define LOGE(...) \ WTPI_Log(__FILE__, __func__, __LINE__, LOG_ERROR, __VA_ARGS__) +# define LOGW(...) \ + WTPI_Log(__FILE__, __func__, __LINE__, LOG_WARN, __VA_ARGS__) # define LOGD(...) \ WTPI_Log(__FILE__, __func__, __LINE__, LOG_DEBUG, __VA_ARGS__) #else # define LOGE(...) +# define LOGW(...) # define LOGD(...) #endif diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_root_of_trust_interface_layer1.h b/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_root_of_trust_interface_layer1.h index 7815cd4..71fdfa1 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_root_of_trust_interface_layer1.h +++ b/oemcrypto/opk/oemcrypto_ta/wtpi/wtpi_root_of_trust_interface_layer1.h @@ -107,7 +107,8 @@ OEMCryptoResult WTPI_K1_CreateKeyHandleFromKeybox( /** * Gets the device id from the current provisioning method. If the keybox is - * used, sets |device_id| with the device id in keybox. + * used, sets |device_id| with the device id in keybox. If provisioning 4 is + * used, sets |device_id| to the hash of the encoded device public key. * * Caller retains ownership of all pointers. * @@ -116,10 +117,21 @@ OEMCryptoResult WTPI_K1_CreateKeyHandleFromKeybox( * * @retval OEMCrypto_SUCCESS success * @retval OEMCrypto_ERROR_INVALID_CONTEXT if |device_id| is NULL, or - * |device_id_length| is smaller than KEYBOX_DEVICE_ID_SIZE + * |device_id_length| is smaller than the required size. */ -OEMCryptoResult WTPI_GetDeviceIDFromKeybox(uint8_t* device_id, - size_t device_id_length); +OEMCryptoResult WTPI_GetDeviceID(uint8_t* device_id, size_t device_id_length); + +/** Gets the length of the device id that will be returned from + * WTPI_GetDeviceID. + * + * Caller retains ownership of all pointers. + * + * @param[out] device_id_length: size of device ID + * + * @retval OEMCrypto_SUCCESS success + * @retval OEMCrypto_ERROR_INVALID_CONTEXT if |device_id_length| is NULL + */ +OEMCryptoResult WTPI_GetDeviceIDLength(size_t* device_id_length); /// @} #ifdef __cplusplus diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/cose_util.c b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/cose_util.c index 2b84ebb..0fde11a 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/cose_util.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/cose_util.c @@ -4,9 +4,13 @@ #include "cose_util.h" +#include + +#include "dice/cbor_reader.h" #include "dice/cbor_writer.h" #include "dice/config.h" #include "dice/dice.h" +#include "ecc_util.h" #include "oemcrypto_check_macros.h" /****************************************************************************** @@ -137,11 +141,12 @@ static DiceResult EncodeCoseSign1(const uint8_t* protected_attributes, The codes above are copied from open-dice library cbor_cert_op.c *******************************************************************************/ -OEMCryptoResult DiceCoseSignAndEncodeSign1( - const uint8_t* payload, size_t payload_size, - WTPI_AsymmetricKey_Handle private_key, size_t buffer_size, uint8_t* buffer, - size_t* encoded_size) { - if (payload == NULL || payload_size == 0 || private_key == NULL || +OEMCryptoResult DiceCoseSignAndEncodeSign1(const uint8_t* payload, + size_t payload_size, + const uint8_t* ed25519_key, + size_t buffer_size, uint8_t* buffer, + size_t* encoded_size) { + if (payload == NULL || payload_size == 0 || ed25519_key == NULL || buffer_size == 0 || buffer == NULL || encoded_size == NULL) { return OEMCrypto_ERROR_INVALID_CONTEXT; } @@ -170,8 +175,8 @@ OEMCryptoResult DiceCoseSignAndEncodeSign1( // Sign the TBS with the authority key. uint8_t signature[DICE_SIGNATURE_SIZE]; size_t signature_length = sizeof(signature); - OEMCryptoResult result = WTPI_ED25519Sign(private_key, buffer, *encoded_size, - signature, &signature_length); + OEMCryptoResult result = ED25519Sign(ed25519_key, buffer, *encoded_size, + signature, &signature_length); if (result != OEMCrypto_SUCCESS) { return result; } @@ -223,9 +228,9 @@ static OEMCryptoResult GenerateEncodedBccPayload( OEMCryptoResult BuildBootCertificateChain(const uint8_t* public_key, size_t public_key_length, AsymmetricKeyType key_type, - WTPI_AsymmetricKey_Handle private_key, + const uint8_t* ed25519_key, uint8_t* out, size_t* out_length) { - if (public_key == NULL || out_length == NULL || private_key == NULL) { + if (public_key == NULL || out_length == NULL || ed25519_key == NULL) { return OEMCrypto_ERROR_INVALID_CONTEXT; } if (out == NULL || *out_length < BCC_TOTAL_LENGTH) { @@ -274,7 +279,7 @@ OEMCryptoResult BuildBootCertificateChain(const uint8_t* public_key, size_t encoded_cose_sign1_size = 0; result = DiceCoseSignAndEncodeSign1( - bcc_payload, bcc_payload_size, private_key, *out_length - out_cursor, + bcc_payload, bcc_payload_size, ed25519_key, *out_length - out_cursor, out + out_cursor, &encoded_cose_sign1_size); if (result != OEMCrypto_SUCCESS) return result; out_cursor += encoded_cose_sign1_size; @@ -282,3 +287,43 @@ OEMCryptoResult BuildBootCertificateChain(const uint8_t* public_key, *out_length = out_cursor; return OEMCrypto_SUCCESS; } + +OEMCryptoResult GetDevicePublicKeyFromBcc(const uint8_t* bcc, size_t bcc_length, + uint8_t* dk_pub, + size_t* dk_pub_length) { + if (bcc == NULL || bcc_length == 0 || dk_pub_length == NULL) { + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + + struct CborIn in; + CborInInit(bcc, bcc_length, &in); + size_t bcc_item_count = 0; + enum CborReadResult res = CborReadArray(&in, &bcc_item_count); + if (res != CBOR_READ_RESULT_OK) { + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + if (bcc_item_count < 2) { + // There should at least be the public key and one entry. + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + + // The first item in the BCC array is the device public key we want. + const size_t bcc_items_offset = CborInOffset(&in); + // Skip the first item to know the size of the first item. + res = CborReadSkip(&in); + if (res != CBOR_READ_RESULT_OK) { + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + const size_t bcc_first_item_size = CborInOffset(&in) - bcc_items_offset; + + if (*dk_pub_length < bcc_first_item_size) { + *dk_pub_length = bcc_first_item_size; + return OEMCrypto_ERROR_SHORT_BUFFER; + } + if (dk_pub == NULL) { + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + memcpy(dk_pub, bcc + bcc_items_offset, bcc_first_item_size); + *dk_pub_length = bcc_first_item_size; + return OEMCrypto_SUCCESS; +} diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/cose_util.h b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/cose_util.h index 3b16323..d573abe 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/cose_util.h +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/cose_util.h @@ -6,28 +6,37 @@ #define OEMCRYPTO_TA_COSE_UTIL_H_ #include "OEMCryptoCENCCommon.h" -#include "wtpi_crypto_asymmetric_interface.h" +#include "oemcrypto_key_types.h" /** - * Generate a COSE_SIGN1 format signature of |payload| with |private_key| and + * Generate a COSE_SIGN1 format signature of |payload| with |ed25519_key| and * wirte the signature to |buffer|. Only ED25519 key is currently supported. * Caller retains ownership of all pointers and they must not be NULL. + * |ed25519_key| is expected to be size ED25519_PRIVATE_KEY_LEN. */ -OEMCryptoResult DiceCoseSignAndEncodeSign1( - const uint8_t* payload, size_t payload_size, - WTPI_AsymmetricKey_Handle private_key, size_t buffer_size, uint8_t* buffer, - size_t* encoded_size); +OEMCryptoResult DiceCoseSignAndEncodeSign1(const uint8_t* payload, + size_t payload_size, + const uint8_t* ed25519_key, + size_t buffer_size, uint8_t* buffer, + size_t* encoded_size); /** * Build a self signed boot certificate chain (BCC) with the provided - * |public_key| and |private_key|, and write the BCC to |out|. Only ED25519 key + * |public_key| and |ed25519_key|, and write the BCC to |out|. Only ED25519 key * is currently supported. Caller retains ownership of all pointers and they - * must not be NULL. + * must not be NULL. |ed25519_key| is expected to be size + * ED25519_PRIVATE_KEY_LEN. */ OEMCryptoResult BuildBootCertificateChain(const uint8_t* public_key, size_t public_key_length, AsymmetricKeyType key_type, - WTPI_AsymmetricKey_Handle private_key, + const uint8_t* ed25519_key, uint8_t* out, size_t* out_length); +/** + * Parse the input BCC and retrieve the encoded device public key (COSE_key). + */ +OEMCryptoResult GetDevicePublicKeyFromBcc(const uint8_t* bcc, size_t bcc_length, + uint8_t* dk_pub, + size_t* dk_pub_length); #endif /* OEMCRYPTO_TA_COSE_UTIL_H_ */ diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/ecc_util.c b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/ecc_util.c index b446c6d..8d0806d 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/ecc_util.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/ecc_util.c @@ -9,6 +9,7 @@ #include "oemcrypto_key_types.h" #include "openssl/bio.h" #include "openssl/crypto.h" +#include "openssl/curve25519.h" #include "openssl/ec.h" #include "openssl/ecdsa.h" #include "openssl/evp.h" @@ -333,3 +334,21 @@ cleanup: if (key_pair != NULL) EC_KEY_free(key_pair); return false; } + +OEMCryptoResult ED25519Sign(const uint8_t* ed25519_key, const uint8_t* message, + size_t message_length, uint8_t* signature, + size_t* signature_length) { + if (ed25519_key == NULL || message == NULL || message_length == 0 || + signature_length == NULL) { + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (signature == NULL || *signature_length < ED25519_SIGNATURE_LEN) { + *signature_length = ED25519_SIGNATURE_LEN; + return OEMCrypto_ERROR_SHORT_BUFFER; + } + if (ED25519_sign(signature, message, message_length, ed25519_key) != 1) { + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + *signature_length = ED25519_SIGNATURE_LEN; + return OEMCrypto_SUCCESS; +} diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/ecc_util.h b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/ecc_util.h index ddc5481..816063d 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/ecc_util.h +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/ecc_util.h @@ -8,6 +8,7 @@ #include "stdbool.h" #include "stdint.h" +#include "OEMCryptoCENCCommon.h" #include "openssl/ec.h" /* Checks to see that |ecc_key| is a valid ECC key. Returns false if not a @@ -72,4 +73,30 @@ bool ECCWidevineECDHSessionKey(EC_KEY* ecc_key, const uint8_t* key_source, bool NewEccKeyPair(uint8_t* private_key_data, size_t* private_key_data_length, uint8_t* public_key_data, size_t* public_key_data_length); +/** + * Sign |message_length| bytes of |message| with the given ED25519 key handle + * and place the result in |signature|. |key| is a handle to the ED25519 key + * used for signing. + * + * Caller retains ownership of all pointers. + * + * @param[in] ed25519_key: pointer to with ED25519 key required for signing. + * Assumed to be ED25519_PRIVATE_KEY_LEN size + * @param[in] message: input data to be signed + * @param[in] message_length: length of input data in bytes + * @param[out] signature: destination buffer for signature + * @param[in,out] signature_length: size of |signature| buffer, may be + * modified based on used/required space of output. + * + * @retval OEMCrypto_ERROR_SHORT_BUFFER if |signature_length| is too small or if + * |signature| is NULL, in which case it sets |signature_length| to the + * appropriate length + * @retval OEMCrypto_ERROR_INVALID_CONTEXT if |message_length| is 0 or if any of + * the pointers except |signature| are NULL + * @retval OEMCrypto_ERROR_UNKNOWN_FAILURE if there are any other failures + * @retval OEMCrypto_SUCCESS otherwise + */ +OEMCryptoResult ED25519Sign(const uint8_t* ed25519_key, const uint8_t* message, + size_t message_length, uint8_t* signature, + size_t* signature_length); #endif /* OEMCRYPTO_TA_ECC_UTIL_H_ */ diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_and_key_management_layer1_hw.c b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_and_key_management_layer1_hw.c index b141e12..cd15399 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_and_key_management_layer1_hw.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_and_key_management_layer1_hw.c @@ -142,6 +142,7 @@ static bool IsKeyValid(uint32_t index) { case MAC_KEY_CLIENT: return key->key_size == KEY_SIZE_256; case ENCRYPTION_KEY: + return key->key_size == KEY_SIZE_128; case DERIVING_KEY: return key->key_size == KEY_SIZE_128 || key->key_size == KEY_SIZE_256; } diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_and_key_management_layer1_openssl.c b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_and_key_management_layer1_openssl.c index 3220a0a..12b5bf3 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_and_key_management_layer1_openssl.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_and_key_management_layer1_openssl.c @@ -61,6 +61,10 @@ DEFINE_OBJECT_TABLE(key_table, WTPI_K1_SymmetricKey, MAX_NUMBER_OF_KEYS, NULL); static bool IsKeyValid(uint32_t index) { WTPI_K1_SymmetricKey* key = OPKI_GetFromObjectTable(&key_table, index); + if (key == NULL) { + LOGE("Key at index %u is null", index); + return false; + } switch (key->key_type) { case CONTENT_KEY: // We cheat a little here. We also call generic crypto keys "content @@ -71,6 +75,7 @@ static bool IsKeyValid(uint32_t index) { case MAC_KEY_CLIENT: return key->key_size == KEY_SIZE_256; case ENCRYPTION_KEY: + return key->key_size == KEY_SIZE_128; case DERIVING_KEY: return key->key_size == KEY_SIZE_128 || key->key_size == KEY_SIZE_256; } @@ -228,11 +233,11 @@ static OEMCryptoResult VerifyAndDecryptKey( } /* Caller to ensure the inputs are valid. */ -static OEMCryptoResult PrepareCachedKey(WTPI_K1_SymmetricKey_Handle key_handle, - size_t size) { +static OEMCryptoResult PrepareCachedKey( + WTPI_K1_SymmetricKey_Handle key_handle) { if (key_handle->is_key_cached) return OEMCrypto_SUCCESS; - OEMCryptoResult result = - VerifyAndDecryptKey(key_handle, key_handle->cached_key, size); + OEMCryptoResult result = VerifyAndDecryptKey( + key_handle, key_handle->cached_key, sizeof(key_handle->cached_key)); if (result != OEMCrypto_SUCCESS) { memset(key_handle->cached_key, 0, sizeof(key_handle->cached_key)); return result; @@ -268,7 +273,7 @@ OEMCryptoResult AESCTRDecryptWithKeyHandle( KeySize key_size; OEMCryptoResult result = WTPI_K1_GetKeySize(key_handle, &key_size); if (result != OEMCrypto_SUCCESS) return result; - result = PrepareCachedKey(key_handle, (size_t)key_size); + result = PrepareCachedKey(key_handle); if (result != OEMCrypto_SUCCESS) return result; if (!OPKI_AESCTRDecrypt(in, in_length, iv, key_handle->cached_key, (size_t)key_size, block_offset, out)) { @@ -296,7 +301,7 @@ OEMCryptoResult WTPI_C1_AESCBCDecrypt(WTPI_K1_SymmetricKey_Handle key_handle, if (!IsKeyHandleValid(key_handle)) { return OEMCrypto_ERROR_INVALID_CONTEXT; } - OEMCryptoResult result = PrepareCachedKey(key_handle, (size_t)key_size); + OEMCryptoResult result = PrepareCachedKey(key_handle); if (result != OEMCrypto_SUCCESS) return result; if (!OPKI_AESCBCDecrypt(in, in_length, iv, key_handle->cached_key, key_length, out)) { @@ -318,7 +323,7 @@ OEMCryptoResult WTPI_C1_AESCBCEncrypt(WTPI_K1_SymmetricKey_Handle key_handle, KeySize encryption_key_size; OEMCryptoResult result = WTPI_K1_GetKeySize(key_handle, &encryption_key_size); if (result != OEMCrypto_SUCCESS) return result; - result = PrepareCachedKey(key_handle, (size_t)encryption_key_size); + result = PrepareCachedKey(key_handle); if (result != OEMCrypto_SUCCESS) return result; if (!OPKI_AESCBCEncrypt(in, in_length, iv, key_handle->cached_key, (size_t)encryption_key_size, out)) { @@ -351,7 +356,7 @@ OEMCryptoResult WTPI_C1_HMAC_SHA1(WTPI_K1_SymmetricKey_Handle key_handle, KeySize hmac_key_size; OEMCryptoResult result = WTPI_K1_GetKeySize(key_handle, &hmac_key_size); if (result != OEMCrypto_SUCCESS) return result; - result = PrepareCachedKey(key_handle, (size_t)hmac_key_size); + result = PrepareCachedKey(key_handle); if (result != OEMCrypto_SUCCESS) return result; if (!OPKI_HMAC_SHA1(message, message_length, key_handle->cached_key, (size_t)hmac_key_size, out)) { @@ -373,7 +378,7 @@ OEMCryptoResult WTPI_C1_HMAC_SHA256(WTPI_K1_SymmetricKey_Handle key_handle, KeySize hmac_key_size; OEMCryptoResult result = WTPI_K1_GetKeySize(key_handle, &hmac_key_size); if (result != OEMCrypto_SUCCESS) return result; - result = PrepareCachedKey(key_handle, (size_t)hmac_key_size); + result = PrepareCachedKey(key_handle); if (result != OEMCrypto_SUCCESS) return result; if (!OPKI_HMAC_SHA256(message, message_length, key_handle->cached_key, (size_t)hmac_key_size, out)) { @@ -484,7 +489,7 @@ OEMCryptoResult WTPI_K1_AESDecryptAndCreateKeyHandle( OEMCryptoResult result = WTPI_K1_GetKeySize(decrypt_key_handle, &decryption_key_size); if (result != OEMCrypto_SUCCESS) return result; - result = PrepareCachedKey(decrypt_key_handle, (size_t)decryption_key_size); + result = PrepareCachedKey(decrypt_key_handle); if (result != OEMCrypto_SUCCESS) return result; uint8_t key[KEY_SIZE_256]; @@ -518,7 +523,7 @@ OEMCryptoResult WTPI_K1_AESDecryptAndCreateKeyHandleForMacKeys( OEMCryptoResult result = WTPI_K1_GetKeySize(decrypt_key_handle, &decryption_key_size); if (result != OEMCrypto_SUCCESS) return result; - result = PrepareCachedKey(decrypt_key_handle, (size_t)decryption_key_size); + result = PrepareCachedKey(decrypt_key_handle); if (result != OEMCrypto_SUCCESS) return result; uint8_t mac_keys[2 * MAC_KEY_SIZE]; @@ -557,7 +562,7 @@ OEMCryptoResult WTPI_K1_DeriveKeyFromKeyHandle( result = WTPI_K1_GetKeySize(key_handle, &key_size); if (result != OEMCrypto_SUCCESS) return result; - result = PrepareCachedKey(key_handle, (size_t)key_size); + result = PrepareCachedKey(key_handle); if (result != OEMCrypto_SUCCESS) return result; uint8_t derived_key[KEY_SIZE_256]; @@ -588,7 +593,7 @@ OEMCryptoResult WTPI_K1_WrapKey(uint32_t context, if (wrapped_key_length < (size_t)key_size) { return OEMCrypto_ERROR_INVALID_CONTEXT; } - result = PrepareCachedKey(key_handle, (size_t)key_size); + result = PrepareCachedKey(key_handle); if (result != OEMCrypto_SUCCESS) return result; /* TODO(b/158766099): encrypt the data instead of memcpy. */ diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_asymmetric.c b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_asymmetric.c index 3910709..1937cc6 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_asymmetric.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_asymmetric.c @@ -324,28 +324,6 @@ OEMCryptoResult WTPI_GetSignatureSize(WTPI_AsymmetricKey_Handle key_handle, return OEMCrypto_SUCCESS; } -OEMCryptoResult WTPI_ED25519Sign(WTPI_AsymmetricKey_Handle key, - const uint8_t* message, size_t message_length, - uint8_t* signature, size_t* signature_length) { - if (key == NULL || message == NULL || message_length == 0 || - signature_length == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } - ABORT_IF(!IsAsymmetricKeyHandleValid(key), "Impossible key handle."); - if (key->key_type != PROV40_ED25519_PRIVATE_KEY) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } - if (signature == NULL || *signature_length < ED25519_SIGNATURE_LEN) { - *signature_length = ED25519_SIGNATURE_LEN; - return OEMCrypto_ERROR_SHORT_BUFFER; - } - if (ED25519_sign(signature, message, message_length, key->ed25519_key) != 1) { - return OEMCrypto_ERROR_UNKNOWN_FAILURE; - } - *signature_length = ED25519_SIGNATURE_LEN; - return OEMCrypto_SUCCESS; -} - /** * Retrieves the device specific asymmetric key pair that is used in * provisioning 4. This key must be unique per individual device. The key must @@ -416,7 +394,8 @@ OEMCryptoResult WTPI_GetBootCertificateChain(uint8_t* out, size_t* out_length) { } result = BuildBootCertificateChain(public_key, public_key_length, key_type, - private_key_handle, out, out_length); + private_key_handle->ed25519_key, out, + out_length); WTPI_FreeAsymmetricKeyHandle(private_key_handle); return result; } @@ -509,9 +488,9 @@ OEMCryptoResult WTPI_DeviceKeyCoseSign1(const uint8_t* message, } size_t encoded_size = 0; - result = - DiceCoseSignAndEncodeSign1(message, message_length, private_key_handle, - *signature_length, signature, &encoded_size); + result = DiceCoseSignAndEncodeSign1( + message, message_length, private_key_handle->ed25519_key, + *signature_length, signature, &encoded_size); WTPI_FreeAsymmetricKeyHandle(private_key_handle); if (result != OEMCrypto_SUCCESS) return result; diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_device_key.c b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_device_key.c index 137535f..a774bf4 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_device_key.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_device_key.c @@ -104,9 +104,7 @@ static OEMCryptoResult VerifyAndDecrypt_V1(uint32_t context, const uint8_t* data, size_t data_size, uint8_t* out, size_t* out_size) { - // We explicitly defer checking |out| until later, to allow querying the size - // without an out buffer. - if (data == NULL || + if (data == NULL || out == NULL || data_size < sizeof(WrappedData) + sizeof(WrappedData_V1) || out_size == NULL) { return OEMCrypto_ERROR_INVALID_CONTEXT; @@ -143,8 +141,7 @@ static OEMCryptoResult VerifyAndDecrypt_V1(uint32_t context, *out_size = needed_size; return OEMCrypto_ERROR_SHORT_BUFFER; } - // We defer this check to allow querying the size without an out buffer. - if (out == NULL) return OEMCrypto_ERROR_INVALID_CONTEXT; + *out_size = needed_size; const WrappedData_V1* const wrapped_data = diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_logging.c b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_logging.c index d4c3ac6..94e6766 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_logging.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_logging.c @@ -22,14 +22,17 @@ static size_t LogPriorityToOrdering(LogPriority priority) { return 0; case LOG_ERROR: return 1; - case LOG_DEBUG: + case LOG_WARN: return 2; + case LOG_DEBUG: + return 3; } ABORT("invalid log priority"); } static const char* LogPriorityToName(LogPriority priority) { - static const char* const kPriorityNames[] = {"NONE", "ERROR", "DEBUG"}; + static const char* const kPriorityNames[] = {"NONE", "ERROR", "WARN", + "DEBUG"}; return kPriorityNames[LogPriorityToOrdering(priority)]; } diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_reference.gyp b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_reference.gyp index f407e4e..54ff484 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_reference.gyp +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_reference.gyp @@ -21,6 +21,15 @@ ], }, 'targets': [ + { + 'target_name': 'oemcrypto_ta_reference_cose_util', + 'sources': [ + 'cose_util.c', + ], + 'dependencies': [ + '../../../../third_party/open-dice.gyp:cbor', + ], + }, { 'target_name': 'oemcrypto_ta_reference_root_of_trust', 'sources': [ @@ -35,6 +44,8 @@ 'dependencies': [ '../../../odk/src/odk.gyp:odk', 'oemcrypto_ta_reference_renewal', + 'oemcrypto_ta_reference_cose_util', + '../../../../third_party/open-dice.gyp:cbor', ], }, { @@ -133,6 +144,7 @@ ], 'dependencies': [ '../../../odk/src/odk.gyp:odk', + 'oemcrypto_ta_reference_cose_util', '../../../../third_party/open-dice.gyp:cbor', ], }, diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_root_of_trust_layer1.c b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_root_of_trust_layer1.c index 689d32e..258056e 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_root_of_trust_layer1.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_root_of_trust_layer1.c @@ -10,6 +10,7 @@ #include #include +#include "cose_util.h" #include "odk_endian.h" #include "oemcrypto_key_types.h" #include "renewal_util.h" @@ -17,6 +18,7 @@ #include "wtpi_config_interface.h" #include "wtpi_crc32_interface.h" #include "wtpi_crypto_and_key_management_interface_layer1.h" +#include "wtpi_crypto_asymmetric_interface.h" #include "wtpi_device_renewal_interface_layer1.h" #include "wtpi_logging_interface.h" @@ -178,9 +180,41 @@ OEMCryptoResult WTPI_ValidateKeybox(void) { return OEMCrypto_SUCCESS; } -OEMCryptoResult WTPI_GetDeviceIDFromKeybox(uint8_t* device_id, - size_t device_id_length) { +static OEMCryptoResult GetProv4DeviceID(uint8_t* device_id, + size_t device_id_length) { if (device_id == NULL) return OEMCrypto_ERROR_INVALID_CONTEXT; + if (device_id_length < SHA256_DIGEST_LENGTH) { + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + + // Device ID with provisioning 4 in this reference implementation is hash of + // (encoded) device public key from BCC. + uint8_t bcc_buffer[1024]; // Make sure this is large enough to hold BCC. + size_t bcc_size = sizeof(bcc_buffer); + OEMCryptoResult result = WTPI_GetBootCertificateChain(bcc_buffer, &bcc_size); + if (result != OEMCrypto_SUCCESS) return OEMCrypto_ERROR_UNKNOWN_FAILURE; + + uint8_t dk_pub_buffer[1024]; + size_t dk_pub_size = sizeof(dk_pub_buffer); + result = GetDevicePublicKeyFromBcc(bcc_buffer, bcc_size, dk_pub_buffer, + &dk_pub_size); + if (result != OEMCrypto_SUCCESS) return OEMCrypto_ERROR_UNKNOWN_FAILURE; + + return WTPI_C1_SHA256(dk_pub_buffer, dk_pub_size, device_id); +} + +OEMCryptoResult WTPI_GetDeviceID(uint8_t* device_id, size_t device_id_length) { + if (device_id == NULL) return OEMCrypto_ERROR_INVALID_CONTEXT; + + if (WTPI_GetProvisioningMethod() == OEMCrypto_BootCertificateChain) { + return GetProv4DeviceID(device_id, device_id_length); + } + + if (WTPI_GetProvisioningMethod() != OEMCrypto_Keybox) { + // TODO(b/225216277): Implement this. + return OEMCrypto_ERROR_NOT_IMPLEMENTED; + } + if (device_id_length < KEYBOX_DEVICE_ID_SIZE) { return OEMCrypto_ERROR_INVALID_CONTEXT; } @@ -188,6 +222,20 @@ OEMCryptoResult WTPI_GetDeviceIDFromKeybox(uint8_t* device_id, return OEMCrypto_SUCCESS; } +OEMCryptoResult WTPI_GetDeviceIDLength(size_t* device_id_length) { + if (device_id_length == NULL) { + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (WTPI_GetProvisioningMethod() == OEMCrypto_BootCertificateChain) { + *device_id_length = SHA256_DIGEST_LENGTH; + } else if (WTPI_GetProvisioningMethod() == OEMCrypto_Keybox) { + *device_id_length = KEYBOX_DEVICE_ID_SIZE; + } else { + return OEMCrypto_ERROR_NOT_IMPLEMENTED; + } + return OEMCrypto_SUCCESS; +} + OEMCryptoResult WTPI_GetKeyDataFromKeybox(uint8_t* key_data, size_t length) { if (key_data == NULL) return OEMCrypto_ERROR_INVALID_CONTEXT; if (length != sizeof(gKeybox.data)) return OEMCrypto_ERROR_INVALID_CONTEXT; diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_test/README.md b/oemcrypto/opk/oemcrypto_ta/wtpi_test/README.md new file mode 100644 index 0000000..3819e12 --- /dev/null +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_test/README.md @@ -0,0 +1,41 @@ +The `wtpi_test` project is a platform-independent unit test suite for WTPI +functions. The goal is to act as a sanity check for new WTPI implementations. + +Where possible, WTPI functions are tested based on the requirements described in +their corresponding header file comments. For instance, if a function is +required to return an error if one of the parameters is NULL, then there should +be a unit test for that. Crypto functions are compared against +BoringSSL-generated data. + +Some functions are expected to run as "reboot tests", meaning that they test +persistence across device reboots. One example is the save/load generation +number functions. Running all tests in a single pass is useless from this reboot +perspective, though they will still succeed. To achieve the full utility, the +unit test executable should be run in two passes with appropriate gtest filter +flags for the desired tests. + +These tests are only for functions that are called by the OEMCrypto TA directly. +This excludes all "level 2" interface functions, since they are called by the +reference WTPI implementations and not by the OEMCrypto TA code directly. + +To add more WTPI tests for a new WTPI interface +- Add the WTPI header file name to + oemcrypto/opk/oemcrypto_ta/wtpi_test/generator/make_source.gyp in the + "make_model_json" recipe +- Ensure that doxygen comments are correct. Include @param with correct variable + names and keep note of serialized array tricks (eg “buffer” and “buffer_size” + parameters are automatically associated as the same array in the serialization + code) +- Add WTPI header file name to + oemcrypto/opk/serialization/generator/api_generator.cpp and + oemcrypto/opk/serialization/generator/dispatcher_generator.cpp +- Run jenkins/opk_tee_interface_tests as a quick check. It generates all of the + required serialization files before running the test, and will throw an error + if there is a problem with the above steps. +- Write test cases. If needed, create a new .cpp file and add it to the + wtpi_test.gyp recipe. For ports that use make, be sure to generate a new + makefile that includes the cpp file in its list of compilation objects. +- If something seems like it is mysteriously not working, check that the arrays + are being serialized correctly. Mismatched parameter names and in/out types + can cause only the first byte of an array to make it across the REE/TEE + boundary, rendering the rest of the array space useless. diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/GEN_common_serializer.c b/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/GEN_common_serializer.c index 1913e81..2f3f751 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/GEN_common_serializer.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/GEN_common_serializer.c @@ -130,6 +130,16 @@ bool Is_Valid_OEMCrypto_Usage_Entry_Status(uint32_t value) { } } +bool Is_Valid_OEMCrypto_ProvisioningRenewalType(uint32_t value) { + switch (value) { + case 0: /* OEMCrypto_NoRenewal */ + case 1: /* OEMCrypto_RenewalACert */ + return true; + default: + return false; + } +} + bool Is_Valid_OEMCrypto_LicenseType(uint32_t value) { switch (value) { case 0: /* OEMCrypto_ContentLicense */ diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/GEN_common_serializer.h b/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/GEN_common_serializer.h index 75bb085..1ed10d7 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/GEN_common_serializer.h +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_test/common/GEN_common_serializer.h @@ -23,6 +23,7 @@ extern "C" { bool SuccessResult(OEMCryptoResult result); bool Is_Valid_OEMCryptoResult(uint32_t value); bool Is_Valid_OEMCrypto_Usage_Entry_Status(uint32_t value); +bool Is_Valid_OEMCrypto_ProvisioningRenewalType(uint32_t value); bool Is_Valid_OEMCrypto_LicenseType(uint32_t value); bool Is_Valid_OEMCrypto_PrivateKeyType(uint32_t value); bool Is_Valid_OPK_OutputBuffer_Type(uint32_t value); diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_test/crypto_test.cpp b/oemcrypto/opk/oemcrypto_ta/wtpi_test/crypto_test.cpp index 188949c..2327a08 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_test/crypto_test.cpp +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_test/crypto_test.cpp @@ -16,6 +16,7 @@ #include "wtpi_crc32_interface.h" #include "wtpi_crypto_and_key_management_interface_layer1.h" #include "wtpi_crypto_asymmetric_interface.h" +#include "wtpi_device_key_interface.h" #define TEST_RSA_KEY_DER_LEN 1216 #define HELLO_WORLD_ENC_LEN 256 @@ -27,6 +28,16 @@ using wtpi_test::MakeEccPublicKey; using wtpi_test::NewEccPrivateKey; using wtpi_test::SerializeEccPrivateKey; using wtpi_test::SerializeEccPublicKey; +// +// Pre-define some types to help with key clean up. +using WtpiAsymmetircKeyType = + std::remove_pointer::type; +const auto wtpi_asymmetric_key_free = [](WtpiAsymmetircKeyType* key) { + WTPI_FreeAsymmetricKeyHandle(key); +}; +using WtpiAsymmetircKeyPtr = + std::unique_ptr>; class CryptoTest : public ::testing::Test { protected: @@ -1442,25 +1453,96 @@ TEST_F(CryptoTest, DeriveDeviceKeyIntoHandleFailsForBadInput) { KEY_SIZE_128)); } -TEST_F(CryptoTest, ED25519SignSuccess) { - uint8_t public_key[ED25519_PUBLIC_KEY_LEN]; - uint8_t private_key[ED25519_PRIVATE_KEY_LEN]; - ED25519_keypair(public_key, private_key); - const uint8_t message[3] = {'m', 's', 'g'}; +TEST_F(CryptoTest, WTPI_EncryptAndSignFailsForBadInput) { + uint32_t context = 0x1234; + std::vector input(32, 0); + std::vector output(128, 0); + size_t out_length = output.size(); - WTPI_AsymmetricKey_Handle handle; - ASSERT_EQ(OEMCrypto_SUCCESS, WTPI_CreateAsymmetricKeyHandle( - private_key, ED25519_PRIVATE_KEY_LEN, - PROV40_ED25519_PRIVATE_KEY, &handle)); - uint8_t signature[ED25519_SIGNATURE_LEN]; - size_t signature_length = sizeof(signature); + ASSERT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, + WTPI_EncryptAndSign(context, NULL, input.size(), output.data(), + &out_length)); + ASSERT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, + WTPI_EncryptAndSign(context, input.data(), input.size(), NULL, + &out_length)); + ASSERT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, + WTPI_EncryptAndSign(context, input.data(), input.size(), + output.data(), NULL)); +} + +TEST_F(CryptoTest, WTPI_EncryptAndSignFailsForShortBuffer) { + uint32_t context = 0x1234; + std::vector input(32, 0); + std::vector output(128, 0); + size_t bad_size = 1; + + ASSERT_EQ(OEMCrypto_ERROR_SHORT_BUFFER, + WTPI_EncryptAndSign(context, input.data(), input.size(), + output.data(), &bad_size)); + ASSERT_NE((size_t)1, bad_size); +} + +TEST_F(CryptoTest, WTPI_VerifyAndDecryptFailsForBadInput) { + uint32_t context = 0x1234; + std::vector input(128, 0); + std::vector output(32, 0); + size_t out_length = output.size(); + + ASSERT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, + WTPI_VerifyAndDecrypt(context, NULL, input.size(), output.data(), + &out_length)); + ASSERT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, + WTPI_VerifyAndDecrypt(context, input.data(), input.size(), NULL, + &out_length)); + ASSERT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, + WTPI_VerifyAndDecrypt(context, input.data(), input.size(), + output.data(), NULL)); +} + +TEST_F(CryptoTest, WTPI_VerifyAndDecryptFailsForShortBuffer) { + uint32_t context = 0x1234; + std::vector input(32, 0); + for (int i = 0; i < 32; i++) { + input[i] = i; + } + std::vector intermediate(1024, 0); + size_t intermediate_size = intermediate.size(); + std::vector output(32, 0); + + // Get a valid signature first ASSERT_EQ(OEMCrypto_SUCCESS, - WTPI_ED25519Sign(handle, message, sizeof(message), signature, - &signature_length)); - ASSERT_EQ(OEMCrypto_SUCCESS, WTPI_FreeAsymmetricKeyHandle(handle)); + WTPI_EncryptAndSign(context, input.data(), input.size(), + intermediate.data(), &intermediate_size)); + size_t bad_size = 1; + ASSERT_EQ(OEMCrypto_ERROR_SHORT_BUFFER, + WTPI_VerifyAndDecrypt(context, intermediate.data(), + intermediate_size, output.data(), &bad_size)); - ASSERT_EQ(ED25519_verify(message, sizeof(message), signature, public_key), 1); - ASSERT_EQ(signature_length, size_t(ED25519_SIGNATURE_LEN)); + ASSERT_NE(size_t(1), bad_size); +} + +TEST_F(CryptoTest, WTPI_EncryptAndSign_Then_VerifyAndDecrypt_Works) { + uint32_t context = 0x1234; + std::vector input(32, 0); + for (int i = 0; i < 32; i++) { + input[i] = i; + } + std::vector intermediate(1024, 0); + size_t intermediate_size = intermediate.size(); + std::vector output(32, 0); + size_t output_size = output.size(); + + ASSERT_EQ(OEMCrypto_SUCCESS, + WTPI_EncryptAndSign(context, input.data(), input.size(), + intermediate.data(), &intermediate_size)); + ASSERT_EQ( + OEMCrypto_SUCCESS, + WTPI_VerifyAndDecrypt(context, intermediate.data(), intermediate_size, + output.data(), &output_size)); + + for (size_t i = 0; i < input.size(); i++) { + ASSERT_EQ(input[i], output[i]); + } } TEST_F(CryptoTest, ECCSignFailsForBadInput) { @@ -1531,17 +1613,7 @@ TEST_F(CryptoTest, ECCLoadKeyAndSign) { ASSERT_EQ(WTPI_FreeAsymmetricKeyHandle(key_handle), OEMCrypto_SUCCESS); } -TEST_F(CryptoTest, ECCKeyExchange) { - // Pre-define some types to help with key clean up. - using WtpiAsymmetircKeyType = - std::remove_pointer::type; - const auto wtpi_asymmetric_key_free = [](WtpiAsymmetircKeyType* key) { - WTPI_FreeAsymmetricKeyHandle(key); - }; - using WtpiAsymmetircKeyPtr = - std::unique_ptr>; - +TEST_F(CryptoTest, ECCDeriveSessionKeySuccess) { // Create device private key. EcKeyPtr device_priv_key; ASSERT_TRUE(NewEccPrivateKey(&device_priv_key)); @@ -1552,7 +1624,7 @@ TEST_F(CryptoTest, ECCKeyExchange) { serialized_key.data(), serialized_key.size(), DRM_ECC_PRIVATE_KEY, &key_handle); ASSERT_EQ(result, OEMCrypto_SUCCESS) << "Failed to load device ECC key"; - // Assign to smare pointer for auto cleanup on failure. + // Assign to smart pointer for auto cleanup on failure. WtpiAsymmetircKeyPtr device_key_handle(key_handle, wtpi_asymmetric_key_free); key_handle = nullptr; @@ -1607,6 +1679,73 @@ TEST_F(CryptoTest, ECCKeyExchange) { << "Mismatch between server and device session key"; } +TEST_F(CryptoTest, ECCDeriveSessionKeyFailsForBadInput) { + // Create device private key. + EcKeyPtr device_priv_key; + ASSERT_TRUE(NewEccPrivateKey(&device_priv_key)); + std::vector serialized_key; + ASSERT_TRUE(SerializeEccPrivateKey(device_priv_key.get(), &serialized_key)); + WTPI_AsymmetricKey_Handle key_handle; + OEMCryptoResult result = WTPI_CreateAsymmetricKeyHandle( + serialized_key.data(), serialized_key.size(), DRM_ECC_PRIVATE_KEY, + &key_handle); + ASSERT_EQ(result, OEMCrypto_SUCCESS) << "Failed to load device ECC key"; + // Assign to smart pointer for auto cleanup on failure. + WtpiAsymmetircKeyPtr device_key_handle(key_handle, wtpi_asymmetric_key_free); + key_handle = nullptr; + + // Serialize device public key (view from server). + std::vector device_pub_key_data; + ASSERT_TRUE( + SerializeEccPublicKey(device_priv_key.get(), &device_pub_key_data)); + device_priv_key.reset(); + + // Create server private key. + EcKeyPtr server_priv_key; + ASSERT_TRUE(NewEccPrivateKey(&server_priv_key)); + ASSERT_TRUE(SerializeEccPrivateKey(server_priv_key.get(), &serialized_key)); + result = WTPI_CreateAsymmetricKeyHandle(serialized_key.data(), + serialized_key.size(), + DRM_ECC_PRIVATE_KEY, &key_handle); + ASSERT_EQ(result, OEMCrypto_SUCCESS) << "Failed to load server ECC key"; + WtpiAsymmetircKeyPtr server_key_handle(key_handle, wtpi_asymmetric_key_free); + key_handle = nullptr; + + // Serialize server public key (view from device). + size_t session_key_size = KEY_SIZE_256; + std::vector server_pub_key_data; + ASSERT_TRUE( + SerializeEccPublicKey(server_priv_key.get(), &server_pub_key_data)); + server_priv_key.reset(); + + std::vector device_session_key(session_key_size, 0); + ASSERT_EQ(WTPI_ECCDeriveSessionKey( + NULL, server_pub_key_data.data(), server_pub_key_data.size(), + device_session_key.data(), &session_key_size), + OEMCrypto_ERROR_INVALID_CONTEXT); + ASSERT_EQ(WTPI_ECCDeriveSessionKey( + device_key_handle.get(), NULL, server_pub_key_data.size(), + device_session_key.data(), &session_key_size), + OEMCrypto_ERROR_INVALID_CONTEXT); + ASSERT_EQ(WTPI_ECCDeriveSessionKey(device_key_handle.get(), + server_pub_key_data.data(), 0, + device_session_key.data(), NULL), + OEMCrypto_ERROR_INVALID_CONTEXT); + + size_t bad_size = 0; + ASSERT_EQ(WTPI_ECCDeriveSessionKey(device_key_handle.get(), + server_pub_key_data.data(), + server_pub_key_data.size(), + device_session_key.data(), &bad_size), + OEMCrypto_ERROR_SHORT_BUFFER); + EXPECT_GT(bad_size, size_t(0)); + + ASSERT_EQ(WTPI_ECCDeriveSessionKey( + device_key_handle.get(), server_pub_key_data.data(), + server_pub_key_data.size(), NULL, &session_key_size), + OEMCrypto_ERROR_SHORT_BUFFER); +} + TEST_F(CryptoTest, GetBootCertificateChainSuccess) { const size_t kExpectedBccSize = 180; std::vector buffer; @@ -1624,7 +1763,7 @@ TEST_F(CryptoTest, GetBootCertificateChainSuccess) { } TEST_F(CryptoTest, GenerateRandomCertificateKeyPairSuccess) { - const size_t kBufferSize = 1000; + const size_t kBufferSize = 2000; AsymmetricKeyType type; uint8_t public_key[kBufferSize]; size_t public_key_length = sizeof(public_key); @@ -1635,11 +1774,128 @@ TEST_F(CryptoTest, GenerateRandomCertificateKeyPairSuccess) { &type, wrapped_private_key, &wrapped_private_key_length, public_key, &public_key_length), OEMCrypto_SUCCESS); - EXPECT_EQ(type, DRM_ECC_PRIVATE_KEY); + EXPECT_TRUE(type == DRM_ECC_PRIVATE_KEY || type == DRM_RSA_PRIVATE_KEY); EXPECT_GT(public_key_length, size_t(0)); EXPECT_LT(public_key_length, kBufferSize); EXPECT_GT(wrapped_private_key_length, size_t(0)); EXPECT_LT(wrapped_private_key_length, kBufferSize); + + // Unwrap private key into key handle, use it to sign a message, then verify + // it with public key to ensure keypair is valid + WTPI_AsymmetricKey_Handle key_handle; + uint32_t allowed_schemes; + ASSERT_EQ(WTPI_UnwrapIntoAsymmetricKeyHandle(wrapped_private_key, + wrapped_private_key_length, type, + &key_handle, &allowed_schemes), + OEMCrypto_SUCCESS); + + size_t signature_size = 0; + ASSERT_EQ(WTPI_GetSignatureSize(key_handle, &signature_size), + OEMCrypto_SUCCESS); + const uint8_t kMessage[] = {'m', 'e', 's', 's', 'a', 'g', 'e'}; + std::vector signature(signature_size, 0); + + switch (type) { + case DRM_RSA_PRIVATE_KEY: { + // sign + ASSERT_EQ( + WTPI_RSASign(key_handle, kMessage, sizeof(kMessage), signature.data(), + &signature_size, RSA_Padding_Scheme(allowed_schemes)), + OEMCrypto_SUCCESS); + + signature.resize(signature_size); + + // Verify with generated public key + boringssl_ptr pkey(EVP_PKEY_new()); + const uint8_t* pos = public_key; + RSA* decoded_rsa = d2i_RSA_PUBKEY(NULL, &pos, public_key_length); + ASSERT_NE(nullptr, decoded_rsa) << "RSA pub key failed to decode"; + ASSERT_EQ(1, EVP_PKEY_set1_RSA(pkey.get(), decoded_rsa)); + + EXPECT_TRUE(VerifyPSSSignature(pkey.get(), kMessage, sizeof(kMessage), + signature.data(), signature_size)) + << "PSS signature check failed."; + ASSERT_EQ(WTPI_FreeAsymmetricKeyHandle(key_handle), OEMCrypto_SUCCESS); + } break; + case DRM_ECC_PRIVATE_KEY: { + // sign + ASSERT_EQ(WTPI_ECCSign(key_handle, kMessage, sizeof(kMessage), + signature.data(), &signature_size), + OEMCrypto_SUCCESS); + signature.resize(signature_size); + + // Verify with generated public key + EcKeyPtr ec_pub_key; + const uint8_t* pos = public_key; + EC_KEY* decoded_pub_key = d2i_EC_PUBKEY(NULL, &pos, public_key_length); + ASSERT_NE(nullptr, decoded_pub_key) << "ECC pub key failed to decode"; + ec_pub_key.reset(decoded_pub_key); + + uint8_t digest[SHA256_DIGEST_LENGTH]; + ASSERT_NE(SHA256(kMessage, sizeof(kMessage), digest), nullptr); + constexpr int kDefaultEcdsaType = 0; // Specific to OpenSSL. + constexpr int kSignatureValid = 1; + ASSERT_EQ( + ECDSA_verify(kDefaultEcdsaType, digest, SHA256_DIGEST_LENGTH, + signature.data(), static_cast(signature.size()), + ec_pub_key.get()), + kSignatureValid) + << "Signature verification failed"; + ASSERT_EQ(WTPI_FreeAsymmetricKeyHandle(key_handle), OEMCrypto_SUCCESS); + } break; + case PROV40_ED25519_PRIVATE_KEY: + default: + FAIL() << "Unsupported key type"; + break; + } +} + +TEST_F(CryptoTest, GenerateRandomCertificateKeyPairFailsForBadInput) { + const size_t kBufferSize = 1000; + AsymmetricKeyType type; + uint8_t public_key[kBufferSize]; + size_t public_key_length = sizeof(public_key); + uint8_t wrapped_private_key[kBufferSize]; + size_t wrapped_private_key_length = sizeof(wrapped_private_key); + + ASSERT_EQ(WTPI_GenerateRandomCertificateKeyPair( + NULL, wrapped_private_key, &wrapped_private_key_length, + public_key, &public_key_length), + OEMCrypto_ERROR_INVALID_CONTEXT); + + ASSERT_EQ( + WTPI_GenerateRandomCertificateKeyPair(&type, wrapped_private_key, NULL, + public_key, &public_key_length), + OEMCrypto_ERROR_INVALID_CONTEXT); + + ASSERT_EQ(WTPI_GenerateRandomCertificateKeyPair(&type, wrapped_private_key, + &wrapped_private_key_length, + public_key, NULL), + OEMCrypto_ERROR_INVALID_CONTEXT); + + size_t bad_size = 0; + ASSERT_EQ(WTPI_GenerateRandomCertificateKeyPair(&type, wrapped_private_key, + &bad_size, public_key, + &public_key_length), + OEMCrypto_ERROR_SHORT_BUFFER); + EXPECT_GT(bad_size, size_t(0)); + + bad_size = 0; + ASSERT_EQ(WTPI_GenerateRandomCertificateKeyPair(&type, wrapped_private_key, + &wrapped_private_key_length, + public_key, &bad_size), + OEMCrypto_ERROR_SHORT_BUFFER); + EXPECT_GT(bad_size, size_t(0)); + + ASSERT_EQ(WTPI_GenerateRandomCertificateKeyPair( + &type, NULL, &wrapped_private_key_length, public_key, + &public_key_length), + OEMCrypto_ERROR_SHORT_BUFFER); + + ASSERT_EQ(WTPI_GenerateRandomCertificateKeyPair(&type, wrapped_private_key, + &wrapped_private_key_length, + NULL, &public_key_length), + OEMCrypto_ERROR_SHORT_BUFFER); } TEST_F(CryptoTest, WTPI_DeviceKeyCoseSign1Success) { diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_oemcrypto_tee_test_api.c b/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_oemcrypto_tee_test_api.c index f78e4f1..362d118 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_oemcrypto_tee_test_api.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_oemcrypto_tee_test_api.c @@ -25,6 +25,7 @@ #include "wtpi_crc32_interface.h" #include "wtpi_crypto_and_key_management_interface_layer1.h" #include "wtpi_crypto_asymmetric_interface.h" +#include "wtpi_device_key_interface.h" OEMCryptoResult WTPI_PrepareGenerationNumber(void) { pthread_mutex_lock(&api_lock); @@ -989,37 +990,6 @@ cleanup_and_return: return result; } -OEMCryptoResult WTPI_ED25519Sign(WTPI_AsymmetricKey_Handle key, - const uint8_t* message, size_t message_length, - uint8_t* signature, size_t* signature_length) { - pthread_mutex_lock(&api_lock); - OEMCryptoResult result = OEMCrypto_ERROR_UNKNOWN_FAILURE; - ODK_Message request = ODK_Message_Create(NULL, 0); - ODK_Message response = ODK_Message_Create(NULL, 0); - API_Initialize(); - request = OPK_Pack_ED25519Sign_Request(key, message, message_length, - signature, signature_length); - if (ODK_Message_GetStatus(&request) != MESSAGE_STATUS_OK) { - api_result = OEMCrypto_ERROR_UNKNOWN_FAILURE; - goto cleanup_and_return; - } - response = API_Transact(&request); - OPK_Unpack_ED25519Sign_Response(&response, &result, &signature, - &signature_length); - - if (ODK_Message_GetStatus(&response) != MESSAGE_STATUS_OK) { - api_result = OEMCrypto_ERROR_UNKNOWN_FAILURE; - } -cleanup_and_return: - TOS_Transport_ReleaseMessage(&request); - TOS_Transport_ReleaseMessage(&response); - - API_Terminate(); - result = API_CheckResult(result); - pthread_mutex_unlock(&api_lock); - return result; -} - OEMCryptoResult WTPI_GetBootCertificateChain(uint8_t* out, size_t* out_length) { pthread_mutex_lock(&api_lock); OEMCryptoResult result = OEMCrypto_ERROR_UNKNOWN_FAILURE; @@ -1306,3 +1276,126 @@ cleanup_and_return: pthread_mutex_unlock(&api_lock); return result; } + +OEMCryptoResult WTPI_GetEncryptAndSignSize(uint32_t context, size_t in_length, + size_t* wrapped_length) { + pthread_mutex_lock(&api_lock); + OEMCryptoResult result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + ODK_Message request = ODK_Message_Create(NULL, 0); + ODK_Message response = ODK_Message_Create(NULL, 0); + API_Initialize(); + request = OPK_Pack_GetEncryptAndSignSize_Request(context, in_length, + wrapped_length); + if (ODK_Message_GetStatus(&request) != MESSAGE_STATUS_OK) { + api_result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + goto cleanup_and_return; + } + response = API_Transact(&request); + OPK_Unpack_GetEncryptAndSignSize_Response(&response, &result, + &wrapped_length); + + if (ODK_Message_GetStatus(&response) != MESSAGE_STATUS_OK) { + api_result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + } +cleanup_and_return: + TOS_Transport_ReleaseMessage(&request); + TOS_Transport_ReleaseMessage(&response); + + API_Terminate(); + result = API_CheckResult(result); + pthread_mutex_unlock(&api_lock); + return result; +} + +OEMCryptoResult WTPI_EncryptAndSign(uint32_t context, const uint8_t* data, + size_t data_length, uint8_t* out, + size_t* out_length) { + pthread_mutex_lock(&api_lock); + OEMCryptoResult result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + ODK_Message request = ODK_Message_Create(NULL, 0); + ODK_Message response = ODK_Message_Create(NULL, 0); + API_Initialize(); + request = OPK_Pack_EncryptAndSign_Request(context, data, data_length, out, + out_length); + if (ODK_Message_GetStatus(&request) != MESSAGE_STATUS_OK) { + api_result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + goto cleanup_and_return; + } + response = API_Transact(&request); + OPK_Unpack_EncryptAndSign_Response(&response, &result, &out, &out_length); + + if (ODK_Message_GetStatus(&response) != MESSAGE_STATUS_OK) { + api_result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + } +cleanup_and_return: + TOS_Transport_ReleaseMessage(&request); + TOS_Transport_ReleaseMessage(&response); + + API_Terminate(); + result = API_CheckResult(result); + pthread_mutex_unlock(&api_lock); + return result; +} + +OEMCryptoResult WTPI_VerifyAndDecrypt(uint32_t context, const uint8_t* wrapped, + size_t wrapped_length, uint8_t* out, + size_t* out_length) { + pthread_mutex_lock(&api_lock); + OEMCryptoResult result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + ODK_Message request = ODK_Message_Create(NULL, 0); + ODK_Message response = ODK_Message_Create(NULL, 0); + API_Initialize(); + request = OPK_Pack_VerifyAndDecrypt_Request(context, wrapped, wrapped_length, + out, out_length); + if (ODK_Message_GetStatus(&request) != MESSAGE_STATUS_OK) { + api_result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + goto cleanup_and_return; + } + response = API_Transact(&request); + OPK_Unpack_VerifyAndDecrypt_Response(&response, &result, &out, &out_length); + + if (ODK_Message_GetStatus(&response) != MESSAGE_STATUS_OK) { + api_result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + } +cleanup_and_return: + TOS_Transport_ReleaseMessage(&request); + TOS_Transport_ReleaseMessage(&response); + + API_Terminate(); + result = API_CheckResult(result); + pthread_mutex_unlock(&api_lock); + return result; +} + +OEMCryptoResult WTPI_VerifyAndDecryptUsageData_Legacy(const uint8_t* wrapped, + size_t wrapped_length, + const uint8_t* signature, + const uint8_t* iv, + uint8_t* out) { + pthread_mutex_lock(&api_lock); + OEMCryptoResult result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + ODK_Message request = ODK_Message_Create(NULL, 0); + ODK_Message response = ODK_Message_Create(NULL, 0); + API_Initialize(); + request = OPK_Pack_VerifyAndDecryptUsageData_Legacy_Request( + wrapped, wrapped_length, signature, iv, out); + if (ODK_Message_GetStatus(&request) != MESSAGE_STATUS_OK) { + api_result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + goto cleanup_and_return; + } + response = API_Transact(&request); + OPK_Unpack_VerifyAndDecryptUsageData_Legacy_Response(&response, &result, + &out); + + if (ODK_Message_GetStatus(&response) != MESSAGE_STATUS_OK) { + api_result = OEMCrypto_ERROR_UNKNOWN_FAILURE; + } +cleanup_and_return: + TOS_Transport_ReleaseMessage(&request); + TOS_Transport_ReleaseMessage(&response); + + API_Terminate(); + result = API_CheckResult(result); + pthread_mutex_unlock(&api_lock); + return result; +} diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_ree_serializer.c b/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_ree_serializer.c index 0d2cb01..7d36e31 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_ree_serializer.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_ree_serializer.c @@ -1109,56 +1109,9 @@ void OPK_Unpack_GetSignatureSize_Response(ODK_Message* msg, } } -ODK_Message OPK_Pack_ED25519Sign_Request(WTPI_AsymmetricKey_Handle key, - const uint8_t* message, - size_t message_length, - const uint8_t* signature, - const size_t* signature_length) { - uint32_t api_value = 10032; /* from _tee10032 */ - ODK_Message msg = TOS_Transport_GetRequest(); - OPK_Pack_uint32_t(&msg, &api_value); - uint64_t timestamp = time(0); - OPK_Pack_uint64_t(&msg, ×tamp); - OPK_Pack_size_t(&msg, &message_length); - OPK_PackNullable_size_t(&msg, signature_length); - OPK_Pack_WTPI_AsymmetricKey_Handle(&msg, &key); - OPK_PackMemory(&msg, (const uint8_t*)message, - OPK_ToLengthType(message_length)); - OPK_PackAlloc(&msg, signature); - OPK_PackEOM(&msg); - OPK_SharedBuffer_FinalizePacking(); - return msg; -} - -void OPK_Unpack_ED25519Sign_Response(ODK_Message* msg, OEMCryptoResult* result, - uint8_t** signature, - size_t** signature_length) { - uint32_t api_value = UINT32_MAX; - OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10032) - ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); - OPK_UnpackNullable_size_t(msg, signature_length); - OPK_Unpack_uint32_t(msg, result); - if (!Is_Valid_OEMCryptoResult(*result)) { - ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_INVALID_ENUM_VALUE); - } - if (SuccessResult(*result)) { - uint8_t* p; - OPK_UnpackInPlace(msg, &p, OPK_FromSizeTPtrPtr(signature_length)); - if (p && *signature) { - memcpy(*signature, p, OPK_SafeDerefSizeTPtrPtr(signature_length)); - } - } - OPK_UnpackEOM(msg); - - if (SuccessResult(*result)) { - OPK_SharedBuffer_FinalizeUnpacking(); - } -} - ODK_Message OPK_Pack_GetBootCertificateChain_Request(const uint8_t* out, const size_t* out_length) { - uint32_t api_value = 10033; /* from _tee10033 */ + uint32_t api_value = 10032; /* from _tee10032 */ ODK_Message msg = TOS_Transport_GetRequest(); OPK_Pack_uint32_t(&msg, &api_value); uint64_t timestamp = time(0); @@ -1176,7 +1129,7 @@ void OPK_Unpack_GetBootCertificateChain_Response(ODK_Message* msg, size_t** out_length) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10033) + if (api_value != 10032) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); OPK_UnpackNullable_size_t(msg, out_length); OPK_Unpack_uint32_t(msg, result); @@ -1201,7 +1154,7 @@ ODK_Message OPK_Pack_GenerateRandomCertificateKeyPair_Request( const AsymmetricKeyType* key_type, const uint8_t* wrapped_private_key, const size_t* wrapped_private_key_length, const uint8_t* public_key, const size_t* public_key_length) { - uint32_t api_value = 10034; /* from _tee10034 */ + uint32_t api_value = 10033; /* from _tee10033 */ ODK_Message msg = TOS_Transport_GetRequest(); OPK_Pack_uint32_t(&msg, &api_value); uint64_t timestamp = time(0); @@ -1222,7 +1175,7 @@ void OPK_Unpack_GenerateRandomCertificateKeyPair_Response( uint8_t** public_key, size_t** public_key_length) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10034) + if (api_value != 10033) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); OPK_UnpackNullable_size_t(msg, wrapped_private_key_length); OPK_UnpackNullable_size_t(msg, public_key_length); @@ -1256,7 +1209,7 @@ void OPK_Unpack_GenerateRandomCertificateKeyPair_Response( ODK_Message OPK_Pack_DeviceKeyCoseSign1_Request( const uint8_t* message, size_t message_length, const uint8_t* signature, const size_t* signature_length) { - uint32_t api_value = 10035; /* from _tee10035 */ + uint32_t api_value = 10034; /* from _tee10034 */ ODK_Message msg = TOS_Transport_GetRequest(); OPK_Pack_uint32_t(&msg, &api_value); uint64_t timestamp = time(0); @@ -1277,7 +1230,7 @@ void OPK_Unpack_DeviceKeyCoseSign1_Response(ODK_Message* msg, size_t** signature_length) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10035) + if (api_value != 10034) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); OPK_UnpackNullable_size_t(msg, signature_length); OPK_Unpack_uint32_t(msg, result); @@ -1299,7 +1252,7 @@ void OPK_Unpack_DeviceKeyCoseSign1_Response(ODK_Message* msg, } ODK_Message OPK_Pack_Crc32Init_Request(const uint32_t* initial_hash) { - uint32_t api_value = 10036; /* from _tee10036 */ + uint32_t api_value = 10035; /* from _tee10035 */ ODK_Message msg = TOS_Transport_GetRequest(); OPK_Pack_uint32_t(&msg, &api_value); uint64_t timestamp = time(0); @@ -1314,7 +1267,7 @@ void OPK_Unpack_Crc32Init_Response(ODK_Message* msg, OEMCryptoResult* result, uint32_t** initial_hash) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10036) + if (api_value != 10035) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); OPK_Unpack_uint32_t(msg, result); if (!Is_Valid_OEMCryptoResult(*result)) { @@ -1331,7 +1284,7 @@ void OPK_Unpack_Crc32Init_Response(ODK_Message* msg, OEMCryptoResult* result, ODK_Message OPK_Pack_Crc32Cont_Request(const uint8_t* in, size_t in_length, uint32_t prev_crc, const uint32_t* new_crc) { - uint32_t api_value = 10037; /* from _tee10037 */ + uint32_t api_value = 10036; /* from _tee10036 */ ODK_Message msg = TOS_Transport_GetRequest(); OPK_Pack_uint32_t(&msg, &api_value); uint64_t timestamp = time(0); @@ -1349,7 +1302,7 @@ void OPK_Unpack_Crc32Cont_Response(ODK_Message* msg, OEMCryptoResult* result, uint32_t** new_crc) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10037) + if (api_value != 10036) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); OPK_Unpack_uint32_t(msg, result); if (!Is_Valid_OEMCryptoResult(*result)) { @@ -1368,7 +1321,7 @@ ODK_Message OPK_Pack_Crc32Cont_OutputBuffer_Request(const OPK_OutputBuffer* in, size_t in_length, uint32_t prev_crc, const uint32_t* new_crc) { - uint32_t api_value = 10038; /* from _tee10038 */ + uint32_t api_value = 10037; /* from _tee10037 */ ODK_Message msg = TOS_Transport_GetRequest(); OPK_Pack_uint32_t(&msg, &api_value); uint64_t timestamp = time(0); @@ -1399,7 +1352,7 @@ void OPK_Unpack_Crc32Cont_OutputBuffer_Response(ODK_Message* msg, uint32_t** new_crc) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10038) + if (api_value != 10037) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); OPK_Unpack_uint32_t(msg, result); if (!Is_Valid_OEMCryptoResult(*result)) { @@ -1414,7 +1367,7 @@ void OPK_Unpack_Crc32Cont_OutputBuffer_Response(ODK_Message* msg, } ODK_Message OPK_Pack_GetTrustedTime_Request(const uint64_t* time_in_s) { - uint32_t api_value = 10039; /* from _tee10039 */ + uint32_t api_value = 10038; /* from _tee10038 */ ODK_Message msg = TOS_Transport_GetRequest(); OPK_Pack_uint32_t(&msg, &api_value); uint64_t timestamp = time(0); @@ -1430,7 +1383,7 @@ void OPK_Unpack_GetTrustedTime_Response(ODK_Message* msg, uint64_t** time_in_s) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10039) + if (api_value != 10038) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); OPK_Unpack_uint32_t(msg, result); if (!Is_Valid_OEMCryptoResult(*result)) { @@ -1445,7 +1398,7 @@ void OPK_Unpack_GetTrustedTime_Response(ODK_Message* msg, } ODK_Message OPK_Pack_InitializeClock_Request(void) { - uint32_t api_value = 10040; /* from _tee10040 */ + uint32_t api_value = 10039; /* from _tee10039 */ ODK_Message msg = TOS_Transport_GetRequest(); OPK_Pack_uint32_t(&msg, &api_value); uint64_t timestamp = time(0); @@ -1459,6 +1412,34 @@ void OPK_Unpack_InitializeClock_Response(ODK_Message* msg, OEMCryptoResult* result) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); + if (api_value != 10039) + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); + OPK_Unpack_uint32_t(msg, result); + if (!Is_Valid_OEMCryptoResult(*result)) { + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_INVALID_ENUM_VALUE); + } + OPK_UnpackEOM(msg); + + if (SuccessResult(*result)) { + OPK_SharedBuffer_FinalizeUnpacking(); + } +} + +ODK_Message OPK_Pack_TerminateClock_Request(void) { + uint32_t api_value = 10040; /* from _tee10040 */ + ODK_Message msg = TOS_Transport_GetRequest(); + OPK_Pack_uint32_t(&msg, &api_value); + uint64_t timestamp = time(0); + OPK_Pack_uint64_t(&msg, ×tamp); + OPK_PackEOM(&msg); + OPK_SharedBuffer_FinalizePacking(); + return msg; +} + +void OPK_Unpack_TerminateClock_Response(ODK_Message* msg, + OEMCryptoResult* result) { + uint32_t api_value = UINT32_MAX; + OPK_Unpack_uint32_t(msg, &api_value); if (api_value != 10040) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); OPK_Unpack_uint32_t(msg, result); @@ -1472,36 +1453,8 @@ void OPK_Unpack_InitializeClock_Response(ODK_Message* msg, } } -ODK_Message OPK_Pack_TerminateClock_Request(void) { - uint32_t api_value = 10041; /* from _tee10041 */ - ODK_Message msg = TOS_Transport_GetRequest(); - OPK_Pack_uint32_t(&msg, &api_value); - uint64_t timestamp = time(0); - OPK_Pack_uint64_t(&msg, ×tamp); - OPK_PackEOM(&msg); - OPK_SharedBuffer_FinalizePacking(); - return msg; -} - -void OPK_Unpack_TerminateClock_Response(ODK_Message* msg, - OEMCryptoResult* result) { - uint32_t api_value = UINT32_MAX; - OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10041) - ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); - OPK_Unpack_uint32_t(msg, result); - if (!Is_Valid_OEMCryptoResult(*result)) { - ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_INVALID_ENUM_VALUE); - } - OPK_UnpackEOM(msg); - - if (SuccessResult(*result)) { - OPK_SharedBuffer_FinalizeUnpacking(); - } -} - ODK_Message OPK_Pack_GetClockType_Request(void) { - uint32_t api_value = 10042; /* from _tee10042 */ + uint32_t api_value = 10041; /* from _tee10041 */ ODK_Message msg = TOS_Transport_GetRequest(); OPK_Pack_uint32_t(&msg, &api_value); uint64_t timestamp = time(0); @@ -1515,9 +1468,173 @@ void OPK_Unpack_GetClockType_Response(ODK_Message* msg, OEMCrypto_Clock_Security_Level* result) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10042) + if (api_value != 10041) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); OPK_Unpack_OEMCrypto_Clock_Security_Level(msg, result); OPK_UnpackEOM(msg); OPK_SharedBuffer_FinalizeUnpacking(); } + +ODK_Message OPK_Pack_GetEncryptAndSignSize_Request( + uint32_t context, size_t in_length, const size_t* wrapped_length) { + uint32_t api_value = 10042; /* from _tee10042 */ + ODK_Message msg = TOS_Transport_GetRequest(); + OPK_Pack_uint32_t(&msg, &api_value); + uint64_t timestamp = time(0); + OPK_Pack_uint64_t(&msg, ×tamp); + OPK_Pack_uint32_t(&msg, &context); + OPK_Pack_size_t(&msg, &in_length); + OPK_PackIsNull(&msg, wrapped_length); + OPK_PackEOM(&msg); + OPK_SharedBuffer_FinalizePacking(); + return msg; +} + +void OPK_Unpack_GetEncryptAndSignSize_Response(ODK_Message* msg, + OEMCryptoResult* result, + size_t** wrapped_length) { + uint32_t api_value = UINT32_MAX; + OPK_Unpack_uint32_t(msg, &api_value); + if (api_value != 10042) + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); + OPK_Unpack_uint32_t(msg, result); + if (!Is_Valid_OEMCryptoResult(*result)) { + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_INVALID_ENUM_VALUE); + } + OPK_UnpackNullable_size_t(msg, wrapped_length); + OPK_UnpackEOM(msg); + + if (SuccessResult(*result)) { + OPK_SharedBuffer_FinalizeUnpacking(); + } +} + +ODK_Message OPK_Pack_EncryptAndSign_Request(uint32_t context, + const uint8_t* data, + size_t data_length, + const uint8_t* out, + const size_t* out_length) { + uint32_t api_value = 10043; /* from _tee10043 */ + ODK_Message msg = TOS_Transport_GetRequest(); + OPK_Pack_uint32_t(&msg, &api_value); + uint64_t timestamp = time(0); + OPK_Pack_uint64_t(&msg, ×tamp); + OPK_Pack_size_t(&msg, &data_length); + OPK_PackNullable_size_t(&msg, out_length); + OPK_Pack_uint32_t(&msg, &context); + OPK_PackMemory(&msg, (const uint8_t*)data, OPK_ToLengthType(data_length)); + OPK_PackAlloc(&msg, out); + OPK_PackEOM(&msg); + OPK_SharedBuffer_FinalizePacking(); + return msg; +} + +void OPK_Unpack_EncryptAndSign_Response(ODK_Message* msg, + OEMCryptoResult* result, uint8_t** out, + size_t** out_length) { + uint32_t api_value = UINT32_MAX; + OPK_Unpack_uint32_t(msg, &api_value); + if (api_value != 10043) + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); + OPK_UnpackNullable_size_t(msg, out_length); + OPK_Unpack_uint32_t(msg, result); + if (!Is_Valid_OEMCryptoResult(*result)) { + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_INVALID_ENUM_VALUE); + } + if (SuccessResult(*result)) { + uint8_t* p; + OPK_UnpackInPlace(msg, &p, OPK_FromSizeTPtrPtr(out_length)); + if (p && *out) { + memcpy(*out, p, OPK_SafeDerefSizeTPtrPtr(out_length)); + } + } + OPK_UnpackEOM(msg); + + if (SuccessResult(*result)) { + OPK_SharedBuffer_FinalizeUnpacking(); + } +} + +ODK_Message OPK_Pack_VerifyAndDecrypt_Request(uint32_t context, + const uint8_t* wrapped, + size_t wrapped_length, + const uint8_t* out, + const size_t* out_length) { + uint32_t api_value = 10044; /* from _tee10044 */ + ODK_Message msg = TOS_Transport_GetRequest(); + OPK_Pack_uint32_t(&msg, &api_value); + uint64_t timestamp = time(0); + OPK_Pack_uint64_t(&msg, ×tamp); + OPK_Pack_size_t(&msg, &wrapped_length); + OPK_PackNullable_size_t(&msg, out_length); + OPK_Pack_uint32_t(&msg, &context); + OPK_PackMemory(&msg, (const uint8_t*)wrapped, + OPK_ToLengthType(wrapped_length)); + OPK_PackAlloc(&msg, out); + OPK_PackEOM(&msg); + OPK_SharedBuffer_FinalizePacking(); + return msg; +} + +void OPK_Unpack_VerifyAndDecrypt_Response(ODK_Message* msg, + OEMCryptoResult* result, + uint8_t** out, size_t** out_length) { + uint32_t api_value = UINT32_MAX; + OPK_Unpack_uint32_t(msg, &api_value); + if (api_value != 10044) + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); + OPK_UnpackNullable_size_t(msg, out_length); + OPK_Unpack_uint32_t(msg, result); + if (!Is_Valid_OEMCryptoResult(*result)) { + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_INVALID_ENUM_VALUE); + } + if (SuccessResult(*result)) { + uint8_t* p; + OPK_UnpackInPlace(msg, &p, OPK_FromSizeTPtrPtr(out_length)); + if (p && *out) { + memcpy(*out, p, OPK_SafeDerefSizeTPtrPtr(out_length)); + } + } + OPK_UnpackEOM(msg); + + if (SuccessResult(*result)) { + OPK_SharedBuffer_FinalizeUnpacking(); + } +} + +ODK_Message OPK_Pack_VerifyAndDecryptUsageData_Legacy_Request( + const uint8_t* wrapped, size_t wrapped_length, const uint8_t* signature, + const uint8_t* iv, const uint8_t* out) { + uint32_t api_value = 10045; /* from _tee10045 */ + ODK_Message msg = TOS_Transport_GetRequest(); + OPK_Pack_uint32_t(&msg, &api_value); + uint64_t timestamp = time(0); + OPK_Pack_uint64_t(&msg, ×tamp); + OPK_Pack_size_t(&msg, &wrapped_length); + OPK_PackMemory(&msg, (const uint8_t*)wrapped, + OPK_ToLengthType(wrapped_length)); + OPK_PackNullable_uint8_t(&msg, signature); + OPK_PackArray(&msg, &iv[0], 16); + OPK_PackIsNull(&msg, out); + OPK_PackEOM(&msg); + OPK_SharedBuffer_FinalizePacking(); + return msg; +} + +void OPK_Unpack_VerifyAndDecryptUsageData_Legacy_Response( + ODK_Message* msg, OEMCryptoResult* result, uint8_t** out) { + uint32_t api_value = UINT32_MAX; + OPK_Unpack_uint32_t(msg, &api_value); + if (api_value != 10045) + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); + OPK_Unpack_uint32_t(msg, result); + if (!Is_Valid_OEMCryptoResult(*result)) { + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_INVALID_ENUM_VALUE); + } + OPK_UnpackNullable_uint8_t(msg, out); + OPK_UnpackEOM(msg); + + if (SuccessResult(*result)) { + OPK_SharedBuffer_FinalizeUnpacking(); + } +} diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_ree_serializer.h b/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_ree_serializer.h index 40a9fa5..b28fc05 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_ree_serializer.h +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/GEN_ree_serializer.h @@ -191,14 +191,6 @@ ODK_Message OPK_Pack_GetSignatureSize_Request(WTPI_AsymmetricKey_Handle key, void OPK_Unpack_GetSignatureSize_Response(ODK_Message* msg, OEMCryptoResult* result, size_t** signature_length); -ODK_Message OPK_Pack_ED25519Sign_Request(WTPI_AsymmetricKey_Handle key, - const uint8_t* message, - size_t message_length, - const uint8_t* signature, - const size_t* signature_length); -void OPK_Unpack_ED25519Sign_Response(ODK_Message* msg, OEMCryptoResult* result, - uint8_t** signature, - size_t** signature_length); ODK_Message OPK_Pack_GetBootCertificateChain_Request(const uint8_t* out, const size_t* out_length); void OPK_Unpack_GetBootCertificateChain_Response(ODK_Message* msg, @@ -250,6 +242,32 @@ void OPK_Unpack_TerminateClock_Response(ODK_Message* msg, ODK_Message OPK_Pack_GetClockType_Request(void); void OPK_Unpack_GetClockType_Response(ODK_Message* msg, OEMCrypto_Clock_Security_Level* result); +ODK_Message OPK_Pack_GetEncryptAndSignSize_Request( + uint32_t context, size_t in_length, const size_t* wrapped_length); +void OPK_Unpack_GetEncryptAndSignSize_Response(ODK_Message* msg, + OEMCryptoResult* result, + size_t** wrapped_length); +ODK_Message OPK_Pack_EncryptAndSign_Request(uint32_t context, + const uint8_t* data, + size_t data_length, + const uint8_t* out, + const size_t* out_length); +void OPK_Unpack_EncryptAndSign_Response(ODK_Message* msg, + OEMCryptoResult* result, uint8_t** out, + size_t** out_length); +ODK_Message OPK_Pack_VerifyAndDecrypt_Request(uint32_t context, + const uint8_t* wrapped, + size_t wrapped_length, + const uint8_t* out, + const size_t* out_length); +void OPK_Unpack_VerifyAndDecrypt_Response(ODK_Message* msg, + OEMCryptoResult* result, + uint8_t** out, size_t** out_length); +ODK_Message OPK_Pack_VerifyAndDecryptUsageData_Legacy_Request( + const uint8_t* wrapped, size_t wrapped_length, const uint8_t* signature, + const uint8_t* iv, const uint8_t* out); +void OPK_Unpack_VerifyAndDecryptUsageData_Legacy_Response( + ODK_Message* msg, OEMCryptoResult* result, uint8_t** out); #ifdef __cplusplus } // extern "C" #endif diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_dispatcher.c b/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_dispatcher.c index 09dcd38..8102d89 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_dispatcher.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_dispatcher.c @@ -24,6 +24,7 @@ #include "tos_shared_memory_interface.h" #include "tos_transport_interface.h" #include "wtpi_clock_interface_layer1.h" +#include "wtpi_device_key_interface.h" #include "wtpi_generation_number_interface.h" static ODK_Message CreateEmptyMessage(void) { @@ -759,31 +760,7 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, *response = OPK_Pack_GetSignatureSize_Response(result, signature_length); break; } - case 10032: /* WTPI_ED25519Sign */ - { - size_t message_length; - OPK_Init_size_t((size_t*)&message_length); - size_t* signature_length = (size_t*)OPK_VarAlloc(sizeof(size_t)); - OPK_Init_size_t(signature_length); - WTPI_AsymmetricKey_Handle key; - OPK_Init_WTPI_AsymmetricKey_Handle((WTPI_AsymmetricKey_Handle*)&key); - uint8_t* message; - OPK_InitPointer((uint8_t**)&message); - uint8_t* signature; - OPK_InitPointer((uint8_t**)&signature); - OPK_Unpack_ED25519Sign_Request(request, &key, &message, &message_length, - &signature, &signature_length); - if (!ODK_Message_IsValid(request)) goto handle_invalid_request; - OEMCryptoResult result; - OPK_Init_uint32_t((uint32_t*)&result); - LOGD("ED25519Sign"); - result = WTPI_ED25519Sign(key, message, message_length, signature, - signature_length); - *response = - OPK_Pack_ED25519Sign_Response(result, signature, signature_length); - break; - } - case 10033: /* WTPI_GetBootCertificateChain */ + case 10032: /* WTPI_GetBootCertificateChain */ { size_t* out_length = (size_t*)OPK_VarAlloc(sizeof(size_t)); OPK_Init_size_t(out_length); @@ -799,7 +776,7 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, OPK_Pack_GetBootCertificateChain_Response(result, out, out_length); break; } - case 10034: /* WTPI_GenerateRandomCertificateKeyPair */ + case 10033: /* WTPI_GenerateRandomCertificateKeyPair */ { size_t* wrapped_private_key_length = (size_t*)OPK_VarAlloc(sizeof(size_t)); @@ -827,7 +804,7 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, public_key, public_key_length); break; } - case 10035: /* WTPI_DeviceKeyCoseSign1 */ + case 10034: /* WTPI_DeviceKeyCoseSign1 */ { size_t message_length; OPK_Init_size_t((size_t*)&message_length); @@ -849,7 +826,7 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, signature_length); break; } - case 10036: /* WTPI_Crc32Init */ + case 10035: /* WTPI_Crc32Init */ { uint32_t* initial_hash; OPK_InitPointer((uint8_t**)&initial_hash); @@ -862,7 +839,7 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, *response = OPK_Pack_Crc32Init_Response(result, initial_hash); break; } - case 10037: /* WTPI_Crc32Cont */ + case 10036: /* WTPI_Crc32Cont */ { size_t in_length; OPK_Init_size_t((size_t*)&in_length); @@ -882,7 +859,7 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, *response = OPK_Pack_Crc32Cont_Response(result, new_crc); break; } - case 10038: /* WTPI_Crc32Cont_OutputBuffer */ + case 10037: /* WTPI_Crc32Cont_OutputBuffer */ { size_t in_length; OPK_Init_size_t((size_t*)&in_length); @@ -905,7 +882,7 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, *response = OPK_Pack_Crc32Cont_OutputBuffer_Response(result, new_crc); break; } - case 10039: /* WTPI_GetTrustedTime */ + case 10038: /* WTPI_GetTrustedTime */ { uint64_t* time_in_s; OPK_InitPointer((uint8_t**)&time_in_s); @@ -918,7 +895,7 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, *response = OPK_Pack_GetTrustedTime_Response(result, time_in_s); break; } - case 10040: /* WTPI_InitializeClock */ + case 10039: /* WTPI_InitializeClock */ { OPK_Unpack_InitializeClock_Request(request); if (!ODK_Message_IsValid(request)) goto handle_invalid_request; @@ -929,7 +906,7 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, *response = OPK_Pack_InitializeClock_Response(result); break; } - case 10041: /* WTPI_TerminateClock */ + case 10040: /* WTPI_TerminateClock */ { OPK_Unpack_TerminateClock_Request(request); if (!ODK_Message_IsValid(request)) goto handle_invalid_request; @@ -940,7 +917,7 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, *response = OPK_Pack_TerminateClock_Response(result); break; } - case 10042: /* WTPI_GetClockType */ + case 10041: /* WTPI_GetClockType */ { OPK_Unpack_GetClockType_Request(request); if (!ODK_Message_IsValid(request)) goto handle_invalid_request; @@ -952,6 +929,94 @@ ODK_MessageStatus OPK_DispatchMessage(ODK_Message* request, *response = OPK_Pack_GetClockType_Response(result); break; } + case 10042: /* WTPI_GetEncryptAndSignSize */ + { + uint32_t context; + OPK_Init_uint32_t((uint32_t*)&context); + size_t in_length; + OPK_Init_size_t((size_t*)&in_length); + size_t* wrapped_length; + OPK_InitPointer((uint8_t**)&wrapped_length); + OPK_Unpack_GetEncryptAndSignSize_Request(request, &context, &in_length, + &wrapped_length); + if (!ODK_Message_IsValid(request)) goto handle_invalid_request; + OEMCryptoResult result; + OPK_Init_uint32_t((uint32_t*)&result); + LOGD("GetEncryptAndSignSize"); + result = WTPI_GetEncryptAndSignSize(context, in_length, wrapped_length); + *response = + OPK_Pack_GetEncryptAndSignSize_Response(result, wrapped_length); + break; + } + case 10043: /* WTPI_EncryptAndSign */ + { + size_t data_length; + OPK_Init_size_t((size_t*)&data_length); + size_t* out_length = (size_t*)OPK_VarAlloc(sizeof(size_t)); + OPK_Init_size_t(out_length); + uint32_t context; + OPK_Init_uint32_t((uint32_t*)&context); + uint8_t* data; + OPK_InitPointer((uint8_t**)&data); + uint8_t* out; + OPK_InitPointer((uint8_t**)&out); + OPK_Unpack_EncryptAndSign_Request(request, &context, &data, &data_length, + &out, &out_length); + if (!ODK_Message_IsValid(request)) goto handle_invalid_request; + OEMCryptoResult result; + OPK_Init_uint32_t((uint32_t*)&result); + LOGD("EncryptAndSign"); + result = WTPI_EncryptAndSign(context, data, data_length, out, out_length); + *response = OPK_Pack_EncryptAndSign_Response(result, out, out_length); + break; + } + case 10044: /* WTPI_VerifyAndDecrypt */ + { + size_t wrapped_length; + OPK_Init_size_t((size_t*)&wrapped_length); + size_t* out_length = (size_t*)OPK_VarAlloc(sizeof(size_t)); + OPK_Init_size_t(out_length); + uint32_t context; + OPK_Init_uint32_t((uint32_t*)&context); + uint8_t* wrapped; + OPK_InitPointer((uint8_t**)&wrapped); + uint8_t* out; + OPK_InitPointer((uint8_t**)&out); + OPK_Unpack_VerifyAndDecrypt_Request(request, &context, &wrapped, + &wrapped_length, &out, &out_length); + if (!ODK_Message_IsValid(request)) goto handle_invalid_request; + OEMCryptoResult result; + OPK_Init_uint32_t((uint32_t*)&result); + LOGD("VerifyAndDecrypt"); + result = WTPI_VerifyAndDecrypt(context, wrapped, wrapped_length, out, + out_length); + *response = OPK_Pack_VerifyAndDecrypt_Response(result, out, out_length); + break; + } + case 10045: /* WTPI_VerifyAndDecryptUsageData_Legacy */ + { + size_t wrapped_length; + OPK_Init_size_t((size_t*)&wrapped_length); + uint8_t* wrapped; + OPK_InitPointer((uint8_t**)&wrapped); + uint8_t* signature = (uint8_t*)OPK_VarAlloc(sizeof(uint8_t)); + OPK_Init_uint8_t((uint8_t*)signature); + uint8_t iv[16]; + OPK_InitMemory(&iv[0], 16); + uint8_t* out; + OPK_InitPointer((uint8_t**)&out); + OPK_Unpack_VerifyAndDecryptUsageData_Legacy_Request( + request, &wrapped, &wrapped_length, &signature, &iv[0], &out); + if (!ODK_Message_IsValid(request)) goto handle_invalid_request; + OEMCryptoResult result; + OPK_Init_uint32_t((uint32_t*)&result); + LOGD("VerifyAndDecryptUsageData_Legacy"); + result = WTPI_VerifyAndDecryptUsageData_Legacy(wrapped, wrapped_length, + signature, iv, out); + *response = + OPK_Pack_VerifyAndDecryptUsageData_Legacy_Response(result, out); + break; + } default: return MESSAGE_STATUS_API_VALUE_ERROR; } diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_tee_serializer.c b/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_tee_serializer.c index e2b60ed..5019d6a 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_tee_serializer.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_tee_serializer.c @@ -906,49 +906,11 @@ ODK_Message OPK_Pack_GetSignatureSize_Response(OEMCryptoResult result, return msg; } -void OPK_Unpack_ED25519Sign_Request(ODK_Message* msg, - WTPI_AsymmetricKey_Handle* key, - uint8_t** message, size_t* message_length, - uint8_t** signature, - size_t** signature_length) { - uint32_t api_value = UINT32_MAX; - OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10032) - ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); - uint64_t timestamp; - OPK_Unpack_uint64_t(msg, ×tamp); - OPK_Unpack_size_t(msg, message_length); - OPK_UnpackNullable_size_t(msg, signature_length); - OPK_Unpack_WTPI_AsymmetricKey_Handle(msg, key); - OPK_UnpackInPlace(msg, (uint8_t**)message, OPK_FromSizeTPtr(message_length)); - *signature = (uint8_t*)OPK_UnpackAllocBuffer( - msg, OPK_FromSizeTPtrPtr(signature_length), sizeof(uint8_t)); - OPK_UnpackEOM(msg); - OPK_SharedBuffer_FinalizeUnpacking(); -} - -ODK_Message OPK_Pack_ED25519Sign_Response(OEMCryptoResult result, - const uint8_t* signature, - const size_t* signature_length) { - uint32_t api_value = 10032; /* from _tee10032 */ - ODK_Message msg = TOS_Transport_GetResponse(); - OPK_Pack_uint32_t(&msg, &api_value); - OPK_PackNullable_size_t(&msg, signature_length); - OPK_Pack_uint32_t(&msg, &result); - if (SuccessResult(result)) { - OPK_PackMemory(&msg, (const uint8_t*)signature, - OPK_FromSizeTPtr(signature_length)); - } - OPK_PackEOM(&msg); - OPK_SharedBuffer_FinalizePacking(); - return msg; -} - void OPK_Unpack_GetBootCertificateChain_Request(ODK_Message* msg, uint8_t** out, size_t** out_length) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10033) + if (api_value != 10032) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); uint64_t timestamp; OPK_Unpack_uint64_t(msg, ×tamp); @@ -961,7 +923,7 @@ void OPK_Unpack_GetBootCertificateChain_Request(ODK_Message* msg, uint8_t** out, ODK_Message OPK_Pack_GetBootCertificateChain_Response( OEMCryptoResult result, const uint8_t* out, const size_t* out_length) { - uint32_t api_value = 10033; /* from _tee10033 */ + uint32_t api_value = 10032; /* from _tee10032 */ ODK_Message msg = TOS_Transport_GetResponse(); OPK_Pack_uint32_t(&msg, &api_value); OPK_PackNullable_size_t(&msg, out_length); @@ -980,7 +942,7 @@ void OPK_Unpack_GenerateRandomCertificateKeyPair_Request( uint8_t** public_key, size_t** public_key_length) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10034) + if (api_value != 10033) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); uint64_t timestamp; OPK_Unpack_uint64_t(msg, ×tamp); @@ -1001,7 +963,7 @@ ODK_Message OPK_Pack_GenerateRandomCertificateKeyPair_Response( const uint8_t* wrapped_private_key, const size_t* wrapped_private_key_length, const uint8_t* public_key, const size_t* public_key_length) { - uint32_t api_value = 10034; /* from _tee10034 */ + uint32_t api_value = 10033; /* from _tee10033 */ ODK_Message msg = TOS_Transport_GetResponse(); OPK_Pack_uint32_t(&msg, &api_value); OPK_PackNullable_size_t(&msg, wrapped_private_key_length); @@ -1027,7 +989,7 @@ void OPK_Unpack_DeviceKeyCoseSign1_Request(ODK_Message* msg, uint8_t** message, size_t** signature_length) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10035) + if (api_value != 10034) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); uint64_t timestamp; OPK_Unpack_uint64_t(msg, ×tamp); @@ -1043,7 +1005,7 @@ void OPK_Unpack_DeviceKeyCoseSign1_Request(ODK_Message* msg, uint8_t** message, ODK_Message OPK_Pack_DeviceKeyCoseSign1_Response( OEMCryptoResult result, const uint8_t* signature, const size_t* signature_length) { - uint32_t api_value = 10035; /* from _tee10035 */ + uint32_t api_value = 10034; /* from _tee10034 */ ODK_Message msg = TOS_Transport_GetResponse(); OPK_Pack_uint32_t(&msg, &api_value); OPK_PackNullable_size_t(&msg, signature_length); @@ -1060,7 +1022,7 @@ ODK_Message OPK_Pack_DeviceKeyCoseSign1_Response( void OPK_Unpack_Crc32Init_Request(ODK_Message* msg, uint32_t** initial_hash) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10036) + if (api_value != 10035) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); uint64_t timestamp; OPK_Unpack_uint64_t(msg, ×tamp); @@ -1071,7 +1033,7 @@ void OPK_Unpack_Crc32Init_Request(ODK_Message* msg, uint32_t** initial_hash) { ODK_Message OPK_Pack_Crc32Init_Response(OEMCryptoResult result, const uint32_t* initial_hash) { - uint32_t api_value = 10036; /* from _tee10036 */ + uint32_t api_value = 10035; /* from _tee10035 */ ODK_Message msg = TOS_Transport_GetResponse(); OPK_Pack_uint32_t(&msg, &api_value); OPK_Pack_uint32_t(&msg, &result); @@ -1086,7 +1048,7 @@ void OPK_Unpack_Crc32Cont_Request(ODK_Message* msg, uint8_t** in, uint32_t** new_crc) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10037) + if (api_value != 10036) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); uint64_t timestamp; OPK_Unpack_uint64_t(msg, ×tamp); @@ -1100,7 +1062,7 @@ void OPK_Unpack_Crc32Cont_Request(ODK_Message* msg, uint8_t** in, ODK_Message OPK_Pack_Crc32Cont_Response(OEMCryptoResult result, const uint32_t* new_crc) { - uint32_t api_value = 10037; /* from _tee10037 */ + uint32_t api_value = 10036; /* from _tee10036 */ ODK_Message msg = TOS_Transport_GetResponse(); OPK_Pack_uint32_t(&msg, &api_value); OPK_Pack_uint32_t(&msg, &result); @@ -1115,7 +1077,7 @@ void OPK_Unpack_Crc32Cont_OutputBuffer_Request( size_t* in_length, uint32_t* prev_crc, uint32_t** new_crc) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10038) + if (api_value != 10037) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); uint64_t timestamp; OPK_Unpack_uint64_t(msg, ×tamp); @@ -1155,7 +1117,7 @@ void OPK_Unpack_Crc32Cont_OutputBuffer_Request( ODK_Message OPK_Pack_Crc32Cont_OutputBuffer_Response(OEMCryptoResult result, const uint32_t* new_crc) { - uint32_t api_value = 10038; /* from _tee10038 */ + uint32_t api_value = 10037; /* from _tee10037 */ ODK_Message msg = TOS_Transport_GetResponse(); OPK_Pack_uint32_t(&msg, &api_value); OPK_Pack_uint32_t(&msg, &result); @@ -1168,7 +1130,7 @@ ODK_Message OPK_Pack_Crc32Cont_OutputBuffer_Response(OEMCryptoResult result, void OPK_Unpack_GetTrustedTime_Request(ODK_Message* msg, uint64_t** time_in_s) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10039) + if (api_value != 10038) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); uint64_t timestamp; OPK_Unpack_uint64_t(msg, ×tamp); @@ -1179,7 +1141,7 @@ void OPK_Unpack_GetTrustedTime_Request(ODK_Message* msg, uint64_t** time_in_s) { ODK_Message OPK_Pack_GetTrustedTime_Response(OEMCryptoResult result, const uint64_t* time_in_s) { - uint32_t api_value = 10039; /* from _tee10039 */ + uint32_t api_value = 10038; /* from _tee10038 */ ODK_Message msg = TOS_Transport_GetResponse(); OPK_Pack_uint32_t(&msg, &api_value); OPK_Pack_uint32_t(&msg, &result); @@ -1192,7 +1154,7 @@ ODK_Message OPK_Pack_GetTrustedTime_Response(OEMCryptoResult result, void OPK_Unpack_InitializeClock_Request(ODK_Message* msg) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10040) + if (api_value != 10039) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); uint64_t timestamp; OPK_Unpack_uint64_t(msg, ×tamp); @@ -1201,7 +1163,7 @@ void OPK_Unpack_InitializeClock_Request(ODK_Message* msg) { } ODK_Message OPK_Pack_InitializeClock_Response(OEMCryptoResult result) { - uint32_t api_value = 10040; /* from _tee10040 */ + uint32_t api_value = 10039; /* from _tee10039 */ ODK_Message msg = TOS_Transport_GetResponse(); OPK_Pack_uint32_t(&msg, &api_value); OPK_Pack_uint32_t(&msg, &result); @@ -1213,7 +1175,7 @@ ODK_Message OPK_Pack_InitializeClock_Response(OEMCryptoResult result) { void OPK_Unpack_TerminateClock_Request(ODK_Message* msg) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10041) + if (api_value != 10040) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); uint64_t timestamp; OPK_Unpack_uint64_t(msg, ×tamp); @@ -1222,7 +1184,7 @@ void OPK_Unpack_TerminateClock_Request(ODK_Message* msg) { } ODK_Message OPK_Pack_TerminateClock_Response(OEMCryptoResult result) { - uint32_t api_value = 10041; /* from _tee10041 */ + uint32_t api_value = 10040; /* from _tee10040 */ ODK_Message msg = TOS_Transport_GetResponse(); OPK_Pack_uint32_t(&msg, &api_value); OPK_Pack_uint32_t(&msg, &result); @@ -1234,7 +1196,7 @@ ODK_Message OPK_Pack_TerminateClock_Response(OEMCryptoResult result) { void OPK_Unpack_GetClockType_Request(ODK_Message* msg) { uint32_t api_value = UINT32_MAX; OPK_Unpack_uint32_t(msg, &api_value); - if (api_value != 10042) + if (api_value != 10041) ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); uint64_t timestamp; OPK_Unpack_uint64_t(msg, ×tamp); @@ -1244,7 +1206,7 @@ void OPK_Unpack_GetClockType_Request(ODK_Message* msg) { ODK_Message OPK_Pack_GetClockType_Response( OEMCrypto_Clock_Security_Level result) { - uint32_t api_value = 10042; /* from _tee10042 */ + uint32_t api_value = 10041; /* from _tee10041 */ ODK_Message msg = TOS_Transport_GetResponse(); OPK_Pack_uint32_t(&msg, &api_value); OPK_Pack_OEMCrypto_Clock_Security_Level(&msg, &result); @@ -1252,3 +1214,133 @@ ODK_Message OPK_Pack_GetClockType_Response( OPK_SharedBuffer_FinalizePacking(); return msg; } + +void OPK_Unpack_GetEncryptAndSignSize_Request(ODK_Message* msg, + uint32_t* context, + size_t* in_length, + size_t** wrapped_length) { + uint32_t api_value = UINT32_MAX; + OPK_Unpack_uint32_t(msg, &api_value); + if (api_value != 10042) + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); + uint64_t timestamp; + OPK_Unpack_uint64_t(msg, ×tamp); + OPK_Unpack_uint32_t(msg, context); + OPK_Unpack_size_t(msg, in_length); + *wrapped_length = (size_t*)OPK_UnpackAlloc(msg, sizeof(size_t)); + OPK_UnpackEOM(msg); + OPK_SharedBuffer_FinalizeUnpacking(); +} + +ODK_Message OPK_Pack_GetEncryptAndSignSize_Response( + OEMCryptoResult result, const size_t* wrapped_length) { + uint32_t api_value = 10042; /* from _tee10042 */ + ODK_Message msg = TOS_Transport_GetResponse(); + OPK_Pack_uint32_t(&msg, &api_value); + OPK_Pack_uint32_t(&msg, &result); + OPK_PackNullable_size_t(&msg, wrapped_length); + OPK_PackEOM(&msg); + OPK_SharedBuffer_FinalizePacking(); + return msg; +} + +void OPK_Unpack_EncryptAndSign_Request(ODK_Message* msg, uint32_t* context, + uint8_t** data, size_t* data_length, + uint8_t** out, size_t** out_length) { + uint32_t api_value = UINT32_MAX; + OPK_Unpack_uint32_t(msg, &api_value); + if (api_value != 10043) + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); + uint64_t timestamp; + OPK_Unpack_uint64_t(msg, ×tamp); + OPK_Unpack_size_t(msg, data_length); + OPK_UnpackNullable_size_t(msg, out_length); + OPK_Unpack_uint32_t(msg, context); + OPK_UnpackInPlace(msg, (uint8_t**)data, OPK_FromSizeTPtr(data_length)); + *out = (uint8_t*)OPK_UnpackAllocBuffer(msg, OPK_FromSizeTPtrPtr(out_length), + sizeof(uint8_t)); + OPK_UnpackEOM(msg); + OPK_SharedBuffer_FinalizeUnpacking(); +} + +ODK_Message OPK_Pack_EncryptAndSign_Response(OEMCryptoResult result, + const uint8_t* out, + const size_t* out_length) { + uint32_t api_value = 10043; /* from _tee10043 */ + ODK_Message msg = TOS_Transport_GetResponse(); + OPK_Pack_uint32_t(&msg, &api_value); + OPK_PackNullable_size_t(&msg, out_length); + OPK_Pack_uint32_t(&msg, &result); + if (SuccessResult(result)) { + OPK_PackMemory(&msg, (const uint8_t*)out, OPK_FromSizeTPtr(out_length)); + } + OPK_PackEOM(&msg); + OPK_SharedBuffer_FinalizePacking(); + return msg; +} + +void OPK_Unpack_VerifyAndDecrypt_Request(ODK_Message* msg, uint32_t* context, + uint8_t** wrapped, + size_t* wrapped_length, uint8_t** out, + size_t** out_length) { + uint32_t api_value = UINT32_MAX; + OPK_Unpack_uint32_t(msg, &api_value); + if (api_value != 10044) + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); + uint64_t timestamp; + OPK_Unpack_uint64_t(msg, ×tamp); + OPK_Unpack_size_t(msg, wrapped_length); + OPK_UnpackNullable_size_t(msg, out_length); + OPK_Unpack_uint32_t(msg, context); + OPK_UnpackInPlace(msg, (uint8_t**)wrapped, OPK_FromSizeTPtr(wrapped_length)); + *out = (uint8_t*)OPK_UnpackAllocBuffer(msg, OPK_FromSizeTPtrPtr(out_length), + sizeof(uint8_t)); + OPK_UnpackEOM(msg); + OPK_SharedBuffer_FinalizeUnpacking(); +} + +ODK_Message OPK_Pack_VerifyAndDecrypt_Response(OEMCryptoResult result, + const uint8_t* out, + const size_t* out_length) { + uint32_t api_value = 10044; /* from _tee10044 */ + ODK_Message msg = TOS_Transport_GetResponse(); + OPK_Pack_uint32_t(&msg, &api_value); + OPK_PackNullable_size_t(&msg, out_length); + OPK_Pack_uint32_t(&msg, &result); + if (SuccessResult(result)) { + OPK_PackMemory(&msg, (const uint8_t*)out, OPK_FromSizeTPtr(out_length)); + } + OPK_PackEOM(&msg); + OPK_SharedBuffer_FinalizePacking(); + return msg; +} + +void OPK_Unpack_VerifyAndDecryptUsageData_Legacy_Request( + ODK_Message* msg, uint8_t** wrapped, size_t* wrapped_length, + uint8_t** signature, uint8_t* iv, uint8_t** out) { + uint32_t api_value = UINT32_MAX; + OPK_Unpack_uint32_t(msg, &api_value); + if (api_value != 10045) + ODK_MESSAGE_SETSTATUS(msg, MESSAGE_STATUS_API_VALUE_ERROR); + uint64_t timestamp; + OPK_Unpack_uint64_t(msg, ×tamp); + OPK_Unpack_size_t(msg, wrapped_length); + OPK_UnpackInPlace(msg, (uint8_t**)wrapped, OPK_FromSizeTPtr(wrapped_length)); + OPK_UnpackNullable_uint8_t(msg, signature); + OPK_UnpackArray(msg, &iv[0], 16); + *out = (uint8_t*)OPK_UnpackAlloc(msg, sizeof(uint8_t)); + OPK_UnpackEOM(msg); + OPK_SharedBuffer_FinalizeUnpacking(); +} + +ODK_Message OPK_Pack_VerifyAndDecryptUsageData_Legacy_Response( + OEMCryptoResult result, const uint8_t* out) { + uint32_t api_value = 10045; /* from _tee10045 */ + ODK_Message msg = TOS_Transport_GetResponse(); + OPK_Pack_uint32_t(&msg, &api_value); + OPK_Pack_uint32_t(&msg, &result); + OPK_PackNullable_uint8_t(&msg, out); + OPK_PackEOM(&msg); + OPK_SharedBuffer_FinalizePacking(); + return msg; +} diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_tee_serializer.h b/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_tee_serializer.h index b159a8d..065215a 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_tee_serializer.h +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee/GEN_tee_serializer.h @@ -175,14 +175,6 @@ void OPK_Unpack_GetSignatureSize_Request(ODK_Message* msg, size_t** signature_length); ODK_Message OPK_Pack_GetSignatureSize_Response(OEMCryptoResult result, const size_t* signature_length); -void OPK_Unpack_ED25519Sign_Request(ODK_Message* msg, - WTPI_AsymmetricKey_Handle* key, - uint8_t** message, size_t* message_length, - uint8_t** signature, - size_t** signature_length); -ODK_Message OPK_Pack_ED25519Sign_Response(OEMCryptoResult result, - const uint8_t* signature, - const size_t* signature_length); void OPK_Unpack_GetBootCertificateChain_Request(ODK_Message* msg, uint8_t** out, size_t** out_length); ODK_Message OPK_Pack_GetBootCertificateChain_Response(OEMCryptoResult result, @@ -227,6 +219,30 @@ ODK_Message OPK_Pack_TerminateClock_Response(OEMCryptoResult result); void OPK_Unpack_GetClockType_Request(ODK_Message* msg); ODK_Message OPK_Pack_GetClockType_Response( OEMCrypto_Clock_Security_Level result); +void OPK_Unpack_GetEncryptAndSignSize_Request(ODK_Message* msg, + uint32_t* context, + size_t* in_length, + size_t** wrapped_length); +ODK_Message OPK_Pack_GetEncryptAndSignSize_Response( + OEMCryptoResult result, const size_t* wrapped_length); +void OPK_Unpack_EncryptAndSign_Request(ODK_Message* msg, uint32_t* context, + uint8_t** data, size_t* data_length, + uint8_t** out, size_t** out_length); +ODK_Message OPK_Pack_EncryptAndSign_Response(OEMCryptoResult result, + const uint8_t* out, + const size_t* out_length); +void OPK_Unpack_VerifyAndDecrypt_Request(ODK_Message* msg, uint32_t* context, + uint8_t** wrapped, + size_t* wrapped_length, uint8_t** out, + size_t** out_length); +ODK_Message OPK_Pack_VerifyAndDecrypt_Response(OEMCryptoResult result, + const uint8_t* out, + const size_t* out_length); +void OPK_Unpack_VerifyAndDecryptUsageData_Legacy_Request( + ODK_Message* msg, uint8_t** wrapped, size_t* wrapped_length, + uint8_t** signature, uint8_t* iv, uint8_t** out); +ODK_Message OPK_Pack_VerifyAndDecryptUsageData_Legacy_Response( + OEMCryptoResult result, const uint8_t* out); #ifdef __cplusplus } // extern "C" #endif diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_useless/README.md b/oemcrypto/opk/oemcrypto_ta/wtpi_useless/README.md index 44d31bf..fbb1413 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_useless/README.md +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_useless/README.md @@ -1,4 +1,5 @@ The files in this directory implement some of the WTPI functions required by -the OEMCrypto TA. These implementations will pass unit tests, but they are not +the OEMCrypto TA. These implementations will pass most of the unit tests +except for reboot tests and provisioning 4.0 tests, but they are not useful for production. To emphasize this, we have named this directory "useless". Partners should NOT include this code for production builds. diff --git a/oemcrypto/opk/oemcrypto_ta/wtpi_useless/wtpi_device_key_access.c b/oemcrypto/opk/oemcrypto_ta/wtpi_useless/wtpi_device_key_access.c index 94e2815..8dbc6f8 100644 --- a/oemcrypto/opk/oemcrypto_ta/wtpi_useless/wtpi_device_key_access.c +++ b/oemcrypto/opk/oemcrypto_ta/wtpi_useless/wtpi_device_key_access.c @@ -10,8 +10,9 @@ #include "wtpi_crypto_and_key_management_interface_layer1.h" /* This implementation generates a new device key on reboot. This is good enough - * to pass the unit tests but won't work for an actual device, since the device - * key needs to be constant across reboots. You should replace this file with an + * to pass most of the unit tests except for reboot tests and provisioning 4.0 + * tests. But it won't work for an actual device, since the device key needs to + * be constant across reboots. You should replace this file with an * implementation that accesses a real device-unique secret on your device, * preferably a key derived from your device's actual device-unique key. */ diff --git a/oemcrypto/opk/ports/optee/Makefile b/oemcrypto/opk/ports/optee/Makefile new file mode 100644 index 0000000..7285563 --- /dev/null +++ b/oemcrypto/opk/ports/optee/Makefile @@ -0,0 +1,114 @@ +# +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +# source code may only be used and distributed under the Widevine +# License Agreement. +# +ifndef OPTEE_DIR + $(error OPTEE_DIR is undefined) +endif + +# $CDM_DIR must be defined as the path to the top level of the OPK release +ifndef CDM_DIR + $(error CDM_DIR is undefined) +endif + +.EXPORT_ALL_VARIABLES: + +# Set platform-specific toolchain flags for OP-TEE +# +# Run make with the OPTEE_PLATFORM variable set to one of the following values: +# qemu (QEMU v7) +# stm32mp1 (STM32MP157 DK1 eval kit) +# nxpimx8m (NXP iMX8M eval kit) +# +# Note that each platform requires a separate OPTEE repo setup. One OP-TEE repo +# cannot work for all platforms. + +# Default is QEMU +OPTEE_PLATFORM ?= qemu +CFG_TEE_TA_MALLOC_DEBUG:=y + +# Default toolchain dir from the optee repositories +OPTEE_TOOLCHAIN_DIR ?= $(OPTEE_DIR)/toolchains + +ifeq ($(OPTEE_PLATFORM),qemu) +PLATFORM ?= vexpress-qemu_virt +ARCH := 32 +TEEC_EXPORT ?= $(OPTEE_DIR)/out-br/build/optee_client_ext-1.0/libteec +OPTEE_TOOLCHAIN := $(OPTEE_TOOLCHAIN_DIR)/aarch32 +TA_DEV_KIT_DIR := $(OPTEE_DIR)/optee_os/out/arm/export-ta_arm32 +CROSS_COMPILE := arm-linux-gnueabihf- +WTPI_BUILD_INFO := OPTEE_QEMU +CPPFLAGS := \ + -I$(OPTEE_TOOLCHAIN)/arm-none-linux-gnueabihf/libc/usr/include \ + +else ifeq ($(OPTEE_PLATFORM),stm32mp1) +PLATFORM ?= stm32mp1-157A-DK1 +ARCH := 32 +TEEC_EXPORT ?= $(OPTEE_DIR)/out-br/build/optee_client_ext-1.0/libteec +OPTEE_TOOLCHAIN := $(OPTEE_TOOLCHAIN_DIR)/aarch32 +TA_DEV_KIT_DIR := $(OPTEE_DIR)/optee_os/out/arm/export-ta_arm32 +CROSS_COMPILE := arm-linux-gnueabihf- +WTPI_BUILD_INFO := OPTEE_STM32MP1 +CPPFLAGS := \ + -I$(OPTEE_TOOLCHAIN)/arm-none-linux-gnueabihf/libc/usr/include \ + +else ifeq ($(OPTEE_PLATFORM),nxpimx8m) +PLATFORM ?= imx-mx8mqevk +ARCH := 64 +TEEC_EXPORT ?= $(OPTEE_DIR)/out-br/build/optee_client_ext-1.0/libteec +OPTEE_TOOLCHAIN := $(OPTEE_TOOLCHAIN_DIR)/aarch64 +TA_DEV_KIT_DIR := $(OPTEE_DIR)/optee_os/out/arm/export-ta_arm64 +CROSS_COMPILE := aarch64-linux-gnu- +WTPI_BUILD_INFO := OPTEE_IMX8 +CPPFLAGS := \ + -I$(OPTEE_TOOLCHAIN)/aarch64-none-linux-gnu/libc/usr/include \ + +else +$(error Unknown OPTEE_PLATFORM "$(OPTEE_PLATFORM)" Check makefile for possible options.) +endif + +PATH := $(OPTEE_TOOLCHAIN)/bin:$(PATH) + +.PHONY: all +all: host ta + +.PHONY: ta +ta: oemcrypto_ta wtpi_ta + +.PHONY: host +host: oemcrypto_helloworld oemcrypto_unittests wtpi_unittests + +.PHONY: oemcrypto_ta +oemcrypto_ta: + +$(MAKE) -C ta/oemcrypto_ta + +.PHONY: wtpi_ta +wtpi_ta: + +$(MAKE) -C ta/wtpi_test_ta + +.PHONY: liboemcrypto +liboemcrypto: + +$(MAKE) -C host/liboemcrypto + +.PHONY: oemcrypto_helloworld +oemcrypto_helloworld: liboemcrypto + +$(MAKE) -C host/oemcrypto_helloworld + +.PHONY: oemcrypto_unittests +oemcrypto_unittests: liboemcrypto + +$(MAKE) -C host/oemcrypto_unittests + +.PHONY: wtpi_unittests +wtpi_unittests: + +$(MAKE) -C host/wtpi_unittests + +.PHONY: clean +clean: + +$(MAKE) -C ta/oemcrypto_ta clean + +$(MAKE) -C ta/wtpi_test_ta clean + +$(MAKE) -C host/liboemcrypto clean + +$(MAKE) -C host/oemcrypto_helloworld clean + +$(MAKE) -C host/oemcrypto_unittests clean + +$(MAKE) -C host/wtpi_unittests clean + diff --git a/oemcrypto/opk/ports/optee/README.md b/oemcrypto/opk/ports/optee/README.md index 293a067..064b3ba 100644 --- a/oemcrypto/opk/ports/optee/README.md +++ b/oemcrypto/opk/ports/optee/README.md @@ -23,23 +23,18 @@ This is a port of the OEMCrypto Trusted App for OP-TEE using the OPK. $ python ./src/util/generate_build_files.py gyp ``` 2. From the top level of this repo (CDM), run `make -j32 -C - ./oemcrypto/opk/build -f Makefile.optee` + ./oemcrypto/opk/ports/optee host ta` The resulting artifacts will run on QEMU, but due to performance constraints not all tests will pass there. For best results the executables should be built for -NXP and run on the iMX8 dev kit (see Makefile.optee for the variables that -specify the NXP target). Currently the following tests are expected to fail, -with fixes expected in future updates: +NXP and run on the iMX8 dev kit (see Makefile for the variables that specify the +NXP target). Currently the following tests are expected to fail, with fixes +expected in future updates: WTPI unit tests that do not pass -- CryptoTest.ED25519SignSuccess -- CryptoTest.ECCKeyExchange - CryptoTest.GenerateRandomCertificateKeyPairSuccess - CryptoTest.WTPI_DeviceKeyCoseSign1Success -OEMCrypto unit tests that do not pass -- OEMCryptoLoadsCertificate.TestMaxDRMKeys - ### Background In general, an end-to-end system consists of the following components on @@ -159,7 +154,7 @@ make QEMU_VIRTFS_ENABLE=y run-only # Use this subsequently # Build the OP-TEE port. This includes the OEMCrypto TA and host apps, as well # as the WTPI test TA and host app. cd $CDM_DIR -make -j32 -C ./oemcrypto/opk/build -f Makefile.optee +make -j32 -C ./oemcrypto/opk/ports/optee host ta # Push the build artifacts to to $OPTEE_DIR, which is the virtfs directory for QEMU cd oemcrypto/opk/ports/optee @@ -176,5 +171,5 @@ cd /mnt/host/oemcrypto/test ./wtpi_unittests # run OEMCrypto unit tests -./oemcrypto_unittest +./oemcrypto_unittests ``` diff --git a/oemcrypto/opk/ports/optee/build/helloworld.gyp b/oemcrypto/opk/ports/optee/build/helloworld.gyp deleted file mode 100644 index 0fb33e0..0000000 --- a/oemcrypto/opk/ports/optee/build/helloworld.gyp +++ /dev/null @@ -1,27 +0,0 @@ -# This target is in its own file since it depends on the liboemcrypto host.gyp file. -# Since other targets in this directory's host.gyp file depend on the liboemcrypto host.gyp, -# we need to move this out to avoid circular dependency errors -{ - 'includes' : [ - '../../../serialization/settings.gypi', - ], - 'variables': { - 'optee_port_dir': '<(oemcrypto_dir)/opk/ports/optee', - }, - 'targets' : [ - { - 'target_name' : 'oemcrypto_helloworld', - 'toolsets' : [ 'target' ], - 'type' : 'executable', - 'sources' : [ - '<(optee_port_dir)/host/oemcrypto_helloworld/main.c', - ], - 'include_dirs' : [ - '<(optee_port_dir)/ta/wtpi_test_ta/include', - ], - 'dependencies': [ - '<(oemcrypto_dir)/opk/build/host.gyp:liboemcrypto', - ], - }, - ], -} diff --git a/oemcrypto/opk/ports/optee/build/host.gyp b/oemcrypto/opk/ports/optee/build/host.gyp deleted file mode 100644 index 690db7e..0000000 --- a/oemcrypto/opk/ports/optee/build/host.gyp +++ /dev/null @@ -1,48 +0,0 @@ -{ - 'includes' : [ - '../../../serialization/settings.gypi', - ], - 'variables': { - 'optee_port_dir': '<(oemcrypto_dir)/opk/ports/optee', - 'tos_src_dir': '<(optee_port_dir)/host/common/tos', - 'optee_repo_dir': '$(OPTEE_DIR)', - }, - 'targets' : [ - { - # Transport layer implementation, REE side, for OEMCrypto TA - 'target_name' : 'ree_tos', - 'toolsets' : [ 'target' ], - 'type' : 'static_library', - 'standalone_static_library' : 1, - 'sources' : [ - '<(tos_src_dir)/load_library.c', - '<(tos_src_dir)/optee_ree_tos.c', - '<(tos_src_dir)/optee_secure_buffers.c', - '<(tos_src_dir)/optee_tos_log.c', - ], - 'include_dirs' : [ - '<(optee_port_dir)/ta/oemcrypto_ta/include', - '<(optee_repo_dir)/optee_client/public', - ] - }, - { - # Transport layer implementation, REE side. For WTPI unit tests. - # This differs from the `ree_tos` target in two ways. - # 1. No `load_library.c`, since OPK_Init is called from the unit tests - # 2. Including headers from wtpi_test_ta directory, so we target a different TA UUID - 'target_name' : 'ree_tos_wtpi', - 'toolsets' : [ 'target' ], - 'type' : 'static_library', - 'standalone_static_library' : 1, - 'sources' : [ - '<(tos_src_dir)/optee_ree_tos.c', - '<(tos_src_dir)/optee_secure_buffers.c', - '<(tos_src_dir)/optee_tos_log.c', - ], - 'include_dirs' : [ - '<(optee_port_dir)/ta/wtpi_test_ta/include', - '<(optee_repo_dir)/optee_client/public', - ] - }, - ], -} diff --git a/oemcrypto/opk/ports/optee/build/ta.gyp b/oemcrypto/opk/ports/optee/build/ta.gyp deleted file mode 100644 index bfbf6a8..0000000 --- a/oemcrypto/opk/ports/optee/build/ta.gyp +++ /dev/null @@ -1,70 +0,0 @@ -{ - 'includes' : [ - '../../../serialization/settings.gypi', - ], - 'variables': { - 'optee_port_dir': '<(DEPTH)/oemcrypto/opk/ports/optee', - 'common': '<(optee_port_dir)/ta/common', - 'wtpi_impl': '<(optee_port_dir)/ta/common/wtpi_impl', - 'wtpi_ref': '<(oemcrypto_ta_dir)/wtpi_reference', - 'wtpi_stub': '<(DEPTH)/oemcrypto/opk/oemcrypto_ta/wtpi_useless', - 'optee_dir': '$(OPTEE_DIR)', - }, - 'targets' : [ - { - # WTPI implementation, packed into a shared library - 'target_name' : 'wtpi_impl', - 'toolsets' : [ 'target' ], - 'type' : 'static_library', - 'standalone_static_library' : 1, - 'sources' : [ - '<(common)/ta_log.c', - '<(common)/der_parse.c', - '<(optee_port_dir)/host/common/tos/optee_secure_buffers.c', - '<(wtpi_impl)/wtpi_abort.c', - '<(wtpi_impl)/wtpi_clock_layer2.c', - '<(wtpi_impl)/wtpi_config.c', - '<(wtpi_impl)/wtpi_crypto_and_key_management_layer1.c', - '<(wtpi_impl)/wtpi_crypto_asymmetric.c', - '<(wtpi_impl)/wtpi_decrypt_sample.c', - '<(wtpi_impl)/wtpi_initialize_terminate_interface.c', - '<(wtpi_impl)/wtpi_logging.c', - '<(wtpi_impl)/wtpi_persistent_storage_layer2.c', - '<(wtpi_stub)/wtpi_root_of_trust_layer2.c', - '<(wtpi_stub)/wtpi_secure_buffer_access.c', - '<(wtpi_ref)/renewal_util.c', - '<(wtpi_ref)/wtpi_clock_and_gn_layer1.c', - '<(wtpi_ref)/wtpi_crc32.c', - '<(wtpi_ref)/wtpi_crypto_wrap_asymmetric.c', - '<(wtpi_ref)/wtpi_device_key.c', - '<(wtpi_ref)/wtpi_idle.c', - '<(wtpi_ref)/wtpi_device_renewal_layer1.c', - '<(wtpi_ref)/wtpi_device_renewal_layer2.c', - '<(wtpi_ref)/wtpi_root_of_trust_layer1.c', - ], - 'defines': [ - # Needed for to work. - '_DEFAULT_SOURCE', - '__USE_MISC', - ], - 'include_dirs': [ - '<(wtpi_impl)', - '<(wtpi_ref)', - '<(DEPTH)/oemcrypto/include', - '<(DEPTH)/oemcrypto/odk/include', - '<(DEPTH)/oemcrypto/odk/src', - '<(DEPTH)/oemcrypto/opk/serialization/common/include', - '<(DEPTH)/oemcrypto/opk/serialization/os_interfaces', - '<(oemcrypto_ta_dir)', - '<(oemcrypto_ta_dir)/wtpi', - '<(common)', - '<(optee_dir)/optee_os/out/arm/export-ta_arm32/include', - '<(optee_dir)/optee_os/out/arm/export-ta_arm32/include/mbedtls', - ], - 'ldflags': [ - '-L<(optee_dir)/optee_os/out/arm/export-ta_arm32/lib', - '-lmbedtls', - ], - }, - ], -} diff --git a/oemcrypto/opk/ports/optee/host/common/tos/ree_tos.target.mk b/oemcrypto/opk/ports/optee/host/common/tos/ree_tos.target.mk deleted file mode 100644 index 98a6a5a..0000000 --- a/oemcrypto/opk/ports/optee/host/common/tos/ree_tos.target.mk +++ /dev/null @@ -1,162 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := ree_tos -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/include \ - -I$(OPTEE_DIR)/optee_client/public - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/include \ - -I$(OPTEE_DIR)/optee_client/public - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/host/common/tos/load_library.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/host/common/tos/optee_ree_tos.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/host/common/tos/optee_secure_buffers.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/host/common/tos/optee_tos_log.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/ports/optee/build/libree_tos.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/ports/optee/build/libree_tos.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/ports/optee/build/libree_tos.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/ports/optee/build/libree_tos.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/ports/optee/build/libree_tos.a -# Add target alias -.PHONY: ree_tos -ree_tos: $(obj).target/oemcrypto/opk/ports/optee/build/libree_tos.a - -# Add target alias to "all" target. -.PHONY: all -all: ree_tos - -# Add target alias -.PHONY: ree_tos -ree_tos: $(builddir)/libree_tos.a - -# Copy this to the static library output path. -$(builddir)/libree_tos.a: TOOLSET := $(TOOLSET) -$(builddir)/libree_tos.a: $(obj).target/oemcrypto/opk/ports/optee/build/libree_tos.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/libree_tos.a -# Short alias for building this static library. -.PHONY: libree_tos.a -libree_tos.a: $(obj).target/oemcrypto/opk/ports/optee/build/libree_tos.a $(builddir)/libree_tos.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/libree_tos.a - diff --git a/oemcrypto/opk/ports/optee/host/common/tos/ree_tos_wtpi.target.mk b/oemcrypto/opk/ports/optee/host/common/tos/ree_tos_wtpi.target.mk deleted file mode 100644 index f31fb9f..0000000 --- a/oemcrypto/opk/ports/optee/host/common/tos/ree_tos_wtpi.target.mk +++ /dev/null @@ -1,161 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := ree_tos_wtpi -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/include \ - -I$(OPTEE_DIR)/optee_client/public - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/include \ - -I$(OPTEE_DIR)/optee_client/public - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/host/common/tos/optee_ree_tos.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/host/common/tos/optee_secure_buffers.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/host/common/tos/optee_tos_log.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/ports/optee/build/libree_tos_wtpi.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/ports/optee/build/libree_tos_wtpi.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/ports/optee/build/libree_tos_wtpi.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/ports/optee/build/libree_tos_wtpi.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/ports/optee/build/libree_tos_wtpi.a -# Add target alias -.PHONY: ree_tos_wtpi -ree_tos_wtpi: $(obj).target/oemcrypto/opk/ports/optee/build/libree_tos_wtpi.a - -# Add target alias to "all" target. -.PHONY: all -all: ree_tos_wtpi - -# Add target alias -.PHONY: ree_tos_wtpi -ree_tos_wtpi: $(builddir)/libree_tos_wtpi.a - -# Copy this to the static library output path. -$(builddir)/libree_tos_wtpi.a: TOOLSET := $(TOOLSET) -$(builddir)/libree_tos_wtpi.a: $(obj).target/oemcrypto/opk/ports/optee/build/libree_tos_wtpi.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/libree_tos_wtpi.a -# Short alias for building this static library. -.PHONY: libree_tos_wtpi.a -libree_tos_wtpi.a: $(obj).target/oemcrypto/opk/ports/optee/build/libree_tos_wtpi.a $(builddir)/libree_tos_wtpi.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/libree_tos_wtpi.a - diff --git a/oemcrypto/opk/ports/optee/host/liboemcrypto/Makefile b/oemcrypto/opk/ports/optee/host/liboemcrypto/Makefile new file mode 100644 index 0000000..0b3bf90 --- /dev/null +++ b/oemcrypto/opk/ports/optee/host/liboemcrypto/Makefile @@ -0,0 +1,40 @@ +# +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +# source code may only be used and distributed under the Widevine +# License Agreement. +# + +# This file expects the following definitions +# - CDM_DIR: absolute path to top of CDM repo. +# - TEEC_EXPORT: absolute path to libteec.so +# - PLATFORM: optee platform name, eg vexpress-qemu_virt + +# Place outputs in $CDM_DIR/out/optee/// +project := $(shell basename $(CURDIR)) +srcdir := $(shell realpath --relative-to=$(CURDIR) $(CDM_DIR)) +builddir := $(srcdir)/out/optee/$(PLATFORM)/$(project)/ +output = $(project).so + +# All file locations are relative to the $CDM_DIR path. +OPK_REPO_TOP := +include $(srcdir)/oemcrypto/opk/build/ree-sources.mk + +srcs += \ + $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/host/common/tos/load_library.c \ + $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/host/common/tos/optee_ree_tos.c \ + $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/host/common/tos/optee_secure_buffers.c \ + $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/host/common/tos/optee_tos_log.c \ + $(liboemcrypto_sources) \ + +incs += \ + $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/include \ + $(liboemcrypto_includes) \ + +global-incs += \ + $(TEEC_EXPORT)/include \ + $(TEEC_EXPORT)/../public \ + +ldflags = -lpthread -lteec -L$(TEEC_EXPORT) -shared + +include ../rules.mk + diff --git a/oemcrypto/opk/ports/optee/host/oemcrypto_helloworld/Makefile b/oemcrypto/opk/ports/optee/host/oemcrypto_helloworld/Makefile new file mode 100644 index 0000000..e5be44a --- /dev/null +++ b/oemcrypto/opk/ports/optee/host/oemcrypto_helloworld/Makefile @@ -0,0 +1,34 @@ +# +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +# source code may only be used and distributed under the Widevine +# License Agreement. +# + +# This file expects the following definitions +# - CDM_DIR: absolute path to top of CDM repo. +# - TEEC_EXPORT: absolute path to libteec.so +# - PLATFORM: optee platform name, eg vexpress-qemu_virt + +# Place outputs in $CDM_DIR/out/optee/// +project := $(shell basename $(CURDIR)) +srcdir := $(shell realpath --relative-to=$(CURDIR) $(CDM_DIR)) +builddir := $(srcdir)/out/optee/$(PLATFORM)/$(project)/ +output = $(project) + +# All file locations are relative to the $CDM_DIR path. +OPK_REPO_TOP := +include $(srcdir)/oemcrypto/opk/build/ree-sources.mk + +srcs += \ + $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/host/oemcrypto_helloworld/main.c \ + +incs += \ + $(OPK_REPO_TOP)/oemcrypto/include \ + +ldflags = \ + -L$(builddir)/../liboemcrypto/ -loemcrypto \ + -L$(TEEC_EXPORT) -lteec \ + +include ../rules.mk + + diff --git a/oemcrypto/opk/ports/optee/host/oemcrypto_helloworld/oemcrypto_helloworld.target.mk b/oemcrypto/opk/ports/optee/host/oemcrypto_helloworld/oemcrypto_helloworld.target.mk deleted file mode 100644 index a994023..0000000 --- a/oemcrypto/opk/ports/optee/host/oemcrypto_helloworld/oemcrypto_helloworld.target.mk +++ /dev/null @@ -1,149 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := oemcrypto_helloworld -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/include - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/host/oemcrypto_helloworld/main.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# Make sure our dependencies are built before any of us. -$(OBJS): | $(builddir)/lib.target/liboemcrypto.so $(obj).target/oemcrypto/opk/build/liboemcrypto.so - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := \ - -Wl,-rpath=\$$ORIGIN/lib.target/ \ - -Wl,-rpath-link=\$(builddir)/lib.target/ - -LDFLAGS_release := \ - -O2 \ - -Wl,--strip-debug \ - -Wl,-rpath=\$$ORIGIN/lib.target/ \ - -Wl,-rpath-link=\$(builddir)/lib.target/ - -LIBS := \ - $(TRUSTED_OS_SDK_LIBS) \ - $(builddir)/libree_tos.a - -$(builddir)/oemcrypto_helloworld: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(builddir)/oemcrypto_helloworld: LIBS := $(LIBS) -$(builddir)/oemcrypto_helloworld: LD_INPUTS := $(OBJS) $(obj).target/oemcrypto/opk/build/liboemcrypto.so -$(builddir)/oemcrypto_helloworld: TOOLSET := $(TOOLSET) -$(builddir)/oemcrypto_helloworld: $(OBJS) $(obj).target/oemcrypto/opk/build/liboemcrypto.so FORCE_DO_CMD - $(call do_cmd,link) - -all_deps += $(builddir)/oemcrypto_helloworld -# Add target alias -.PHONY: oemcrypto_helloworld -oemcrypto_helloworld: $(builddir)/oemcrypto_helloworld - -# Add executable to "all" target. -.PHONY: all -all: $(builddir)/oemcrypto_helloworld - diff --git a/oemcrypto/opk/ports/optee/host/oemcrypto_unittests/Makefile b/oemcrypto/opk/ports/optee/host/oemcrypto_unittests/Makefile new file mode 100644 index 0000000..466a045 --- /dev/null +++ b/oemcrypto/opk/ports/optee/host/oemcrypto_unittests/Makefile @@ -0,0 +1,38 @@ +# +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +# source code may only be used and distributed under the Widevine +# License Agreement. +# + +# This file expects the following definitions +# - CDM_DIR: absolute path to top of CDM repo. +# - TEEC_EXPORT: absolute path to libteec.so +# - PLATFORM: optee platform name, eg vexpress-qemu_virt + +# Place outputs in $CDM_DIR/out/optee/// +project := $(shell basename $(CURDIR)) +srcdir := $(shell realpath --relative-to=$(CURDIR) $(CDM_DIR)) +builddir := $(srcdir)/out/optee/$(PLATFORM)/$(project)/ +output = $(project) + +# All file locations are relative to the $CDM_DIR path. +OPK_REPO_TOP := +include $(srcdir)/oemcrypto/opk/build/ree-sources.mk + +srcs += \ + $(oemcrypto_unittests_sources) \ + +incs += \ + $(oemcrypto_unittests_includes) \ + +ldflags = \ + -lpthread \ + -L$(TEEC_EXPORT) -lteec \ + -L$(builddir)/../liboemcrypto/ -loemcrypto \ + -static-libstdc++ \ + +cppflags += \ + -DOPENSSL_NO_ASM \ + -Wnon-virtual-dtor \ + +include ../rules.mk diff --git a/oemcrypto/opk/ports/optee/host/oemcrypto_unittests/oemcrypto_unittests.target.mk b/oemcrypto/opk/ports/optee/host/oemcrypto_unittests/oemcrypto_unittests.target.mk deleted file mode 100644 index 945a36b..0000000 --- a/oemcrypto/opk/ports/optee/host/oemcrypto_unittests/oemcrypto_unittests.target.mk +++ /dev/null @@ -1,199 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := oemcrypto_unittests -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-DOEMCRYPTO_TESTS' \ - '-D_DEFAULT_SOURCE' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/util/include \ - -I$(srcdir)/util/test \ - -I$(srcdir)/oemcrypto/ref/src \ - -I$(srcdir)/oemcrypto/test \ - -I$(srcdir)/oemcrypto/test/fuzz_tests \ - -I$(srcdir)/oemcrypto/util/include \ - -I$(srcdir)/third_party/googletest/googlemock/include \ - -I$(srcdir)/third_party/googletest/googletest/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/third_party/boringssl/kit/src/include - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DOEMCRYPTO_TESTS' \ - '-D_DEFAULT_SOURCE' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/util/include \ - -I$(srcdir)/util/test \ - -I$(srcdir)/oemcrypto/ref/src \ - -I$(srcdir)/oemcrypto/test \ - -I$(srcdir)/oemcrypto/test/fuzz_tests \ - -I$(srcdir)/third_party/googletest/googlemock/include \ - -I$(srcdir)/third_party/googletest/googletest/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/util/include \ - -I$(srcdir)/third_party/boringssl/kit/src/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/test/oemcrypto_test_main.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/core_message_deserialize.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/core_message_serialize.o \ - $(obj).target/$(TARGET)/linux/src/file_store.o \ - $(obj).target/$(TARGET)/linux/src/log.o \ - $(obj).target/$(TARGET)/util/src/cdm_random.o \ - $(obj).target/$(TARGET)/util/src/platform.o \ - $(obj).target/$(TARGET)/util/src/rw_lock.o \ - $(obj).target/$(TARGET)/util/src/string_conversions.o \ - $(obj).target/$(TARGET)/util/test/test_sleep.o \ - $(obj).target/$(TARGET)/util/test/test_clock.o \ - $(obj).target/$(TARGET)/oemcrypto/odk/src/core_message_features.o \ - $(obj).target/$(TARGET)/oemcrypto/test/oec_device_features.o \ - $(obj).target/$(TARGET)/oemcrypto/test/oec_decrypt_fallback_chain.o \ - $(obj).target/$(TARGET)/oemcrypto/test/oec_key_deriver.o \ - $(obj).target/$(TARGET)/oemcrypto/test/oec_session_util.o \ - $(obj).target/$(TARGET)/oemcrypto/test/oemcrypto_corpus_generator_helper.o \ - $(obj).target/$(TARGET)/oemcrypto/test/oemcrypto_session_tests_helper.o \ - $(obj).target/$(TARGET)/oemcrypto/test/oemcrypto_test.o \ - $(obj).target/$(TARGET)/oemcrypto/test/wvcrc.o \ - $(obj).target/$(TARGET)/oemcrypto/util/src/oemcrypto_ecc_key.o \ - $(obj).target/$(TARGET)/oemcrypto/util/src/oemcrypto_rsa_key.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# Make sure our dependencies are built before any of us. -$(OBJS): | $(builddir)/lib.target/liboemcrypto.so $(obj).target/third_party/libgtest.a $(obj).target/third_party/libgmock.a $(builddir)/libodk.a $(builddir)/libssl.a $(builddir)/libcrypto.a $(obj).target/oemcrypto/opk/build/liboemcrypto.so $(obj).target/oemcrypto/odk/src/libodk.a $(obj).target/third_party/boringssl/libssl.a $(obj).target/third_party/boringssl/libcrypto.a - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := \ - $(OEMCRYPTO_UNITTEST_LDFLAGS) \ - -Wl,-rpath=\$$ORIGIN/lib.target/ \ - -Wl,-rpath-link=\$(builddir)/lib.target/ - -LDFLAGS_release := \ - $(OEMCRYPTO_UNITTEST_LDFLAGS) \ - -O2 \ - -Wl,--strip-debug \ - -Wl,-rpath=\$$ORIGIN/lib.target/ \ - -Wl,-rpath-link=\$(builddir)/lib.target/ - -LIBS := \ - $(TRUSTED_OS_SDK_LIBS) \ - $(builddir)/libree_tos.a \ - -lpthread - -$(builddir)/oemcrypto_unittests: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(builddir)/oemcrypto_unittests: LIBS := $(LIBS) -$(builddir)/oemcrypto_unittests: LD_INPUTS := $(OBJS) $(obj).target/oemcrypto/opk/build/liboemcrypto.so $(obj).target/third_party/libgtest.a $(obj).target/third_party/libgmock.a $(obj).target/oemcrypto/odk/src/libodk.a $(obj).target/third_party/boringssl/libssl.a $(obj).target/third_party/boringssl/libcrypto.a -$(builddir)/oemcrypto_unittests: TOOLSET := $(TOOLSET) -$(builddir)/oemcrypto_unittests: $(OBJS) $(obj).target/oemcrypto/opk/build/liboemcrypto.so $(obj).target/third_party/libgtest.a $(obj).target/third_party/libgmock.a $(obj).target/oemcrypto/odk/src/libodk.a $(obj).target/third_party/boringssl/libssl.a $(obj).target/third_party/boringssl/libcrypto.a FORCE_DO_CMD - $(call do_cmd,link) - -all_deps += $(builddir)/oemcrypto_unittests -# Add target alias -.PHONY: oemcrypto_unittests -oemcrypto_unittests: $(builddir)/oemcrypto_unittests - -# Add executable to "all" target. -.PHONY: all -all: $(builddir)/oemcrypto_unittests - diff --git a/oemcrypto/opk/ports/optee/host/rules.mk b/oemcrypto/opk/ports/optee/host/rules.mk new file mode 100644 index 0000000..6ae3a69 --- /dev/null +++ b/oemcrypto/opk/ports/optee/host/rules.mk @@ -0,0 +1,84 @@ +# +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +# source code may only be used and distributed under the Widevine +# License Agreement. +# + +# This makefile is a simple set of rules for compiling host apps for OP-TEE. +# Feel free to use any other system. +# +# Inputs: +# - srcdir: Relative path from parent Makefile to source file directory, eg top +# of repo. +# - builddir: Relative path from parent Makefile to destination directory. +# - srcs: List of source .c/.cpp/.cc/.S files. All entries in $(srcs) +# must be relative to $(srcdir) +# - incs: List of include paths. Must be relative to $(srcdir). +# - CROSS_COMPILE: prefix for gcc, eg arm-none-gnueabihf- +# +# Can optionally provide additional ldflags, cflags, cppflags, and global-incs + +ifneq ($V,1) +q := @ +cmd-echo := true +cmd-echo-silent := echo +else +q := +cmd-echo := echo +cmd-echo-silent := true +endif + +cc := $(CROSS_COMPILE)gcc +cxx := $(CROSS_COMPILE)g++ + +ssrc := $(patsubst %.S, %.o, $(filter %.S, $(srcs))) +csrc := $(patsubst %.c, %.o, $(filter %.c, $(srcs))) +cppsrc := $(patsubst %.cpp, %.o, $(filter %.cpp, $(srcs))) +ccsrc := $(patsubst %.cc, %.o, $(filter %.cc, $(srcs))) +objs = $(sort $(addprefix $(builddir), $(csrc) $(cppsrc) $(ccsrc) $(ssrc))) + +includes += $(addprefix -I, $(addprefix $(srcdir)/, $(incs)) $(global-incs)) + +cflags += -Wall \ + -Werror \ + -fPIC \ + $(includes) \ + +cflags_c += $(cflags) \ + -std=c11 \ + -D_POSIX_C_SOURCE=200809L + +cppflags += $(cflags) \ + $(CPPFLAGS) \ + +all: $(builddir)$(output) + +$(builddir)$(output): $(objs) + @$(cmd-echo-silent) ' LD $@' + ${q}$(cxx) $(ldflags) -o $@ $(objs) $(ldadd) + +.PHONY: clean +clean: + @$(cmd-echo-silent) ' CLEAN $(builddir)' + ${q}rm -f $(objs) $(output) + @if [ -d $(builddir) ]; then rm -r $(builddir); fi + +$(builddir)%.o: $(srcdir)%.c + ${q}mkdir -p $(shell dirname $@) + @$(cmd-echo-silent) ' CC $@' + ${q}$(cc) $(cflags_c) -c $< -o $@ + +$(builddir)%.o: $(srcdir)%.cc + ${q}mkdir -p $(shell dirname $@) + @$(cmd-echo-silent) ' CPP $@' + ${q}$(cxx) $(cppflags) -c $< -o $@ + +$(builddir)%.o: $(srcdir)%.cpp + ${q}mkdir -p $(shell dirname $@) + @$(cmd-echo-silent) ' CPP $@' + ${q}$(cxx) $(cppflags) -c $< -o $@ + +$(builddir)%.o: $(srcdir)%.S + ${q}mkdir -p $(shell dirname $@) + @$(cmd-echo-silent) ' CC $@' + ${q}$(cc) $(cflags_c) -c $< -o $@ diff --git a/oemcrypto/opk/ports/optee/host/wtpi_unittests/Makefile b/oemcrypto/opk/ports/optee/host/wtpi_unittests/Makefile new file mode 100644 index 0000000..378782d --- /dev/null +++ b/oemcrypto/opk/ports/optee/host/wtpi_unittests/Makefile @@ -0,0 +1,46 @@ +# +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +# source code may only be used and distributed under the Widevine +# License Agreement. +# + +# This file expects the following definitions +# - CDM_DIR: absolute path to top of CDM repo. +# - TEEC_EXPORT: absolute path to libteec.so +# - PLATFORM: optee platform name, eg vexpress-qemu_virt + +# Place outputs in $CDM_DIR/out/optee/// +project := $(shell basename $(CURDIR)) +srcdir := $(shell realpath --relative-to=$(CURDIR) $(CDM_DIR)) +builddir := $(srcdir)/out/optee/$(PLATFORM)/$(project)/ +output = $(project) + +# All file locations are relative to the $CDM_DIR path. +OPK_REPO_TOP := +include $(srcdir)/oemcrypto/opk/build/ree-sources.mk + +srcs += \ + $(OPK_REPO_TOP)/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test_main.cpp \ + $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/host/common/tos/optee_ree_tos.c \ + $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/host/common/tos/optee_secure_buffers.c \ + $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/host/common/tos/optee_tos_log.c \ + $(wtpi_unittests_sources) \ + +incs += \ + $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/include \ + $(wtpi_unittests_includes) \ + +global-incs += \ + $(TEEC_EXPORT)/include \ + $(TEEC_EXPORT)/../public \ + +ldflags = \ + -lpthread \ + -L$(TEEC_EXPORT) -lteec \ + -static-libstdc++ \ + +cppflags += \ + -DOPENSSL_NO_ASM \ + -Wnon-virtual-dtor \ + +include ../rules.mk diff --git a/oemcrypto/opk/ports/optee/host/wtpi_unittests/wtpi_unittests.target.mk b/oemcrypto/opk/ports/optee/host/wtpi_unittests/wtpi_unittests.target.mk deleted file mode 100644 index 2076fcc..0000000 --- a/oemcrypto/opk/ports/optee/host/wtpi_unittests/wtpi_unittests.target.mk +++ /dev/null @@ -1,148 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := wtpi_unittests -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/third_party/googletest/googlemock/include \ - -I$(srcdir)/third_party/googletest/googletest/include - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/third_party/googletest/googlemock/include \ - -I$(srcdir)/third_party/googletest/googletest/include - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_test/wtpi_test_main.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# Make sure our dependencies are built before any of us. -$(OBJS): | $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/libopk_ree_api.a $(builddir)/libwtpi_test_lib.a $(obj).target/third_party/libgtest.a $(obj).target/third_party/libgmock.a $(builddir)/libcrypto.a $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a $(obj).target/third_party/boringssl/libcrypto.a - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.cpp FORCE_DO_CMD - @$(call do_cmd,cxx,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := \ - $(WTPI_UNITTEST_LDFLAGS) - -LDFLAGS_release := \ - $(WTPI_UNITTEST_LDFLAGS) \ - -O2 \ - -Wl,--strip-debug - -LIBS := \ - -lpthread - -$(builddir)/wtpi_unittests: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(builddir)/wtpi_unittests: LIBS := $(LIBS) -$(builddir)/wtpi_unittests: LD_INPUTS := $(OBJS) $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/libopk_ree_api.a $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a $(obj).target/third_party/libgtest.a $(obj).target/third_party/libgmock.a $(obj).target/third_party/boringssl/libcrypto.a -$(builddir)/wtpi_unittests: TOOLSET := $(TOOLSET) -$(builddir)/wtpi_unittests: $(OBJS) $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/ree/libopk_ree_api.a $(obj).target/oemcrypto/opk/oemcrypto_ta/wtpi_test/libwtpi_test_lib.a $(obj).target/third_party/libgtest.a $(obj).target/third_party/libgmock.a $(obj).target/third_party/boringssl/libcrypto.a FORCE_DO_CMD - $(call do_cmd,link) - -all_deps += $(builddir)/wtpi_unittests -# Add target alias -.PHONY: wtpi_unittests -wtpi_unittests: $(builddir)/wtpi_unittests - -# Add executable to "all" target. -.PHONY: all -all: $(builddir)/wtpi_unittests - diff --git a/oemcrypto/opk/ports/optee/push.sh b/oemcrypto/opk/ports/optee/push.sh index 40787e1..b5c6474 100755 --- a/oemcrypto/opk/ports/optee/push.sh +++ b/oemcrypto/opk/ports/optee/push.sh @@ -1,21 +1,26 @@ #!/bin/bash +PLATFORM=vexpress-qemu_virt [ -z "${OPTEE_DIR}" ] && echo "Set \$OPTEE_DIR to your OPTEE SDK root. See README.md" && exit [ -z "${CDM_DIR}" ] && echo "Set \$CDM_DIR to your CDM_DIR repo root" && exit -echo "copy oemcrypto_ta (a92d116c-ce27-4917-b30c-4a416e2d9351) to $OPTEE_DIR/oemcrypto/test" -cp ta/oemcrypto_ta/out/a92d116c-ce27-4917-b30c-4a416e2d9351.ta $OPTEE_DIR/oemcrypto/test -cp $CDM_DIR/out/opk_optee/debug/oemcrypto_helloworld $OPTEE_DIR/oemcrypto/test +OUT_DIR=$CDM_DIR/out/optee/$PLATFORM +VIRTFS_DIR=$OPTEE_DIR/oemcrypto/test -echo "copy wtpi_test_ta (b0f42504-01ec-11ec-9a03-0242ac130003) to $OPTEE_DIR/oemcrypto/test" -cp ta/wtpi_test_ta/out/b0f42504-01ec-11ec-9a03-0242ac130003.ta $OPTEE_DIR/oemcrypto/test -cp $CDM_DIR/out/opk_optee/debug/wtpi_unittests $OPTEE_DIR/oemcrypto/test +test -d $VIRTFS_DIR || mkdir -p $VIRTFS_DIR -test -d $OPTEE_DIR/oemcrypto/host || mkdir -p $OPTEE_DIR/oemcrypto/test -echo "copy oemcrypto unit tests to $OPTEE_DIR/oemcrypto/test" -cp $CDM_DIR/out/opk_optee/debug/oemcrypto_unittests $OPTEE_DIR/oemcrypto/test +echo "copy oemcrypto_ta (a92d116c-ce27-4917-b30c-4a416e2d9351) to $VIRTFS_DIR" +cp $OUT_DIR/oemcrypto_ta/a92d116c-ce27-4917-b30c-4a416e2d9351.ta $VIRTFS_DIR +cp $OUT_DIR/oemcrypto_helloworld/oemcrypto_helloworld $VIRTFS_DIR -echo "copy liboemcrypto.so $OPTEE_DIR/oemcrypto/test" -cp $CDM_DIR/out/opk_optee/debug/lib.target/liboemcrypto.so $OPTEE_DIR/oemcrypto/test +echo "copy wtpi_test_ta (b0f42504-01ec-11ec-9a03-0242ac130003) to $VIRTFS_DIR" +cp $OUT_DIR/wtpi_test_ta/b0f42504-01ec-11ec-9a03-0242ac130003.ta $VIRTFS_DIR +cp $OUT_DIR/wtpi_unittests/wtpi_unittests $VIRTFS_DIR -echo "copy install_ta.sh $OPTEE_DIR/oemcrypto/test" -cp ./install_ta.sh $OPTEE_DIR/oemcrypto/test +echo "copy oemcrypto unit tests to $VIRTFS_DIR" +cp $OUT_DIR/oemcrypto_unittests/oemcrypto_unittests $VIRTFS_DIR + +echo "copy liboemcrypto.so to $VIRTFS_DIR" +cp $OUT_DIR/liboemcrypto/liboemcrypto.so $VIRTFS_DIR + +echo "copy install_ta.sh to $VIRTFS_DIR" +cp ./install_ta.sh $VIRTFS_DIR diff --git a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/sources.mk b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/sources.mk new file mode 100644 index 0000000..2f8336c --- /dev/null +++ b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/sources.mk @@ -0,0 +1,63 @@ +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +# source code may only be used and distributed under the Widevine +# License Agreement. +# + +# This file lists out the files that implement the WTPI and transport layer for +# the OPTEE port. This includes a few reference files from `wtpi_reference`, as +# well as stubs from `wtpi_useless` that must be replaced for a production +# build. +# +# This is not necessary for other ports. This only exists to consoldiate all of +# the OPTEE-specific code in one place for use in sub.mk + +OPK_REPO_TOP ?= $(CDM_DIR) + +wtpi_impl_dir ?= $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl +wtpi_stub_dir ?= $(OPK_REPO_TOP)/oemcrypto/opk/oemcrypto_ta/wtpi_useless +wtpi_ref_dir ?= $(OPK_REPO_TOP)/oemcrypto/opk/oemcrypto_ta/wtpi_reference +tos_impl_dir ?= $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/host/common/tos + +# optee_inc_dir points to the location of the OPTEE headers, typically +# /optee_os/out/arm/export_ta/include +ifndef optee_inc_dir + $(error wtpi_impl/sources.mk included without setting optee_inc_dir) +endif + +wtpi_impl_sources += \ + $(wtpi_impl_dir)/util/ta_log.c \ + $(wtpi_impl_dir)/util/der_parse.c \ + $(wtpi_impl_dir)/wtpi_abort.c \ + $(wtpi_impl_dir)/wtpi_clock_layer2.c \ + $(wtpi_impl_dir)/wtpi_config.c \ + $(wtpi_impl_dir)/wtpi_crypto_and_key_management_layer1.c \ + $(wtpi_impl_dir)/wtpi_crypto_asymmetric.c \ + $(wtpi_impl_dir)/wtpi_decrypt_sample.c \ + $(wtpi_impl_dir)/wtpi_initialize_terminate_interface.c \ + $(wtpi_impl_dir)/wtpi_logging.c \ + $(wtpi_impl_dir)/wtpi_persistent_storage_layer2.c \ + $(wtpi_impl_dir)/wtpi_root_of_trust_layer1.c \ + $(wtpi_stub_dir)/wtpi_root_of_trust_layer2.c \ + $(wtpi_stub_dir)/wtpi_secure_buffer_access.c \ + $(wtpi_ref_dir)/renewal_util.c \ + $(wtpi_ref_dir)/wtpi_clock_and_gn_layer1.c \ + $(wtpi_ref_dir)/wtpi_crc32.c \ + $(wtpi_ref_dir)/wtpi_crypto_wrap_asymmetric.c \ + $(wtpi_ref_dir)/wtpi_device_key.c \ + $(wtpi_ref_dir)/wtpi_idle.c \ + $(wtpi_ref_dir)/wtpi_device_renewal_layer1.c \ + $(wtpi_ref_dir)/wtpi_device_renewal_layer2.c \ + $(tos_impl_dir)/optee_secure_buffers.c \ + +wtpi_impl_includes += \ + $(wtpi_impl_dir) \ + $(wtpi_impl_dir)/util \ + $(wtpi_ref_dir) \ + $(wtpi_ref_dir)/../wtpi \ + $(optee_inc_dir) \ + $(optee_inc_dir)/mbedtls \ + $(oemcrypto_dir)/include \ + +wtpi_impl_libs += \ + mbedtls + diff --git a/oemcrypto/opk/ports/optee/ta/common/der_parse.c b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/util/der_parse.c similarity index 72% rename from oemcrypto/opk/ports/optee/ta/common/der_parse.c rename to oemcrypto/opk/ports/optee/ta/common/wtpi_impl/util/der_parse.c index 12f7648..6e82f04 100644 --- a/oemcrypto/opk/ports/optee/ta/common/der_parse.c +++ b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/util/der_parse.c @@ -71,6 +71,7 @@ OEMCryptoResult DecodePKCS8RSAPrivateKey(const uint8_t* input, mbedtls_pk_context pk_ctx; mbedtls_pk_init(&pk_ctx); + int ret = mbedtls_pk_parse_key(&pk_ctx, input, input_length, NULL, 0); if (ret != 0) { return OEMCrypto_ERROR_UNKNOWN_FAILURE; @@ -154,6 +155,75 @@ cleanup: return res; } +static OEMCryptoResult Helper_EncodeRSAKey( + const pkcs1_rsa* key, uint8_t* output, size_t* output_length, + int (*mbedtls_write_fn)(mbedtls_pk_context* ctx, unsigned char* buf, + size_t size)) { + // import RSA data as raw values into mbedtls_rsa_context + mbedtls_rsa_context rsa_ctx; + mbedtls_rsa_init(&rsa_ctx, MBEDTLS_RSA_PKCS_V15, 0); + + int result = + mbedtls_rsa_import_raw(&rsa_ctx, key->modulus, key->modulus_len, NULL, 0, + NULL, 0, key->private_exp, key->private_exp_len, + key->public_exp, key->public_exp_len); + if (result < 0) { + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + + // calculate remaining RSA parameters (P, Q) + result = mbedtls_rsa_complete(&rsa_ctx); + if (result < 0) { + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + + // assign RSA data to generic mbedtls_pk_context type + mbedtls_pk_context pk_ctx; + const mbedtls_pk_info_t* info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA); + mbedtls_pk_setup(&pk_ctx, info); + pk_ctx.pk_ctx = &rsa_ctx; + + // write RSA data in DER encoding to output + size_t original_output_length = *output_length; + int bytes_written = mbedtls_write_fn(&pk_ctx, output, *output_length); + if (bytes_written <= 0) { + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + *output_length = bytes_written; + + // mbedtls ASN1 write functions write backwards from the end of the buffer. + // Re-align memory to the beginning of the buffer. + TEE_MemMove(output, output + original_output_length - *output_length, + *output_length); + + return OEMCrypto_SUCCESS; +} + +OEMCryptoResult EncodeRSAPrivateKey(const pkcs1_rsa* key, uint8_t* output, + size_t* output_length) { + if (key == NULL || key->modulus == NULL || key->private_exp == NULL || + key->public_exp == NULL || key->modulus_len == 0 || + key->private_exp_len == 0 || key->public_exp_len == 0 || output == NULL || + output_length == NULL) { + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + + return Helper_EncodeRSAKey(key, output, output_length, + mbedtls_pk_write_key_der); +} + +OEMCryptoResult EncodeRSAPublicKey(const pkcs1_rsa* key, uint8_t* output, + size_t* output_length) { + if (key == NULL || key->modulus == NULL || key->public_exp == NULL || + key->modulus_len == 0 || key->public_exp_len == 0 || output == NULL || + output_length == NULL) { + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + + return Helper_EncodeRSAKey(key, output, output_length, + mbedtls_pk_write_pubkey_der); +} + static uint32_t GlobalPlatformCurveId(mbedtls_ecp_group_id id) { switch (id) { case MBEDTLS_ECP_DP_SECP192R1: @@ -287,6 +357,39 @@ cleanup: return res; } +OEMCryptoResult DecodeECCPublicKey(const uint8_t* input, size_t input_length, + rfc5915_eckey* output) { + OEMCryptoResult res; + + mbedtls_pk_context pk_ctx; + mbedtls_pk_init(&pk_ctx); + int ret = mbedtls_pk_parse_public_key(&pk_ctx, input, input_length); + if (ret != 0) { + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + + mbedtls_ecp_keypair* ec_ctx = mbedtls_pk_ec(pk_ctx); + + output->ecc_curve_type = GlobalPlatformCurveId(ec_ctx->grp.id); + output->ecc_curve_bits = CurveNumBits(ec_ctx->grp.id); + output->max_signature_size = ECCSize(output->ecc_curve_bits); + + if ((res = extract_mbedtls_mpi_param(&(ec_ctx->Q.X), &output->public_x, + &output->public_x_len)) != + OEMCrypto_SUCCESS) + goto cleanup; + if ((res = extract_mbedtls_mpi_param(&(ec_ctx->Q.Y), &output->public_y, + &output->public_y_len)) != + OEMCrypto_SUCCESS) + goto cleanup; + + res = OEMCrypto_SUCCESS; + +cleanup: + mbedtls_pk_free(&pk_ctx); + return res; +} + // OP-TEE does not DER-encode the ECDSA signature. Instead it writes the raw // R and S values of the signature to a buffer of key_size*2 length. The values // are front-padded with zero so that they are each key_size in length. diff --git a/oemcrypto/opk/ports/optee/ta/common/der_parse.h b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/util/der_parse.h similarity index 75% rename from oemcrypto/opk/ports/optee/ta/common/der_parse.h rename to oemcrypto/opk/ports/optee/ta/common/wtpi_impl/util/der_parse.h index 5831302..1e88856 100644 --- a/oemcrypto/opk/ports/optee/ta/common/der_parse.h +++ b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/util/der_parse.h @@ -46,6 +46,24 @@ typedef struct pkcs1_rsa { OEMCryptoResult DecodePKCS8RSAPrivateKey(const uint8_t* input, size_t input_length, pkcs1_rsa* output); +/* + * Encodes the RSA key data as a PKCS8 PrivateKey structure in |output|. The + * input pkcs1_rsa data must have the modulus, public exponent, and private + * exponent values set. + * + * Sets |output_length| to number of bytes written. + */ +OEMCryptoResult EncodeRSAPrivateKey(const pkcs1_rsa* key, uint8_t* output, + size_t* output_length); + +/* + * Encodes the RSA key data as a SubjectPublicKeyData struct. The input + * pkcs1_rsa data must have the modulus and public exponent values set. + * + * Sets |output_length| to number of bytes written. + */ +OEMCryptoResult EncodeRSAPublicKey(const pkcs1_rsa* key, uint8_t* output, + size_t* output_length); typedef struct rfc5915_eckey { uint8_t* private_val; @@ -77,6 +95,12 @@ OEMCryptoResult DecodePKCS8ECCPrivateKey(const uint8_t* input, size_t input_length, rfc5915_eckey* output); +/* + * Parses |input| data, which is a DER-encoded SubjectPublicKeyInfo type. + */ +OEMCryptoResult DecodeECCPublicKey(const uint8_t* input, size_t input_length, + rfc5915_eckey* output); + /* * Takes the raw ECDSA signature data from |sig| and encodes it as an ASN1 * SEQUENCE of two INTEGERs as specified by RFC 3279. Assumes that the |sig| diff --git a/oemcrypto/opk/ports/optee/ta/common/ta_log.c b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/util/ta_log.c similarity index 100% rename from oemcrypto/opk/ports/optee/ta/common/ta_log.c rename to oemcrypto/opk/ports/optee/ta/common/wtpi_impl/util/ta_log.c diff --git a/oemcrypto/opk/ports/optee/ta/common/ta_log.h b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/util/ta_log.h similarity index 100% rename from oemcrypto/opk/ports/optee/ta/common/ta_log.h rename to oemcrypto/opk/ports/optee/ta/common/wtpi_impl/util/ta_log.h diff --git a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_clock_layer2.c b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_clock_layer2.c index e6dcab9..c121e22 100644 --- a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_clock_layer2.c +++ b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_clock_layer2.c @@ -5,12 +5,11 @@ */ #include +#include "oemcrypto_check_macros.h" #include "wtpi_clock_interface_layer2.h" OEMCryptoResult WTPI_GetSecureTimer(uint64_t* time_in_s) { - if (time_in_s == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(time_in_s); TEE_Time current_time; TEE_Result res = TEE_GetTAPersistentTime(¤t_time); diff --git a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_crypto_and_key_management_layer1.c b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_crypto_and_key_management_layer1.c index dcde3b7..5ea7bd9 100644 --- a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_crypto_and_key_management_layer1.c +++ b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_crypto_and_key_management_layer1.c @@ -9,6 +9,7 @@ #include #include "der_parse.h" #include "malloc.h" +#include "oemcrypto_check_macros.h" #include "oemcrypto_compiler_attributes.h" #include "oemcrypto_key_types.h" #include "oemcrypto_math.h" @@ -58,7 +59,7 @@ typedef struct wtpi_k1_symmetric_key_handle { OEMCryptoResult WTPI_K1_GetKeySize(WTPI_K1_SymmetricKey_Handle key, KeySize* size) { - if (size == NULL) return OEMCrypto_ERROR_INVALID_CONTEXT; + RETURN_INVALID_CONTEXT_IF_NULL(size); *size = OPK_LengthToKeySize(key->key_size); return OEMCrypto_SUCCESS; } @@ -66,9 +67,9 @@ OEMCryptoResult WTPI_K1_GetKeySize(WTPI_K1_SymmetricKey_Handle key, OEMCryptoResult Helper_AESEncryptBlock_ECB(WTPI_K1_SymmetricKey_Handle key, const uint8_t* input, uint8_t* output) { - if (input == NULL || output == NULL || key == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(input); + RETURN_INVALID_CONTEXT_IF_NULL(output); + RETURN_INVALID_CONTEXT_IF_NULL(key); TEE_OperationHandle op_handle; TEE_ObjectHandle key_handle; @@ -204,8 +205,12 @@ OEMCryptoResult WTPI_C1_AESCBCDecrypt(WTPI_K1_SymmetricKey_Handle key, OEMCryptoResult WTPI_C1_AESCBCEncrypt(WTPI_K1_SymmetricKey_Handle key, const uint8_t* in, size_t in_length, const uint8_t* iv, uint8_t* out) { - if (key == NULL || in == NULL || in_length == 0 || - in_length % AES_BLOCK_SIZE != 0 || iv == NULL || out == NULL) { + RETURN_INVALID_CONTEXT_IF_NULL(key); + RETURN_INVALID_CONTEXT_IF_NULL(in); + RETURN_INVALID_CONTEXT_IF_ZERO(in_length); + RETURN_INVALID_CONTEXT_IF_NULL(iv); + RETURN_INVALID_CONTEXT_IF_NULL(out); + if (in_length % AES_BLOCK_SIZE != 0) { return OEMCrypto_ERROR_INVALID_CONTEXT; } return Helper_AESCBC(key, key->key_size, in, in_length, iv, out, @@ -215,9 +220,10 @@ OEMCryptoResult WTPI_C1_AESCBCEncrypt(WTPI_K1_SymmetricKey_Handle key, OEMCryptoResult WTPI_C1_HMAC_SHA1(WTPI_K1_SymmetricKey_Handle key, const uint8_t* message, size_t message_length, uint8_t* out) { - if (key == NULL || message == NULL || message_length == 0 || out == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(key); + RETURN_INVALID_CONTEXT_IF_NULL(message); + RETURN_INVALID_CONTEXT_IF_ZERO(message_length); + RETURN_INVALID_CONTEXT_IF_NULL(out); TEE_OperationHandle op_handle; TEE_ObjectHandle key_handle; @@ -275,9 +281,9 @@ err: OEMCryptoResult WTPI_C1_SHA256(const uint8_t* message, size_t message_length, uint8_t* out) { - if (message == NULL || message_length == 0 || out == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(message); + RETURN_INVALID_CONTEXT_IF_ZERO(message_length); + RETURN_INVALID_CONTEXT_IF_NULL(out); TEE_Result res; @@ -323,9 +329,10 @@ err: OEMCryptoResult WTPI_C1_HMAC_SHA256(WTPI_K1_SymmetricKey_Handle key, const uint8_t* message, size_t message_length, uint8_t* out) { - if (key == NULL || message == NULL || message_length == 0 || out == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(key); + RETURN_INVALID_CONTEXT_IF_NULL(message); + RETURN_INVALID_CONTEXT_IF_ZERO(message_length); + RETURN_INVALID_CONTEXT_IF_NULL(out); TEE_OperationHandle op_handle; TEE_ObjectHandle key_handle; @@ -385,9 +392,7 @@ OEMCryptoResult WTPI_C1_HMAC_SHA256_Verify(WTPI_K1_SymmetricKey_Handle key, const uint8_t* message, size_t message_length, const uint8_t* signature) { - if (signature == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(signature); uint8_t computed_signature[SHA256_DIGEST_LENGTH]; OEMCryptoResult result = @@ -408,7 +413,10 @@ OEMCryptoResult WTPI_C1_CopyToOutputBuffer(const uint8_t* in, size_t size, return OEMCrypto_ERROR_INVALID_CONTEXT; } - if (in == NULL || out == NULL || size == 0 || total_size > out->size) { + RETURN_INVALID_CONTEXT_IF_NULL(in); + RETURN_INVALID_CONTEXT_IF_NULL(out); + RETURN_INVALID_CONTEXT_IF_ZERO(size); + if (total_size > out->size) { return OEMCrypto_ERROR_INVALID_CONTEXT; } @@ -426,9 +434,8 @@ OEMCryptoResult WTPI_C1_CopyToOutputBuffer(const uint8_t* in, size_t size, } OEMCryptoResult WTPI_C1_RandomBytes(uint8_t* out, size_t size) { - if (out == NULL || size == 0) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(out); + RETURN_INVALID_CONTEXT_IF_ZERO(size); // TODO: running into memory access issues for values greater than 4096, // causing TA to panic. I don't think there's a reason to have random bytes @@ -452,9 +459,9 @@ OEMCryptoResult WTPI_K1_TerminateKeyManagement(void) { OEMCryptoResult WTPI_K1_CreateKeyHandle( const uint8_t* serialized_bytes, size_t size, SymmetricKeyType key_type, WTPI_K1_SymmetricKey_Handle* out_key_handle) { - if (serialized_bytes == NULL || size == 0 || out_key_handle == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(serialized_bytes); + RETURN_INVALID_CONTEXT_IF_ZERO(size); + RETURN_INVALID_CONTEXT_IF_NULL(out_key_handle); if (size != KEY_SIZE_128 && size != KEY_SIZE_256) { return OEMCrypto_ERROR_INVALID_CONTEXT; @@ -518,10 +525,11 @@ OEMCryptoResult WTPI_K1_AESDecryptAndCreateKeyHandle( WTPI_K1_SymmetricKey_Handle decrypt_key_handle, const uint8_t* enc_key, size_t enc_key_length, const uint8_t* iv, SymmetricKeyType key_type, WTPI_K1_SymmetricKey_Handle* out_key_handle) { - if (decrypt_key_handle == NULL || enc_key == NULL || enc_key_length == 0 || - iv == NULL || out_key_handle == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(decrypt_key_handle); + RETURN_INVALID_CONTEXT_IF_NULL(enc_key); + RETURN_INVALID_CONTEXT_IF_ZERO(enc_key_length); + RETURN_INVALID_CONTEXT_IF_NULL(iv); + RETURN_INVALID_CONTEXT_IF_NULL(out_key_handle); uint32_t size; OEMCryptoResult res = WTPI_K1_GetKeySize(decrypt_key_handle, &size); @@ -545,11 +553,12 @@ OEMCryptoResult WTPI_K1_AESDecryptAndCreateKeyHandleForMacKeys( size_t enc_mac_keys_length, const uint8_t* iv, WTPI_K1_SymmetricKey_Handle* out_mac_key_server, WTPI_K1_SymmetricKey_Handle* out_mac_key_client) { - if (decrypt_key_handle == NULL || enc_mac_keys == NULL || - enc_mac_keys_length == 0 || iv == NULL || out_mac_key_server == NULL || - out_mac_key_client == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(decrypt_key_handle); + RETURN_INVALID_CONTEXT_IF_NULL(enc_mac_keys); + RETURN_INVALID_CONTEXT_IF_ZERO(enc_mac_keys_length); + RETURN_INVALID_CONTEXT_IF_NULL(iv); + RETURN_INVALID_CONTEXT_IF_NULL(out_mac_key_server); + RETURN_INVALID_CONTEXT_IF_NULL(out_mac_key_client); uint32_t size; OEMCryptoResult res = WTPI_K1_GetKeySize(decrypt_key_handle, &size); @@ -577,9 +586,11 @@ OEMCryptoResult WTPI_K1_DeriveKeyFromKeyHandle( WTPI_K1_SymmetricKey_Handle key, uint8_t counter, const uint8_t* context, size_t context_length, SymmetricKeyType out_key_type, KeySize out_key_size, WTPI_K1_SymmetricKey_Handle* out_key_handle) { - if (key == NULL || context == NULL || context_length == 0 || - out_key_handle == NULL || - (out_key_size != KEY_SIZE_256 && out_key_size != KEY_SIZE_128)) { + RETURN_INVALID_CONTEXT_IF_NULL(key); + RETURN_INVALID_CONTEXT_IF_NULL(context); + RETURN_INVALID_CONTEXT_IF_ZERO(context_length); + RETURN_INVALID_CONTEXT_IF_NULL(out_key_handle); + if (out_key_size != KEY_SIZE_256 && out_key_size != KEY_SIZE_128) { return OEMCrypto_ERROR_INVALID_CONTEXT; } @@ -655,9 +666,9 @@ OEMCryptoResult WTPI_K1_WrapKey(UNUSED uint32_t context, WTPI_K1_SymmetricKey_Handle key, SymmetricKeyType key_type, uint8_t* wrapped_key, size_t wrapped_key_length) { - if (key == NULL || wrapped_key == NULL || wrapped_key_length == 0) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(key); + RETURN_INVALID_CONTEXT_IF_NULL(wrapped_key); + RETURN_INVALID_CONTEXT_IF_ZERO(wrapped_key_length); if (wrapped_key_length != key->key_size) { /* The caller should give us the correct buffer size. */ @@ -674,10 +685,10 @@ OEMCryptoResult WTPI_K1_UnwrapIntoKeyHandle( UNUSED uint32_t context, const uint8_t* wrapped_key, size_t wrapped_key_length, SymmetricKeyType key_type, WTPI_K1_SymmetricKey_Handle* out_key_handle) { - if (wrapped_key == NULL || wrapped_key_length == 0 || - out_key_handle == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(wrapped_key); + RETURN_INVALID_CONTEXT_IF_ZERO(wrapped_key_length); + RETURN_INVALID_CONTEXT_IF_NULL(out_key_handle); + if (wrapped_key_length != KEY_SIZE_128 && wrapped_key_length != KEY_SIZE_256) { return OEMCrypto_ERROR_INVALID_CONTEXT; diff --git a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_crypto_asymmetric.c b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_crypto_asymmetric.c index 06fb63b..df6e0f9 100644 --- a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_crypto_asymmetric.c +++ b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_crypto_asymmetric.c @@ -9,21 +9,26 @@ #include #include "der_parse.h" #include "malloc.h" +#include "oemcrypto_check_macros.h" #include "oemcrypto_compiler_attributes.h" #include "oemcrypto_key_types.h" #include "oemcrypto_math.h" #include "oemcrypto_overflow.h" #include "tos_shared_memory_interface.h" #include "wtpi_abort_interface.h" +#include "wtpi_config_macros.h" #include "wtpi_crypto_asymmetric_interface.h" #define ECC_KEY_MAX_BITS 521 #define ECC_KEY_MAX_BYTES ((ECC_KEY_MAX_BITS + 7) / 8 + 1) +#define PKCS8_2048BIT_RSA_KEY_MAX_SIZE 1300 typedef struct tee_asymmetric_key_handle { TEE_ObjectHandle key_handle; uint32_t max_signature_size; - uint32_t ecc_curve_type; // only used for ECC operations + uint32_t ecc_curve_type; // only used for ECC operations + TEE_ObjectHandle ecdh_key; // used for ECDH, distinguish between default + // key_handle ECDSA operations } tee_asymmetric_key_handle; static OEMCryptoResult Helper_CreateRSAKeyHandle( @@ -54,7 +59,7 @@ static OEMCryptoResult Helper_CreateRSAKeyHandle( sess->max_signature_size = sess_key->modulus_len; sess->ecc_curve_type = 0; - res = TEE_AllocateTransientObject(TEE_TYPE_RSA_KEYPAIR, 2048, + res = TEE_AllocateTransientObject(TEE_TYPE_RSA_KEYPAIR, KEY_SIZE_2048 * 8, &sess->key_handle); if (res != TEE_SUCCESS) { EMSG("TEE_AllocateTransientObject() failed with result 0x%x", res); @@ -143,6 +148,12 @@ static OEMCryptoResult Helper_CreateECCKeyHandle( EMSG("TEE_AllocateTransientObject() failed with result 0x%x", res); goto cleanup; } + res = TEE_AllocateTransientObject( + TEE_TYPE_ECDH_KEYPAIR, sess_key->private_val_len * 8, &sess->ecdh_key); + if (res != TEE_SUCCESS) { + EMSG("TEE_AllocateTransientObject() failed with result 0x%x", res); + goto cleanup; + } DMSG("Private key length is %d", sess_key->private_val_len); @@ -162,6 +173,12 @@ static OEMCryptoResult Helper_CreateECCKeyHandle( EMSG("TEE_PopulateTransientObject() failed with result 0x%x", res); goto cleanup; } + res = TEE_PopulateTransientObject(sess->ecdh_key, + (const TEE_Attribute*)(&attrs), 4); + if (res != TEE_SUCCESS) { + EMSG("TEE_PopulateTransientObject() failed with result 0x%x", res); + goto cleanup; + } cleanup: if (sess_key != TEE_HANDLE_NULL) { @@ -183,9 +200,9 @@ cleanup: OEMCryptoResult WTPI_CreateAsymmetricKeyHandle( const uint8_t* serialized_bytes, size_t size, AsymmetricKeyType key_type, WTPI_AsymmetricKey_Handle* key_handle) { - if (serialized_bytes == NULL || size == 0 || key_handle == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(serialized_bytes); + RETURN_INVALID_CONTEXT_IF_ZERO(size); + RETURN_INVALID_CONTEXT_IF_NULL(key_handle); switch (key_type) { case DRM_RSA_PRIVATE_KEY: @@ -213,6 +230,7 @@ OEMCryptoResult WTPI_FreeAsymmetricKeyHandle( } TEE_FreeTransientObject(key_handle->key_handle); + TEE_FreeTransientObject(key_handle->ecdh_key); TEE_Free(key_handle); @@ -223,10 +241,10 @@ OEMCryptoResult WTPI_RSASign(WTPI_AsymmetricKey_Handle key, const uint8_t* message, size_t message_length, uint8_t* signature, size_t* signature_length, RSA_Padding_Scheme padding_scheme) { - if (key == NULL || message == NULL || message_length == 0 || - signature_length == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(key); + RETURN_INVALID_CONTEXT_IF_NULL(message); + RETURN_INVALID_CONTEXT_IF_ZERO(message_length); + RETURN_INVALID_CONTEXT_IF_NULL(signature_length); size_t private_key_size = key->max_signature_size; if (signature == NULL || *signature_length < private_key_size) { @@ -298,10 +316,11 @@ OEMCryptoResult WTPI_RSASign(WTPI_AsymmetricKey_Handle key, OEMCryptoResult WTPI_RSADecrypt(WTPI_AsymmetricKey_Handle key, const uint8_t* in, size_t in_length, uint8_t* out, size_t* out_length) { - if (key == NULL || in == NULL || in_length == 0 || out == NULL || - out_length == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(key); + RETURN_INVALID_CONTEXT_IF_NULL(in); + RETURN_INVALID_CONTEXT_IF_ZERO(in_length); + RETURN_INVALID_CONTEXT_IF_NULL(out); + RETURN_INVALID_CONTEXT_IF_NULL(out_length); size_t private_key_size = key->max_signature_size; if (out == NULL || *out_length < private_key_size) { @@ -346,10 +365,8 @@ OEMCryptoResult WTPI_RSADecrypt(WTPI_AsymmetricKey_Handle key, OEMCryptoResult WTPI_GetSignatureSize(WTPI_AsymmetricKey_Handle key, size_t* key_size) { - if (key == NULL || key_size == NULL) { - DMSG("Returning result %d", OEMCrypto_ERROR_INVALID_CONTEXT); - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(key); + RETURN_INVALID_CONTEXT_IF_NULL(key_size); *key_size = key->max_signature_size; @@ -359,10 +376,10 @@ OEMCryptoResult WTPI_GetSignatureSize(WTPI_AsymmetricKey_Handle key, OEMCryptoResult WTPI_ECCSign(WTPI_AsymmetricKey_Handle key, const uint8_t* message, size_t message_length, uint8_t* signature, size_t* signature_length) { - if (key == NULL || message == NULL || message_length == 0 || - signature_length == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(key); + RETURN_INVALID_CONTEXT_IF_NULL(message); + RETURN_INVALID_CONTEXT_IF_ZERO(message_length); + RETURN_INVALID_CONTEXT_IF_NULL(signature_length); size_t max_signature_size = key->max_signature_size; if (signature == NULL || *signature_length < max_signature_size) { @@ -454,18 +471,109 @@ OEMCryptoResult WTPI_ECCSign(WTPI_AsymmetricKey_Handle key, return encode_res; } -OEMCryptoResult WTPI_ECCDeriveSessionKey(UNUSED WTPI_AsymmetricKey_Handle key, - UNUSED const uint8_t* key_source, - UNUSED size_t key_source_length, - UNUSED uint8_t* session_key, - UNUSED size_t* session_key_length) { - return OEMCrypto_ERROR_NOT_IMPLEMENTED; -} +OEMCryptoResult WTPI_ECCDeriveSessionKey(WTPI_AsymmetricKey_Handle key, + const uint8_t* key_source, + size_t key_source_length, + uint8_t* session_key, + size_t* session_key_length) { + RETURN_INVALID_CONTEXT_IF_NULL(key); + RETURN_INVALID_CONTEXT_IF_NULL(key_source); + RETURN_INVALID_CONTEXT_IF_NULL(session_key_length); -OEMCryptoResult WTPI_ED25519Sign(WTPI_AsymmetricKey_Handle key, - const uint8_t* message, size_t message_length, - uint8_t* signature, size_t* signature_length) { - return OEMCrypto_ERROR_NOT_IMPLEMENTED; + // Determine algorithm type and required key size based on incoming public key + // curve parameters + uint32_t alg_type = 0; + KeySize key_size_bytes = 0; + switch (key->ecc_curve_type) { + case TEE_ECC_CURVE_NIST_P256: + alg_type = TEE_ALG_ECDH_P256; + key_size_bytes = KEY_SIZE_256; + break; + case TEE_ECC_CURVE_NIST_P384: + alg_type = TEE_ALG_ECDH_P384; + key_size_bytes = KEY_SIZE_384; + break; + case TEE_ECC_CURVE_NIST_P521: + alg_type = TEE_ALG_ECDH_P521; + key_size_bytes = KEY_SIZE_512; + break; + default: + alg_type = 0; + key_size_bytes = 0; + EMSG("Unsupported curve type %d", key->ecc_curve_type); + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + + // Check for short buffer + if (session_key == NULL || *session_key_length < key_size_bytes) { + *session_key_length = key_size_bytes; + return OEMCrypto_ERROR_SHORT_BUFFER; + } + + // Allocate operation handle for ECDH + TEE_OperationHandle ecdh_op; + TEE_Result res = TEE_AllocateOperation(&ecdh_op, alg_type, TEE_MODE_DERIVE, + key_size_bytes * 8); + if (res != TEE_SUCCESS) { + EMSG("TEE_AllocateOperation failed with result 0x%x, %d", res, alg_type); + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + + // Assign private key to ECDH operation handle + res = TEE_SetOperationKey(ecdh_op, key->ecdh_key); + if (res != TEE_SUCCESS) { + EMSG("TEE_SetOperationKey failed with result 0x%x", res); + goto cleanup; + } + + // Decode public key data into struct object defined by der_parse.h + // This step will allocate memory for public key x and y values, so be sure to + // free them + rfc5915_eckey ecc_key; + OEMCryptoResult result = + DecodeECCPublicKey(key_source, key_source_length, &ecc_key); + if (result != OEMCrypto_SUCCESS) { + EMSG("DecodeECCPublicKey failed with result 0x%x", res); + goto cleanup; + } + + // Copy public x and y values into attribute arrays + TEE_Attribute attrs[2]; + TEE_InitRefAttribute(&attrs[0], TEE_ATTR_ECC_PUBLIC_VALUE_X, ecc_key.public_x, + ecc_key.public_x_len); + TEE_InitRefAttribute(&attrs[1], TEE_ATTR_ECC_PUBLIC_VALUE_Y, ecc_key.public_y, + ecc_key.public_y_len); + + TEE_Free(ecc_key.public_x); + TEE_Free(ecc_key.public_y); + + // Allocate object handle for derived key + TEE_ObjectHandle derived_key; + res = + TEE_AllocateTransientObject(TEE_TYPE_GENERIC_SECRET, 2048, &derived_key); + if (res != TEE_SUCCESS) { + EMSG("TEE_AllocateTransientObject failed with result 0x%x", res); + goto cleanup; + } + + // Perform ECDH operation + TEE_DeriveKey(ecdh_op, attrs, 2, derived_key); + + // Extract generated secret value from derived key handle + res = TEE_GetObjectBufferAttribute(derived_key, TEE_ATTR_SECRET_VALUE, + session_key, session_key_length); + TEE_FreeTransientObject(derived_key); + if (res != TEE_SUCCESS) { + EMSG("TEE_GetObjectBufferAttribute failed with result 0x%x", res); + goto cleanup; + } + + TEE_FreeOperation(ecdh_op); + return OEMCrypto_SUCCESS; + +cleanup: + TEE_FreeOperation(ecdh_op); + return OEMCrypto_ERROR_UNKNOWN_FAILURE; } OEMCryptoResult WTPI_GetBootCertificateChain(uint8_t* out, size_t* out_length) { @@ -476,7 +584,129 @@ OEMCryptoResult WTPI_GenerateRandomCertificateKeyPair( AsymmetricKeyType* key_type, uint8_t* wrapped_private_key, size_t* wrapped_private_key_length, uint8_t* public_key, size_t* public_key_length) { - return OEMCrypto_ERROR_NOT_IMPLEMENTED; + RETURN_INVALID_CONTEXT_IF_NULL(key_type); + RETURN_INVALID_CONTEXT_IF_NULL(wrapped_private_key_length); + RETURN_INVALID_CONTEXT_IF_NULL(public_key_length); + + // This implementation generates RSA key. An alternative is ECC key. + *key_type = DRM_RSA_PRIVATE_KEY; + + // Check buffer sizes. + size_t required_wrapped_private_key_length = 0; + OEMCryptoResult result = WTPI_GetWrappedAsymmetricKeySize( + PKCS8_2048BIT_RSA_KEY_MAX_SIZE, *key_type, + &required_wrapped_private_key_length); + if (result != OEMCrypto_SUCCESS) return result; + + const size_t required_public_key_length = KEY_SIZE_2048; + if (wrapped_private_key == NULL || + *wrapped_private_key_length < required_wrapped_private_key_length || + public_key == NULL || *public_key_length < required_public_key_length) { + *wrapped_private_key_length = required_wrapped_private_key_length; + *public_key_length = required_public_key_length; + return OEMCrypto_ERROR_SHORT_BUFFER; + } + + TEE_Result tee_res; + TEE_ObjectHandle key; + tee_res = TEE_AllocateTransientObject(TEE_TYPE_RSA_KEYPAIR, KEY_SIZE_2048 * 8, + &key); + if (tee_res != TEE_SUCCESS) { + EMSG("TEE_AllocateTransientObject failed with result 0x%x", tee_res); + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + + tee_res = TEE_GenerateKey(key, KEY_SIZE_2048 * 8, NULL, 0); + if (tee_res != TEE_SUCCESS) { + EMSG("TEE_GenerateKey failed with result 0x%x", tee_res); + goto cleanup; + } + + // temporary buffers to hold the raw RSA data generated by GlobalPlatform + uint8_t raw_modulus[KEY_SIZE_2048]; + size_t raw_modulus_len = sizeof(raw_modulus); + uint8_t raw_pub[KEY_SIZE_2048]; + size_t raw_pub_len = sizeof(raw_pub); + uint8_t raw_priv[KEY_SIZE_2048]; + size_t raw_priv_len = sizeof(raw_priv); + + tee_res = TEE_GetObjectBufferAttribute(key, TEE_ATTR_RSA_MODULUS, raw_modulus, + &raw_modulus_len); + if (tee_res != TEE_SUCCESS) { + EMSG("TEE_GetObjectBufferAttribute failed with result 0x%x", tee_res); + goto cleanup; + } + + tee_res = TEE_GetObjectBufferAttribute(key, TEE_ATTR_RSA_PUBLIC_EXPONENT, + raw_pub, &raw_pub_len); + if (tee_res != TEE_SUCCESS) { + EMSG("TEE_GetObjectBufferAttribute failed with result 0x%x", tee_res); + goto cleanup; + } + + tee_res = TEE_GetObjectBufferAttribute(key, TEE_ATTR_RSA_PRIVATE_EXPONENT, + raw_priv, &raw_priv_len); + if (tee_res != TEE_SUCCESS) { + EMSG("TEE_GetObjectBufferAttribute failed with result 0x%x", tee_res); + goto cleanup; + } + + pkcs1_rsa rsa_key = { + .modulus = raw_modulus, + .modulus_len = raw_modulus_len, + .public_exp = raw_pub, + .public_exp_len = raw_pub_len, + .private_exp = raw_priv, + .private_exp_len = raw_priv_len, + }; + + // Encode public key directly to output parameters + result = EncodeRSAPublicKey(&rsa_key, public_key, public_key_length); + if (result != OEMCrypto_SUCCESS) { + EMSG("EncodeRSAPublicKey failed"); + goto cleanup; + } + + // Encode private key to temporary buffer before wrapping + uint8_t encoded_priv[MAX_WRAPPED_ASYMMETRIC_KEY_SIZE]; + size_t encoded_priv_len = MAX_WRAPPED_ASYMMETRIC_KEY_SIZE; + + result = EncodeRSAPrivateKey(&rsa_key, encoded_priv, &encoded_priv_len); + if (result != OEMCrypto_SUCCESS) { + EMSG("EncodeRSAPrivateKey failed"); + goto cleanup; + } + + // If the encoded key length is not a multiple of the AES block size, pad + // until it is. This is required for the WrapAsymmetricKey step + while (encoded_priv_len % AES_BLOCK_SIZE != 0 && + encoded_priv_len < MAX_WRAPPED_ASYMMETRIC_KEY_SIZE) { + encoded_priv[encoded_priv_len++] = 0; + } + + size_t required_size = 0; + result = WTPI_GetWrappedAsymmetricKeySize( + encoded_priv_len, DRM_RSA_PRIVATE_KEY, &required_size); + if (result != OEMCrypto_SUCCESS) { + EMSG("WTPI_GetWrappedAsymmetricKeySize failed with result %d", result); + goto cleanup; + } + *wrapped_private_key_length = required_size; + + result = + WTPI_WrapAsymmetricKey(wrapped_private_key, *wrapped_private_key_length, + *key_type, encoded_priv, encoded_priv_len); + if (result != OEMCrypto_SUCCESS) { + EMSG("WTPI_WrapAsymmetricKey failed with result %d", result); + goto cleanup; + } + + TEE_FreeTransientObject(key); + return OEMCrypto_SUCCESS; + +cleanup: + TEE_FreeTransientObject(key); + return OEMCrypto_ERROR_UNKNOWN_FAILURE; } OEMCryptoResult WTPI_DeviceKeyCoseSign1(const uint8_t* message, diff --git a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_decrypt_sample.c b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_decrypt_sample.c index 1d94a12..363361d 100644 --- a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_decrypt_sample.c +++ b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_decrypt_sample.c @@ -3,10 +3,12 @@ * source code may only be used and distributed under the Widevine * License Agreement. */ +#include #include #include #include #include "malloc.h" +#include "oemcrypto_check_macros.h" #include "oemcrypto_key_types.h" #include "oemcrypto_math.h" #include "oemcrypto_output.h" @@ -29,10 +31,16 @@ static OEMCryptoResult WTPI_DecryptToOutputBuffer_CTR( } size_t block_offset = initial_block_offset; - if (initial_iv == NULL || block_offset >= AES_BLOCK_SIZE || in == NULL || - size == 0 || out == NULL || total_size > out->size || key == NULL) { + + RETURN_INVALID_CONTEXT_IF_NULL(initial_iv); + RETURN_INVALID_CONTEXT_IF_NULL(in); + RETURN_INVALID_CONTEXT_IF_ZERO(size); + RETURN_INVALID_CONTEXT_IF_NULL(out); + RETURN_INVALID_CONTEXT_IF_NULL(key); + if (block_offset >= AES_BLOCK_SIZE || total_size > out->size) { return OEMCrypto_ERROR_INVALID_CONTEXT; } + if (out->type == OPK_SECURE_OUTPUT_BUFFER) { return OEMCrypto_ERROR_NOT_IMPLEMENTED; } else if (out->type != OPK_CLEAR_INSECURE_OUTPUT_BUFFER) { @@ -66,8 +74,14 @@ static OEMCryptoResult WTPI_DecryptToOutputBuffer_CBC( if (OPK_AddOverflowUX(output_offset, size, &total_size)) { return OEMCrypto_ERROR_INVALID_CONTEXT; } - if (initial_iv == NULL || pattern == NULL || in == NULL || size == 0 || - out == NULL || total_size > out->size || key == NULL) { + + RETURN_INVALID_CONTEXT_IF_NULL(initial_iv); + RETURN_INVALID_CONTEXT_IF_NULL(pattern); + RETURN_INVALID_CONTEXT_IF_NULL(in); + RETURN_INVALID_CONTEXT_IF_ZERO(size); + RETURN_INVALID_CONTEXT_IF_NULL(out); + RETURN_INVALID_CONTEXT_IF_NULL(key); + if (total_size > out->size) { return OEMCrypto_ERROR_INVALID_CONTEXT; } @@ -139,7 +153,8 @@ UBSAN_IGNORE_UNSIGNED_OVERFLOW static void AdvanceIVandCounter( /* The truncation here is intentional. */ const size_t increment = bytes / AES_BLOCK_SIZE; /* The potential overflow here is intentional. */ - counter = (counter) + increment; + counter = be64toh(counter) + increment; + counter = htobe64(counter); TEE_MemMove(&(*subsample_iv)[kCounterIndex], &counter, kCounterSize); } @@ -149,10 +164,13 @@ static OEMCryptoResult DecryptSubsample( const OEMCrypto_CENCEncryptPatternDesc* pattern, const uint8_t* cipher_data, const uint8_t* iv, const OPK_OutputBuffer* output_buffer, size_t output_offset, OEMCryptoCipherMode cipher_mode) { - if (key_handle == NULL || subsample == NULL || pattern == NULL || - cipher_data == NULL || iv == NULL || output_buffer == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(key_handle); + RETURN_INVALID_CONTEXT_IF_NULL(subsample); + RETURN_INVALID_CONTEXT_IF_NULL(pattern); + RETURN_INVALID_CONTEXT_IF_NULL(cipher_data); + RETURN_INVALID_CONTEXT_IF_NULL(iv); + RETURN_INVALID_CONTEXT_IF_NULL(output_buffer); + size_t subsample_length; if (OPK_AddOverflowUX(subsample->num_bytes_clear, subsample->num_bytes_encrypted, &subsample_length)) { @@ -214,10 +232,11 @@ OEMCryptoResult WTPI_DecryptSample( const OEMCrypto_CENCEncryptPatternDesc* pattern, const OPK_OutputBuffer* output_buffer, size_t output_offset, OEMCryptoCipherMode cipher_mode) { - if (key_handle == NULL || sample == NULL || pattern == NULL || - output_buffer == NULL) { - return OEMCrypto_ERROR_INVALID_CONTEXT; - } + RETURN_INVALID_CONTEXT_IF_NULL(key_handle); + RETURN_INVALID_CONTEXT_IF_NULL(sample); + RETURN_INVALID_CONTEXT_IF_NULL(pattern); + RETURN_INVALID_CONTEXT_IF_NULL(output_buffer); + OEMCryptoResult result = OEMCrypto_SUCCESS; size_t starting_output_offset = output_offset; diff --git a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_impl.target.mk b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_impl.target.mk deleted file mode 100644 index e348846..0000000 --- a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_impl.target.mk +++ /dev/null @@ -1,195 +0,0 @@ -# -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary -# source code may only be used and distributed under the Widevine -# License Agreement. -# - -# This file is generated by gyp; do not edit. - -TOOLSET := target -TARGET := wtpi_impl -DEFS_debug := \ - '-DENABLE_LOGGING=1' \ - '-D_DEFAULT_SOURCE' \ - '-D__USE_MISC' \ - '-D_DEBUG' \ - '-D_GLIBCXX_DEBUG' - -# Flags passed to all source files. -CFLAGS_debug := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -g \ - -Og - -# Flags passed to only C files. -CFLAGS_C_debug := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_debug := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_debug := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_reference \ - -I$(srcdir)/oemcrypto/opk/ports/optee/ta/common \ - -I$(OPTEE_DIR)/optee_os/out/arm/export-ta_arm32/include \ - -I$(OPTEE_DIR)/optee_os/out/arm/export-ta_arm32/include/mbedtls - -DEFS_release := \ - '-DENABLE_LOGGING=1' \ - '-D_DEFAULT_SOURCE' \ - '-D__USE_MISC' \ - '-DNDEBUG' - -# Flags passed to all source files. -CFLAGS_release := \ - -fPIC \ - -fvisibility=hidden \ - -fno-common \ - -g \ - -Werror=all \ - -O2 \ - -g0 - -# Flags passed to only C files. -CFLAGS_C_release := \ - -std=c11 \ - -D_POSIX_C_SOURCE=200809L - -# Flags passed to only C++ files. -CFLAGS_CC_release := \ - -std=c++11 \ - -Wnon-virtual-dtor \ - -fno-exceptions \ - -fno-rtti - -INCS_release := \ - -I$(srcdir)/oemcrypto/opk/serialization \ - -I$(srcdir)/oemcrypto/opk/serialization/common \ - -I$(srcdir)/oemcrypto/opk/serialization/common/include \ - -I$(srcdir)/third_party/nlohmann-json/single_include \ - -I$(srcdir)/oemcrypto/odk/include \ - -I$(srcdir)/oemcrypto/odk/src \ - -I$(srcdir)/oemcrypto/include \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi \ - -I$(srcdir)/oemcrypto/opk/serialization/os_interfaces \ - -I$(srcdir)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl \ - -I$(srcdir)/oemcrypto/opk/oemcrypto_ta/wtpi_reference \ - -I$(srcdir)/oemcrypto/opk/ports/optee/ta/common \ - -I$(OPTEE_DIR)/optee_os/out/arm/export-ta_arm32/include \ - -I$(OPTEE_DIR)/optee_os/out/arm/export-ta_arm32/include/mbedtls - -OBJS := \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/ta_log.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/der_parse.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/host/common/tos/optee_secure_buffers.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_abort.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_clock_layer2.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_config.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_crypto_and_key_management_layer1.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_crypto_asymmetric.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_decrypt_sample.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_initialize_terminate_interface.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_logging.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_persistent_storage_layer2.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_useless/wtpi_root_of_trust_layer2.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_useless/wtpi_secure_buffer_access.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/renewal_util.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_clock_and_gn_layer1.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crc32.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_crypto_wrap_asymmetric.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_device_key.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_idle.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_device_renewal_layer1.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_device_renewal_layer2.o \ - $(obj).target/$(TARGET)/oemcrypto/opk/oemcrypto_ta/wtpi_reference/wtpi_root_of_trust_layer1.o - -# Add to the list of files we specially track dependencies for. -all_deps += $(OBJS) - -# CFLAGS et al overrides must be target-local. -# See "Target-specific Variable Values" in the GNU Make manual. -$(OBJS): TOOLSET := $(TOOLSET) -$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE)) -$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE)) $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE)) - -# Suffix rules, putting all outputs into $(obj). - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# Try building from generated source, too. - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD - @$(call do_cmd,cc,1) - -# End of this set of suffix rules -### Rules for final target. -LDFLAGS_debug := \ - -L$(OPTEE_DIR)/optee_os/out/arm/export-ta_arm32/lib \ - -lmbedtls - -LDFLAGS_release := \ - -L$(OPTEE_DIR)/optee_os/out/arm/export-ta_arm32/lib \ - -lmbedtls \ - -O2 \ - -Wl,--strip-debug - -LIBS := - -$(obj).target/oemcrypto/opk/ports/optee/build/libwtpi_impl.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE)) -$(obj).target/oemcrypto/opk/ports/optee/build/libwtpi_impl.a: LIBS := $(LIBS) -$(obj).target/oemcrypto/opk/ports/optee/build/libwtpi_impl.a: TOOLSET := $(TOOLSET) -$(obj).target/oemcrypto/opk/ports/optee/build/libwtpi_impl.a: $(OBJS) FORCE_DO_CMD - $(call do_cmd,alink) - -all_deps += $(obj).target/oemcrypto/opk/ports/optee/build/libwtpi_impl.a -# Add target alias -.PHONY: wtpi_impl -wtpi_impl: $(obj).target/oemcrypto/opk/ports/optee/build/libwtpi_impl.a - -# Add target alias to "all" target. -.PHONY: all -all: wtpi_impl - -# Add target alias -.PHONY: wtpi_impl -wtpi_impl: $(builddir)/libwtpi_impl.a - -# Copy this to the static library output path. -$(builddir)/libwtpi_impl.a: TOOLSET := $(TOOLSET) -$(builddir)/libwtpi_impl.a: $(obj).target/oemcrypto/opk/ports/optee/build/libwtpi_impl.a FORCE_DO_CMD - $(call do_cmd,copy) - -all_deps += $(builddir)/libwtpi_impl.a -# Short alias for building this static library. -.PHONY: libwtpi_impl.a -libwtpi_impl.a: $(obj).target/oemcrypto/opk/ports/optee/build/libwtpi_impl.a $(builddir)/libwtpi_impl.a - -# Add static library to "all" target. -.PHONY: all -all: $(builddir)/libwtpi_impl.a - diff --git a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_persistent_storage_layer2.c b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_persistent_storage_layer2.c index e5fc7a7..6d93271 100644 --- a/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_persistent_storage_layer2.c +++ b/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/wtpi_persistent_storage_layer2.c @@ -111,7 +111,7 @@ OEMCryptoResult WTPI_PrepareStoredPersistentData(void) { OEMCryptoResult WTPI_LoadPersistentData(uint8_t* data, size_t* data_length) { TEE_Result res; - size_t bytes_read; + size_t bytes_read = 0; size_t short_buf_expected_size; res = read_raw_object(kDataId, kDataIdLength, data, *data_length, &bytes_read, diff --git a/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/Makefile b/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/Makefile index 50dba94..803a114 100644 --- a/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/Makefile +++ b/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/Makefile @@ -1,26 +1,28 @@ # -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary # source code may only be used and distributed under the Widevine # License Agreement. # -CFG_TEE_TA_LOG_LEVEL := 4 -# The UUID for the Trusted Application -BINARY=a92d116c-ce27-4917-b30c-4a416e2d9351 - -# OP-TEE-specifc defines for the target build -# Must have the following defined for OP-TEE's build system. These are defined -# by the top level makefile, but can be overridden locally if desired. +# This Makefile is not intended to be invoked on its own. It is possible +# though. Be sure to set the following variables. # - CROSS_COMPILE: prefix of compiler, eg arm-linux-gnueabihf- # - PLATFORM: OP-TEE platform enumeration, eg vexpress-qemu_virt # - TEEC_EXPORT: path to libteec.so in OP-TEE client build output # - TA_DEV_KIT_DIR: path to OP-TEE TA dev kit makefiles -# - O: optional output directory specification -.EXPORT_ALL_VARIABLES: -TEEC_EXPORT ?= $(OPTEE_DIR)/out-br/build/optee_client_ext-1.0/libteec -PATH := $(PATH):$(OPTEE_DIR)/toolchains/aarch32/bin/:$(OPTEE_DIR)/toolchains/aarch64/bin/ -O := ./out +# - CDM_DIR: path to top of CDM repo + +# The UUID for the Trusted Application +BINARY=a92d116c-ce27-4917-b30c-4a416e2d9351 CFG_TEE_TA_MALLOC_DEBUG:=y +CFG_TEE_TA_LOG_LEVEL := 4 + +# Place outputs in $CDM_DIR/out/optee/// +CDM_DIR_REL := $(shell realpath --relative-to=$(CURDIR) $(CDM_DIR)) +CURDIR_REL := $(shell realpath --relative-to=$(CDM_DIR) $(CURDIR)) +PROJ_NAME := $(shell basename $(CURDIR)) +O_BASE := $(CDM_DIR_REL)/out/optee/$(PLATFORM)/$(PROJ_NAME) +O := $(O_BASE)/$(CURDIR_REL) include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk @@ -29,3 +31,8 @@ clean: @echo 'Note: $$(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk not found, cannot clean TA' @echo 'Note: TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR)' endif + +.DEFAULT_GOAL := build_and_copy +.PHONY: build_and_copy +build_and_copy: all + -cp $(O)/*.{elf,ta,dmp,map} $(O_BASE)/ diff --git a/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/sub.mk b/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/sub.mk index ea100b4..cee202f 100644 --- a/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/sub.mk +++ b/oemcrypto/opk/ports/optee/ta/oemcrypto_ta/sub.mk @@ -3,46 +3,39 @@ # source code may only be used and distributed under the Widevine # License Agreement. # -OEMCRYPTO=../../../../.. -ODK=$(OEMCRYPTO)/odk -OPK=$(OEMCRYPTO)/opk -SER=$(OPK)/serialization -OEMCRYPTO_TA=$(OPK)/oemcrypto_ta -OPTEE_PORT=$(OPK)/ports/optee -MAIN_TA=$(OPTEE_PORT)/ta/oemcrypto_ta -COMMON=$(OPTEE_PORT)/ta/common -global-incdirs-y += $(OEMCRYPTO)/include -global-incdirs-y += $(ODK)/include -global-incdirs-y += $(ODK)/src -global-incdirs-y += $(SER)/common/include -global-incdirs-y += $(SER)/os_interfaces -global-incdirs-y += $(OEMCRYPTO_TA) -global-incdirs-y += $(OEMCRYPTO_TA)/wtpi -global-incdirs-y += $(MAIN_TA)/include -global-incdirs-y += $(COMMON) +# Requires definitions for +# TA_DEV_KIT_DIR: path to OP-TEE TA dev kit files +# CDM_DIR: path to top of CDM repo -srcs-y += oemcrypto_ta.c +# Define this for tee-sources.mk, which uses it as a prefix for source file +# locations +OPK_REPO_TOP := $(shell realpath --relative-to=./ $(CDM_DIR)) -libdirs += $(OEMCRYPTO)/../out/opk_optee/debug +# tee-sources.mk provides opk_base_ta_sources and opk_base_ta_includes +include $(CDM_DIR)/oemcrypto/opk/build/tee-sources.mk -libnames += odk -libnames += opk_tee -libnames += oemcrypto_ta -libnames += wtpi_impl +# Definitions for wtpi_impl sources.mk +wtpi_impl_dir := $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl +optee_inc_dir := $(shell realpath --relative-to=./ $(TA_DEV_KIT_DIR))/include -ifeq ($(USE_TA_REFERENCE_CRYPTO),yes) - libnames += oemcrypto_ta_reference_crypto -endif +# Provides wtpi_impl_sources and wtpi_impl_includes +include $(CDM_DIR)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/sources.mk -ifeq ($(USE_TA_REFERENCE_CLOCK),yes) - libnames += oemcrypto_ta_reference_clock -endif +# srcs-y, global-incdirs-y, and libnames are used by the OP-TEE TA dev kit +# build system +srcs-y += \ + oemcrypto_ta.c \ + $(opk_base_ta_sources) \ + $(wtpi_impl_sources) \ -ifeq ($(USE_TA_REFERENCE_RENEWAL),yes) - libnames += oemcrypto_ta_reference_renewal -endif +global-incdirs-y += \ + $(opk_base_ta_includes) \ + $(wtpi_impl_includes) \ + +cppflags-y += \ + -DWTPI_BUILD_INFO=\"$(WTPI_BUILD_INFO)\" \ + +libnames += \ + $(wtpi_impl_libs) -ifeq ($(USE_TA_REFERENCE_ROOT_OF_TRUST),yes) - libnames += oemcrypto_ta_reference_root_of_trust -endif diff --git a/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/Makefile b/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/Makefile index 14c27a9..580531b 100644 --- a/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/Makefile +++ b/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/Makefile @@ -1,25 +1,28 @@ # -# Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary +# Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary # source code may only be used and distributed under the Widevine # License Agreement. # -CFG_TEE_TA_LOG_LEVEL ?= 4 -# The UUID for the Trusted Application -BINARY=b0f42504-01ec-11ec-9a03-0242ac130003 - -# OP-TEE-specifc defines for the target build -# Must have the following defined for OP-TEE's build system. These are defined -# by the top level makefile, but can be overridden locally if desired. +# This Makefile is not intended to be invoked on its own. It is possible +# though. Be sure to set the following variables. # - CROSS_COMPILE: prefix of compiler, eg arm-linux-gnueabihf- # - PLATFORM: OP-TEE platform enumeration, eg vexpress-qemu_virt # - TEEC_EXPORT: path to libteec.so in OP-TEE client build output # - TA_DEV_KIT_DIR: path to OP-TEE TA dev kit makefiles -# - O: optional output directory specification -.EXPORT_ALL_VARIABLES: -TEEC_EXPORT ?= $(OPTEE_DIR)/out-br/build/optee_client_ext-1.0/libteec -PATH := $(PATH):$(OPTEE_DIR)/toolchains/aarch32/bin/:$(OPTEE_DIR)/toolchains/aarch64/bin/ -O := ./out +# - CDM_DIR: path to top of CDM repo + +# The UUID for the Trusted Application +BINARY=b0f42504-01ec-11ec-9a03-0242ac130003 +CFG_TEE_TA_MALLOC_DEBUG:=y +CFG_TEE_TA_LOG_LEVEL := 4 + +# Place outputs in $CDM_DIR/out/optee/// +CDM_DIR_REL := $(shell realpath --relative-to=$(CURDIR) $(CDM_DIR)) +CURDIR_REL := $(shell realpath --relative-to=$(CDM_DIR) $(CURDIR)) +PROJ_NAME := $(shell basename $(CURDIR)) +O_BASE := $(CDM_DIR_REL)/out/optee/$(PLATFORM)/$(PROJ_NAME) +O := $(O_BASE)/$(CURDIR_REL) include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk @@ -28,3 +31,8 @@ clean: @echo 'Note: $$(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk not found, cannot clean TA' @echo 'Note: TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR)' endif + +.DEFAULT_GOAL := build_and_copy +.PHONY: build_and_copy +build_and_copy: all + -cp $(O)/*.{elf,ta,dmp,map} $(O_BASE)/ diff --git a/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/sub.mk b/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/sub.mk index 49898ac..540dcb7 100644 --- a/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/sub.mk +++ b/oemcrypto/opk/ports/optee/ta/wtpi_test_ta/sub.mk @@ -3,32 +3,38 @@ # source code may only be used and distributed under the Widevine # License Agreement. # -OEMCRYPTO=../../../../.. -ODK=$(OEMCRYPTO)/odk -OPK=$(OEMCRYPTO)/opk -SER=$(OPK)/serialization -OEMCRYPTO_TA=$(OPK)/oemcrypto_ta -OPTEE_PORT=$(OPK)/ports/optee -TEST_TA=$(OPTEE_PORT)/ta/wtpi_test_ta -COMMON=$(OPTEE_PORT)/ta/common -global-incdirs-y += $(OEMCRYPTO)/include -global-incdirs-y += $(ODK)/include -global-incdirs-y += $(ODK)/src -global-incdirs-y += $(SER)/common/include -global-incdirs-y += $(SER)/os_interfaces -global-incdirs-y += $(OEMCRYPTO_TA) -global-incdirs-y += $(OEMCRYPTO_TA)/wtpi -global-incdirs-y += $(TEST_TA)/include -global-incdirs-y += $(COMMON) +# Requires definitions for +# TA_DEV_KIT_DIR: path to OP-TEE TA dev kit files +# CDM_DIR: path to top of CDM repo -srcs-y += wtpi_test_ta.c -srcs-y += $(SER)/tee/tee_tos_stubs.c +# Define this for tee-sources.mk, which uses it as a prefix for source file +# locations +OPK_REPO_TOP := $(shell realpath --relative-to=./ $(CDM_DIR)) -libdirs += $(OEMCRYPTO)/../out/opk_optee/debug -libdirs += $(OEMCRYPTO)/../out/opk_optee/debug/obj.target/oemcrypto/opk/oemcrypto_ta/wtpi_test/tee +# tee-sources.mk provides opk_base_wtpi_ta_sources, opk_base_wtpi_ta_includes, +# serialization_dir and oemcrypto_ta_includes +include $(CDM_DIR)/oemcrypto/opk/build/tee-sources.mk -libnames += odk -libnames += opk_tee_wtpi_test -libnames += oemcrypto_ta -libnames += wtpi_impl +# Definitions for wtpi_impl sources.mk +wtpi_impl_dir := $(OPK_REPO_TOP)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl +optee_inc_dir := $(shell realpath --relative-to=./ $(TA_DEV_KIT_DIR))/include + +# Provides wtpi_impl_sources and wtpi_impl_includes +include $(CDM_DIR)/oemcrypto/opk/ports/optee/ta/common/wtpi_impl/sources.mk + +# srcs-y, global-incdirs-y, and libnames are used by the OP-TEE TA dev kit +# build system +srcs-y += \ + wtpi_test_ta.c \ + $(serialization_dir)/tee/tee_tos_stubs.c \ + $(opk_base_wtpi_ta_sources) \ + $(wtpi_impl_sources) \ + +global-incdirs-y += \ + $(opk_base_wtpi_ta_includes) \ + $(wtpi_impl_includes) \ + $(oemcrypto_ta_includes) \ + +libnames += \ + $(wtpi_impl_libs) diff --git a/oemcrypto/opk/ports/trusty/ta/interface_impls/wtpi_crypto_and_key_management_layer1_openssl.c b/oemcrypto/opk/ports/trusty/ta/interface_impls/wtpi_crypto_and_key_management_layer1_openssl.c index ac1f22c..36ce71b 100644 --- a/oemcrypto/opk/ports/trusty/ta/interface_impls/wtpi_crypto_and_key_management_layer1_openssl.c +++ b/oemcrypto/opk/ports/trusty/ta/interface_impls/wtpi_crypto_and_key_management_layer1_openssl.c @@ -84,8 +84,9 @@ static bool IsKeyValid(uint32_t index) { case MAC_KEY_CLIENT: return key->key_size == KEY_SIZE_256; case ENCRYPTION_KEY: - case DERIVING_KEY: return key->key_size == KEY_SIZE_128; + case DERIVING_KEY: + return key->key_size == KEY_SIZE_128 || key->key_size == KEY_SIZE_256; } } diff --git a/oemcrypto/test/common.mk b/oemcrypto/test/common.mk index d154967..bf5a1a2 100644 --- a/oemcrypto/test/common.mk +++ b/oemcrypto/test/common.mk @@ -6,7 +6,7 @@ HIDL_EXTENSION := _hidl LIB_BINDER := libhidlbase else HIDL_EXTENSION := -LIB_BINDER := libbinder +LIB_BINDER := libbinder_ndk endif ifeq ($(filter mips mips64, $(TARGET_ARCH)),) @@ -28,10 +28,10 @@ LOCAL_SRC_FILES:= \ oemcrypto_test_android.cpp \ oemcrypto_test_main.cpp \ ota_keybox_test.cpp \ - wvcrc.cpp \ ../../cdm/util/test/test_sleep.cpp \ ../util/src/oemcrypto_ecc_key.cpp \ ../util/src/oemcrypto_rsa_key.cpp \ + ../util/src/wvcrc.cpp \ LOCAL_C_INCLUDES += \ $(LOCAL_PATH)/fuzz_tests \ @@ -39,6 +39,7 @@ LOCAL_C_INCLUDES += \ $(LOCAL_PATH)/../odk/include \ $(LOCAL_PATH)/../odk/kdo/include \ $(LOCAL_PATH)/../ref/src \ + $(LOCAL_PATH)/../util/include \ vendor/widevine/libwvdrmengine/cdm/core/include \ vendor/widevine/libwvdrmengine/cdm/util/include \ vendor/widevine/libwvdrmengine/cdm/util/test \ diff --git a/oemcrypto/test/fuzz_tests/build_oemcrypto_fuzztests b/oemcrypto/test/fuzz_tests/build_oemcrypto_fuzztests index 2ebcc9d..2b8c902 100755 --- a/oemcrypto/test/fuzz_tests/build_oemcrypto_fuzztests +++ b/oemcrypto/test/fuzz_tests/build_oemcrypto_fuzztests @@ -1,15 +1,8 @@ #!/bin/bash -echo "XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX" -echo "XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX" -echo "TODO(b/192560463): The OPK does not build because it expects an" -echo "older version of the ODK library. The ipc_ref tests do not work because" -echo "the reference code is v17 but OPK is v16." -# Also, if you are fixing this script, it should probably be moved to the jenkins -# directory, so that it is next to all the other scripts that Luci runs. -echo "XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX" -echo "XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX---XXX" -exit 0 +# Also, if you are fixing this script, it should probably be moved to the +# jenkins directory, so that it is next to all the other scripts that LUCI +# runs. set -ex diff --git a/oemcrypto/test/fuzz_tests/oemcrypto_fuzztests.gypi b/oemcrypto/test/fuzz_tests/oemcrypto_fuzztests.gypi index 686b56e..cdbeadd 100644 --- a/oemcrypto/test/fuzz_tests/oemcrypto_fuzztests.gypi +++ b/oemcrypto/test/fuzz_tests/oemcrypto_fuzztests.gypi @@ -49,6 +49,7 @@ 'dependencies': [ '../../../third_party/googletest.gyp:gtest', '../../../third_party/googletest.gyp:gmock', + '<(oemcrypto_dir)/util/oec_ref_util.gyp:oec_ref_util', ], 'defines': [ 'OEMCRYPTO_FUZZ_TESTS', diff --git a/oemcrypto/test/fuzz_tests/partner_oemcrypto_fuzztests.gypi b/oemcrypto/test/fuzz_tests/partner_oemcrypto_fuzztests.gypi index 581727d..18eb2ad 100644 --- a/oemcrypto/test/fuzz_tests/partner_oemcrypto_fuzztests.gypi +++ b/oemcrypto/test/fuzz_tests/partner_oemcrypto_fuzztests.gypi @@ -47,6 +47,7 @@ 'dependencies': [ '../../../third_party/googletest.gyp:gtest', '../../../third_party/googletest.gyp:gmock', + '<(oemcrypto_dir)/util/oec_ref_util.gyp:oec_ref_util', ], 'defines': [ 'OEMCRYPTO_FUZZ_TESTS', diff --git a/oemcrypto/test/oec_device_features.cpp b/oemcrypto/test/oec_device_features.cpp index 4023081..9db9c00 100644 --- a/oemcrypto/test/oec_device_features.cpp +++ b/oemcrypto/test/oec_device_features.cpp @@ -63,6 +63,10 @@ void DeviceFeatures::Initialize() { OEMCrypto_Generic_Encrypt(session, buffer, 0, iv, OEMCrypto_AES_CBC_128_NO_PADDING, buffer)); printf("generic_crypto = %s.\n", generic_crypto ? "true" : "false"); + supports_cas = + (OEMCrypto_ERROR_NOT_IMPLEMENTED != + OEMCrypto_LoadCasECMKeys(session, nullptr, 0, nullptr, nullptr)); + printf("supports_cas = %s.\n", supports_cas ? "true" : "false"); OEMCrypto_CloseSession(session); api_version = OEMCrypto_APIVersion(); printf("api_version = %u.\n", api_version); @@ -137,6 +141,7 @@ std::string DeviceFeatures::RestrictFilter(const std::string& initial_filter) { FilterOut(&filter, "OEMCryptoLoadsCert*"); if (!generic_crypto) FilterOut(&filter, "*GenericCrypto*"); if (!cast_receiver) FilterOut(&filter, "*CastReceiver*"); + if (!supports_cas) FilterOut(&filter, "*CasOnly*"); if (derive_key_method == NO_METHOD) FilterOut(&filter, "*SessionTest*"); if (provisioning_method != OEMCrypto_OEMCertificate) FilterOut(&filter, "*Prov30*"); diff --git a/oemcrypto/test/oec_device_features.h b/oemcrypto/test/oec_device_features.h index 06c7b58..a65eef1 100644 --- a/oemcrypto/test/oec_device_features.h +++ b/oemcrypto/test/oec_device_features.h @@ -51,6 +51,7 @@ class DeviceFeatures { uint32_t resource_rating; // Device's resource rating tier. bool supports_crc; // Supported decrypt hash type CRC. bool test_secure_buffers; // If we can create a secure buffer for testing. + bool supports_cas; // Device supports CAS (Condition Access System). uint32_t api_version; OEMCrypto_ProvisioningMethod provisioning_method; diff --git a/oemcrypto/test/oec_session_util.cpp b/oemcrypto/test/oec_session_util.cpp index b85d870..7977a7f 100644 --- a/oemcrypto/test/oec_session_util.cpp +++ b/oemcrypto/test/oec_session_util.cpp @@ -22,13 +22,13 @@ #include #include #include +#include #include #include #include "OEMCryptoCENC.h" #include "clock.h" #include "core_message_deserialize.h" -#include "core_message_features.h" #include "core_message_serialize.h" #include "disallow_copy_and_assign.h" #include "log.h" @@ -237,6 +237,9 @@ RoundTrip:: // We need to fill in core request and verify signature only for calls other // than OEMCryptoMemory buffer overflow test. Any test other than buffer // overflow will pass true. + if (result == OEMCrypto_SUCCESS) { + gen_signature.resize(gen_signature_length); + } if (!verify_request || result != OEMCrypto_SUCCESS) return result; if (global_features.api_version >= kCoreMessagesAPI) { std::string core_message(reinterpret_cast(data.data()), @@ -247,6 +250,24 @@ RoundTrip:: return result; } +template +void RoundTrip::SetEncryptAndSignResponseLengths() { + encrypted_response_length_ = encrypted_response_.size(); + response_signature_length_ = response_signature_.size(); +} + +template +void RoundTrip::VerifyEncryptAndSignResponseLengths() const { + EXPECT_NE(encrypted_response_length_, 0u); + EXPECT_EQ(encrypted_response_length_, encrypted_response_.size()); + EXPECT_NE(response_signature_length_, 0u); + EXPECT_EQ(response_signature_length_, response_signature_.size()); +} + template void GetDefaultRequestSignatureAndCoreMessageLengths( uint32_t& session_id, const size_t& small_size, @@ -434,6 +455,7 @@ void ProvisioningRoundTrip::SignResponse() { session()->key_deriver().ServerSignBuffer(encrypted_response_.data(), encrypted_response_.size(), &response_signature_); + SetEncryptAndSignResponseLengths(); } void ProvisioningRoundTrip::InjectFuzzedResponseData(const uint8_t* data, @@ -466,11 +488,14 @@ OEMCryptoResult ProvisioningRoundTrip::LoadResponse(Session* session) { sizeof(response_data_)); } size_t wrapped_key_length = 0; - const OEMCryptoResult sts = LoadResponseNoRetry(session, &wrapped_key_length); + OEMCryptoResult sts = LoadResponseNoRetry(session, &wrapped_key_length); if (sts != OEMCrypto_ERROR_SHORT_BUFFER) return sts; - wrapped_rsa_key_.clear(); wrapped_rsa_key_.assign(wrapped_key_length, 0); - return LoadResponseNoRetry(session, &wrapped_key_length); + sts = LoadResponseNoRetry(session, &wrapped_key_length); + if (sts == OEMCrypto_SUCCESS) { + wrapped_rsa_key_.resize(wrapped_key_length); + } + return sts; } #ifdef TEST_OEMCRYPTO_V15 @@ -514,12 +539,14 @@ OEMCryptoResult ProvisioningRoundTrip::LoadResponseNoRetry( Session* session, size_t* wrapped_key_length) { EXPECT_NE(session, nullptr); if (global_features.api_version >= kCoreMessagesAPI) { + VerifyEncryptAndSignResponseLengths(); return OEMCrypto_LoadProvisioning( session->session_id(), encrypted_response_.data(), encrypted_response_.size(), serialized_core_message_.size(), response_signature_.data(), response_signature_.size(), wrapped_rsa_key_.data(), wrapped_key_length); } else if (global_features.provisioning_method == OEMCrypto_Keybox) { + VerifyEncryptAndSignResponseLengths(); return OEMCrypto_RewrapDeviceRSAKey_V15( session->session_id(), encrypted_response_.data(), encrypted_response_.size(), response_signature_.data(), @@ -764,7 +791,7 @@ void LicenseRoundTrip::FillCoreResponseSubstrings() { } } -void LicenseRoundTrip::EncryptAndSignResponse() { +void LicenseRoundTrip::EncryptResponse(bool force_clear_kcb) { ASSERT_NO_FATAL_FAILURE(session_->GenerateDerivedKeysFromSessionKey()); encrypted_response_data_ = response_data_; uint8_t iv_buffer[KEY_IV_SIZE]; @@ -780,7 +807,8 @@ void LicenseRoundTrip::EncryptAndSignResponse() { // Fuzzing skip encryption: key_data_length being a random value will // encrypt data which is not expected to, there by leading to inefficient // fuzzing. - if (response_data_.keys[i].key_data_length <= + if (!force_clear_kcb && + response_data_.keys[i].key_data_length <= sizeof(response_data_.keys[i].key_data) && response_data_.keys[i].key_data_length % 16 == 0) { memcpy(iv_buffer, &response_data_.keys[i].control_iv[0], KEY_IV_SIZE); @@ -805,6 +833,10 @@ void LicenseRoundTrip::EncryptAndSignResponse() { response_data_.keys[i].key_iv); } } +} + +void LicenseRoundTrip::CreateCoreLicenseResponseWithFeatures( + const CoreMessageFeatures& features) { if (api_version_ < kCoreMessagesAPI) { serialized_core_message_.resize(0); } else { @@ -817,11 +849,6 @@ void LicenseRoundTrip::EncryptAndSignResponse() { } std::string request_hash_string( reinterpret_cast(request_hash_), sizeof(request_hash_)); - // We might try to test a future api_version_, but we can only make a core - // message with at most the current ODK version. This is only done to verify - // that OEMCrypto does not attempt to load a future version. - CoreMessageFeatures features = CoreMessageFeatures::DefaultFeatures( - std::min(api_version_, static_cast(ODK_MAJOR_VERSION))); ASSERT_TRUE(oemcrypto_core_message::serialize::CreateCoreLicenseResponse( features, core_response_, core_request_, request_hash_string, &serialized_core_message_)); @@ -830,7 +857,9 @@ void LicenseRoundTrip::EncryptAndSignResponse() { serialized_core_message_.resize( std::max(required_core_message_size_, serialized_core_message_.size())); } +} +void LicenseRoundTrip::SignEncryptedResponse() { // Make the message buffer a just big enough, or the // required size, whichever is larger. const size_t message_size = @@ -852,6 +881,25 @@ void LicenseRoundTrip::EncryptAndSignResponse() { session()->key_deriver().ServerSignBuffer(encrypted_response_.data(), encrypted_response_.size(), &response_signature_); + SetEncryptAndSignResponseLengths(); +} + +void LicenseRoundTrip::EncryptAndSignResponse() { + EncryptResponse(); + // We might try to test a future api_version_, but we can only make a core + // message with at most the current ODK version. This is only done to verify + // that OEMCrypto does not attempt to load a future version. + CoreMessageFeatures features = CoreMessageFeatures::DefaultFeatures( + std::min(api_version_, static_cast(ODK_MAJOR_VERSION))); + CreateCoreLicenseResponseWithFeatures(features); + SignEncryptedResponse(); +} + +void LicenseRoundTrip::EncryptAndSignResponseWithCoreMessageFeatures( + const CoreMessageFeatures& features, bool force_clear_kcb) { + EncryptResponse(force_clear_kcb); + CreateCoreLicenseResponseWithFeatures(features); + SignEncryptedResponse(); } OEMCryptoResult LicenseRoundTrip::LoadResponse(Session* session) { @@ -884,6 +932,7 @@ OEMCryptoResult LicenseRoundTrip::LoadResponse(Session* session, // garbage. Since the memory after the message buffer is an exact copy of the // message, we can increment the offset by the message size and get valid // data. + VerifyEncryptAndSignResponseLengths(); std::vector double_message = encrypted_response_; double_message.insert( double_message.end(), @@ -1050,14 +1099,20 @@ OEMCrypto_Substring EntitledMessage::FindSubstring(const void* ptr, return substring; } -void EntitledMessage::LoadKeys(OEMCryptoResult expected_sts) { +void EntitledMessage::LoadKeys(bool expected_success) { EncryptContentKey(); - ASSERT_EQ(expected_sts, - OEMCrypto_LoadEntitledContentKeys( - entitled_key_session_, - reinterpret_cast(entitled_key_data_), - sizeof(entitled_key_data_), num_keys_, entitled_key_array_)); - if (expected_sts != OEMCrypto_SUCCESS) { + if (expected_success) { + ASSERT_EQ(OEMCrypto_SUCCESS, + OEMCrypto_LoadEntitledContentKeys( + entitled_key_session_, + reinterpret_cast(entitled_key_data_), + sizeof(entitled_key_data_), num_keys_, entitled_key_array_)); + } else { + ASSERT_NE(OEMCrypto_SUCCESS, + OEMCrypto_LoadEntitledContentKeys( + entitled_key_session_, + reinterpret_cast(entitled_key_data_), + sizeof(entitled_key_data_), num_keys_, entitled_key_array_)); return; } VerifyKCBs(); @@ -1337,6 +1392,7 @@ void RenewalRoundTrip::EncryptAndSignResponse() { session()->key_deriver().ServerSignBuffer(encrypted_response_.data(), encrypted_response_.size(), &response_signature_); + SetEncryptAndSignResponseLengths(); } void RenewalRoundTrip::InjectFuzzedResponseData( @@ -1384,6 +1440,7 @@ OEMCryptoResult RenewalRoundTrip::LoadResponse(Session* session) { reinterpret_cast(&encrypted_response_data_), sizeof(encrypted_response_data_)); } + VerifyEncryptAndSignResponseLengths(); if (license_messages_->api_version() < kCoreMessagesAPI) { return OEMCrypto_RefreshKeys( session->session_id(), encrypted_response_.data(), @@ -1397,6 +1454,11 @@ OEMCryptoResult RenewalRoundTrip::LoadResponse(Session* session) { } } +std::unordered_map, + std::hash> + Session::server_ephemeral_keys_; +std::mutex Session::ephemeral_key_map_lock_; + Session::Session() {} Session::~Session() { @@ -1585,6 +1647,7 @@ void Session::LoadOEMCert(bool verify_cert) { public_cert.resize(public_cert_length); ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_GetOEMPublicCertificate( public_cert.data(), &public_cert_length)); + public_cert.resize(public_cert_length); ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_LoadOEMPrivateKey(session_id())); // The cert is a PKCS7 signed data type. First, parse it into an OpenSSL @@ -1772,15 +1835,21 @@ bool Session::GenerateEccSessionKey(vector* session_key, cerr << "No public ECC key loaded in test code\n"; return false; } - auto ephemeral_key = util::EccPrivateKey::New(public_ec_->curve()); - if (!ephemeral_key) { + std::unique_lock lock(Session::ephemeral_key_map_lock_); + const util::EccCurve curve = public_ec_->curve(); + if (server_ephemeral_keys_.count(curve) == 0) { + server_ephemeral_keys_[curve] = util::EccPrivateKey::New(curve); + } + if (server_ephemeral_keys_.count(curve) == 0) { + cerr << "Failed to find/create server ECC key for curve " + << util::EccCurveToString(curve) << std::endl; return false; } - *session_key = ephemeral_key->DeriveSessionKey(*public_ec_); + *session_key = server_ephemeral_keys_[curve]->DeriveSessionKey(*public_ec_); if (session_key->empty()) { return false; } - *ecdh_public_key_data = ephemeral_key->SerializeAsPublicKey(); + *ecdh_public_key_data = server_ephemeral_keys_[curve]->SerializeAsPublicKey(); if (ecdh_public_key_data->empty()) { session_key->clear(); return false; @@ -1842,6 +1911,8 @@ void Session::UpdateUsageEntry(std::vector* header_buffer) { OEMCrypto_UpdateUsageEntry( session_id(), header_buffer->data(), &header_buffer_length, encrypted_usage_entry_.data(), &entry_buffer_length)); + header_buffer->resize(header_buffer_length); + encrypted_usage_entry_.resize(entry_buffer_length); } void Session::LoadUsageEntry(uint32_t index, const vector& buffer) { @@ -1886,6 +1957,7 @@ void Session::GenerateReport(const std::string& pst, if (expected_result != OEMCrypto_SUCCESS) { return; } + pst_report_buffer_.resize(length); EXPECT_EQ(wvutil::Unpacked_PST_Report::report_size(pst.length()), length); vector computed_signature(SHA_DIGEST_LENGTH); key_deriver_.ClientSignPstReport(pst_report_buffer_, &computed_signature); diff --git a/oemcrypto/test/oec_session_util.h b/oemcrypto/test/oec_session_util.h index ebe69ef..bd67d58 100644 --- a/oemcrypto/test/oec_session_util.h +++ b/oemcrypto/test/oec_session_util.h @@ -9,11 +9,13 @@ // #include #include +#include #include #include #include "core_message_deserialize.h" +#include "core_message_features.h" #include "core_message_serialize.h" #include "odk.h" #include "oec_device_features.h" @@ -152,7 +154,9 @@ class RoundTrip { encrypted_response_data_(), required_message_size_(0), required_core_message_size_(0), - required_request_signature_size_(0) {} + required_request_signature_size_(0), + encrypted_response_length_(0), + response_signature_length_(0) {} virtual ~RoundTrip() {} // Have OEMCrypto sign a request message and then verify the signature and the @@ -229,6 +233,11 @@ class RoundTrip { // Find the given pointer in the response_data_. virtual OEMCrypto_Substring FindSubstring(const void* pointer, size_t length); + // Set EncryptAndSignResponse output lengths for later verification. + void SetEncryptAndSignResponseLengths(); + // Verify EncryptAndSignResponse output lengths are unchanged. + void VerifyEncryptAndSignResponseLengths() const; + // ---------------------------------------------------------------------- // Member variables. Session* session_; @@ -243,6 +252,11 @@ class RoundTrip { std::vector response_signature_; std::string serialized_core_message_; std::vector encrypted_response_; + + private: + // EncryptAndSignResponse output lengths. + size_t encrypted_response_length_; + size_t response_signature_length_; }; class ProvisioningRoundTrip @@ -342,6 +356,18 @@ class LicenseRoundTrip // Fill the |core_response| substrings. virtual void FillCoreResponseSubstrings(); void EncryptAndSignResponse() override; + // Encrypt and sign license response created from a specific odk version. + void EncryptAndSignResponseWithCoreMessageFeatures( + const oemcrypto_core_message::features::CoreMessageFeatures& features, + bool force_clear_kcb); + // Encrypt license response. This is used in EncryptAndSignResponse(). + void EncryptResponse(bool force_clear_kcb = false); + // Create core license response with a specific ODK version. This is used in + // EncryptAndSignResponse(). + void CreateCoreLicenseResponseWithFeatures( + const oemcrypto_core_message::features::CoreMessageFeatures& features); + // Sign license response. This is used in EncryptAndSignResponse(). + void SignEncryptedResponse(); OEMCryptoResult LoadResponse() override { return LoadResponse(session_); } OEMCryptoResult LoadResponse(Session* session) override; OEMCryptoResult LoadResponse(Session* session, bool verify_keys); @@ -473,7 +499,7 @@ class EntitledMessage { void SetEntitledKeySession(uint32_t key_session) { entitled_key_session_ = key_session; } - void LoadKeys(OEMCryptoResult expected_sts); + void LoadKeys(bool expected_success); OEMCryptoResult LoadKeys(const vector& message); OEMCryptoResult LoadKeys(); void EncryptContentKey(); @@ -708,6 +734,19 @@ class Session { // Only one of RSA or EC should be set. std::unique_ptr public_rsa_; std::unique_ptr public_ec_; + // In provisioning 4.0, the shared session key is derived from either + // 1. (client side) client private key + server ephemeral public key, or + // 2. (server side) server ephemeral private key + client public key + // Encryption key and mac keys are derived from the shared session key, and + // are inserted in to the default license response which simulates the + // response from a license server. In order for these keys to be deterministic + // across multiple test calls of GenerateDerivedKeysFromSessionKey(), which + // simulates how the server derives keys, the ephemeral keys used by the + // "server" need to be stored for re-use. + static std::unordered_map< + util::EccCurve, std::unique_ptr, std::hash> + server_ephemeral_keys_; + static std::mutex ephemeral_key_map_lock_; vector pst_report_buffer_; MessageData license_ = {}; diff --git a/oemcrypto/test/oemcrypto_session_tests_helper.cpp b/oemcrypto/test/oemcrypto_session_tests_helper.cpp index 31b46a1..f84e37c 100644 --- a/oemcrypto/test/oemcrypto_session_tests_helper.cpp +++ b/oemcrypto/test/oemcrypto_session_tests_helper.cpp @@ -75,28 +75,35 @@ void SessionUtil::EnsureTestKeys() { // are installed in OEMCrypto and in the test session. void SessionUtil::InstallTestRSAKey(Session* s) { if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { - const size_t buffer_size = 5000; // Make sure it is large enough. - std::vector public_key(buffer_size); - size_t public_key_size = buffer_size; - std::vector public_key_signature(buffer_size); - size_t public_key_signature_size = buffer_size; - std::vector wrapped_private_key(buffer_size); - size_t wrapped_private_key_size = buffer_size; - OEMCrypto_PrivateKeyType key_type; - // Assume OEM cert has been loaded. - ASSERT_EQ( - OEMCrypto_SUCCESS, - OEMCrypto_GenerateCertificateKeyPair( - s->session_id(), public_key.data(), &public_key_size, - public_key_signature.data(), &public_key_signature_size, - wrapped_private_key.data(), &wrapped_private_key_size, &key_type)); - // Assume the public key has been verified by the server and the DRM cert is - // returned. - wrapped_private_key.resize(wrapped_private_key_size); - ASSERT_NO_FATAL_FAILURE( - s->LoadWrappedDrmKey(key_type, wrapped_private_key)); + if (wrapped_rsa_key_.size() == 0) { + // If we don't have a wrapped key yet, create one. + // This wrapped key will be shared by all sessions in the test. + const size_t buffer_size = 5000; // Make sure it is large enough. + std::vector public_key(buffer_size); + size_t public_key_size = buffer_size; + std::vector public_key_signature(buffer_size); + size_t public_key_signature_size = buffer_size; + std::vector wrapped_private_key(buffer_size); + size_t wrapped_private_key_size = buffer_size; + OEMCrypto_PrivateKeyType key_type; + // Assume OEM cert has been loaded. + ASSERT_EQ(OEMCrypto_SUCCESS, + OEMCrypto_GenerateCertificateKeyPair( + s->session_id(), public_key.data(), &public_key_size, + public_key_signature.data(), &public_key_signature_size, + wrapped_private_key.data(), &wrapped_private_key_size, + &key_type)); + // Assume the public key has been verified by the server and the DRM cert + // is returned. + wrapped_private_key.resize(wrapped_private_key_size); + public_key.resize(public_key_size); + wrapped_rsa_key_ = wrapped_private_key; + drm_public_key_ = public_key; + key_type_ = key_type; + } + ASSERT_NO_FATAL_FAILURE(s->LoadWrappedDrmKey(key_type_, wrapped_rsa_key_)); ASSERT_NO_FATAL_FAILURE(s->SetPublicKeyFromSubjectPublicKey( - key_type, public_key.data(), public_key_size)); + key_type_, drm_public_key_.data(), drm_public_key_.size())); return; } diff --git a/oemcrypto/test/oemcrypto_session_tests_helper.h b/oemcrypto/test/oemcrypto_session_tests_helper.h index 1089843..6ceb03a 100644 --- a/oemcrypto/test/oemcrypto_session_tests_helper.h +++ b/oemcrypto/test/oemcrypto_session_tests_helper.h @@ -1,38 +1,40 @@ #include -#include -#include #include #include +#include +#include +#include "OEMCryptoCENC.h" #include "oec_session_util.h" #include "oec_test_data.h" -#include "OEMCryptoCENC.h" namespace wvoec { class SessionUtil { -public: - SessionUtil() - : encoded_rsa_key_(kTestRSAPKCS8PrivateKeyInfo2_2048, - kTestRSAPKCS8PrivateKeyInfo2_2048 + - sizeof(kTestRSAPKCS8PrivateKeyInfo2_2048)) {} + public: + SessionUtil() + : encoded_rsa_key_(kTestRSAPKCS8PrivateKeyInfo2_2048, + kTestRSAPKCS8PrivateKeyInfo2_2048 + + sizeof(kTestRSAPKCS8PrivateKeyInfo2_2048)) {} - // Create a new wrapped DRM Certificate. - void CreateWrappedRSAKey(); + // Create a new wrapped DRM Certificate. + void CreateWrappedRSAKey(); - // This is used to force installation of a keybox. This overwrites the - // production keybox -- it does NOT use OEMCrypto_LoadTestKeybox. - void InstallKeybox(const wvoec::WidevineKeybox& keybox, bool good); + // This is used to force installation of a keybox. This overwrites the + // production keybox -- it does NOT use OEMCrypto_LoadTestKeybox. + void InstallKeybox(const wvoec::WidevineKeybox& keybox, bool good); - // This loads the test keybox or the test RSA key, using LoadTestKeybox or - // LoadTestRSAKey as needed. - void EnsureTestKeys(); + // This loads the test keybox or the test RSA key, using LoadTestKeybox or + // LoadTestRSAKey as needed. + void EnsureTestKeys(); - void InstallTestRSAKey(Session* s); + void InstallTestRSAKey(Session* s); - std::vector encoded_rsa_key_; - std::vector wrapped_rsa_key_; - wvoec::WidevineKeybox keybox_; + std::vector encoded_rsa_key_; + std::vector wrapped_rsa_key_; + OEMCrypto_PrivateKeyType key_type_; + std::vector drm_public_key_; + wvoec::WidevineKeybox keybox_; }; } // namespace wvoec diff --git a/oemcrypto/test/oemcrypto_test.cpp b/oemcrypto/test/oemcrypto_test.cpp index 56be420..2ae9f8c 100644 --- a/oemcrypto/test/oemcrypto_test.cpp +++ b/oemcrypto/test/oemcrypto_test.cpp @@ -266,7 +266,7 @@ TEST_F(OEMCryptoClientTest, FreeUnallocatedSecureBufferNoFailure) { */ TEST_F(OEMCryptoClientTest, VersionNumber) { const std::string log_message = - "OEMCrypto unit tests for API 17. Tests last updated 2022-04-13"; + "OEMCrypto unit tests for API 17.1. Tests last updated 2022-06-17"; cout << " " << log_message << "\n"; cout << " " << "These tests are part of Android T." @@ -275,7 +275,7 @@ TEST_F(OEMCryptoClientTest, VersionNumber) { // If any of the following fail, then it is time to update the log message // above. EXPECT_EQ(ODK_MAJOR_VERSION, 17); - EXPECT_EQ(ODK_MINOR_VERSION, 0); + EXPECT_EQ(ODK_MINOR_VERSION, 1); EXPECT_EQ(kCurrentAPI, 17u); OEMCrypto_Security_Level level = OEMCrypto_SecurityLevel(); EXPECT_GT(level, OEMCrypto_Level_Unknown); @@ -308,6 +308,9 @@ TEST_F(OEMCryptoClientTest, VersionNumber) { sts = OEMCrypto_BuildInformation(&build_info[0], &buf_length); } ASSERT_EQ(OEMCrypto_SUCCESS, sts); + if (build_info.size() != buf_length) { + build_info.resize(buf_length); + } cout << " BuildInformation: " << build_info << endl; OEMCrypto_WatermarkingSupport support = OEMCrypto_GetWatermarkingSupport(); cout << " WatermarkingSupport: " << support << endl; @@ -484,7 +487,23 @@ TEST_F(OEMCryptoClientTest, CheckNullBuildInformationAPI17) { ASSERT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, sts); size_t buf_length = 0; sts = OEMCrypto_BuildInformation(nullptr, &buf_length); - ASSERT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, sts); + // Previous versions of the test expected the wrong error code. + // Although OEMCrypto_ERROR_INVALID_CONTEXT is still accepted by + // the tests, vendors should return OEMCrypto_ERROR_SHORT_BUFFER if + // |buffer| is null and |buf_length| is zero, assigning + // the correct length to |buf_length|. + // TODO(231514699): Remove case for ERROR_INVALID_CONTEXT. + ASSERT_TRUE(OEMCrypto_ERROR_SHORT_BUFFER == sts || + OEMCrypto_ERROR_INVALID_CONTEXT == sts); + if (sts == OEMCrypto_ERROR_INVALID_CONTEXT) { + printf( + "Warning: OEMCrypto_BuildInformation should return " + "ERROR_SHORT_BUFFER.\n"); + } + if (sts == OEMCrypto_ERROR_SHORT_BUFFER) { + constexpr size_t kZero = 0; + ASSERT_GT(buf_length, kZero); + } } TEST_F(OEMCryptoClientTest, CheckMaxNumberOfSessionsAPI10) { @@ -988,9 +1007,9 @@ TEST_F(OEMCryptoKeyboxTest, NormalGetDeviceId) { uint8_t dev_id[128] = {0}; size_t dev_id_len = 128; sts = OEMCrypto_GetDeviceID(dev_id, &dev_id_len); + ASSERT_EQ(OEMCrypto_SUCCESS, sts); cout << " NormalGetDeviceId: dev_id = " << MaybeHex(dev_id, dev_id_len) << " len = " << dev_id_len << endl; - ASSERT_EQ(OEMCrypto_SUCCESS, sts); } TEST_F(OEMCryptoKeyboxTest, OEMCryptoMemoryGetDeviceIdForHugeIdLength) { @@ -1133,7 +1152,6 @@ TEST_F(OEMCryptoProv30Test, GetDeviceId) { dev_id.resize(dev_id_len); cout << " NormalGetDeviceId: dev_id = " << MaybeHex(dev_id) << " len = " << dev_id_len << endl; - ASSERT_EQ(OEMCrypto_SUCCESS, sts); } // The OEM certificate must be valid. @@ -1333,6 +1351,9 @@ TEST_F(OEMCryptoProv40Test, GenerateCertificateKeyPairSuccess) { public_key_signature.data(), &public_key_signature_size, wrapped_private_key.data(), &wrapped_private_key_size, &key_type), OEMCrypto_SUCCESS); + public_key.resize(public_key_size); + public_key_signature.resize(public_key_signature_size); + wrapped_private_key.resize(wrapped_private_key_size); // Parse the public key generated to make sure it is correctly formatted. ASSERT_NO_FATAL_FAILURE(s.SetPublicKeyFromSubjectPublicKey( key_type, public_key.data(), public_key_size)); @@ -1509,6 +1530,27 @@ TEST_F(OEMCryptoProv40Test, InstallOemPrivateKeyCanBeUsed) { } } +TEST_F(OEMCryptoProv40Test, GetDeviceId) { + OEMCryptoResult sts; + std::vector dev_id; + size_t dev_id_len = dev_id.size(); + sts = OEMCrypto_GetDeviceID(dev_id.data(), &dev_id_len); + if (sts == OEMCrypto_ERROR_SHORT_BUFFER) { + ASSERT_GT(dev_id_len, 0u); + dev_id.resize(dev_id_len); + sts = OEMCrypto_GetDeviceID(dev_id.data(), &dev_id_len); + } + ASSERT_EQ(OEMCrypto_SUCCESS, sts); + dev_id.resize(dev_id_len); + cout << " NormalGetDeviceId: dev_id = " << MaybeHex(dev_id) + << " len = " << dev_id_len << endl; + // Device id should be stable. Query again. + std::vector dev_id2(dev_id_len); + sts = OEMCrypto_GetDeviceID(dev_id2.data(), &dev_id_len); + ASSERT_EQ(OEMCrypto_SUCCESS, sts); + ASSERT_EQ(dev_id2, dev_id); +} + // // AddKey Tests // @@ -1544,6 +1586,7 @@ class OEMCryptoSessionTests : public OEMCryptoClientTest { &header_buffer_length); if (expect_success) { ASSERT_EQ(OEMCrypto_SUCCESS, sts); + encrypted_usage_header_.resize(header_buffer_length); } else { ASSERT_NE(OEMCrypto_SUCCESS, sts); } @@ -2037,11 +2080,11 @@ TEST_P(OEMCryptoEntitlementLicenseTest, LoadEntitlementKeysAPI17) { EntitledMessage entitled_message_1(&license_messages_); entitled_message_1.FillKeyArray(); entitled_message_1.SetEntitledKeySession(key_session_id); - ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(true)); EntitledMessage entitled_message_2(&license_messages_); entitled_message_2.FillKeyArray(); entitled_message_2.SetEntitledKeySession(key_session_id); - ASSERT_NO_FATAL_FAILURE(entitled_message_2.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message_2.LoadKeys(true)); } TEST_P(OEMCryptoEntitlementLicenseTest, CasOnlyLoadCasKeysAPI17) { @@ -2078,6 +2121,7 @@ TEST_P(OEMCryptoEntitlementLicenseTest, ASSERT_NO_FATAL_FAILURE(license_messages_.SignAndVerifyRequest()); ASSERT_NO_FATAL_FAILURE(license_messages_.CreateDefaultResponse()); ASSERT_NO_FATAL_FAILURE(license_messages_.EncryptAndSignResponse()); + uint32_t key_session_id = 0; ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_CreateEntitledKeySession( session_.session_id(), &key_session_id)); @@ -2086,8 +2130,7 @@ TEST_P(OEMCryptoEntitlementLicenseTest, EntitledMessage entitled_message_1(&license_messages_); entitled_message_1.FillKeyArray(); entitled_message_1.SetEntitledKeySession(key_session_id); - ASSERT_NO_FATAL_FAILURE( - entitled_message_1.LoadKeys(OEMCrypto_ERROR_INVALID_CONTEXT)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(false)); } // This verifies that entitled content keys cannot be loaded if we have loaded @@ -2125,8 +2168,7 @@ TEST_P(OEMCryptoEntitlementLicenseTest, const std::string key_id = "no_key"; entitled_message_1.SetEntitlementKeyId(0, key_id); entitled_message_1.SetEntitledKeySession(key_session_id); - ASSERT_NO_FATAL_FAILURE( - entitled_message_1.LoadKeys(OEMCrypto_KEY_NOT_ENTITLED)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(false)); } TEST_P(OEMCryptoEntitlementLicenseTest, @@ -2159,8 +2201,7 @@ TEST_P(OEMCryptoEntitlementLicenseTest, EntitledMessage entitled_message_1(&license_messages_); entitled_message_1.FillKeyArray(); entitled_message_1.SetEntitledKeySession(0); - ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys( - OEMCrypto_ERROR_INVALID_ENTITLED_KEY_SESSION)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(false)); } TEST_P(OEMCryptoEntitlementLicenseTest, @@ -2192,8 +2233,7 @@ TEST_P(OEMCryptoEntitlementLicenseTest, EntitledMessage entitled_message_1(&license_messages_); entitled_message_1.FillKeyArray(); entitled_message_1.SetEntitledKeySession(session_.session_id()); - ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys( - OEMCrypto_ERROR_INVALID_ENTITLED_KEY_SESSION)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(false)); } TEST_P(OEMCryptoEntitlementLicenseTest, @@ -2911,7 +2951,7 @@ TEST_P(OEMCryptoLicenseTest, } TEST_P(OEMCryptoLicenseTest, - OEMCryptoMemoryDecryptCENCForOutOfRangeNumBytesEncrypted) { + OEMCryptoMemoryDecryptCENCForOutOfRangeNumBytesEncryptedAPI16) { TestDecryptCENCForOutOfRangeOffsetsAndLengths( [](OEMCrypto_SampleDescription* sample_description) { OEMCrypto_SubSampleDescription* sub_samples = @@ -3002,7 +3042,7 @@ TEST_P(OEMCryptoLicenseTest, SelectKeyEntitledKeyAPI17) { entitled_message_1.SetEntitledKeySession(key_session_id); const char* content_key_id = "content_key_id"; entitled_message_1.SetContentKeyId(0, content_key_id); - ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(true)); ASSERT_EQ( OEMCrypto_SUCCESS, @@ -3026,7 +3066,7 @@ TEST_P(OEMCryptoLicenseTest, SelectKeyEntitledKeyNotThereAPI17) { EntitledMessage entitled_message_1(&license_messages_); entitled_message_1.FillKeyArray(); entitled_message_1.SetEntitledKeySession(key_session_id); - ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(true)); const char* content_key_id = "no_key"; ASSERT_EQ( @@ -3036,7 +3076,7 @@ TEST_P(OEMCryptoLicenseTest, SelectKeyEntitledKeyNotThereAPI17) { strlen(content_key_id), OEMCrypto_CipherMode_CENC)); } -// Select key with entitlement license fails if the key id is entitilement key +// Select key with entitlement license fails if the key id is entitlement key // id. TEST_P(OEMCryptoLicenseTest, SelectKeyEntitlementKeyAPI17) { license_messages_.set_license_type(OEMCrypto_EntitlementLicense); @@ -3051,13 +3091,13 @@ TEST_P(OEMCryptoLicenseTest, SelectKeyEntitlementKeyAPI17) { EntitledMessage entitled_message_1(&license_messages_); entitled_message_1.FillKeyArray(); entitled_message_1.SetEntitledKeySession(key_session_id); - ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(true)); - ASSERT_EQ(OEMCrypto_ERROR_INVALID_CONTEXT, - OEMCrypto_SelectKey(session_.session_id(), - session_.license().keys[0].key_id, - session_.license().keys[0].key_id_length, - OEMCrypto_CipherMode_CENC)); + OEMCryptoResult res = OEMCrypto_SelectKey( + session_.session_id(), session_.license().keys[0].key_id, + session_.license().keys[0].key_id_length, OEMCrypto_CipherMode_CENC); + EXPECT_TRUE(res == OEMCrypto_ERROR_INVALID_CONTEXT || + res == OEMCrypto_ERROR_NO_CONTENT_KEY); } // This verifies that entitled key sessions can be created and removed. @@ -3103,7 +3143,7 @@ TEST_P(OEMCryptoLicenseTest, EntitledKeySessionMultipleKeySessionsAPI17) { entitled_message_1.SetEntitledKeySession(key_session_id_1); const char* content_key_id_1 = "content_key_id_1"; entitled_message_1.SetContentKeyId(0, content_key_id_1); - ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(true)); // We can select content key 1 in entitled key session 1. ASSERT_EQ( OEMCrypto_SUCCESS, @@ -3122,7 +3162,7 @@ TEST_P(OEMCryptoLicenseTest, EntitledKeySessionMultipleKeySessionsAPI17) { entitled_message_2.SetEntitledKeySession(key_session_id_2); const char* content_key_id_2 = "content_key_id_2"; entitled_message_2.SetContentKeyId(0, content_key_id_2); - ASSERT_NO_FATAL_FAILURE(entitled_message_2.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message_2.LoadKeys(true)); // We can select content key 2 in entitled key session 2. ASSERT_EQ( OEMCrypto_SUCCESS, @@ -3162,7 +3202,7 @@ TEST_P(OEMCryptoLicenseTest, entitled_message_1.SetEntitledKeySession(key_session_id); const char* content_key_id_1 = "content_key_id_1"; entitled_message_1.SetContentKeyId(0, content_key_id_1); - ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(true)); // We can select content key 1 in entitled key session. ASSERT_EQ( OEMCrypto_SUCCESS, @@ -3172,7 +3212,7 @@ TEST_P(OEMCryptoLicenseTest, // Load content key with new content id. const char* content_key_id_2 = "content_key_id_2"; entitled_message_1.SetContentKeyId(0, content_key_id_2); - ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message_1.LoadKeys(true)); // We can select content key 2 in entitled key session. ASSERT_EQ( OEMCrypto_SUCCESS, @@ -3208,7 +3248,7 @@ TEST_P(OEMCryptoLicenseTest, entitled_message.SetEntitledKeySession(key_session_id); const char* content_key_id = "content_key_id"; entitled_message.SetContentKeyId(0, content_key_id); - ASSERT_NO_FATAL_FAILURE(entitled_message.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message.LoadKeys(true)); ASSERT_EQ( OEMCrypto_SUCCESS, OEMCrypto_SelectKey(key_session_id, @@ -3235,7 +3275,7 @@ TEST_P(OEMCryptoLicenseTest, // This verifies that an entitled key session can be reassociated to an // OEMCrypto session. -TEST_P(OEMCryptoLicenseTest, ReassociateEntitledKeySessionAPI17) { +TEST_P(OEMCryptoEntitlementLicenseTest, ReassociateEntitledKeySessionAPI17) { license_messages_.set_license_type(OEMCrypto_EntitlementLicense); ASSERT_NO_FATAL_FAILURE(license_messages_.SignAndVerifyRequest()); ASSERT_NO_FATAL_FAILURE(license_messages_.CreateDefaultResponse()); @@ -3254,20 +3294,19 @@ TEST_P(OEMCryptoLicenseTest, ReassociateEntitledKeySessionAPI17) { EntitledMessage entitled_message(&license_messages_); entitled_message.FillKeyArray(); entitled_message.SetEntitledKeySession(key_session_id); - ASSERT_NO_FATAL_FAILURE(entitled_message.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message.LoadKeys(true)); // Now reassociate the entitled key session to the second OEMCrypto session. ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_ReassociateEntitledKeySession( key_session_id, session2.session_id())); // session2 does not have entitlement keys. - ASSERT_NO_FATAL_FAILURE( - entitled_message.LoadKeys(OEMCrypto_ERROR_INVALID_CONTEXT)); + ASSERT_NO_FATAL_FAILURE(entitled_message.LoadKeys(false)); // Now reassociate the entitled key session back to the first OEMCrypto // session. ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_ReassociateEntitledKeySession( key_session_id, session_.session_id())); - ASSERT_NO_FATAL_FAILURE(entitled_message.LoadKeys(OEMCrypto_SUCCESS)); + ASSERT_NO_FATAL_FAILURE(entitled_message.LoadKeys(true)); } // 'cens' mode is no longer supported in v16 @@ -3424,6 +3463,39 @@ TEST_P(OEMCryptoLicenseTest, QueryKeyControl) { strlen(key_id), reinterpret_cast(&block), &size)); } +// This case tests against the issue where certain 16.4.x SDK versions return a +// clear key control block (KCB) in the license response. An OEMCrypto v17.1+ +// implementation should be able to handle the clear KCB in the 16.4.x response +// and load the license correctly. +TEST_F(OEMCryptoSessionTests, ClearKcbAPI16_4) { + Session s; + ASSERT_NO_FATAL_FAILURE(s.open()); + ASSERT_NO_FATAL_FAILURE(InstallTestRSAKey(&s)); + LicenseRoundTrip license_messages(&s); + ASSERT_NO_FATAL_FAILURE(license_messages.SignAndVerifyRequest()); + ASSERT_NO_FATAL_FAILURE(license_messages.CreateDefaultResponse()); + // Set odk version in the license response to be 16.4 + oemcrypto_core_message::features::CoreMessageFeatures features = {}; + features.maximum_major_version = 16; + features.maximum_minor_version = 4; + constexpr bool kForceClearKcb = true; + ASSERT_NO_FATAL_FAILURE( + license_messages.EncryptAndSignResponseWithCoreMessageFeatures( + features, kForceClearKcb)); + ASSERT_EQ(OEMCrypto_SUCCESS, license_messages.LoadResponse()); + + KeyControlBlock block; + size_t size = sizeof(block); + OEMCryptoResult sts = OEMCrypto_QueryKeyControl( + s.session_id(), license_messages.response_data().keys[0].key_id, + license_messages.response_data().keys[0].key_id_length, + reinterpret_cast(&block), &size); + if (sts == OEMCrypto_ERROR_NOT_IMPLEMENTED) { + return; + } + ASSERT_EQ(OEMCrypto_SUCCESS, sts); +} + TEST_F(OEMCryptoSessionTests, OEMCryptoMemoryLoadLicenseForHugeSignatureLength) { auto oemcrypto_function = [&](size_t signature_size) { @@ -3590,7 +3662,7 @@ TEST_P( TEST_P( OEMCryptoLicenseOverflowTest, - OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyControlIvLength) { + OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyControlIvLengthAPI16) { TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths( [](size_t response_message_length, LicenseRoundTrip* license_messages) { auto& key_control_iv = @@ -3634,7 +3706,7 @@ TEST_P(OEMCryptoLicenseOverflowTest, TEST_P( OEMCryptoLicenseOverflowTest, - OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyControlLength) { + OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyControlLengthAPI16) { TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths( [](size_t response_message_length, LicenseRoundTrip* license_messages) { auto& key_control = @@ -4741,7 +4813,7 @@ class OEMCryptoSessionTestsDecryptTests const TestSample& sample = samples_[0]; uint32_t hash = - wvcrc32(sample.truth_buffer.data(), sample.truth_buffer.size()); + util::wvcrc32(sample.truth_buffer.data(), sample.truth_buffer.size()); OEMCrypto_SetDecryptHash(session_.session_id(), 1, reinterpret_cast(&hash), sizeof(hash)); @@ -5614,7 +5686,7 @@ TEST_F(OEMCryptoLoadsCertificate, TEST_F( OEMCryptoLoadsCertificate, - OEMCryptoMemoryLoadProvisioningForOutOfRangeCoreMessageEncPrivateKeyIvLength) { + OEMCryptoMemoryLoadProvisioningForOutOfRangeCoreMessageEncPrivateKeyIvLengthAPI16) { TestLoadProvisioningForOutOfRangeSubstringOffsetAndLengths( [](size_t response_message_length, ProvisioningRoundTrip* provisioning_messages) { @@ -5660,7 +5732,7 @@ TEST_F(OEMCryptoLoadsCertificate, TEST_F( OEMCryptoLoadsCertificate, - OEMCryptoMemoryLoadProvisioningForOutOfRangeCoreMessageEncMessageKeyLength) { + OEMCryptoMemoryLoadProvisioningForOutOfRangeCoreMessageEncMessageKeyLengthProv30) { TestLoadProvisioningForOutOfRangeSubstringOffsetAndLengths( [](size_t response_message_length, ProvisioningRoundTrip* provisioning_messages) { @@ -5673,7 +5745,7 @@ TEST_F( TEST_F( OEMCryptoLoadsCertificate, - OEMCryptoMemoryLoadProvisioningForOutOfRangeCoreMessageEncMessageKeyOffset) { + OEMCryptoMemoryLoadProvisioningForOutOfRangeCoreMessageEncMessageKeyOffsetProv30) { TestLoadProvisioningForOutOfRangeSubstringOffsetAndLengths( [](size_t response_message_length, ProvisioningRoundTrip* provisioning_messages) { @@ -5922,9 +5994,9 @@ TEST_F(OEMCryptoLoadsCertificate, TestMaxDRMKeys) { // Attempts to load one more key than the kMaxTotalDRMPrivateKeys Session s; - encoded_rsa_key_.assign(kTestRSAPKCS8PrivateKeyInfo3_3072, - kTestRSAPKCS8PrivateKeyInfo3_3072 + - sizeof(kTestRSAPKCS8PrivateKeyInfo3_3072)); + encoded_rsa_key_.assign(kTestRSAPKCS8PrivateKeyInfo2_2048, + kTestRSAPKCS8PrivateKeyInfo2_2048 + + sizeof(kTestRSAPKCS8PrivateKeyInfo2_2048)); Session ps; ProvisioningRoundTrip provisioning_messages(&ps, encoded_rsa_key_); provisioning_messages.PrepareSession(keybox_); @@ -6055,11 +6127,10 @@ TEST_F(OEMCryptoLoadsCertificate, RSAPerformance) { licenseRequest.size()); } - uint8_t* signature = new uint8_t[signature_length]; - sts = OEMCrypto_GenerateRSASignature(s.session_id(), licenseRequest.data(), - licenseRequest.size(), signature, - &signature_length, kSign_RSASSA_PSS); - delete[] signature; + std::vector signature(signature_length, 0); + sts = OEMCrypto_GenerateRSASignature( + s.session_id(), licenseRequest.data(), licenseRequest.size(), + signature.data(), &signature_length, kSign_RSASSA_PSS); ASSERT_EQ(OEMCrypto_SUCCESS, sts); count++; } @@ -6121,7 +6192,7 @@ TEST_F(OEMCryptoLoadsCertificate, RSAPerformance) { TEST_F(OEMCryptoUsesCertificate, GenerateDerivedKeysLargeBuffer) { vector session_key; vector enc_session_key; - ASSERT_TRUE(session_.GenerateRsaSessionKey(&session_key, &enc_session_key)); + ASSERT_TRUE(session_.GenerateSessionKey(&session_key, &enc_session_key)); const size_t max_size = GetResourceValue(kLargeMessageSize); vector mac_context(max_size); vector enc_context(max_size); @@ -6141,7 +6212,7 @@ TEST_F(OEMCryptoUsesCertificate, OEMCryptoMemoryDeriveKeysFromSessionKeyForHugeMacContext) { vector session_key; vector enc_session_key; - ASSERT_TRUE(session_.GenerateRsaSessionKey(&session_key, &enc_session_key)); + ASSERT_TRUE(session_.GenerateSessionKey(&session_key, &enc_session_key)); vector mac_context; vector enc_context; session_.FillDefaultContext(&mac_context, &enc_context); @@ -6161,7 +6232,7 @@ TEST_F(OEMCryptoUsesCertificate, OEMCryptoMemoryDeriveKeysFromSessionKeyForHugeEncContext) { vector session_key; vector enc_session_key; - ASSERT_TRUE(session_.GenerateRsaSessionKey(&session_key, &enc_session_key)); + ASSERT_TRUE(session_.GenerateSessionKey(&session_key, &enc_session_key)); vector mac_context; vector enc_context; session_.FillDefaultContext(&mac_context, &enc_context); @@ -6181,7 +6252,7 @@ TEST_F(OEMCryptoUsesCertificate, OEMCryptoMemoryDeriveKeysFromSessionKeyForHugeEncSessionKey) { vector session_key; vector enc_session_key; - ASSERT_TRUE(session_.GenerateRsaSessionKey(&session_key, &enc_session_key)); + ASSERT_TRUE(session_.GenerateSessionKey(&session_key, &enc_session_key)); vector mac_context; vector enc_context; session_.FillDefaultContext(&mac_context, &enc_context); @@ -6227,7 +6298,7 @@ class OEMCryptoLoadsCertificateAlternates : public OEMCryptoLoadsCertificate { EXPECT_NE(OEMCrypto_SUCCESS, sts) << "Signed with forbidden padding scheme=" << (int)scheme << ", size=" << (int)size; - vector zero(signature_length, 0); + const vector zero(signature.size(), 0); ASSERT_EQ(zero, signature); // signature should not be computed. } @@ -6245,19 +6316,19 @@ class OEMCryptoLoadsCertificateAlternates : public OEMCryptoLoadsCertificate { ASSERT_EQ(OEMCrypto_ERROR_SHORT_BUFFER, sts); ASSERT_NE(static_cast(0), signature_length); - uint8_t* signature = new uint8_t[signature_length]; - sts = OEMCrypto_GenerateRSASignature(s.session_id(), licenseRequest.data(), - licenseRequest.size(), signature, - &signature_length, scheme); + std::vector signature(signature_length, 0); + sts = OEMCrypto_GenerateRSASignature( + s.session_id(), licenseRequest.data(), licenseRequest.size(), + signature.data(), &signature_length, scheme); ASSERT_EQ(OEMCrypto_SUCCESS, sts) << "Failed to sign with padding scheme=" << (int)scheme - << ", size=" << (int)size; + << ", size=" << size; + signature.resize(signature_length); ASSERT_NO_FATAL_FAILURE(s.SetRsaPublicKeyFromPrivateKeyInfo( encoded_rsa_key_.data(), encoded_rsa_key_.size())); - ASSERT_NO_FATAL_FAILURE(s.VerifyRsaSignature(licenseRequest, signature, - signature_length, scheme)); - delete[] signature; + ASSERT_NO_FATAL_FAILURE(s.VerifyRsaSignature( + licenseRequest, signature.data(), signature_length, scheme)); } void DisallowDeriveKeys() { @@ -6588,7 +6659,8 @@ class OEMCryptoCastReceiverTest : public OEMCryptoLoadsCertificateAlternates { ASSERT_EQ(OEMCrypto_SUCCESS, sts) << "Failed to sign with padding scheme=" << (int)scheme - << ", size=" << (int)message.size(); + << ", size=" << message.size(); + signature.resize(signature_length); ASSERT_NO_FATAL_FAILURE(s.SetRsaPublicKeyFromPrivateKeyInfo( encoded_rsa_key_.data(), encoded_rsa_key_.size())); @@ -9359,6 +9431,9 @@ class OEMCryptoUsageTableDefragTest : public OEMCryptoUsageTableTest { new_size, encrypted_usage_header_.data(), &header_buffer_length); // For the second call, we always demand the expected result. ASSERT_EQ(expected_result, sts); + if (sts == OEMCrypto_SUCCESS) { + encrypted_usage_header_.resize(header_buffer_length); + } } }; diff --git a/oemcrypto/test/oemcrypto_unittests.gypi b/oemcrypto/test/oemcrypto_unittests.gypi index c3cf344..3fbd0e4 100644 --- a/oemcrypto/test/oemcrypto_unittests.gypi +++ b/oemcrypto/test/oemcrypto_unittests.gypi @@ -17,7 +17,6 @@ 'oemcrypto_corpus_generator_helper.cpp', 'oemcrypto_session_tests_helper.cpp', 'oemcrypto_test.cpp', - 'wvcrc.cpp', ], 'conditions': [ ['test_opk_serialization_version=="true"', { @@ -53,6 +52,7 @@ ], 'dependencies': [ '<(oemcrypto_dir)/odk/src/odk.gyp:odk', + '<(oemcrypto_dir)/util/oec_ref_util.gyp:oec_ref_util', ], 'includes': [ '../../util/libssl_dependency.gypi' ], } diff --git a/oemcrypto/test/wvcrc.cpp b/oemcrypto/test/wvcrc.cpp deleted file mode 100644 index ea6de41..0000000 --- a/oemcrypto/test/wvcrc.cpp +++ /dev/null @@ -1,88 +0,0 @@ -// Copyright 2018 Google LLC. All Rights Reserved. This file and proprietary -// source code may only be used and distributed under the Widevine -// License Agreement. -// -// Compute CRC32 Checksum. Needed for verification of WV Keybox. -// -#include "platform.h" -#include "wvcrc32.h" - -namespace wvoec { - -#define INIT_CRC32 0xffffffff - -uint32_t wvrunningcrc32(const uint8_t* p_begin, size_t i_count, - uint32_t i_crc) { - constexpr uint32_t CRC32[256] = { - 0x00000000, 0x04c11db7, 0x09823b6e, 0x0d4326d9, 0x130476dc, 0x17c56b6b, - 0x1a864db2, 0x1e475005, 0x2608edb8, 0x22c9f00f, 0x2f8ad6d6, 0x2b4bcb61, - 0x350c9b64, 0x31cd86d3, 0x3c8ea00a, 0x384fbdbd, 0x4c11db70, 0x48d0c6c7, - 0x4593e01e, 0x4152fda9, 0x5f15adac, 0x5bd4b01b, 0x569796c2, 0x52568b75, - 0x6a1936c8, 0x6ed82b7f, 0x639b0da6, 0x675a1011, 0x791d4014, 0x7ddc5da3, - 0x709f7b7a, 0x745e66cd, 0x9823b6e0, 0x9ce2ab57, 0x91a18d8e, 0x95609039, - 0x8b27c03c, 0x8fe6dd8b, 0x82a5fb52, 0x8664e6e5, 0xbe2b5b58, 0xbaea46ef, - 0xb7a96036, 0xb3687d81, 0xad2f2d84, 0xa9ee3033, 0xa4ad16ea, 0xa06c0b5d, - 0xd4326d90, 0xd0f37027, 0xddb056fe, 0xd9714b49, 0xc7361b4c, 0xc3f706fb, - 0xceb42022, 0xca753d95, 0xf23a8028, 0xf6fb9d9f, 0xfbb8bb46, 0xff79a6f1, - 0xe13ef6f4, 0xe5ffeb43, 0xe8bccd9a, 0xec7dd02d, 0x34867077, 0x30476dc0, - 0x3d044b19, 0x39c556ae, 0x278206ab, 0x23431b1c, 0x2e003dc5, 0x2ac12072, - 0x128e9dcf, 0x164f8078, 0x1b0ca6a1, 0x1fcdbb16, 0x018aeb13, 0x054bf6a4, - 0x0808d07d, 0x0cc9cdca, 0x7897ab07, 0x7c56b6b0, 0x71159069, 0x75d48dde, - 0x6b93dddb, 0x6f52c06c, 0x6211e6b5, 0x66d0fb02, 0x5e9f46bf, 0x5a5e5b08, - 0x571d7dd1, 0x53dc6066, 0x4d9b3063, 0x495a2dd4, 0x44190b0d, 0x40d816ba, - 0xaca5c697, 0xa864db20, 0xa527fdf9, 0xa1e6e04e, 0xbfa1b04b, 0xbb60adfc, - 0xb6238b25, 0xb2e29692, 0x8aad2b2f, 0x8e6c3698, 0x832f1041, 0x87ee0df6, - 0x99a95df3, 0x9d684044, 0x902b669d, 0x94ea7b2a, 0xe0b41de7, 0xe4750050, - 0xe9362689, 0xedf73b3e, 0xf3b06b3b, 0xf771768c, 0xfa325055, 0xfef34de2, - 0xc6bcf05f, 0xc27dede8, 0xcf3ecb31, 0xcbffd686, 0xd5b88683, 0xd1799b34, - 0xdc3abded, 0xd8fba05a, 0x690ce0ee, 0x6dcdfd59, 0x608edb80, 0x644fc637, - 0x7a089632, 0x7ec98b85, 0x738aad5c, 0x774bb0eb, 0x4f040d56, 0x4bc510e1, - 0x46863638, 0x42472b8f, 0x5c007b8a, 0x58c1663d, 0x558240e4, 0x51435d53, - 0x251d3b9e, 0x21dc2629, 0x2c9f00f0, 0x285e1d47, 0x36194d42, 0x32d850f5, - 0x3f9b762c, 0x3b5a6b9b, 0x0315d626, 0x07d4cb91, 0x0a97ed48, 0x0e56f0ff, - 0x1011a0fa, 0x14d0bd4d, 0x19939b94, 0x1d528623, 0xf12f560e, 0xf5ee4bb9, - 0xf8ad6d60, 0xfc6c70d7, 0xe22b20d2, 0xe6ea3d65, 0xeba91bbc, 0xef68060b, - 0xd727bbb6, 0xd3e6a601, 0xdea580d8, 0xda649d6f, 0xc423cd6a, 0xc0e2d0dd, - 0xcda1f604, 0xc960ebb3, 0xbd3e8d7e, 0xb9ff90c9, 0xb4bcb610, 0xb07daba7, - 0xae3afba2, 0xaafbe615, 0xa7b8c0cc, 0xa379dd7b, 0x9b3660c6, 0x9ff77d71, - 0x92b45ba8, 0x9675461f, 0x8832161a, 0x8cf30bad, 0x81b02d74, 0x857130c3, - 0x5d8a9099, 0x594b8d2e, 0x5408abf7, 0x50c9b640, 0x4e8ee645, 0x4a4ffbf2, - 0x470cdd2b, 0x43cdc09c, 0x7b827d21, 0x7f436096, 0x7200464f, 0x76c15bf8, - 0x68860bfd, 0x6c47164a, 0x61043093, 0x65c52d24, 0x119b4be9, 0x155a565e, - 0x18197087, 0x1cd86d30, 0x029f3d35, 0x065e2082, 0x0b1d065b, 0x0fdc1bec, - 0x3793a651, 0x3352bbe6, 0x3e119d3f, 0x3ad08088, 0x2497d08d, 0x2056cd3a, - 0x2d15ebe3, 0x29d4f654, 0xc5a92679, 0xc1683bce, 0xcc2b1d17, 0xc8ea00a0, - 0xd6ad50a5, 0xd26c4d12, 0xdf2f6bcb, 0xdbee767c, 0xe3a1cbc1, 0xe760d676, - 0xea23f0af, 0xeee2ed18, 0xf0a5bd1d, 0xf464a0aa, 0xf9278673, 0xfde69bc4, - 0x89b8fd09, 0x8d79e0be, 0x803ac667, 0x84fbdbd0, 0x9abc8bd5, 0x9e7d9662, - 0x933eb0bb, 0x97ffad0c, 0xafb010b1, 0xab710d06, 0xa6322bdf, 0xa2f33668, - 0xbcb4666d, 0xb8757bda, 0xb5365d03, 0xb1f740b4}; - - /* Calculate the CRC */ - while (i_count > 0) { - i_crc = (i_crc << 8) ^ CRC32[(i_crc >> 24) ^ ((uint32_t) * p_begin)]; - p_begin++; - i_count--; - } - - return(i_crc); -} - -uint32_t wvcrc32(const uint8_t* p_begin, size_t i_count) { - return(wvrunningcrc32(p_begin, i_count, INIT_CRC32)); -} - -uint32_t wvcrc32Init() { - return INIT_CRC32; -} - -uint32_t wvcrc32Cont(const uint8_t* p_begin, size_t i_count, - uint32_t prev_crc) { - return(wvrunningcrc32(p_begin, i_count, prev_crc)); -} - -uint32_t wvcrc32n(const uint8_t* p_begin, size_t i_count) { - return htonl(wvrunningcrc32(p_begin, i_count, INIT_CRC32)); -} - -} // namespace wvoec diff --git a/oemcrypto/test/wvcrc32.h b/oemcrypto/test/wvcrc32.h deleted file mode 100644 index bf00505..0000000 --- a/oemcrypto/test/wvcrc32.h +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright 2018 Google LLC. All Rights Reserved. This file and proprietary -// source code may only be used and distributed under the Widevine -// License Agreement. -// -// Compute CRC32 Checksum. Needed for verification of WV Keybox. -// -#ifndef CDM_WVCRC32_H_ -#define CDM_WVCRC32_H_ - -#include - -namespace wvoec { - -uint32_t wvcrc32(const uint8_t* p_begin, size_t i_count); -uint32_t wvcrc32Init(); -uint32_t wvcrc32Cont(const uint8_t* p_begin, size_t i_count, uint32_t prev_crc); - -// Convert to network byte order -uint32_t wvcrc32n(const uint8_t* p_begin, size_t i_count); - -} // namespace wvoec - -#endif // CDM_WVCRC32_H_ diff --git a/oemcrypto/util/include/hmac.h b/oemcrypto/util/include/hmac.h new file mode 100644 index 0000000..279cbbf --- /dev/null +++ b/oemcrypto/util/include/hmac.h @@ -0,0 +1,139 @@ +// Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +// source code may only be used and distributed under the Widevine License +// Agreement. +// +// Reference implementation utilities of OEMCrypto APIs +// +#ifndef WVOEC_UTIL_HMAC_H_ +#define WVOEC_UTIL_HMAC_H_ + +#include +#include + +#include +#include + +#include "OEMCryptoCENCCommon.h" + +namespace wvoec { +namespace util { +// Size of an HMAC-SHA-1 signature. Same size as a SHA-1 digest. +static constexpr size_t kHmacSha1SignatureSize = 20; +// Size of an HMAC-SHA-256 signature. Same size as a SHA-256 digest. +static constexpr size_t kHmacSha256SignatureSize = 32; + +// == Signature Generate == + +// Generates a HMAC-SHA-1 signature using the provided |key| and +// |message|. Both |key| and |message| must be non-zero length. +// The input/output |signature_length| should initially contain the +// size of the |signature| buffer, and the function will assign +// the final length of the signature. +// +// Return values: +// OEMCrypto_SUCCESS if signature is generated successfully; +// |signature_length| may be updated with the actual +// signature size +// OEMCrypto_ERROR_SHORT_BUFFER if the provided |signature| buffer +// is too small to fit an HMAC-SHA-1 signature; +// |signature_length| is updated with the require size +// OEMCrypto_ERROR_INVALID_CONTEXT if any the parameters are +// incorrect +// OEMCrypto_ERROR_UNKNOWN_FAILURE otherwise +OEMCryptoResult HmacSha1(const uint8_t* key, size_t key_length, + const uint8_t* message, size_t message_length, + uint8_t* signature, size_t* signature_length); +OEMCryptoResult HmacSha1(const std::vector& key, + const uint8_t* message, size_t message_length, + uint8_t* signature, size_t* signature_length); + +std::vector HmacSha1(const std::vector& key, + const std::vector& message); + +// Generates a HMAC-SHA-256 signature using the provided |key| and +// |message|. Both |key| and |message| must be non-zero length. +// The input/output |signature_length| should initially contain the +// size of the |signature| buffer, and the function will assign +// the final length of the signature. +// +// Return values: +// OEMCrypto_SUCCESS if signature is generated successfully; +// |signature_length| may be updated with the actual +// signature size +// OEMCrypto_ERROR_SHORT_BUFFER if the provided |signature| buffer +// is too small to fit an HMAC-SHA-256 signature; +// |signature_length| is updated with the require size +// OEMCrypto_ERROR_INVALID_CONTEXT if any the parameters are +// incorrect +// OEMCrypto_ERROR_UNKNOWN_FAILURE otherwise +OEMCryptoResult HmacSha256(const uint8_t* key, size_t key_length, + const uint8_t* message, size_t message_length, + uint8_t* signature, size_t* signature_length); +OEMCryptoResult HmacSha256(const std::vector& key, + const uint8_t* message, size_t message_length, + uint8_t* signature, size_t* signature_length); + +bool HmacSha256(const std::vector& key, + const std::vector& message, + std::vector* signature); + +bool HmacSha256(const std::vector& key, const std::string& message, + std::vector* signature); + +std::vector HmacSha256(const std::vector& key, + const uint8_t* message, size_t message_length); +std::vector HmacSha256(const std::vector& key, + const std::vector& message); +std::vector HmacSha256(const std::vector& key, + const std::string& message); + +// == Signature Verification == + +// Verifies an HMAC-SHA-1 signature using the provided |key| and +// |message| against the provided |signature|. +// +// Return values: +// OEMCrypto_SUCCESS if signature is valid +// OEMCrypto_ERROR_SIGNATURE_FAILURE if signature is invalid +// OEMCrypto_ERROR_INVALID_CONTEXT if any the parameters are +// incorrect +// OEMCrypto_ERROR_UNKNOWN_FAILURE otherwise +OEMCryptoResult HmacSha1Verify(const uint8_t* key, size_t key_length, + const uint8_t* message, size_t message_length, + const uint8_t* signature, + size_t signature_length); +OEMCryptoResult HmacSha1Verify(const std::vector& key, + const uint8_t* message, size_t message_length, + const uint8_t* signature, + size_t signature_length); + +OEMCryptoResult HmacSha1Verify(const std::vector& key, + const std::vector& message, + const std::vector& signature); + +// Verifies an HMAC-SHA-256 signature using the provided |key| and +// |message| against the provided |signature|. +// +// Return values: +// OEMCrypto_SUCCESS if signature is valid +// OEMCrypto_ERROR_SIGNATURE_FAILURE if signature is invalid +// OEMCrypto_ERROR_INVALID_CONTEXT if any the parameters are +// incorrect +// OEMCrypto_ERROR_UNKNOWN_FAILURE otherwise +OEMCryptoResult HmacSha256Verify(const uint8_t* key, size_t key_length, + const uint8_t* message, size_t message_length, + const uint8_t* signature, + size_t signature_length); +OEMCryptoResult HmacSha256Verify(const std::vector& key, + const uint8_t* message, size_t message_length, + const uint8_t* signature, + size_t signature_length); +OEMCryptoResult HmacSha256Verify(const std::vector& key, + const std::vector& message, + const std::vector& signature); +OEMCryptoResult HmacSha256Verify(const std::vector& key, + const std::string& message, + const std::vector& signature); +} // namespace util +} // namespace wvoec +#endif // WVOEC_UTIL_HMAC_H_ diff --git a/oemcrypto/util/oec_ref_util.gypi b/oemcrypto/util/oec_ref_util.gypi index e238fda..9c1e1e9 100644 --- a/oemcrypto/util/oec_ref_util.gypi +++ b/oemcrypto/util/oec_ref_util.gypi @@ -19,6 +19,7 @@ }, 'sources': [ '<(oemcrypto_dir)/util/src/cmac.cpp', + '<(oemcrypto_dir)/util/src/hmac.cpp', '<(oemcrypto_dir)/util/src/oemcrypto_drm_key.cpp', '<(oemcrypto_dir)/util/src/oemcrypto_ecc_key.cpp', '<(oemcrypto_dir)/util/src/oemcrypto_key_deriver.cpp', diff --git a/oemcrypto/util/oec_ref_util_unittests.gypi b/oemcrypto/util/oec_ref_util_unittests.gypi index fd50119..095f901 100644 --- a/oemcrypto/util/oec_ref_util_unittests.gypi +++ b/oemcrypto/util/oec_ref_util_unittests.gypi @@ -16,6 +16,7 @@ }, 'sources': [ '<(oemcrypto_dir)/util/test/cmac_unittest.cpp', + '<(oemcrypto_dir)/util/test/hmac_unittest.cpp', '<(oemcrypto_dir)/util/test/oem_cert_test.cpp', '<(oemcrypto_dir)/util/test/oemcrypto_ecc_key_unittest.cpp', '<(oemcrypto_dir)/util/test/oemcrypto_oem_cert_unittest.cpp', diff --git a/oemcrypto/util/src/hmac.cpp b/oemcrypto/util/src/hmac.cpp new file mode 100644 index 0000000..8d665e5 --- /dev/null +++ b/oemcrypto/util/src/hmac.cpp @@ -0,0 +1,269 @@ +// Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +// source code may only be used and distributed under the Widevine License +// Agreement. +// +// Reference implementation utilities of OEMCrypto APIs +// +#include "hmac.h" + +#include +#include +#include + +#include "log.h" +#include "string_conversions.h" + +namespace wvoec { +namespace util { +namespace { +constexpr bool kHmacSha256 = true; +constexpr bool kHmacSha1 = false; +const std::vector kEmptyVector; + +// Assumes all parameters are valid. +inline bool HmacShaInternal(const uint8_t* key, size_t key_length, + const uint8_t* message, size_t message_length, + uint8_t* signature, bool sha256) { + return HMAC(sha256 ? EVP_sha256() : EVP_sha1(), key, + static_cast(key_length), message, message_length, signature, + nullptr) != nullptr; +} + +OEMCryptoResult GenerateSignatureInternal(const uint8_t* key, size_t key_length, + const uint8_t* message, + size_t message_length, + uint8_t* signature, + size_t* signature_length, + bool sha256) { + if (key == nullptr || key_length == 0) { + LOGE("Input |key| is %s", key_length == 0 ? "empty" : "null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (message == nullptr || message_length == 0) { + LOGE("Input |message| is %s", message_length == 0 ? "empty" : "null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (signature_length == nullptr) { + LOGE("Input/output |signature_length| is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (signature == nullptr && *signature_length > 0) { + LOGE("Output |signature| is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + const size_t required_signature_size = + sha256 ? kHmacSha256SignatureSize : kHmacSha1SignatureSize; + if (*signature_length < required_signature_size) { + *signature_length = required_signature_size; + return OEMCrypto_ERROR_SHORT_BUFFER; + } + if (!HmacShaInternal(key, key_length, message, message_length, signature, + sha256)) { + LOGE("Failed to generate signature"); + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + *signature_length = required_signature_size; + return OEMCrypto_SUCCESS; +} + +bool GenerateSignatureInternal(const uint8_t* key, size_t key_length, + const uint8_t* message, size_t message_length, + std::vector* signature, bool sha256) { + if (signature == nullptr) { + LOGE("Output |signature| is null"); + return false; + } + size_t signature_length = + sha256 ? kHmacSha256SignatureSize : kHmacSha1SignatureSize; + signature->resize(signature_length); + const OEMCryptoResult res = + GenerateSignatureInternal(key, key_length, message, message_length, + signature->data(), &signature_length, sha256); + if (res != OEMCrypto_SUCCESS) { + signature->clear(); + return false; + } + return true; +} + +// Assumes signature pointers are valid. +inline bool CompareSignatures(const uint8_t* signature_a, + const uint8_t* signature_b, bool sha256) { + const size_t signature_size = + sha256 ? kHmacSha256SignatureSize : kHmacSha1SignatureSize; + return CRYPTO_memcmp(signature_a, signature_b, signature_size) == 0; +} + +OEMCryptoResult VerifySignatureInternal(const uint8_t* key, size_t key_length, + const uint8_t* message, + size_t message_length, + const uint8_t* signature, + size_t signature_length, bool sha256) { + if (signature == nullptr && signature_length > 0) { + LOGE("Input |signature| is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + size_t expected_signature_length = + sha256 ? kHmacSha256SignatureSize : kHmacSha1SignatureSize; + if (signature_length != expected_signature_length) { + LOGE("Invalid signature length: expected = %zu, actual = %zu", + expected_signature_length, signature_length); + return OEMCrypto_ERROR_SIGNATURE_FAILURE; + } + // Allocate for the larger of the two. + uint8_t expected_signature[kHmacSha256SignatureSize]; + const OEMCryptoResult res = GenerateSignatureInternal( + key, key_length, message, message_length, expected_signature, + &expected_signature_length, sha256); + if (res != OEMCrypto_SUCCESS) return res; + if (!CompareSignatures(signature, expected_signature, sha256)) { + LOGD("Signatures do not match: type = HMAC-SHA-%s", sha256 ? "256" : "1"); + LOGD("provided = %s", + wvutil::HexEncode(signature, signature_length).c_str()); + LOGD("expected = %s", + wvutil::HexEncode(expected_signature, expected_signature_length) + .c_str()); + return OEMCrypto_ERROR_SIGNATURE_FAILURE; + } + return OEMCrypto_SUCCESS; +} +} // namespace + +OEMCryptoResult HmacSha1(const uint8_t* key, size_t key_length, + const uint8_t* message, size_t message_length, + uint8_t* signature, size_t* signature_length) { + return GenerateSignatureInternal(key, key_length, message, message_length, + signature, signature_length, kHmacSha1); +} + +OEMCryptoResult HmacSha1(const std::vector& key, + const uint8_t* message, size_t message_length, + uint8_t* signature, size_t* signature_length) { + return GenerateSignatureInternal(key.data(), key.size(), message, + message_length, signature, signature_length, + kHmacSha1); +} + +std::vector HmacSha1(const std::vector& key, + const std::vector& message) { + std::vector signature; + const bool res = + GenerateSignatureInternal(key.data(), key.size(), message.data(), + message.size(), &signature, kHmacSha1); + return res ? signature : kEmptyVector; +} + +OEMCryptoResult HmacSha256(const uint8_t* key, size_t key_length, + const uint8_t* message, size_t message_length, + uint8_t* signature, size_t* signature_length) { + return GenerateSignatureInternal(key, key_length, message, message_length, + signature, signature_length, kHmacSha256); +} + +OEMCryptoResult HmacSha256(const std::vector& key, + const uint8_t* message, size_t message_length, + uint8_t* signature, size_t* signature_length) { + return GenerateSignatureInternal(key.data(), key.size(), message, + message_length, signature, signature_length, + kHmacSha256); +} + +bool HmacSha256(const std::vector& key, + const std::vector& message, + std::vector* signature) { + return GenerateSignatureInternal(key.data(), key.size(), message.data(), + message.size(), signature, kHmacSha256); +} + +bool HmacSha256(const std::vector& key, const std::string& message, + std::vector* signature) { + return GenerateSignatureInternal( + key.data(), key.size(), reinterpret_cast(message.data()), + message.size(), signature, kHmacSha256); +} + +std::vector HmacSha256(const std::vector& key, + const uint8_t* message, size_t message_length) { + std::vector signature; + const bool res = GenerateSignatureInternal( + key.data(), key.size(), message, message_length, &signature, kHmacSha256); + return res ? signature : kEmptyVector; +} + +std::vector HmacSha256(const std::vector& key, + const std::vector& message) { + std::vector signature; + const bool res = + GenerateSignatureInternal(key.data(), key.size(), message.data(), + message.size(), &signature, kHmacSha256); + return res ? signature : kEmptyVector; +} + +std::vector HmacSha256(const std::vector& key, + const std::string& message) { + std::vector signature; + const bool res = GenerateSignatureInternal( + key.data(), key.size(), reinterpret_cast(message.data()), + message.size(), &signature, kHmacSha256); + return res ? signature : kEmptyVector; +} + +OEMCryptoResult HmacSha1Verify(const uint8_t* key, size_t key_length, + const uint8_t* message, size_t message_length, + const uint8_t* signature, + size_t signature_length) { + return VerifySignatureInternal(key, key_length, message, message_length, + signature, signature_length, kHmacSha1); +} + +OEMCryptoResult HmacSha1Verify(const std::vector& key, + const uint8_t* message, size_t message_length, + const uint8_t* signature, + size_t signature_length) { + return VerifySignatureInternal(key.data(), key.size(), message, + message_length, signature, signature_length, + kHmacSha1); +} + +OEMCryptoResult HmacSha1Verify(const std::vector& key, + const std::vector& message, + const std::vector& signature) { + return VerifySignatureInternal(key.data(), key.size(), message.data(), + message.size(), signature.data(), + signature.size(), kHmacSha1); +} + +OEMCryptoResult HmacSha256Verify(const uint8_t* key, size_t key_length, + const uint8_t* message, size_t message_length, + const uint8_t* signature, + size_t signature_length) { + return VerifySignatureInternal(key, key_length, message, message_length, + signature, signature_length, kHmacSha256); +} + +OEMCryptoResult HmacSha256Verify(const std::vector& key, + const uint8_t* message, size_t message_length, + const uint8_t* signature, + size_t signature_length) { + return VerifySignatureInternal(key.data(), key.size(), message, + message_length, signature, signature_length, + kHmacSha256); +} + +OEMCryptoResult HmacSha256Verify(const std::vector& key, + const std::vector& message, + const std::vector& signature) { + return VerifySignatureInternal(key.data(), key.size(), message.data(), + message.size(), signature.data(), + signature.size(), kHmacSha256); +} + +OEMCryptoResult HmacSha256Verify(const std::vector& key, + const std::string& message, + const std::vector& signature) { + return VerifySignatureInternal( + key.data(), key.size(), reinterpret_cast(message.data()), + message.size(), signature.data(), signature.size(), kHmacSha256); +} +} // namespace util +} // namespace wvoec diff --git a/oemcrypto/util/test/hmac_unittest.cpp b/oemcrypto/util/test/hmac_unittest.cpp new file mode 100644 index 0000000..bc4f355 --- /dev/null +++ b/oemcrypto/util/test/hmac_unittest.cpp @@ -0,0 +1,597 @@ +// Copyright 2022 Google LLC. All Rights Reserved. This file and proprietary +// source code may only be used and distributed under the Widevine License +// Agreement. +// +// Reference implementation utilities of OEMCrypto APIs +// +#include + +#include + +#include "hmac.h" +#include "string_conversions.h" + +namespace wvoec { +namespace util { +namespace { +struct HmacTestVector { + std::vector key; + std::vector message; + std::vector signature; + std::vector signature_sha1; +}; + +void PrintTo(const HmacTestVector& v, std::ostream* os) { + constexpr size_t kMaxSize = 32; + *os << "{"; + if (v.key.size() > kMaxSize) { + std::vector short_short(v.key.begin(), v.key.begin() + kMaxSize); + *os << "key = " << wvutil::b2a_hex(short_short); + *os << "... (size = " << std::to_string(v.key.size()) << "), "; + } else { + *os << "key = " << wvutil::b2a_hex(v.key) << ", "; + } + if (v.message.size() > kMaxSize) { + std::vector short_message(v.message.begin(), + v.message.begin() + kMaxSize); + *os << "message = " << wvutil::b2a_hex(short_message); + *os << "... (size = " << std::to_string(v.message.size()) << "), "; + } else { + *os << "message = " << wvutil::b2a_hex(v.message) << ", "; + } + *os << "signature = " << wvutil::b2a_hex(v.signature) << ", "; + *os << "signature_sha1 = " << wvutil::b2a_hex(v.signature_sha1) << "}"; +} + +std::vector FromString(const std::string& s) { + return std::vector(s.begin(), s.end()); +} + +// Test vectors come from RFC4231 Section 4 (test case 5 is omitted). +const HmacTestVector kHmacTestVectorList[] = { + {/* key = */ wvutil::a2b_hex("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), + /* message = */ FromString("Hi There"), + /* signature = */ + wvutil::a2b_hex( + "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"), + /* signature_sha1 = */ + wvutil::a2b_hex("b617318655057264e28bc0b6fb378c8ef146be00")}, + {/* key = */ FromString("Jefe"), + /* message = */ FromString("what do ya want for nothing?"), + /* signature = */ + wvutil::a2b_hex( + "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"), + /* signature_sha1 = */ + wvutil::a2b_hex("effcdf6ae5eb2fa2d27416d5f184df9c259a7c79")}, + {/* key = */ std::vector(20, 0xaa), + /* message = */ std::vector(50, 0xdd), + /* signature = */ + wvutil::a2b_hex( + "773ea91e36800e46854db8ebd09181a72959098b3ef8c122d9635514ced565fe"), + /* signature_sha1 = */ + wvutil::a2b_hex("125d7342b9ac11cd91a39af48aa17b4f63f175d3")}, + {/* key = */ wvutil::a2b_hex( + "0102030405060708090a0b0c0d0e0f10111213141516171819"), + /* message = */ std::vector(50, 0xcd), + /* signature = */ + wvutil::a2b_hex( + "82558a389a443c0ea4cc819899f2083a85f0faa3e578f8077a2e3ff46729665b"), + /* signature_sha1 = */ + wvutil::a2b_hex("4c9007f4026250c6bc8414f9bf50c86c2d7235da")}, + {/* key = */ std::vector(131, 0xaa), + /* message = */ + FromString("Test Using Larger Than Block-Size Key - Hash Key First"), + /* signature = */ + wvutil::a2b_hex( + "60e431591ee0b67f0d8a26aacbf5b77f8e0bc6213728c5140546040f0ee37f54"), + /* signature_sha1 = */ + wvutil::a2b_hex("90d0dace1c1bdc957339307803160335bde6df2b")}, + {/* key = */ std::vector(131, 0xaa), + /* message = */ + FromString( + "This is a test using a larger than block-size key and a larger " + "than block-size data. The key needs to be hashed before being " + "used by the HMAC algorithm."), + /* signature = */ + wvutil::a2b_hex( + "9b09ffa71b942fcb27635fbcd5b0e944bfdc63644f0713938a7f51535c3a35e2"), + /* signature_sha1 = */ + wvutil::a2b_hex("217e44bb08b6e06a2d6c30f3cb9f537f97c63356")}}; + +const std::vector kEmptyVector; +const std::string kEmptyString; +} // namespace + +TEST(OEMCryptoHmacApiTest, GenerateSignatureSha1_InvalidParameters) { + const std::vector key = kHmacTestVectorList[0].key; + const std::vector message = kHmacTestVectorList[0].message; + // Pointers only. + size_t signature_length = kHmacSha256SignatureSize; + std::vector signature(signature_length); + OEMCryptoResult result = + HmacSha1(nullptr, key.size(), message.data(), message.size(), + signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = nullptr"; + result = HmacSha1(key.data(), 0, message.data(), message.size(), + signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key_length = 0"; + result = HmacSha1(key.data(), key.size(), nullptr, message.size(), + signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = nullptr"; + result = HmacSha1(key.data(), key.size(), message.data(), 0, signature.data(), + &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message_length = 0"; + result = HmacSha1(key.data(), key.size(), message.data(), message.size(), + nullptr, &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "signature = nullptr"; + result = HmacSha1(key.data(), key.size(), message.data(), message.size(), + signature.data(), nullptr); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) + << "signature_length = nullptr"; + + // Vector key. + result = HmacSha1(kEmptyVector, message.data(), message.size(), + signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = "; + result = HmacSha1(key, nullptr, message.size(), signature.data(), + &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = nullptr"; + result = + HmacSha1(key, message.data(), 0, signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message_length = 0"; + result = + HmacSha1(key, message.data(), message.size(), nullptr, &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "signature = nullptr"; + result = + HmacSha1(key, message.data(), message.size(), signature.data(), nullptr); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) + << "signature_length = nullptr"; + + // Vector message, vector output. + signature = HmacSha1(kEmptyVector, message); + EXPECT_TRUE(signature.empty()) << "key = "; + signature = HmacSha1(key, kEmptyVector); + EXPECT_TRUE(signature.empty()) << "message = "; +} + +TEST(OEMCryptoHmacApiTest, GenerateSignature_InvalidParameters) { + const std::vector key = kHmacTestVectorList[0].key; + const std::vector message = kHmacTestVectorList[0].message; + // Pointers only. + size_t signature_length = kHmacSha256SignatureSize; + std::vector signature(signature_length); + OEMCryptoResult result = + HmacSha256(nullptr, key.size(), message.data(), message.size(), + signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = nullptr"; + result = HmacSha256(key.data(), 0, message.data(), message.size(), + signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key_length = 0"; + result = HmacSha256(key.data(), key.size(), nullptr, message.size(), + signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = nullptr"; + result = HmacSha256(key.data(), key.size(), message.data(), 0, + signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message_length = 0"; + result = HmacSha256(key.data(), key.size(), message.data(), message.size(), + nullptr, &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "signature = nullptr"; + result = HmacSha256(key.data(), key.size(), message.data(), message.size(), + signature.data(), nullptr); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) + << "signature_length = nullptr"; + + // Vector key. + result = HmacSha256(kEmptyVector, message.data(), message.size(), + signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = "; + result = HmacSha256(key, nullptr, message.size(), signature.data(), + &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = nullptr"; + result = + HmacSha256(key, message.data(), 0, signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message_length = 0"; + result = HmacSha256(key, message.data(), message.size(), nullptr, + &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "signature = nullptr"; + result = HmacSha256(key, message.data(), message.size(), signature.data(), + nullptr); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) + << "signature_length = nullptr"; + + // Vector message, vector output signature parameter. + signature.clear(); + EXPECT_FALSE(HmacSha256(kEmptyVector, message, &signature)) + << "key = "; + EXPECT_FALSE(HmacSha256(key, kEmptyVector, &signature)) + << "message = "; + EXPECT_FALSE(HmacSha256(key, message, nullptr)) << "signature = nullptr"; + + // String message, vector output signature parameter. + const std::string message_str(message.begin(), message.end()); + EXPECT_FALSE(HmacSha256(kEmptyVector, message_str, &signature)) + << "key = "; + EXPECT_FALSE(HmacSha256(key, kEmptyString, &signature)) + << "message = "; + EXPECT_FALSE(HmacSha256(key, message_str, nullptr)) << "signature = nullptr"; + + // Pointer message, vector output. + signature = HmacSha256(kEmptyVector, message.data(), message.size()); + EXPECT_TRUE(signature.empty()) << "key = "; + signature = HmacSha256(key, nullptr, message.size()); + EXPECT_TRUE(signature.empty()) << "message = nullptr"; + signature = HmacSha256(key, message.data(), 0); + EXPECT_TRUE(signature.empty()) << "message_length = 0"; + + // Vector message, vector output. + signature = HmacSha256(kEmptyVector, message); + EXPECT_TRUE(signature.empty()) << "key = "; + signature = HmacSha256(key, kEmptyVector); + EXPECT_TRUE(signature.empty()) << "message = "; + + // String message, vector output. + signature = HmacSha256(kEmptyVector, message_str); + EXPECT_TRUE(signature.empty()) << "key = "; + signature = HmacSha256(key, kEmptyString); + EXPECT_TRUE(signature.empty()) << "message = "; +} + +TEST(OEMCryptoHmacApiTest, VerifySignatureSha1_InvalidParameters) { + const std::vector key = kHmacTestVectorList[0].key; + const std::vector message = kHmacTestVectorList[0].message; + const std::vector signature = kHmacTestVectorList[0].signature_sha1; + + // Pointers only. + OEMCryptoResult result = + HmacSha1Verify(nullptr, key.size(), message.data(), message.size(), + signature.data(), signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = nullptr"; + result = HmacSha1Verify(key.data(), 0, message.data(), message.size(), + signature.data(), signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key_length = 0"; + result = HmacSha1Verify(key.data(), key.size(), nullptr, message.size(), + signature.data(), signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = nullptr"; + result = HmacSha1Verify(key.data(), key.size(), message.data(), 0, + signature.data(), signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message_length = 0"; + result = HmacSha1Verify(key.data(), key.size(), message.data(), + message.size(), nullptr, signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "signature = nullptr"; + result = HmacSha1Verify(key.data(), key.size(), message.data(), + message.size(), signature.data(), 0); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE) + << "signature_length = 0"; + + // Vector key, pointer others. + result = HmacSha1Verify(kEmptyVector, message.data(), message.size(), + signature.data(), signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = "; + result = HmacSha1Verify(key, nullptr, message.size(), signature.data(), + signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = nullptr"; + result = HmacSha1Verify(key, message.data(), 0, signature.data(), + signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message_length = 0"; + result = HmacSha1Verify(key, message.data(), message.size(), nullptr, + signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "signature = nullptr"; + result = + HmacSha1Verify(key, message.data(), message.size(), signature.data(), 0); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE) + << "signature_length = 0"; + + // Vector only. + result = HmacSha1Verify(kEmptyVector, message, signature); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = "; + result = HmacSha1Verify(key, kEmptyVector, signature); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = "; + result = HmacSha1Verify(key, message, kEmptyVector); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE) << "signature = "; +} + +TEST(OEMCryptoHmacApiTest, VerifySignature_InvalidParameters) { + const std::vector key = kHmacTestVectorList[0].key; + const std::vector message = kHmacTestVectorList[0].message; + const std::vector signature = kHmacTestVectorList[0].signature; + + // Pointers only. + OEMCryptoResult result = + HmacSha256Verify(nullptr, key.size(), message.data(), message.size(), + signature.data(), signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = nullptr"; + result = HmacSha256Verify(key.data(), 0, message.data(), message.size(), + signature.data(), signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key_length = 0"; + result = HmacSha256Verify(key.data(), key.size(), nullptr, message.size(), + signature.data(), signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = nullptr"; + result = HmacSha256Verify(key.data(), key.size(), message.data(), 0, + signature.data(), signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message_length = 0"; + result = HmacSha256Verify(key.data(), key.size(), message.data(), + message.size(), nullptr, signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "signature = nullptr"; + result = HmacSha256Verify(key.data(), key.size(), message.data(), + message.size(), signature.data(), 0); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE) + << "signature_length = 0"; + + // Vector key, pointer others. + result = HmacSha256Verify(kEmptyVector, message.data(), message.size(), + signature.data(), signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = "; + result = HmacSha256Verify(key, nullptr, message.size(), signature.data(), + signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = nullptr"; + result = HmacSha256Verify(key, message.data(), 0, signature.data(), + signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message_length = 0"; + result = HmacSha256Verify(key, message.data(), message.size(), nullptr, + signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "signature = nullptr"; + result = HmacSha256Verify(key, message.data(), message.size(), + signature.data(), 0); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE) + << "signature_length = 0"; + + // Vector only. + result = HmacSha256Verify(kEmptyVector, message, signature); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = "; + result = HmacSha256Verify(key, kEmptyVector, signature); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = "; + result = HmacSha256Verify(key, message, kEmptyVector); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE) << "signature = "; + + // String message, vector others. + const std::string message_str(message.begin(), message.end()); + result = HmacSha256Verify(kEmptyVector, message_str, signature); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "key = "; + result = HmacSha256Verify(key, kEmptyString, signature); + EXPECT_EQ(result, OEMCrypto_ERROR_INVALID_CONTEXT) << "message = "; + result = HmacSha256Verify(key, message_str, kEmptyVector); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE) << "signature = "; +} + +class OEMCryptoHmacTest : public testing::TestWithParam { + public: + void SetUp() override { + HmacTestVector v = GetParam(); + key_ = std::move(v.key); + message_ = std::move(v.message); + expected_signature_ = std::move(v.signature); + expected_signature_sha1_ = std::move(v.signature_sha1); + ASSERT_FALSE(key_.empty()) << "Missing test key"; + ASSERT_FALSE(message_.empty()) << "Missing test message"; + ASSERT_EQ(expected_signature_.size(), kHmacSha256SignatureSize) + << "Invalid test HMAC-SHA-256 signature"; + ASSERT_EQ(expected_signature_sha1_.size(), kHmacSha1SignatureSize) + << "Invalid test HMAC-SHA-1 signature"; + } + + void TearDown() override { + key_.clear(); + message_.clear(); + expected_signature_.clear(); + expected_signature_sha1_.clear(); + } + + std::string GetStringMessage() const { + return std::string(message_.begin(), message_.end()); + } + + std::vector GenerateBadSignature() const { + std::vector bad_signature = expected_signature_; + bad_signature[kHmacSha256SignatureSize / 2] ^= 0x87; + return bad_signature; + } + + std::vector GenerateBadSignatureSha1() const { + std::vector bad_signature = expected_signature_sha1_; + bad_signature[kHmacSha1SignatureSize / 2] ^= 0x87; + return bad_signature; + } + + protected: + std::vector key_; + std::vector message_; + std::vector expected_signature_; + std::vector expected_signature_sha1_; +}; + +TEST_P(OEMCryptoHmacTest, GenerateSignatureSha1_PointersOnly) { + size_t signature_length = 0; + OEMCryptoResult result = + HmacSha1(key_.data(), key_.size(), message_.data(), message_.size(), + nullptr, &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_SHORT_BUFFER); + EXPECT_EQ(signature_length, kHmacSha1SignatureSize); + + signature_length = kHmacSha1SignatureSize * 2; + std::vector signature(signature_length); + result = HmacSha1(key_.data(), key_.size(), message_.data(), message_.size(), + signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + EXPECT_EQ(signature_length, kHmacSha1SignatureSize); + signature.resize(kHmacSha1SignatureSize); + EXPECT_EQ(signature, expected_signature_sha1_); +} + +TEST_P(OEMCryptoHmacTest, GenerateSignatureSha1_VectorKeyPointerOther) { + size_t signature_length = 0; + OEMCryptoResult result = HmacSha1(key_, message_.data(), message_.size(), + nullptr, &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_SHORT_BUFFER); + EXPECT_EQ(signature_length, kHmacSha1SignatureSize); + + signature_length = kHmacSha1SignatureSize * 2; + std::vector signature(signature_length); + result = HmacSha1(key_, message_.data(), message_.size(), signature.data(), + &signature_length); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + EXPECT_EQ(signature_length, kHmacSha1SignatureSize); + signature.resize(kHmacSha1SignatureSize); + EXPECT_EQ(signature, expected_signature_sha1_); +} + +TEST_P(OEMCryptoHmacTest, GenerateSignatureSha1_VectorMessageVectorResult) { + const std::vector signature = HmacSha1(key_, message_); + EXPECT_EQ(signature.size(), kHmacSha1SignatureSize); + EXPECT_EQ(signature, expected_signature_sha1_); +} + +TEST_P(OEMCryptoHmacTest, GenerateSignature_PointersOnly) { + size_t signature_length = 0; + OEMCryptoResult result = + HmacSha256(key_.data(), key_.size(), message_.data(), message_.size(), + nullptr, &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_SHORT_BUFFER); + EXPECT_EQ(signature_length, kHmacSha256SignatureSize); + + signature_length = kHmacSha256SignatureSize * 2; + std::vector signature(signature_length); + result = HmacSha256(key_.data(), key_.size(), message_.data(), + message_.size(), signature.data(), &signature_length); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + EXPECT_EQ(signature_length, kHmacSha256SignatureSize); + signature.resize(kHmacSha256SignatureSize); + EXPECT_EQ(signature, expected_signature_); +} + +TEST_P(OEMCryptoHmacTest, GenerateSignature_VectorKeyPointerOther) { + size_t signature_length = 0; + OEMCryptoResult result = HmacSha256(key_, message_.data(), message_.size(), + nullptr, &signature_length); + EXPECT_EQ(result, OEMCrypto_ERROR_SHORT_BUFFER); + EXPECT_EQ(signature_length, kHmacSha256SignatureSize); + + signature_length = kHmacSha256SignatureSize * 2; + std::vector signature(signature_length); + result = HmacSha256(key_, message_.data(), message_.size(), signature.data(), + &signature_length); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + EXPECT_EQ(signature_length, kHmacSha256SignatureSize); + signature.resize(kHmacSha256SignatureSize); + EXPECT_EQ(signature, expected_signature_); +} + +TEST_P(OEMCryptoHmacTest, GenerateSignature_VectorMessageVectorOutputArgument) { + std::vector signature; + EXPECT_TRUE(HmacSha256(key_, message_, &signature)); + EXPECT_EQ(signature.size(), kHmacSha256SignatureSize); + EXPECT_EQ(signature, expected_signature_); +} + +TEST_P(OEMCryptoHmacTest, GenerateSignature_StringMessageVectorOutputArgument) { + const std::string message_str = GetStringMessage(); + std::vector signature; + EXPECT_TRUE(HmacSha256(key_, message_str, &signature)); + EXPECT_EQ(signature.size(), kHmacSha256SignatureSize); + EXPECT_EQ(signature, expected_signature_); +} + +TEST_P(OEMCryptoHmacTest, GenerateSignature_PointerMessageVectorResult) { + const std::vector signature = + HmacSha256(key_, message_.data(), message_.size()); + EXPECT_EQ(signature.size(), kHmacSha256SignatureSize); + EXPECT_EQ(signature, expected_signature_); +} + +TEST_P(OEMCryptoHmacTest, GenerateSignature_VectorMessageVectorResult) { + const std::vector signature = HmacSha256(key_, message_); + EXPECT_EQ(signature.size(), kHmacSha256SignatureSize); + EXPECT_EQ(signature, expected_signature_); +} + +TEST_P(OEMCryptoHmacTest, GenerateSignature_StringMessageVectorResult) { + const std::string message_str = GetStringMessage(); + const std::vector signature = HmacSha256(key_, message_str); + EXPECT_EQ(signature.size(), kHmacSha256SignatureSize); + EXPECT_EQ(signature, expected_signature_); +} + +TEST_P(OEMCryptoHmacTest, VerifySignatureSha1_PointersOnly) { + OEMCryptoResult result = HmacSha1Verify( + key_.data(), key_.size(), message_.data(), message_.size(), + expected_signature_sha1_.data(), expected_signature_sha1_.size()); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + + const std::vector bad_signature = GenerateBadSignatureSha1(); + result = + HmacSha1Verify(key_.data(), key_.size(), message_.data(), message_.size(), + bad_signature.data(), bad_signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE); +} + +TEST_P(OEMCryptoHmacTest, VerifySignatureSha1_VectorKeyPointerOther) { + OEMCryptoResult result = HmacSha1Verify( + key_, message_.data(), message_.size(), expected_signature_sha1_.data(), + expected_signature_sha1_.size()); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + + const std::vector bad_signature = GenerateBadSignatureSha1(); + result = HmacSha1Verify(key_, message_.data(), message_.size(), + bad_signature.data(), bad_signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE); +} + +TEST_P(OEMCryptoHmacTest, VerifySignatureSha1_VectorsOnly) { + OEMCryptoResult result = + HmacSha1Verify(key_, message_, expected_signature_sha1_); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + + const std::vector bad_signature = GenerateBadSignatureSha1(); + result = HmacSha1Verify(key_, message_, bad_signature); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE); +} + +TEST_P(OEMCryptoHmacTest, VerifySignature_PointersOnly) { + OEMCryptoResult result = HmacSha256Verify( + key_.data(), key_.size(), message_.data(), message_.size(), + expected_signature_.data(), expected_signature_.size()); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + + const std::vector bad_signature = GenerateBadSignature(); + result = HmacSha256Verify(key_.data(), key_.size(), message_.data(), + message_.size(), bad_signature.data(), + bad_signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE); +} + +TEST_P(OEMCryptoHmacTest, VerifySignature_VectorKeyPointerOther) { + OEMCryptoResult result = + HmacSha256Verify(key_, message_.data(), message_.size(), + expected_signature_.data(), expected_signature_.size()); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + + const std::vector bad_signature = GenerateBadSignature(); + result = HmacSha256Verify(key_, message_.data(), message_.size(), + bad_signature.data(), bad_signature.size()); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE); +} + +TEST_P(OEMCryptoHmacTest, VerifySignature_VectorsOnly) { + OEMCryptoResult result = + HmacSha256Verify(key_, message_, expected_signature_); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + + const std::vector bad_signature = GenerateBadSignature(); + result = HmacSha256Verify(key_, message_, bad_signature); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE); +} + +TEST_P(OEMCryptoHmacTest, VerifySignature_StringMessageVectorOther) { + const std::string message_str = GetStringMessage(); + OEMCryptoResult result = + HmacSha256Verify(key_, message_str, expected_signature_); + EXPECT_EQ(result, OEMCrypto_SUCCESS); + + const std::vector bad_signature = GenerateBadSignature(); + result = HmacSha256Verify(key_, message_str, bad_signature); + EXPECT_EQ(result, OEMCrypto_ERROR_SIGNATURE_FAILURE); +} + +INSTANTIATE_TEST_SUITE_P(HmacVectors, OEMCryptoHmacTest, + testing::ValuesIn(kHmacTestVectorList)); +} // namespace util +} // namespace wvoec