keymaster_defs.h revision c3ab05c3c40311cdae88eed35dc8884ecb5b1fd9
1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#ifndef ANDROID_HARDWARE_KEYMASTER_DEFS_H 18#define ANDROID_HARDWARE_KEYMASTER_DEFS_H 19 20#include <stdint.h> 21#include <stdlib.h> 22#include <string.h> 23 24__BEGIN_DECLS 25 26/** 27 * Authorization tags each have an associated type. This enumeration facilitates tagging each with 28 * a type, by using the high four bits (of an implied 32-bit unsigned enum value) to specify up to 29 * 16 data types. These values are ORed with tag IDs to generate the final tag ID values. 30 */ 31typedef enum { 32 KM_INVALID = 0 << 28, /* Invalid type, used to designate a tag as uninitialized */ 33 KM_ENUM = 1 << 28, 34 KM_ENUM_REP = 2 << 28, /* Repeatable enumeration value. */ 35 KM_INT = 3 << 28, 36 KM_INT_REP = 4 << 28, /* Repeatable integer value */ 37 KM_LONG = 5 << 28, 38 KM_DATE = 6 << 28, 39 KM_BOOL = 7 << 28, 40 KM_BIGNUM = 8 << 28, 41 KM_BYTES = 9 << 28, 42} keymaster_tag_type_t; 43 44typedef enum { 45 KM_TAG_INVALID = KM_INVALID | 0, 46 47 /* 48 * Tags that must be semantically enforced by hardware and software implementations. 49 */ 50 51 /* Crypto parameters */ 52 KM_TAG_PURPOSE = KM_ENUM_REP | 1, /* keymaster_purpose_t. */ 53 KM_TAG_ALGORITHM = KM_ENUM | 2, /* keymaster_algorithm_t. */ 54 KM_TAG_KEY_SIZE = KM_INT | 3, /* Key size in bits. */ 55 KM_TAG_BLOCK_MODE = KM_ENUM | 4, /* keymaster_block_mode_t. */ 56 KM_TAG_DIGEST = KM_ENUM | 5, /* keymaster_digest_t. */ 57 KM_TAG_MAC_LENGTH = KM_INT | 6, /* MAC or AEAD authentication tag length in bits. */ 58 KM_TAG_PADDING = KM_ENUM | 7, /* keymaster_padding_t. */ 59 KM_TAG_RETURN_UNAUTHED = KM_BOOL | 8, /* Allow AEAD decryption to return plaintext before it has 60 been authenticated. WARNING: Not recommended. */ 61 KM_TAG_CALLER_NONCE = KM_BOOL | 9, /* Allow caller to specify nonce or IV. */ 62 63 /* Other hardware-enforced. */ 64 KM_TAG_RESCOPING_ADD = KM_ENUM_REP | 101, /* Tags authorized for addition via rescoping. */ 65 KM_TAG_RESCOPING_DEL = KM_ENUM_REP | 102, /* Tags authorized for removal via rescoping. */ 66 KM_TAG_BLOB_USAGE_REQUIREMENTS = KM_ENUM | 705, /* keymaster_key_blob_usage_requirements_t */ 67 68 /* Algorithm-specific. */ 69 KM_TAG_RSA_PUBLIC_EXPONENT = KM_LONG | 200, /* Defaults to 2^16+1 */ 70 KM_TAG_DSA_GENERATOR = KM_BIGNUM | 201, 71 KM_TAG_DSA_P = KM_BIGNUM | 202, 72 KM_TAG_DSA_Q = KM_BIGNUM | 203, 73 /* Note there are no EC-specific params. Field size is defined by KM_TAG_KEY_SIZE, and the 74 curve is chosen from NIST recommendations for field size */ 75 76 /* 77 * Tags that should be semantically enforced by hardware if possible and will otherwise be 78 * enforced by software (keystore). 79 */ 80 81 /* Key validity period */ 82 KM_TAG_ACTIVE_DATETIME = KM_DATE | 400, /* Start of validity */ 83 KM_TAG_ORIGINATION_EXPIRE_DATETIME = KM_DATE | 401, /* Date when new "messages" should no 84 longer be created. */ 85 KM_TAG_USAGE_EXPIRE_DATETIME = KM_DATE | 402, /* Date when existing "messages" should no 86 longer be trusted. */ 87 KM_TAG_MIN_SECONDS_BETWEEN_OPS = KM_INT | 403, /* Minimum elapsed time between 88 cryptographic operations with the key. */ 89 KM_TAG_MAX_USES_PER_BOOT = KM_INT | 404, /* Number of times the key can be used per 90 boot. */ 91 92 /* User authentication */ 93 KM_TAG_ALL_USERS = KM_BOOL | 500, /* If key is usable by all users. */ 94 KM_TAG_USER_ID = KM_INT | 501, /* ID of authorized user. Disallowed if 95 KM_TAG_ALL_USERS is present. */ 96 KM_TAG_NO_AUTH_REQUIRED = KM_BOOL | 502, /* If key is usable without authentication. */ 97 KM_TAG_USER_AUTH_ID = KM_INT_REP | 503, /* ID of the authenticator to use (e.g. password, 98 fingerprint, etc.). Repeatable to support 99 multi-factor auth. Disallowed if 100 KM_TAG_NO_AUTH_REQUIRED is present. */ 101 KM_TAG_AUTH_TIMEOUT = KM_INT | 504, /* Required freshness of user authentication for 102 private/secret key operations, in seconds. 103 Public key operations require no authentication. 104 If absent, authentication is required for every 105 use. Authentication state is lost when the 106 device is powered off. */ 107 108 /* Application access control */ 109 KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600, /* If key is usable by all applications. */ 110 KM_TAG_APPLICATION_ID = KM_BYTES | 601, /* ID of authorized application. Disallowed if 111 KM_TAG_ALL_APPLICATIONS is present. */ 112 113 /* 114 * Semantically unenforceable tags, either because they have no specific meaning or because 115 * they're informational only. 116 */ 117 KM_TAG_APPLICATION_DATA = KM_BYTES | 700, /* Data provided by authorized application. */ 118 KM_TAG_CREATION_DATETIME = KM_DATE | 701, /* Key creation time */ 119 KM_TAG_ORIGIN = KM_ENUM | 702, /* keymaster_key_origin_t. */ 120 KM_TAG_ROLLBACK_RESISTANT = KM_BOOL | 703, /* Whether key is rollback-resistant. */ 121 KM_TAG_ROOT_OF_TRUST = KM_BYTES | 704, /* Root of trust ID. Empty array means usable by all 122 roots. */ 123 124 /* Tags used only to provide data to or receive data from operations */ 125 KM_TAG_ASSOCIATED_DATA = KM_BYTES | 1000, /* Used to provide associated data for AEAD modes. */ 126 KM_TAG_NONCE = KM_BYTES | 1001, /* Nonce or Initialization Vector */ 127 KM_TAG_CHUNK_LENGTH = KM_INT | 1002, /* AEAD mode chunk size, in bytes. 0 means no limit, 128 which requires KM_TAG_RETURN_UNAUTHED. */ 129 KM_TAG_AUTH_TOKEN = KM_BYTES | 1003, /* Authentication token that proves secure user 130 authentication has been performed. Structure 131 defined in hw_auth_token_t in hw_auth_token.h. */ 132} keymaster_tag_t; 133 134/** 135 * Algorithms that may be provided by keymaster implementations. Those that must be provided by all 136 * implementations are tagged as "required". 137 */ 138typedef enum { 139 /* Asymmetric algorithms. */ 140 KM_ALGORITHM_RSA = 1, /* required */ 141 KM_ALGORITHM_DSA = 2, 142 KM_ALGORITHM_ECDSA = 3, /* required */ 143 KM_ALGORITHM_ECIES = 4, 144 /* FIPS Approved Ciphers */ 145 KM_ALGORITHM_AES = 32, /* required */ 146 KM_ALGORITHM_3DES = 33, 147 KM_ALGORITHM_SKIPJACK = 34, 148 /* AES Finalists */ 149 KM_ALGORITHM_MARS = 48, 150 KM_ALGORITHM_RC6 = 49, 151 KM_ALGORITHM_SERPENT = 50, 152 KM_ALGORITHM_TWOFISH = 51, 153 /* Other common block ciphers */ 154 KM_ALGORITHM_IDEA = 52, 155 KM_ALGORITHM_RC5 = 53, 156 KM_ALGORITHM_CAST5 = 54, 157 KM_ALGORITHM_BLOWFISH = 55, 158 /* Common stream ciphers */ 159 KM_ALGORITHM_RC4 = 64, 160 KM_ALGORITHM_CHACHA20 = 65, 161 /* MAC algorithms */ 162 KM_ALGORITHM_HMAC = 128, /* required */ 163} keymaster_algorithm_t; 164 165/** 166 * Symmetric block cipher modes that may be provided by keymaster implementations. Those that must 167 * be provided by all implementations are tagged as "required". This type is new in 0_4. 168 * 169 * KM_MODE_FIRST_UNAUTHENTICATED, KM_MODE_FIRST_AUTHENTICATED and KM_MODE_FIRST_MAC are not modes, 170 * but markers used to separate the available modes into classes. 171 */ 172typedef enum { 173 /* Unauthenticated modes, usable only for encryption/decryption and not generally recommended 174 * except for compatibility with existing other protocols. */ 175 KM_MODE_FIRST_UNAUTHENTICATED = 1, 176 KM_MODE_ECB = KM_MODE_FIRST_UNAUTHENTICATED, /* required */ 177 KM_MODE_CBC = 2, /* required */ 178 KM_MODE_CBC_CTS = 3, /* recommended */ 179 KM_MODE_CTR = 4, /* recommended */ 180 KM_MODE_OFB = 5, 181 KM_MODE_CFB = 6, 182 KM_MODE_XTS = 7, /* Note: requires double-length keys */ 183 /* Authenticated modes, usable for encryption/decryption and signing/verification. Recommended 184 * over unauthenticated modes for all purposes. One of KM_MODE_GCM and KM_MODE_OCB is 185 * required. */ 186 KM_MODE_FIRST_AUTHENTICATED = 32, 187 KM_MODE_GCM = KM_MODE_FIRST_AUTHENTICATED, 188 KM_MODE_OCB = 33, 189 KM_MODE_CCM = 34, 190 /* MAC modes -- only for signing/verification */ 191 KM_MODE_FIRST_MAC = 128, 192 KM_MODE_CMAC = KM_MODE_FIRST_MAC, 193 KM_MODE_POLY1305 = 129, 194} keymaster_block_mode_t; 195 196/** 197 * Padding modes that may be applied to plaintext for encryption operations. This list includes 198 * padding modes for both symmetric and asymmetric algorithms. Note that implementations should not 199 * provide all possible combinations of algorithm and padding, only the 200 * cryptographically-appropriate pairs. 201 */ 202typedef enum { 203 KM_PAD_NONE = 1, /* required, deprecated */ 204 KM_PAD_RSA_OAEP = 2, /* required */ 205 KM_PAD_RSA_PSS = 3, /* required */ 206 KM_PAD_RSA_PKCS1_1_5_ENCRYPT = 4, 207 KM_PAD_RSA_PKCS1_1_5_SIGN = 5, 208 KM_PAD_ANSI_X923 = 32, 209 KM_PAD_ISO_10126 = 33, 210 KM_PAD_ZERO = 64, /* required */ 211 KM_PAD_PKCS7 = 65, /* required */ 212 KM_PAD_ISO_7816_4 = 66, 213} keymaster_padding_t; 214 215/** 216 * Digests that may be provided by keymaster implementations. Those that must be provided by all 217 * implementations are tagged as "required". Those that have been added since version 0_2 of the 218 * API are tagged as "new". 219 */ 220typedef enum { 221 KM_DIGEST_NONE = 0, /* new, required */ 222 KM_DIGEST_MD5 = 1, /* new, for compatibility with old protocols only */ 223 KM_DIGEST_SHA1 = 2, /* new */ 224 KM_DIGEST_SHA_2_224 = 3, /* new */ 225 KM_DIGEST_SHA_2_256 = 4, /* new, required */ 226 KM_DIGEST_SHA_2_384 = 5, /* new, recommended */ 227 KM_DIGEST_SHA_2_512 = 6, /* new, recommended */ 228 KM_DIGEST_SHA_3_256 = 7, /* new */ 229 KM_DIGEST_SHA_3_384 = 8, /* new */ 230 KM_DIGEST_SHA_3_512 = 9, /* new */ 231} keymaster_digest_t; 232 233/** 234 * The origin of a key (or pair), i.e. where it was generated. Origin and can be used together to 235 * determine whether a key may have existed outside of secure hardware. This type is new in 0_4. 236 */ 237typedef enum { 238 KM_ORIGIN_HARDWARE = 0, /* Generated in secure hardware */ 239 KM_ORIGIN_SOFTWARE = 1, /* Generated in non-secure software */ 240 KM_ORIGIN_IMPORTED = 2, /* Imported, origin unknown */ 241} keymaster_key_origin_t; 242 243/** 244 * Usability requirements of key blobs. This defines what system functionality must be available 245 * for the key to function. For example, key "blobs" which are actually handles referencing 246 * encrypted key material stored in the file system cannot be used until the file system is 247 * available, and should have BLOB_REQUIRES_FILE_SYSTEM. Other requirements entries will be added 248 * as needed for implementations. This type is new in 0_4. 249 */ 250typedef enum { 251 KM_BLOB_STANDALONE = 0, 252 KM_BLOB_REQUIRES_FILE_SYSTEM = 1, 253} keymaster_key_blob_usage_requirements_t; 254 255/** 256 * Possible purposes of a key (or pair). This type is new in 0_4. 257 */ 258typedef enum { 259 KM_PURPOSE_ENCRYPT = 0, 260 KM_PURPOSE_DECRYPT = 1, 261 KM_PURPOSE_SIGN = 2, 262 KM_PURPOSE_VERIFY = 3, 263} keymaster_purpose_t; 264 265typedef struct { 266 const uint8_t* data; 267 size_t data_length; 268} keymaster_blob_t; 269 270typedef struct { 271 keymaster_tag_t tag; 272 union { 273 uint32_t enumerated; /* KM_ENUM and KM_ENUM_REP */ 274 bool boolean; /* KM_BOOL */ 275 uint32_t integer; /* KM_INT and KM_INT_REP */ 276 uint64_t long_integer; /* KM_LONG */ 277 uint64_t date_time; /* KM_DATE */ 278 keymaster_blob_t blob; /* KM_BIGNUM and KM_BYTES*/ 279 }; 280} keymaster_key_param_t; 281 282typedef struct { 283 keymaster_key_param_t* params; /* may be NULL if length == 0 */ 284 size_t length; 285} keymaster_key_param_set_t; 286 287/** 288 * Parameters that define a key's characteristics, including authorized modes of usage and access 289 * control restrictions. The parameters are divided into two categories, those that are enforced by 290 * secure hardware, and those that are not. For a software-only keymaster implementation the 291 * enforced array must NULL. Hardware implementations must enforce everything in the enforced 292 * array. 293 */ 294typedef struct { 295 keymaster_key_param_set_t hw_enforced; 296 keymaster_key_param_set_t sw_enforced; 297} keymaster_key_characteristics_t; 298 299typedef struct { 300 const uint8_t* key_material; 301 size_t key_material_size; 302} keymaster_key_blob_t; 303 304/** 305 * Formats for key import and export. At present, only asymmetric key import/export is supported. 306 * In the future this list will expand greatly to accommodate asymmetric key import/export. 307 */ 308typedef enum { 309 KM_KEY_FORMAT_X509 = 0, /* for public key export, required */ 310 KM_KEY_FORMAT_PKCS8 = 1, /* for asymmetric key pair import, required */ 311 KM_KEY_FORMAT_PKCS12 = 2, /* for asymmetric key pair import, not required */ 312 KM_KEY_FORMAT_RAW = 3, /* for symmetric key import, required */ 313} keymaster_key_format_t; 314 315/** 316 * The keymaster operation API consists of begin, update, finish and abort. This is the type of the 317 * handle used to tie the sequence of calls together. A 64-bit value is used because it's important 318 * that handles not be predictable. Implementations must use strong random numbers for handle 319 * values. 320 */ 321typedef uint64_t keymaster_operation_handle_t; 322 323typedef enum { 324 KM_ERROR_OK = 0, 325 KM_ERROR_ROOT_OF_TRUST_ALREADY_SET = -1, 326 KM_ERROR_UNSUPPORTED_PURPOSE = -2, 327 KM_ERROR_INCOMPATIBLE_PURPOSE = -3, 328 KM_ERROR_UNSUPPORTED_ALGORITHM = -4, 329 KM_ERROR_INCOMPATIBLE_ALGORITHM = -5, 330 KM_ERROR_UNSUPPORTED_KEY_SIZE = -6, 331 KM_ERROR_UNSUPPORTED_BLOCK_MODE = -7, 332 KM_ERROR_INCOMPATIBLE_BLOCK_MODE = -8, 333 KM_ERROR_UNSUPPORTED_MAC_LENGTH = -9, 334 KM_ERROR_UNSUPPORTED_PADDING_MODE = -10, 335 KM_ERROR_INCOMPATIBLE_PADDING_MODE = -11, 336 KM_ERROR_UNSUPPORTED_DIGEST = -12, 337 KM_ERROR_INCOMPATIBLE_DIGEST = -13, 338 KM_ERROR_INVALID_EXPIRATION_TIME = -14, 339 KM_ERROR_INVALID_USER_ID = -15, 340 KM_ERROR_INVALID_AUTHORIZATION_TIMEOUT = -16, 341 KM_ERROR_UNSUPPORTED_KEY_FORMAT = -17, 342 KM_ERROR_INCOMPATIBLE_KEY_FORMAT = -18, 343 KM_ERROR_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19, /* For PKCS8 & PKCS12 */ 344 KM_ERROR_UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20, /* For PKCS8 & PKCS12 */ 345 KM_ERROR_INVALID_INPUT_LENGTH = -21, 346 KM_ERROR_KEY_EXPORT_OPTIONS_INVALID = -22, 347 KM_ERROR_DELEGATION_NOT_ALLOWED = -23, 348 KM_ERROR_KEY_NOT_YET_VALID = -24, 349 KM_ERROR_KEY_EXPIRED = -25, 350 KM_ERROR_KEY_USER_NOT_AUTHENTICATED = -26, 351 KM_ERROR_OUTPUT_PARAMETER_NULL = -27, 352 KM_ERROR_INVALID_OPERATION_HANDLE = -28, 353 KM_ERROR_INSUFFICIENT_BUFFER_SPACE = -29, 354 KM_ERROR_VERIFICATION_FAILED = -30, 355 KM_ERROR_TOO_MANY_OPERATIONS = -31, 356 KM_ERROR_UNEXPECTED_NULL_POINTER = -32, 357 KM_ERROR_INVALID_KEY_BLOB = -33, 358 KM_ERROR_IMPORTED_KEY_NOT_ENCRYPTED = -34, 359 KM_ERROR_IMPORTED_KEY_DECRYPTION_FAILED = -35, 360 KM_ERROR_IMPORTED_KEY_NOT_SIGNED = -36, 361 KM_ERROR_IMPORTED_KEY_VERIFICATION_FAILED = -37, 362 KM_ERROR_INVALID_ARGUMENT = -38, 363 KM_ERROR_UNSUPPORTED_TAG = -39, 364 KM_ERROR_INVALID_TAG = -40, 365 KM_ERROR_MEMORY_ALLOCATION_FAILED = -41, 366 KM_ERROR_INVALID_RESCOPING = -42, 367 KM_ERROR_INVALID_DSA_PARAMS = -43, 368 KM_ERROR_IMPORT_PARAMETER_MISMATCH = -44, 369 KM_ERROR_SECURE_HW_ACCESS_DENIED = -45, 370 KM_ERROR_OPERATION_CANCELLED = -46, 371 KM_ERROR_CONCURRENT_ACCESS_CONFLICT = -47, 372 KM_ERROR_SECURE_HW_BUSY = -48, 373 KM_ERROR_SECURE_HW_COMMUNICATION_FAILED = -49, 374 KM_ERROR_UNSUPPORTED_EC_FIELD = -50, 375 KM_ERROR_MISSING_NONCE = -51, 376 KM_ERROR_INVALID_NONCE = -52, 377 KM_ERROR_UNSUPPORTED_CHUNK_LENGTH = -53, 378 KM_ERROR_RESCOPABLE_KEY_NOT_USABLE = -54, 379 380 KM_ERROR_UNIMPLEMENTED = -100, 381 KM_ERROR_VERSION_MISMATCH = -101, 382 383 /* Additional error codes may be added by implementations, but implementers should coordinate 384 * with Google to avoid code collision. */ 385 KM_ERROR_UNKNOWN_ERROR = -1000, 386} keymaster_error_t; 387 388/* Convenience functions for manipulating keymaster tag types */ 389 390static inline keymaster_tag_type_t keymaster_tag_get_type(keymaster_tag_t tag) { 391 return (keymaster_tag_type_t)(tag & (0xF << 28)); 392} 393 394static inline uint32_t keymaster_tag_mask_type(keymaster_tag_t tag) { 395 return tag & 0x0FFFFFFF; 396} 397 398static inline bool keymaster_tag_type_repeatable(keymaster_tag_type_t type) { 399 switch (type) { 400 case KM_INT_REP: 401 case KM_ENUM_REP: 402 return true; 403 default: 404 return false; 405 } 406} 407 408static inline bool keymaster_tag_repeatable(keymaster_tag_t tag) { 409 return keymaster_tag_type_repeatable(keymaster_tag_get_type(tag)); 410} 411 412/* Convenience functions for manipulating keymaster_key_param_t structs */ 413 414inline keymaster_key_param_t keymaster_param_enum(keymaster_tag_t tag, uint32_t value) { 415 // assert(keymaster_tag_get_type(tag) == KM_ENUM || keymaster_tag_get_type(tag) == KM_ENUM_REP); 416 keymaster_key_param_t param; 417 memset(¶m, 0, sizeof(param)); 418 param.tag = tag; 419 param.enumerated = value; 420 return param; 421} 422 423inline keymaster_key_param_t keymaster_param_int(keymaster_tag_t tag, uint32_t value) { 424 // assert(keymaster_tag_get_type(tag) == KM_INT || keymaster_tag_get_type(tag) == KM_INT_REP); 425 keymaster_key_param_t param; 426 memset(¶m, 0, sizeof(param)); 427 param.tag = tag; 428 param.integer = value; 429 return param; 430} 431 432inline keymaster_key_param_t keymaster_param_long(keymaster_tag_t tag, uint64_t value) { 433 // assert(keymaster_tag_get_type(tag) == KM_LONG); 434 keymaster_key_param_t param; 435 memset(¶m, 0, sizeof(param)); 436 param.tag = tag; 437 param.long_integer = value; 438 return param; 439} 440 441inline keymaster_key_param_t keymaster_param_blob(keymaster_tag_t tag, const uint8_t* bytes, 442 size_t bytes_len) { 443 // assert(keymaster_tag_get_type(tag) == KM_BYTES || keymaster_tag_get_type(tag) == KM_BIGNUM); 444 keymaster_key_param_t param; 445 memset(¶m, 0, sizeof(param)); 446 param.tag = tag; 447 param.blob.data = (uint8_t*)bytes; 448 param.blob.data_length = bytes_len; 449 return param; 450} 451 452inline keymaster_key_param_t keymaster_param_bool(keymaster_tag_t tag) { 453 // assert(keymaster_tag_get_type(tag) == KM_BOOL); 454 keymaster_key_param_t param; 455 memset(¶m, 0, sizeof(param)); 456 param.tag = tag; 457 param.boolean = true; 458 return param; 459} 460 461inline keymaster_key_param_t keymaster_param_date(keymaster_tag_t tag, uint64_t value) { 462 // assert(keymaster_tag_get_type(tag) == KM_DATE); 463 keymaster_key_param_t param; 464 memset(¶m, 0, sizeof(param)); 465 param.tag = tag; 466 param.date_time = value; 467 return param; 468} 469 470#define KEYMASTER_SIMPLE_COMPARE(a, b) (a < b) ? -1 : ((a > b) ? 1 : 0) 471inline int keymaster_param_compare(const keymaster_key_param_t* a, const keymaster_key_param_t* b) { 472 int retval = KEYMASTER_SIMPLE_COMPARE(a->tag, b->tag); 473 if (retval != 0) 474 return retval; 475 476 switch (keymaster_tag_get_type(a->tag)) { 477 case KM_INVALID: 478 case KM_BOOL: 479 return 0; 480 case KM_ENUM: 481 case KM_ENUM_REP: 482 return KEYMASTER_SIMPLE_COMPARE(a->enumerated, b->enumerated); 483 case KM_INT: 484 case KM_INT_REP: 485 return KEYMASTER_SIMPLE_COMPARE(a->integer, b->integer); 486 case KM_LONG: 487 return KEYMASTER_SIMPLE_COMPARE(a->long_integer, b->long_integer); 488 case KM_DATE: 489 return KEYMASTER_SIMPLE_COMPARE(a->date_time, b->date_time); 490 case KM_BIGNUM: 491 case KM_BYTES: 492 // Handle the empty cases. 493 if (a->blob.data_length != 0 && b->blob.data_length == 0) 494 return -1; 495 if (a->blob.data_length == 0 && b->blob.data_length == 0) 496 return 0; 497 if (a->blob.data_length == 0 && b->blob.data_length > 0) 498 return 1; 499 500 retval = memcmp(a->blob.data, b->blob.data, a->blob.data_length < b->blob.data_length 501 ? a->blob.data_length 502 : b->blob.data_length); 503 if (retval != 0) 504 return retval; 505 else if (a->blob.data_length != b->blob.data_length) { 506 // Equal up to the common length; longer one is larger. 507 if (a->blob.data_length < b->blob.data_length) 508 return -1; 509 if (a->blob.data_length > b->blob.data_length) 510 return 1; 511 }; 512 } 513 514 return 0; 515} 516#undef KEYMASTER_SIMPLE_COMPARE 517 518inline void keymaster_free_param_values(keymaster_key_param_t* param, size_t param_count) { 519 while (param_count-- > 0) { 520 switch (keymaster_tag_get_type(param->tag)) { 521 case KM_BIGNUM: 522 case KM_BYTES: 523 free((void*)param->blob.data); 524 param->blob.data = NULL; 525 break; 526 default: 527 // NOP 528 break; 529 } 530 ++param; 531 } 532} 533 534inline void keymaster_free_param_set(keymaster_key_param_set_t* set) { 535 if (set) { 536 keymaster_free_param_values(set->params, set->length); 537 free(set->params); 538 set->params = NULL; 539 } 540} 541 542inline void keymaster_free_characteristics(keymaster_key_characteristics_t* characteristics) { 543 if (characteristics) { 544 keymaster_free_param_set(&characteristics->hw_enforced); 545 keymaster_free_param_set(&characteristics->sw_enforced); 546 } 547} 548 549__END_DECLS 550 551#endif // ANDROID_HARDWARE_KEYMASTER_DEFS_H 552