author | 鞠明岐 <jumingqi@xiaomi.corp-partner.google.com> | 2023-07-24 10:59:58 +0800 |
---|---|---|
committer | 鞠明岐 <jumingqi@xiaomi.corp-partner.google.com> | 2023-08-03 14:39:25 +0800 |
commit | 9339e797ef411c3c47df19ab557552dae5c8b595 (patch) | |
tree | 8957b4dbf609ac90eff835d5a0043e97981ff859 | |
parent | 86340259e968f3cbb906e814b531fd2686ab5894 (diff) | |
download | libese-9339e797ef411c3c47df19ab557552dae5c8b595.tar.gz |
WeaverApplet:Increase failure count before key compare for security
Resist Cancel-After-Match-Fail and Match-After-Lock
Bug: https://issuetracker.google.com/issues/292464264
Test: N/A
Change-Id: If30e12dcc485127ee82bf3df465e28511396fcca
Signed-off-by: 鞠明岐 <jumingqi@xiaomi.corp-partner.google.com>
-rw-r--r-- | apps/weaver/card/src/com/android/weaver/core/CoreSlots.java | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/apps/weaver/card/src/com/android/weaver/core/CoreSlots.java b/apps/weaver/card/src/com/android/weaver/core/CoreSlots.java index b2ef6b7..4fb86cd 100644 --- a/apps/weaver/card/src/com/android/weaver/core/CoreSlots.java +++ b/apps/weaver/card/src/com/android/weaver/core/CoreSlots.java @@ -156,22 +156,11 @@ class CoreSlots implements Slots { return Consts.READ_BACK_OFF; } - // Check the key matches in constant time and copy out the value if it does - byte result = (Util.arrayCompare( - keyBuffer, keyOffset, mKey, (short) 0, Consts.SLOT_KEY_BYTES) == 0) ? - Consts.READ_SUCCESS : Consts.READ_WRONG_KEY; - - // Keep track of the number of failures - if (result == Consts.READ_WRONG_KEY) { - if (mFailureCount != 0x7fff) { - mFailureCount += 1; - } - } else { - // This read was successful so reset the failures - if (mFailureCount != 0) { // attempt to maintain constant time - mFailureCount = 0; - } + // Assume this read will fail + if (mFailureCount != 0x7fff) { + mFailureCount += 1; } + byte result = Consts.READ_WRONG_KEY; // Start the timer on a failure if (throttle(sRemainingBackoff, (short) 0, mFailureCount)) { @@ -182,6 +171,18 @@ class CoreSlots implements Slots { mBackoffTimer.stopTimer(); } + // Check the key matches in constant time and copy out the value if it does + result = (Util.arrayCompare( + keyBuffer, keyOffset, mKey, (short) 0, Consts.SLOT_KEY_BYTES) == 0) ? + Consts.READ_SUCCESS : result; + + // Keep track of the number of failures + if (result == Consts.READ_SUCCESS) { + // This read was successful so reset the failures + mFailureCount = 0; + mBackoffTimer.stopTimer(); + } + final byte[] data = (result == Consts.READ_SUCCESS) ? mValue : sRemainingBackoff; Util.arrayCopyNonAtomic(data, (short) 0, outBuffer, outOffset, Consts.SLOT_VALUE_BYTES); |
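Review bot: The pre-increment in the first hunk only protects an interrupted attempt if the write to `mFailureCount` is already committed to persistent memory when `Util.arrayCompare` starts. Nothing visible here shows whether this method can be reached inside an open transaction, in which case an interruption during the compare would roll the increment back and the guess would go uncounted. I would record the invariant next to the increment, for example `// Must be persisted before the compare below; do not call inside a JCSystem transaction`. With `Test: N/A` in the commit message, that ordering is not exercised by any test. The enclosing method starts and ends outside the hunk.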
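Review bot: In the second hunk the comment `// Keep track of the number of failures` now sits above a block that only handles the success case. Something like `// A confirmed match is the only path that clears the failure count and cancels the backoff` would describe it accurately. The moved comment on the compare still says "copy out the value if it does", although the copy happens later in `Util.arrayCopyNonAtomic`. A correct key now also passes through `throttle(...)` with the count already incremented, so the success branch relies on `mBackoffTimer.stopTimer()` fully cancelling whatever that path armed. The lines between the two hunks are not shown, so that is worth confirming against the timer implementation.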