diff --git a/caam-blob-example/README.md b/caam-blob-example/README.md
index 805cc82..67b898d 100644
--- a/caam-blob-example/README.md
+++ b/caam-blob-example/README.md
@@ -5,7 +5,7 @@ This example application shows how to encapsulate/decapsulate data to/from CAAM
 CAAM blobs are a way to protect sensitive data by encrypting their contents. You can think of CAAM blobs as data encrypted with an internal unreadable device-specific key which is protected by the hardware. Data encapsulated in a CAAM blob can only be decapsulated by the device that created it.
-When creating CAAM blobs, the input data size is limited to 1048527 bytes.
+When creating CAAM blobs, the input data size is limited to 65487 bytes.
 Note that CAAM blobs are slightly bigger than the input data (48 bytes bigger). A key modifier may be used to further differentiate the key used in a particular blob.
@@ -65,7 +65,7 @@ For more information, see the [Digi Embedded Yocto online documentation](https:/
 License
 -------
-Copyright 2019, Digi International Inc.
+Copyright 2019-2021, Digi International Inc.
 Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice
diff --git a/caam-blob-example/caam_ops.h b/caam-blob-example/caam_ops.h
index a1d6d55..71c3835 100644
--- a/caam-blob-example/caam_ops.h
+++ b/caam-blob-example/caam_ops.h
@@ -1,7 +1,7 @@
 /*
 * caam_ops.h
 *
- * Copyright (C) 2019 by Digi International Inc.
+ * Copyright (C) 2019-2021, by Digi International Inc.
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -32,10 +32,13 @@
 /* Key modifier: 16 bytes for a general memory blob (see SRM 5.8.4.7.1) */
 #define KEY_MODIFIER_SIZE 16
+#define SZ_1K 1024
+
 /*
- * Testing shows that input sizes bigger than this value usually fail.
+ * The input size is stored in 16 bits in the CAAM job descriptor, which means
+ * the upper limit is 64 KiB minus one byte
 */
-#define BLOB_MAX_INPUT_SIZE (1024 * 1024 - BLOB_OVERHEAD)
+#define BLOB_MAX_INPUT_SIZE (64 * SZ_1K - 1)
 int caamblob_encrypt(const uint8_t *data, size_t size,
diff --git a/caam-blob-example/main.c b/caam-blob-example/main.c
index e1fe848..feac161 100644
--- a/caam-blob-example/main.c
+++ b/caam-blob-example/main.c
@@ -1,7 +1,7 @@
 /*
 * main.c
 *
- * Copyright (C) 2019 by Digi International Inc.
+ * Copyright (C) 2019-2021 by Digi International Inc.
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -168,6 +168,7 @@ int main(int argc, char *argv[])
 size_t output_len;
 uint8_t key_modifier[KEY_MODIFIER_SIZE];
 int ret = EXIT_SUCCESS;
+ size_t max_input_len = BLOB_MAX_INPUT_SIZE;
 if (argc > 0)
 program_name = argv[0];
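Review bot: In the caam_ops.h hunk, `BLOB_MAX_INPUT_SIZE` now describes the 16-bit length field of the job descriptor rather than the largest input a caller may hand to `caamblob_encrypt()`: when encapsulating, the output is `BLOB_OVERHEAD` bytes larger, so the usable input is `BLOB_MAX_INPUT_SIZE - BLOB_OVERHEAD`, and that subtraction exists only in main.c. The comment should say so, for example by adding ` * When encapsulating, the output blob must fit too: subtract BLOB_OVERHEAD.`, or the header could expose a separate encrypt-side limit. Whether `caamblob_encrypt()` and its decrypt counterpart reject oversized lengths themselves is not visible in this hunk; if they do not, a larger length would presumably be truncated when written into the descriptor, so the bound belongs in those functions as well as in the example's main(). `SZ_1K` is also the name used by the kernel's `linux/sizes.h`, so wrapping the define in `#ifndef SZ_1K` would avoid a redefinition if such a header is ever pulled in.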
@@ -187,10 +188,20 @@ int main(int argc, char *argv[])
 return EXIT_FAILURE;
 }
+ /*
+ * if we're going to encrypt a file, subtract the blob overhead from
+ * the maximum allowed size so that the output blob size can fit in the
+ * CAAM encryption job descriptor
+ */
+ max_input_len -= op == ENCRYPT ? BLOB_OVERHEAD : 0;
+
 /* this is a limitation of the current driver implementation */
- if (input_len >= BLOB_MAX_INPUT_SIZE)
- fprintf(stderr, "[WARNING] Input is too big, %s may fail\n",
- op == ENCRYPT ? "encryption" : "decryption");
+ if (input_len > max_input_len) {
+ fprintf(stderr, "[ERROR] Input is too big, continuing may result in unexpected behavior.\n"
+ "[ERROR] The maximum input size for %s is %u bytes.\n",
+ op == ENCRYPT ? "encryption" : "decryption", max_input_len);
+ return EXIT_FAILURE;
+ }
 input_data = mmap(NULL, input_len, PROT_READ, MAP_PRIVATE | MAP_POPULATE, input_fd, 0);
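Review bot: The new error message prints `max_input_len`, declared `size_t` in the previous main.c hunk, with `%u`; that is a format/argument type mismatch, which is undefined behaviour and can print a wrong limit wherever `size_t` is wider than `unsigned int`. Use `%zu` instead, i.e. `"[ERROR] The maximum input size for %s is %zu bytes.\n",`. The comment `/* this is a limitation of the current driver implementation */` above the check appears to be unchanged context and now disagrees with the job-descriptor explanation this commit adds in caam_ops.h, so it is worth rewording. main() starts and ends outside this hunk, so the type of `input_len` and whether a blob passed for decryption is also checked against a lower bound (presumably at least `BLOB_OVERHEAD` bytes) cannot be confirmed from here.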