• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <memory>
18 #include <vector>
19 
20 #include <hardware/hw_auth_token.h>
21 #include <keymaster/authorization_set.h>
22 
23 #ifndef KEYSTORE_AUTH_TOKEN_TABLE_H_
24 #define KEYSTORE_AUTH_TOKEN_TABLE_H_
25 
26 namespace keymaster {
27 
28 namespace test {
29 class AuthTokenTableTest;
30 }  // namespace test
31 
32 time_t clock_gettime_raw();
33 
34 /**
35  * AuthTokenTable manages a set of received authorization tokens and can provide the appropriate
36  * token for authorizing a key operation.
37  *
38  * To keep the table from growing without bound, superseded entries are removed when possible, and
39  * least recently used entries are automatically pruned when when the table exceeds a size limit,
40  * which is expected to be relatively small, since the implementation uses a linear search.
41  */
42 class AuthTokenTable {
43   public:
44     AuthTokenTable(size_t max_entries = 32, time_t (*clock_function)() = clock_gettime_raw)
max_entries_(max_entries)45         : max_entries_(max_entries), last_off_body_(clock_function()), clock_function_(clock_function) {}
46 
47     enum Error {
48         OK,
49         AUTH_NOT_REQUIRED = -1,
50         AUTH_TOKEN_EXPIRED = -2,    // Found a matching token, but it's too old.
51         AUTH_TOKEN_WRONG_SID = -3,  // Found a token with the right challenge, but wrong SID.  This
52                                     // most likely indicates that the authenticator was updated
53                                     // (e.g. new fingerprint enrolled).
54         OP_HANDLE_REQUIRED = -4,    // The key requires auth per use but op_handle was zero.
55         AUTH_TOKEN_NOT_FOUND = -5,
56     };
57 
58     /**
59      * Add an authorization token to the table.  The table takes ownership of the argument.
60      */
61     void AddAuthenticationToken(const hw_auth_token_t* token);
62 
63     /**
64      * Find an authorization token that authorizes the operation specified by \p operation_handle on
65      * a key with the characteristics specified in \p key_info.
66      *
67      * This method is O(n * m), where n is the number of KM_TAG_USER_SECURE_ID entries in key_info
68      * and m is the number of entries in the table.  It could be made better, but n and m should
69      * always be small.
70      *
71      * The table retains ownership of the returned object.
72      */
73     Error FindAuthorization(const AuthorizationSet& key_info, keymaster_purpose_t purpose,
74                             keymaster_operation_handle_t op_handle, const hw_auth_token_t** found);
75 
76     /**
77      * Find an authorization token that authorizes the operation specified by \p operation_handle on
78      * a key with the characteristics specified in \p key_info.
79      *
80      * This method is O(n * m), where n is the number of KM_TAG_USER_SECURE_ID entries in key_info
81      * and m is the number of entries in the table.  It could be made better, but n and m should
82      * always be small.
83      *
84      * The table retains ownership of the returned object.
85      */
FindAuthorization(const keymaster_key_param_t * params,size_t params_count,keymaster_purpose_t purpose,keymaster_operation_handle_t op_handle,const hw_auth_token_t ** found)86     Error FindAuthorization(const keymaster_key_param_t* params, size_t params_count,
87                             keymaster_purpose_t purpose, keymaster_operation_handle_t op_handle,
88                             const hw_auth_token_t** found) {
89         return FindAuthorization(AuthorizationSet(params, params_count), purpose, op_handle, found);
90     }
91 
92     /**
93      * Mark operation completed.  This allows tokens associated with the specified operation to be
94      * superseded by new tokens.
95      */
96     void MarkCompleted(const keymaster_operation_handle_t op_handle);
97 
98     /**
99      * Update the last_off_body_ timestamp so that tokens which remain authorized only so long as
100      * the device stays on body can be revoked.
101      */
102     void onDeviceOffBody();
103 
104     void Clear();
105 
size()106     size_t size() { return entries_.size(); }
107 
108   private:
109     friend class AuthTokenTableTest;
110 
111     class Entry {
112       public:
113         Entry(const hw_auth_token_t* token, time_t current_time);
Entry(Entry && entry)114         Entry(Entry&& entry) { *this = std::move(entry); }
115 
116         void operator=(Entry&& rhs) {
117             token_ = std::move(rhs.token_);
118             time_received_ = rhs.time_received_;
119             last_use_ = rhs.last_use_;
120             operation_completed_ = rhs.operation_completed_;
121         }
122 
123         bool operator<(const Entry& rhs) const { return last_use_ < rhs.last_use_; }
124 
125         void UpdateLastUse(time_t time);
126 
127         bool Supersedes(const Entry& entry) const;
128         bool SatisfiesAuth(const std::vector<uint64_t>& sids, hw_authenticator_type_t auth_type);
129 
is_newer_than(const Entry * entry)130         bool is_newer_than(const Entry* entry) {
131             if (!entry)
132                 return true;
133             return timestamp_host_order() > entry->timestamp_host_order();
134         }
135 
mark_completed()136         void mark_completed() { operation_completed_ = true; }
137 
token()138         const hw_auth_token_t* token() { return token_.get(); }
time_received()139         time_t time_received() const { return time_received_; }
completed()140         bool completed() const { return operation_completed_; }
141         uint32_t timestamp_host_order() const;
142         hw_authenticator_type_t authenticator_type() const;
143 
144       private:
145         std::unique_ptr<const hw_auth_token_t> token_;
146         time_t time_received_;
147         time_t last_use_;
148         bool operation_completed_;
149     };
150 
151     Error FindAuthPerOpAuthorization(const std::vector<uint64_t>& sids,
152                                      hw_authenticator_type_t auth_type,
153                                      keymaster_operation_handle_t op_handle,
154                                      const hw_auth_token_t** found);
155     Error FindTimedAuthorization(const std::vector<uint64_t>& sids,
156                                  hw_authenticator_type_t auth_type,
157                                  const AuthorizationSet& key_info, const hw_auth_token_t** found);
158     void ExtractSids(const AuthorizationSet& key_info, std::vector<uint64_t>* sids);
159     void RemoveEntriesSupersededBy(const Entry& entry);
160     bool IsSupersededBySomeEntry(const Entry& entry);
161 
162     std::vector<Entry> entries_;
163     size_t max_entries_;
164     time_t last_off_body_;
165     time_t (*clock_function_)();
166 };
167 
168 }  // namespace keymaster
169 
170 #endif  // KEYSTORE_AUTH_TOKEN_TABLE_H_
171