• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "keystore"
18 
19 #include "auth_token_table.h"
20 
21 #include <assert.h>
22 #include <time.h>
23 
24 #include <algorithm>
25 
26 #include <cutils/log.h>
27 
28 namespace keystore {
29 
30 template <typename IntType, uint32_t byteOrder> struct choose_hton;
31 
32 template <typename IntType> struct choose_hton<IntType, __ORDER_LITTLE_ENDIAN__> {
htonkeystore::choose_hton33     inline static IntType hton(const IntType& value) {
34         IntType result = 0;
35         const unsigned char* inbytes = reinterpret_cast<const unsigned char*>(&value);
36         unsigned char* outbytes = reinterpret_cast<unsigned char*>(&result);
37         for (int i = sizeof(IntType) - 1; i >= 0; --i) {
38             *(outbytes++) = inbytes[i];
39         }
40         return result;
41     }
42 };
43 
44 template <typename IntType> struct choose_hton<IntType, __ORDER_BIG_ENDIAN__> {
htonkeystore::choose_hton45     inline static IntType hton(const IntType& value) { return value; }
46 };
47 
hton(const IntType & value)48 template <typename IntType> inline IntType hton(const IntType& value) {
49     return choose_hton<IntType, __BYTE_ORDER__>::hton(value);
50 }
51 
ntoh(const IntType & value)52 template <typename IntType> inline IntType ntoh(const IntType& value) {
53     // same operation and hton
54     return choose_hton<IntType, __BYTE_ORDER__>::hton(value);
55 }
56 
57 //
58 // Some trivial template wrappers around std algorithms, so they take containers not ranges.
59 //
60 template <typename Container, typename Predicate>
find_if(Container & container,Predicate pred)61 typename Container::iterator find_if(Container& container, Predicate pred) {
62     return std::find_if(container.begin(), container.end(), pred);
63 }
64 
65 template <typename Container, typename Predicate>
remove_if(Container & container,Predicate pred)66 typename Container::iterator remove_if(Container& container, Predicate pred) {
67     return std::remove_if(container.begin(), container.end(), pred);
68 }
69 
min_element(Container & container)70 template <typename Container> typename Container::iterator min_element(Container& container) {
71     return std::min_element(container.begin(), container.end());
72 }
73 
clock_gettime_raw()74 time_t clock_gettime_raw() {
75     struct timespec time;
76     clock_gettime(CLOCK_MONOTONIC_RAW, &time);
77     return time.tv_sec;
78 }
79 
AddAuthenticationToken(const HardwareAuthToken * auth_token)80 void AuthTokenTable::AddAuthenticationToken(const HardwareAuthToken* auth_token) {
81     Entry new_entry(auth_token, clock_function_());
82     //STOPSHIP: debug only, to be removed
83     ALOGD("AddAuthenticationToken: timestamp = %llu (%llu), time_received = %lld",
84         static_cast<unsigned long long>(new_entry.timestamp_host_order()),
85         static_cast<unsigned long long>(auth_token->timestamp),
86         static_cast<long long>(new_entry.time_received()));
87 
88     RemoveEntriesSupersededBy(new_entry);
89     if (entries_.size() >= max_entries_) {
90         ALOGW("Auth token table filled up; replacing oldest entry");
91         *min_element(entries_) = std::move(new_entry);
92     } else {
93         entries_.push_back(std::move(new_entry));
94     }
95 }
96 
is_secret_key_operation(Algorithm algorithm,KeyPurpose purpose)97 inline bool is_secret_key_operation(Algorithm algorithm, KeyPurpose purpose) {
98     if ((algorithm != Algorithm::RSA && algorithm != Algorithm::EC))
99         return true;
100     if (purpose == KeyPurpose::SIGN || purpose == KeyPurpose::DECRYPT)
101         return true;
102     return false;
103 }
104 
KeyRequiresAuthentication(const AuthorizationSet & key_info,KeyPurpose purpose)105 inline bool KeyRequiresAuthentication(const AuthorizationSet& key_info, KeyPurpose purpose) {
106     auto algorithm = defaultOr(key_info.GetTagValue(TAG_ALGORITHM), Algorithm::AES);
107     return is_secret_key_operation(algorithm, purpose) &&
108            key_info.find(Tag::NO_AUTH_REQUIRED) == -1;
109 }
110 
KeyRequiresAuthPerOperation(const AuthorizationSet & key_info,KeyPurpose purpose)111 inline bool KeyRequiresAuthPerOperation(const AuthorizationSet& key_info, KeyPurpose purpose) {
112     auto algorithm = defaultOr(key_info.GetTagValue(TAG_ALGORITHM), Algorithm::AES);
113     return is_secret_key_operation(algorithm, purpose) && key_info.find(Tag::AUTH_TIMEOUT) == -1;
114 }
115 
FindAuthorization(const AuthorizationSet & key_info,KeyPurpose purpose,uint64_t op_handle,const HardwareAuthToken ** found)116 AuthTokenTable::Error AuthTokenTable::FindAuthorization(const AuthorizationSet& key_info,
117                                                         KeyPurpose purpose, uint64_t op_handle,
118                                                         const HardwareAuthToken** found) {
119     if (!KeyRequiresAuthentication(key_info, purpose)) return AUTH_NOT_REQUIRED;
120 
121     auto auth_type =
122         defaultOr(key_info.GetTagValue(TAG_USER_AUTH_TYPE), HardwareAuthenticatorType::NONE);
123 
124     std::vector<uint64_t> key_sids;
125     ExtractSids(key_info, &key_sids);
126 
127     if (KeyRequiresAuthPerOperation(key_info, purpose))
128         return FindAuthPerOpAuthorization(key_sids, auth_type, op_handle, found);
129     else
130         return FindTimedAuthorization(key_sids, auth_type, key_info, found);
131 }
132 
133 AuthTokenTable::Error
FindAuthPerOpAuthorization(const std::vector<uint64_t> & sids,HardwareAuthenticatorType auth_type,uint64_t op_handle,const HardwareAuthToken ** found)134 AuthTokenTable::FindAuthPerOpAuthorization(const std::vector<uint64_t>& sids,
135                                            HardwareAuthenticatorType auth_type, uint64_t op_handle,
136                                            const HardwareAuthToken** found) {
137     if (op_handle == 0) return OP_HANDLE_REQUIRED;
138 
139     auto matching_op = find_if(
140         entries_, [&](Entry& e) { return e.token()->challenge == op_handle && !e.completed(); });
141 
142     if (matching_op == entries_.end()) return AUTH_TOKEN_NOT_FOUND;
143 
144     if (!matching_op->SatisfiesAuth(sids, auth_type)) return AUTH_TOKEN_WRONG_SID;
145 
146     *found = matching_op->token();
147     return OK;
148 }
149 
FindTimedAuthorization(const std::vector<uint64_t> & sids,HardwareAuthenticatorType auth_type,const AuthorizationSet & key_info,const HardwareAuthToken ** found)150 AuthTokenTable::Error AuthTokenTable::FindTimedAuthorization(const std::vector<uint64_t>& sids,
151                                                              HardwareAuthenticatorType auth_type,
152                                                              const AuthorizationSet& key_info,
153                                                              const HardwareAuthToken** found) {
154     Entry* newest_match = NULL;
155     for (auto& entry : entries_)
156         if (entry.SatisfiesAuth(sids, auth_type) && entry.is_newer_than(newest_match))
157             newest_match = &entry;
158 
159     if (!newest_match) return AUTH_TOKEN_NOT_FOUND;
160 
161     auto timeout = defaultOr(key_info.GetTagValue(TAG_AUTH_TIMEOUT), 0);
162 
163     time_t now = clock_function_();
164     if (static_cast<int64_t>(newest_match->time_received()) + timeout < static_cast<int64_t>(now))
165         return AUTH_TOKEN_EXPIRED;
166 
167     if (key_info.GetTagValue(TAG_ALLOW_WHILE_ON_BODY).isOk()) {
168         if (static_cast<int64_t>(newest_match->time_received()) <
169             static_cast<int64_t>(last_off_body_)) {
170             return AUTH_TOKEN_EXPIRED;
171         }
172     }
173 
174     newest_match->UpdateLastUse(now);
175     *found = newest_match->token();
176     return OK;
177 }
178 
ExtractSids(const AuthorizationSet & key_info,std::vector<uint64_t> * sids)179 void AuthTokenTable::ExtractSids(const AuthorizationSet& key_info, std::vector<uint64_t>* sids) {
180     assert(sids);
181     for (auto& param : key_info)
182         if (param.tag == Tag::USER_SECURE_ID)
183             sids->push_back(authorizationValue(TAG_USER_SECURE_ID, param).value());
184 }
185 
RemoveEntriesSupersededBy(const Entry & entry)186 void AuthTokenTable::RemoveEntriesSupersededBy(const Entry& entry) {
187     entries_.erase(remove_if(entries_, [&](Entry& e) { return entry.Supersedes(e); }),
188                    entries_.end());
189 }
190 
onDeviceOffBody()191 void AuthTokenTable::onDeviceOffBody() {
192     last_off_body_ = clock_function_();
193 }
194 
Clear()195 void AuthTokenTable::Clear() {
196     entries_.clear();
197 }
198 
IsSupersededBySomeEntry(const Entry & entry)199 bool AuthTokenTable::IsSupersededBySomeEntry(const Entry& entry) {
200     return std::any_of(entries_.begin(), entries_.end(),
201                        [&](Entry& e) { return e.Supersedes(entry); });
202 }
203 
MarkCompleted(const uint64_t op_handle)204 void AuthTokenTable::MarkCompleted(const uint64_t op_handle) {
205     auto found = find_if(entries_, [&](Entry& e) { return e.token()->challenge == op_handle; });
206     if (found == entries_.end()) return;
207 
208     assert(!IsSupersededBySomeEntry(*found));
209     found->mark_completed();
210 
211     if (IsSupersededBySomeEntry(*found)) entries_.erase(found);
212 }
213 
Entry(const HardwareAuthToken * token,time_t current_time)214 AuthTokenTable::Entry::Entry(const HardwareAuthToken* token, time_t current_time)
215     : token_(token), time_received_(current_time), last_use_(current_time),
216       operation_completed_(token_->challenge == 0) {}
217 
timestamp_host_order() const218 uint64_t AuthTokenTable::Entry::timestamp_host_order() const {
219     return ntoh(token_->timestamp);
220 }
221 
authenticator_type() const222 HardwareAuthenticatorType AuthTokenTable::Entry::authenticator_type() const {
223     HardwareAuthenticatorType result = static_cast<HardwareAuthenticatorType>(
224         ntoh(static_cast<uint32_t>(token_->authenticatorType)));
225     return result;
226 }
227 
SatisfiesAuth(const std::vector<uint64_t> & sids,HardwareAuthenticatorType auth_type)228 bool AuthTokenTable::Entry::SatisfiesAuth(const std::vector<uint64_t>& sids,
229                                           HardwareAuthenticatorType auth_type) {
230     for (auto sid : sids)
231         if ((sid == token_->authenticatorId) ||
232             (sid == token_->userId && (auth_type & authenticator_type()) != 0))
233             return true;
234     return false;
235 }
236 
UpdateLastUse(time_t time)237 void AuthTokenTable::Entry::UpdateLastUse(time_t time) {
238     this->last_use_ = time;
239 }
240 
Supersedes(const Entry & entry) const241 bool AuthTokenTable::Entry::Supersedes(const Entry& entry) const {
242     if (!entry.completed()) return false;
243 
244     return (token_->userId == entry.token_->userId &&
245             token_->authenticatorType == entry.token_->authenticatorType &&
246             token_->authenticatorId == entry.token_->authenticatorId &&
247             is_newer_than(&entry));
248 }
249 
250 }  // namespace keymaster
251