1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymaster/keymaster_enforcement.h>
18
19 #include <assert.h>
20 #include <limits.h>
21 #include <string.h>
22
23 #include <openssl/evp.h>
24
25 #include <hardware/hw_auth_token.h>
26 #include <keymaster/android_keymaster_utils.h>
27 #include <keymaster/logger.h>
28
29 #include "List.h"
30
31 using android::List;
32
33 namespace keymaster {
34
35 class AccessTimeMap {
36 public:
AccessTimeMap(uint32_t max_size)37 explicit AccessTimeMap(uint32_t max_size) : max_size_(max_size) {}
38
39 /* If the key is found, returns true and fills \p last_access_time. If not found returns
40 * false. */
41 bool LastKeyAccessTime(km_id_t keyid, uint32_t* last_access_time) const;
42
43 /* Updates the last key access time with the currentTime parameter. Adds the key if
44 * needed, returning false if key cannot be added because list is full. */
45 bool UpdateKeyAccessTime(km_id_t keyid, uint32_t current_time, uint32_t timeout);
46
47 private:
48 struct AccessTime {
49 km_id_t keyid;
50 uint32_t access_time;
51 uint32_t timeout;
52 };
53 android::List<AccessTime> last_access_list_;
54 const uint32_t max_size_;
55 };
56
57 class AccessCountMap {
58 public:
AccessCountMap(uint32_t max_size)59 explicit AccessCountMap(uint32_t max_size) : max_size_(max_size) {}
60
61 /* If the key is found, returns true and fills \p count. If not found returns
62 * false. */
63 bool KeyAccessCount(km_id_t keyid, uint32_t* count) const;
64
65 /* Increments key access count, adding an entry if the key has never been used. Returns
66 * false if the list has reached maximum size. */
67 bool IncrementKeyAccessCount(km_id_t keyid);
68
69 private:
70 struct AccessCount {
71 km_id_t keyid;
72 uint64_t access_count;
73 };
74 android::List<AccessCount> access_count_list_;
75 const uint32_t max_size_;
76 };
77
is_public_key_algorithm(const AuthorizationSet & auth_set)78 bool is_public_key_algorithm(const AuthorizationSet& auth_set) {
79 keymaster_algorithm_t algorithm;
80 return auth_set.GetTagValue(TAG_ALGORITHM, &algorithm) &&
81 (algorithm == KM_ALGORITHM_RSA || algorithm == KM_ALGORITHM_EC);
82 }
83
authorized_purpose(const keymaster_purpose_t purpose,const AuthorizationSet & auth_set)84 static keymaster_error_t authorized_purpose(const keymaster_purpose_t purpose,
85 const AuthorizationSet& auth_set) {
86 switch (purpose) {
87 case KM_PURPOSE_VERIFY:
88 case KM_PURPOSE_ENCRYPT:
89 case KM_PURPOSE_SIGN:
90 case KM_PURPOSE_DECRYPT:
91 if (auth_set.Contains(TAG_PURPOSE, purpose))
92 return KM_ERROR_OK;
93 return KM_ERROR_INCOMPATIBLE_PURPOSE;
94
95 default:
96 return KM_ERROR_UNSUPPORTED_PURPOSE;
97 }
98 }
99
is_origination_purpose(keymaster_purpose_t purpose)100 inline bool is_origination_purpose(keymaster_purpose_t purpose) {
101 return purpose == KM_PURPOSE_ENCRYPT || purpose == KM_PURPOSE_SIGN;
102 }
103
is_usage_purpose(keymaster_purpose_t purpose)104 inline bool is_usage_purpose(keymaster_purpose_t purpose) {
105 return purpose == KM_PURPOSE_DECRYPT || purpose == KM_PURPOSE_VERIFY;
106 }
107
KeymasterEnforcement(uint32_t max_access_time_map_size,uint32_t max_access_count_map_size)108 KeymasterEnforcement::KeymasterEnforcement(uint32_t max_access_time_map_size,
109 uint32_t max_access_count_map_size)
110 : access_time_map_(new (std::nothrow) AccessTimeMap(max_access_time_map_size)),
111 access_count_map_(new (std::nothrow) AccessCountMap(max_access_count_map_size)) {}
112
~KeymasterEnforcement()113 KeymasterEnforcement::~KeymasterEnforcement() {
114 delete access_time_map_;
115 delete access_count_map_;
116 }
117
AuthorizeOperation(const keymaster_purpose_t purpose,const km_id_t keyid,const AuthorizationSet & auth_set,const AuthorizationSet & operation_params,keymaster_operation_handle_t op_handle,bool is_begin_operation)118 keymaster_error_t KeymasterEnforcement::AuthorizeOperation(const keymaster_purpose_t purpose,
119 const km_id_t keyid,
120 const AuthorizationSet& auth_set,
121 const AuthorizationSet& operation_params,
122 keymaster_operation_handle_t op_handle,
123 bool is_begin_operation) {
124 if (is_public_key_algorithm(auth_set)) {
125 switch (purpose) {
126 case KM_PURPOSE_ENCRYPT:
127 case KM_PURPOSE_VERIFY:
128 /* Public key operations are always authorized. */
129 return KM_ERROR_OK;
130
131 case KM_PURPOSE_DECRYPT:
132 case KM_PURPOSE_SIGN:
133 case KM_PURPOSE_DERIVE_KEY:
134 break;
135 };
136 };
137
138 if (is_begin_operation)
139 return AuthorizeBegin(purpose, keyid, auth_set, operation_params);
140 else
141 return AuthorizeUpdateOrFinish(auth_set, operation_params, op_handle);
142 }
143
144 // For update and finish the only thing to check is user authentication, and then only if it's not
145 // timeout-based.
146 keymaster_error_t
AuthorizeUpdateOrFinish(const AuthorizationSet & auth_set,const AuthorizationSet & operation_params,keymaster_operation_handle_t op_handle)147 KeymasterEnforcement::AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
148 const AuthorizationSet& operation_params,
149 keymaster_operation_handle_t op_handle) {
150 int auth_type_index = -1;
151 for (size_t pos = 0; pos < auth_set.size(); ++pos) {
152 switch (auth_set[pos].tag) {
153 case KM_TAG_NO_AUTH_REQUIRED:
154 case KM_TAG_AUTH_TIMEOUT:
155 // If no auth is required or if auth is timeout-based, we have nothing to check.
156 return KM_ERROR_OK;
157
158 case KM_TAG_USER_AUTH_TYPE:
159 auth_type_index = pos;
160 break;
161
162 default:
163 break;
164 }
165 }
166
167 // Note that at this point we should be able to assume that authentication is required, because
168 // authentication is required if KM_TAG_NO_AUTH_REQUIRED is absent. However, there are legacy
169 // keys which have no authentication-related tags, so we assume that absence is equivalent to
170 // presence of KM_TAG_NO_AUTH_REQUIRED.
171 //
172 // So, if we found KM_TAG_USER_AUTH_TYPE or if we find KM_TAG_USER_SECURE_ID then authentication
173 // is required. If we find neither, then we assume authentication is not required and return
174 // success.
175 bool authentication_required = (auth_type_index != -1);
176 for (auto& param : auth_set) {
177 if (param.tag == KM_TAG_USER_SECURE_ID) {
178 authentication_required = true;
179 int auth_timeout_index = -1;
180 if (AuthTokenMatches(auth_set, operation_params, param.long_integer, auth_type_index,
181 auth_timeout_index, op_handle, false /* is_begin_operation */))
182 return KM_ERROR_OK;
183 }
184 }
185
186 if (authentication_required)
187 return KM_ERROR_KEY_USER_NOT_AUTHENTICATED;
188
189 return KM_ERROR_OK;
190 }
191
AuthorizeBegin(const keymaster_purpose_t purpose,const km_id_t keyid,const AuthorizationSet & auth_set,const AuthorizationSet & operation_params)192 keymaster_error_t KeymasterEnforcement::AuthorizeBegin(const keymaster_purpose_t purpose,
193 const km_id_t keyid,
194 const AuthorizationSet& auth_set,
195 const AuthorizationSet& operation_params) {
196 // Find some entries that may be needed to handle KM_TAG_USER_SECURE_ID
197 int auth_timeout_index = -1;
198 int auth_type_index = -1;
199 int no_auth_required_index = -1;
200 for (size_t pos = 0; pos < auth_set.size(); ++pos) {
201 switch (auth_set[pos].tag) {
202 case KM_TAG_AUTH_TIMEOUT:
203 auth_timeout_index = pos;
204 break;
205 case KM_TAG_USER_AUTH_TYPE:
206 auth_type_index = pos;
207 break;
208 case KM_TAG_NO_AUTH_REQUIRED:
209 no_auth_required_index = pos;
210 break;
211 default:
212 break;
213 }
214 }
215
216 keymaster_error_t error = authorized_purpose(purpose, auth_set);
217 if (error != KM_ERROR_OK)
218 return error;
219
220 // If successful, and if key has a min time between ops, this will be set to the time limit
221 uint32_t min_ops_timeout = UINT32_MAX;
222
223 bool update_access_count = false;
224 bool caller_nonce_authorized_by_key = false;
225 bool authentication_required = false;
226 bool auth_token_matched = false;
227
228 for (auto& param : auth_set) {
229
230 // KM_TAG_PADDING_OLD and KM_TAG_DIGEST_OLD aren't actually members of the enum, so we can't
231 // switch on them. There's nothing to validate for them, though, so just ignore them.
232 if (param.tag == KM_TAG_PADDING_OLD || param.tag == KM_TAG_DIGEST_OLD)
233 continue;
234
235 switch (param.tag) {
236
237 case KM_TAG_ACTIVE_DATETIME:
238 if (!activation_date_valid(param.date_time))
239 return KM_ERROR_KEY_NOT_YET_VALID;
240 break;
241
242 case KM_TAG_ORIGINATION_EXPIRE_DATETIME:
243 if (is_origination_purpose(purpose) && expiration_date_passed(param.date_time))
244 return KM_ERROR_KEY_EXPIRED;
245 break;
246
247 case KM_TAG_USAGE_EXPIRE_DATETIME:
248 if (is_usage_purpose(purpose) && expiration_date_passed(param.date_time))
249 return KM_ERROR_KEY_EXPIRED;
250 break;
251
252 case KM_TAG_MIN_SECONDS_BETWEEN_OPS:
253 min_ops_timeout = param.integer;
254 if (!MinTimeBetweenOpsPassed(min_ops_timeout, keyid))
255 return KM_ERROR_KEY_RATE_LIMIT_EXCEEDED;
256 break;
257
258 case KM_TAG_MAX_USES_PER_BOOT:
259 update_access_count = true;
260 if (!MaxUsesPerBootNotExceeded(keyid, param.integer))
261 return KM_ERROR_KEY_MAX_OPS_EXCEEDED;
262 break;
263
264 case KM_TAG_USER_SECURE_ID:
265 if (no_auth_required_index != -1) {
266 // Key has both KM_TAG_USER_SECURE_ID and KM_TAG_NO_AUTH_REQUIRED
267 return KM_ERROR_INVALID_KEY_BLOB;
268 }
269
270 if (auth_timeout_index != -1) {
271 authentication_required = true;
272 if (AuthTokenMatches(auth_set, operation_params, param.long_integer,
273 auth_type_index, auth_timeout_index, 0 /* op_handle */,
274 true /* is_begin_operation */))
275 auth_token_matched = true;
276 }
277 break;
278
279 case KM_TAG_CALLER_NONCE:
280 caller_nonce_authorized_by_key = true;
281 break;
282
283 /* Tags should never be in key auths. */
284 case KM_TAG_INVALID:
285 case KM_TAG_AUTH_TOKEN:
286 case KM_TAG_ROOT_OF_TRUST:
287 case KM_TAG_APPLICATION_DATA:
288 case KM_TAG_ATTESTATION_CHALLENGE:
289 case KM_TAG_ATTESTATION_APPLICATION_ID:
290 case KM_TAG_ATTESTATION_ID_BRAND:
291 case KM_TAG_ATTESTATION_ID_DEVICE:
292 case KM_TAG_ATTESTATION_ID_PRODUCT:
293 case KM_TAG_ATTESTATION_ID_SERIAL:
294 case KM_TAG_ATTESTATION_ID_IMEI:
295 case KM_TAG_ATTESTATION_ID_MEID:
296 case KM_TAG_ATTESTATION_ID_MANUFACTURER:
297 case KM_TAG_ATTESTATION_ID_MODEL:
298 return KM_ERROR_INVALID_KEY_BLOB;
299
300 /* Tags used for cryptographic parameters in keygen. Nothing to enforce. */
301 case KM_TAG_PURPOSE:
302 case KM_TAG_ALGORITHM:
303 case KM_TAG_KEY_SIZE:
304 case KM_TAG_BLOCK_MODE:
305 case KM_TAG_DIGEST:
306 case KM_TAG_MAC_LENGTH:
307 case KM_TAG_PADDING:
308 case KM_TAG_NONCE:
309 case KM_TAG_MIN_MAC_LENGTH:
310 case KM_TAG_KDF:
311 case KM_TAG_EC_CURVE:
312
313 /* Tags not used for operations. */
314 case KM_TAG_BLOB_USAGE_REQUIREMENTS:
315 case KM_TAG_EXPORTABLE:
316
317 /* Algorithm specific parameters not used for access control. */
318 case KM_TAG_RSA_PUBLIC_EXPONENT:
319 case KM_TAG_ECIES_SINGLE_HASH_MODE:
320
321 /* Informational tags. */
322 case KM_TAG_CREATION_DATETIME:
323 case KM_TAG_ORIGIN:
324 case KM_TAG_ROLLBACK_RESISTANT:
325
326 /* Tags handled when KM_TAG_USER_SECURE_ID is handled */
327 case KM_TAG_NO_AUTH_REQUIRED:
328 case KM_TAG_USER_AUTH_TYPE:
329 case KM_TAG_AUTH_TIMEOUT:
330
331 /* Tag to provide data to operations. */
332 case KM_TAG_ASSOCIATED_DATA:
333
334 /* Tags that are implicitly verified by secure side */
335 case KM_TAG_ALL_APPLICATIONS:
336 case KM_TAG_APPLICATION_ID:
337 case KM_TAG_OS_VERSION:
338 case KM_TAG_OS_PATCHLEVEL:
339
340 /* Ignored pending removal */
341 case KM_TAG_USER_ID:
342 case KM_TAG_ALL_USERS:
343
344 /* TODO(swillden): Handle these */
345 case KM_TAG_INCLUDE_UNIQUE_ID:
346 case KM_TAG_UNIQUE_ID:
347 case KM_TAG_RESET_SINCE_ID_ROTATION:
348 case KM_TAG_ALLOW_WHILE_ON_BODY:
349 break;
350
351 case KM_TAG_BOOTLOADER_ONLY:
352 return KM_ERROR_INVALID_KEY_BLOB;
353 }
354 }
355
356 if (authentication_required && !auth_token_matched) {
357 LOG_E("Auth required but no matching auth token found", 0);
358 return KM_ERROR_KEY_USER_NOT_AUTHENTICATED;
359 }
360
361 if (!caller_nonce_authorized_by_key && is_origination_purpose(purpose) &&
362 operation_params.find(KM_TAG_NONCE) != -1)
363 return KM_ERROR_CALLER_NONCE_PROHIBITED;
364
365 if (min_ops_timeout != UINT32_MAX) {
366 if (!access_time_map_) {
367 LOG_S("Rate-limited keys table not allocated. Rate-limited keys disabled", 0);
368 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
369 }
370
371 if (!access_time_map_->UpdateKeyAccessTime(keyid, get_current_time(), min_ops_timeout)) {
372 LOG_E("Rate-limited keys table full. Entries will time out.", 0);
373 return KM_ERROR_TOO_MANY_OPERATIONS;
374 }
375 }
376
377 if (update_access_count) {
378 if (!access_count_map_) {
379 LOG_S("Usage-count limited keys tabel not allocated. Count-limited keys disabled", 0);
380 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
381 }
382
383 if (!access_count_map_->IncrementKeyAccessCount(keyid)) {
384 LOG_E("Usage count-limited keys table full, until reboot.", 0);
385 return KM_ERROR_TOO_MANY_OPERATIONS;
386 }
387 }
388
389 return KM_ERROR_OK;
390 }
391
392 class EvpMdCtx {
393 public:
EvpMdCtx()394 EvpMdCtx() { EVP_MD_CTX_init(&ctx_); }
~EvpMdCtx()395 ~EvpMdCtx() { EVP_MD_CTX_cleanup(&ctx_); }
396
get()397 EVP_MD_CTX* get() { return &ctx_; }
398
399 private:
400 EVP_MD_CTX ctx_;
401 };
402
403 /* static */
CreateKeyId(const keymaster_key_blob_t & key_blob,km_id_t * keyid)404 bool KeymasterEnforcement::CreateKeyId(const keymaster_key_blob_t& key_blob, km_id_t* keyid) {
405 EvpMdCtx ctx;
406
407 uint8_t hash[EVP_MAX_MD_SIZE];
408 unsigned int hash_len;
409 if (EVP_DigestInit_ex(ctx.get(), EVP_sha256(), nullptr /* ENGINE */) &&
410 EVP_DigestUpdate(ctx.get(), key_blob.key_material, key_blob.key_material_size) &&
411 EVP_DigestFinal_ex(ctx.get(), hash, &hash_len)) {
412 assert(hash_len >= sizeof(*keyid));
413 memcpy(keyid, hash, sizeof(*keyid));
414 return true;
415 }
416
417 return false;
418 }
419
MinTimeBetweenOpsPassed(uint32_t min_time_between,const km_id_t keyid)420 bool KeymasterEnforcement::MinTimeBetweenOpsPassed(uint32_t min_time_between, const km_id_t keyid) {
421 if (!access_time_map_)
422 return false;
423
424 uint32_t last_access_time;
425 if (!access_time_map_->LastKeyAccessTime(keyid, &last_access_time))
426 return true;
427 return min_time_between <= static_cast<int64_t>(get_current_time()) - last_access_time;
428 }
429
MaxUsesPerBootNotExceeded(const km_id_t keyid,uint32_t max_uses)430 bool KeymasterEnforcement::MaxUsesPerBootNotExceeded(const km_id_t keyid, uint32_t max_uses) {
431 if (!access_count_map_)
432 return false;
433
434 uint32_t key_access_count;
435 if (!access_count_map_->KeyAccessCount(keyid, &key_access_count))
436 return true;
437 return key_access_count < max_uses;
438 }
439
AuthTokenMatches(const AuthorizationSet & auth_set,const AuthorizationSet & operation_params,const uint64_t user_secure_id,const int auth_type_index,const int auth_timeout_index,const keymaster_operation_handle_t op_handle,bool is_begin_operation) const440 bool KeymasterEnforcement::AuthTokenMatches(const AuthorizationSet& auth_set,
441 const AuthorizationSet& operation_params,
442 const uint64_t user_secure_id,
443 const int auth_type_index, const int auth_timeout_index,
444 const keymaster_operation_handle_t op_handle,
445 bool is_begin_operation) const {
446 assert(auth_type_index < static_cast<int>(auth_set.size()));
447 assert(auth_timeout_index < static_cast<int>(auth_set.size()));
448
449 keymaster_blob_t auth_token_blob;
450 if (!operation_params.GetTagValue(TAG_AUTH_TOKEN, &auth_token_blob)) {
451 LOG_E("Authentication required, but auth token not provided", 0);
452 return false;
453 }
454
455 if (auth_token_blob.data_length != sizeof(hw_auth_token_t)) {
456 LOG_E("Bug: Auth token is the wrong size (%d expected, %d found)", sizeof(hw_auth_token_t),
457 auth_token_blob.data_length);
458 return false;
459 }
460
461 hw_auth_token_t auth_token;
462 memcpy(&auth_token, auth_token_blob.data, sizeof(hw_auth_token_t));
463 if (auth_token.version != HW_AUTH_TOKEN_VERSION) {
464 LOG_E("Bug: Auth token is the version %d (or is not an auth token). Expected %d",
465 auth_token.version, HW_AUTH_TOKEN_VERSION);
466 return false;
467 }
468
469 if (!ValidateTokenSignature(auth_token)) {
470 LOG_E("Auth token signature invalid", 0);
471 return false;
472 }
473
474 if (auth_timeout_index == -1 && op_handle && op_handle != auth_token.challenge) {
475 LOG_E("Auth token has the challenge %llu, need %llu", auth_token.challenge, op_handle);
476 return false;
477 }
478
479 if (user_secure_id != auth_token.user_id && user_secure_id != auth_token.authenticator_id) {
480 LOG_I("Auth token SIDs %llu and %llu do not match key SID %llu", auth_token.user_id,
481 auth_token.authenticator_id, user_secure_id);
482 return false;
483 }
484
485 if (auth_type_index < 0 || auth_type_index > static_cast<int>(auth_set.size())) {
486 LOG_E("Auth required but no auth type found", 0);
487 return false;
488 }
489
490 assert(auth_set[auth_type_index].tag == KM_TAG_USER_AUTH_TYPE);
491 if (auth_set[auth_type_index].tag != KM_TAG_USER_AUTH_TYPE)
492 return false;
493
494 uint32_t key_auth_type_mask = auth_set[auth_type_index].integer;
495 uint32_t token_auth_type = ntoh(auth_token.authenticator_type);
496 if ((key_auth_type_mask & token_auth_type) == 0) {
497 LOG_E("Key requires match of auth type mask 0%uo, but token contained 0%uo",
498 key_auth_type_mask, token_auth_type);
499 return false;
500 }
501
502 if (auth_timeout_index != -1 && is_begin_operation) {
503 assert(auth_set[auth_timeout_index].tag == KM_TAG_AUTH_TIMEOUT);
504 if (auth_set[auth_timeout_index].tag != KM_TAG_AUTH_TIMEOUT)
505 return false;
506
507 if (auth_token_timed_out(auth_token, auth_set[auth_timeout_index].integer)) {
508 LOG_E("Auth token has timed out", 0);
509 return false;
510 }
511 }
512
513 // Survived the whole gauntlet. We have authentage!
514 return true;
515 }
516
LastKeyAccessTime(km_id_t keyid,uint32_t * last_access_time) const517 bool AccessTimeMap::LastKeyAccessTime(km_id_t keyid, uint32_t* last_access_time) const {
518 for (auto& entry : last_access_list_)
519 if (entry.keyid == keyid) {
520 *last_access_time = entry.access_time;
521 return true;
522 }
523 return false;
524 }
525
UpdateKeyAccessTime(km_id_t keyid,uint32_t current_time,uint32_t timeout)526 bool AccessTimeMap::UpdateKeyAccessTime(km_id_t keyid, uint32_t current_time, uint32_t timeout) {
527 List<AccessTime>::iterator iter;
528 for (iter = last_access_list_.begin(); iter != last_access_list_.end();) {
529 if (iter->keyid == keyid) {
530 iter->access_time = current_time;
531 return true;
532 }
533
534 // Expire entry if possible.
535 assert(current_time >= iter->access_time);
536 if (current_time - iter->access_time >= iter->timeout)
537 iter = last_access_list_.erase(iter);
538 else
539 ++iter;
540 }
541
542 if (last_access_list_.size() >= max_size_)
543 return false;
544
545 AccessTime new_entry;
546 new_entry.keyid = keyid;
547 new_entry.access_time = current_time;
548 new_entry.timeout = timeout;
549 last_access_list_.push_front(new_entry);
550 return true;
551 }
552
KeyAccessCount(km_id_t keyid,uint32_t * count) const553 bool AccessCountMap::KeyAccessCount(km_id_t keyid, uint32_t* count) const {
554 for (auto& entry : access_count_list_)
555 if (entry.keyid == keyid) {
556 *count = entry.access_count;
557 return true;
558 }
559 return false;
560 }
561
IncrementKeyAccessCount(km_id_t keyid)562 bool AccessCountMap::IncrementKeyAccessCount(km_id_t keyid) {
563 for (auto& entry : access_count_list_)
564 if (entry.keyid == keyid) {
565 // Note that the 'if' below will always be true because KM_TAG_MAX_USES_PER_BOOT is a
566 // uint32_t, and as soon as entry.access_count reaches the specified maximum value
567 // operation requests will be rejected and access_count won't be incremented any more.
568 // And, besides, UINT64_MAX is huge. But we ensure that it doesn't wrap anyway, out of
569 // an abundance of caution.
570 if (entry.access_count < UINT64_MAX)
571 ++entry.access_count;
572 return true;
573 }
574
575 if (access_count_list_.size() >= max_size_)
576 return false;
577
578 AccessCount new_entry;
579 new_entry.keyid = keyid;
580 new_entry.access_count = 1;
581 access_count_list_.push_front(new_entry);
582 return true;
583 }
584 }; /* namespace keymaster */
585