1 /*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "keystore"
18
19 #include "auth_token_table.h"
20
21 #include <assert.h>
22 #include <time.h>
23
24 #include <algorithm>
25
26 #include <cutils/log.h>
27
28 namespace keystore {
29
30 template <typename IntType, uint32_t byteOrder> struct choose_hton;
31
32 template <typename IntType> struct choose_hton<IntType, __ORDER_LITTLE_ENDIAN__> {
htonkeystore::choose_hton33 inline static IntType hton(const IntType& value) {
34 IntType result = 0;
35 const unsigned char* inbytes = reinterpret_cast<const unsigned char*>(&value);
36 unsigned char* outbytes = reinterpret_cast<unsigned char*>(&result);
37 for (int i = sizeof(IntType) - 1; i >= 0; --i) {
38 *(outbytes++) = inbytes[i];
39 }
40 return result;
41 }
42 };
43
44 template <typename IntType> struct choose_hton<IntType, __ORDER_BIG_ENDIAN__> {
htonkeystore::choose_hton45 inline static IntType hton(const IntType& value) { return value; }
46 };
47
hton(const IntType & value)48 template <typename IntType> inline IntType hton(const IntType& value) {
49 return choose_hton<IntType, __BYTE_ORDER__>::hton(value);
50 }
51
ntoh(const IntType & value)52 template <typename IntType> inline IntType ntoh(const IntType& value) {
53 // same operation and hton
54 return choose_hton<IntType, __BYTE_ORDER__>::hton(value);
55 }
56
57 //
58 // Some trivial template wrappers around std algorithms, so they take containers not ranges.
59 //
60 template <typename Container, typename Predicate>
find_if(Container & container,Predicate pred)61 typename Container::iterator find_if(Container& container, Predicate pred) {
62 return std::find_if(container.begin(), container.end(), pred);
63 }
64
65 template <typename Container, typename Predicate>
remove_if(Container & container,Predicate pred)66 typename Container::iterator remove_if(Container& container, Predicate pred) {
67 return std::remove_if(container.begin(), container.end(), pred);
68 }
69
min_element(Container & container)70 template <typename Container> typename Container::iterator min_element(Container& container) {
71 return std::min_element(container.begin(), container.end());
72 }
73
clock_gettime_raw()74 time_t clock_gettime_raw() {
75 struct timespec time;
76 clock_gettime(CLOCK_MONOTONIC_RAW, &time);
77 return time.tv_sec;
78 }
79
AddAuthenticationToken(HardwareAuthToken && auth_token)80 void AuthTokenTable::AddAuthenticationToken(HardwareAuthToken&& auth_token) {
81 Entry new_entry(std::move(auth_token), clock_function_());
82 // STOPSHIP: debug only, to be removed
83 ALOGD("AddAuthenticationToken: timestamp = %llu, time_received = %lld",
84 static_cast<unsigned long long>(new_entry.token().timestamp),
85 static_cast<long long>(new_entry.time_received()));
86
87 RemoveEntriesSupersededBy(new_entry);
88 if (entries_.size() >= max_entries_) {
89 ALOGW("Auth token table filled up; replacing oldest entry");
90 *min_element(entries_) = std::move(new_entry);
91 } else {
92 entries_.push_back(std::move(new_entry));
93 }
94 }
95
is_secret_key_operation(Algorithm algorithm,KeyPurpose purpose)96 inline bool is_secret_key_operation(Algorithm algorithm, KeyPurpose purpose) {
97 if ((algorithm != Algorithm::RSA && algorithm != Algorithm::EC)) return true;
98 if (purpose == KeyPurpose::SIGN || purpose == KeyPurpose::DECRYPT) return true;
99 return false;
100 }
101
KeyRequiresAuthentication(const AuthorizationSet & key_info,KeyPurpose purpose)102 inline bool KeyRequiresAuthentication(const AuthorizationSet& key_info, KeyPurpose purpose) {
103 auto algorithm = defaultOr(key_info.GetTagValue(TAG_ALGORITHM), Algorithm::AES);
104 return is_secret_key_operation(algorithm, purpose) &&
105 key_info.find(Tag::NO_AUTH_REQUIRED) == -1;
106 }
107
KeyRequiresAuthPerOperation(const AuthorizationSet & key_info,KeyPurpose purpose)108 inline bool KeyRequiresAuthPerOperation(const AuthorizationSet& key_info, KeyPurpose purpose) {
109 auto algorithm = defaultOr(key_info.GetTagValue(TAG_ALGORITHM), Algorithm::AES);
110 return is_secret_key_operation(algorithm, purpose) && key_info.find(Tag::AUTH_TIMEOUT) == -1;
111 }
112
FindAuthorization(const AuthorizationSet & key_info,KeyPurpose purpose,uint64_t op_handle,const HardwareAuthToken ** found)113 AuthTokenTable::Error AuthTokenTable::FindAuthorization(const AuthorizationSet& key_info,
114 KeyPurpose purpose, uint64_t op_handle,
115 const HardwareAuthToken** found) {
116 if (!KeyRequiresAuthentication(key_info, purpose)) return AUTH_NOT_REQUIRED;
117
118 auto auth_type =
119 defaultOr(key_info.GetTagValue(TAG_USER_AUTH_TYPE), HardwareAuthenticatorType::NONE);
120
121 std::vector<uint64_t> key_sids;
122 ExtractSids(key_info, &key_sids);
123
124 if (KeyRequiresAuthPerOperation(key_info, purpose))
125 return FindAuthPerOpAuthorization(key_sids, auth_type, op_handle, found);
126 else
127 return FindTimedAuthorization(key_sids, auth_type, key_info, found);
128 }
129
130 AuthTokenTable::Error
FindAuthPerOpAuthorization(const std::vector<uint64_t> & sids,HardwareAuthenticatorType auth_type,uint64_t op_handle,const HardwareAuthToken ** found)131 AuthTokenTable::FindAuthPerOpAuthorization(const std::vector<uint64_t>& sids,
132 HardwareAuthenticatorType auth_type, uint64_t op_handle,
133 const HardwareAuthToken** found) {
134 if (op_handle == 0) return OP_HANDLE_REQUIRED;
135
136 auto matching_op = find_if(
137 entries_, [&](Entry& e) { return e.token().challenge == op_handle && !e.completed(); });
138
139 if (matching_op == entries_.end()) return AUTH_TOKEN_NOT_FOUND;
140
141 if (!matching_op->SatisfiesAuth(sids, auth_type)) return AUTH_TOKEN_WRONG_SID;
142
143 *found = &matching_op->token();
144 return OK;
145 }
146
FindTimedAuthorization(const std::vector<uint64_t> & sids,HardwareAuthenticatorType auth_type,const AuthorizationSet & key_info,const HardwareAuthToken ** found)147 AuthTokenTable::Error AuthTokenTable::FindTimedAuthorization(const std::vector<uint64_t>& sids,
148 HardwareAuthenticatorType auth_type,
149 const AuthorizationSet& key_info,
150 const HardwareAuthToken** found) {
151 Entry* newest_match = NULL;
152 for (auto& entry : entries_)
153 if (entry.SatisfiesAuth(sids, auth_type) && entry.is_newer_than(newest_match))
154 newest_match = &entry;
155
156 if (!newest_match) return AUTH_TOKEN_NOT_FOUND;
157
158 auto timeout = defaultOr(key_info.GetTagValue(TAG_AUTH_TIMEOUT), 0);
159
160 time_t now = clock_function_();
161 if (static_cast<int64_t>(newest_match->time_received()) + timeout < static_cast<int64_t>(now))
162 return AUTH_TOKEN_EXPIRED;
163
164 if (key_info.GetTagValue(TAG_ALLOW_WHILE_ON_BODY).isOk()) {
165 if (static_cast<int64_t>(newest_match->time_received()) <
166 static_cast<int64_t>(last_off_body_)) {
167 return AUTH_TOKEN_EXPIRED;
168 }
169 }
170
171 newest_match->UpdateLastUse(now);
172 *found = &newest_match->token();
173 return OK;
174 }
175
ExtractSids(const AuthorizationSet & key_info,std::vector<uint64_t> * sids)176 void AuthTokenTable::ExtractSids(const AuthorizationSet& key_info, std::vector<uint64_t>* sids) {
177 assert(sids);
178 for (auto& param : key_info)
179 if (param.tag == Tag::USER_SECURE_ID)
180 sids->push_back(authorizationValue(TAG_USER_SECURE_ID, param).value());
181 }
182
RemoveEntriesSupersededBy(const Entry & entry)183 void AuthTokenTable::RemoveEntriesSupersededBy(const Entry& entry) {
184 entries_.erase(remove_if(entries_, [&](Entry& e) { return entry.Supersedes(e); }),
185 entries_.end());
186 }
187
onDeviceOffBody()188 void AuthTokenTable::onDeviceOffBody() {
189 last_off_body_ = clock_function_();
190 }
191
Clear()192 void AuthTokenTable::Clear() {
193 entries_.clear();
194 }
195
IsSupersededBySomeEntry(const Entry & entry)196 bool AuthTokenTable::IsSupersededBySomeEntry(const Entry& entry) {
197 return std::any_of(entries_.begin(), entries_.end(),
198 [&](Entry& e) { return e.Supersedes(entry); });
199 }
200
MarkCompleted(const uint64_t op_handle)201 void AuthTokenTable::MarkCompleted(const uint64_t op_handle) {
202 auto found = find_if(entries_, [&](Entry& e) { return e.token().challenge == op_handle; });
203 if (found == entries_.end()) return;
204
205 assert(!IsSupersededBySomeEntry(*found));
206 found->mark_completed();
207
208 if (IsSupersededBySomeEntry(*found)) entries_.erase(found);
209 }
210
Entry(HardwareAuthToken && token,time_t current_time)211 AuthTokenTable::Entry::Entry(HardwareAuthToken&& token, time_t current_time)
212 : token_(std::move(token)), time_received_(current_time), last_use_(current_time),
213 operation_completed_(token_.challenge == 0) {}
214
SatisfiesAuth(const std::vector<uint64_t> & sids,HardwareAuthenticatorType auth_type)215 bool AuthTokenTable::Entry::SatisfiesAuth(const std::vector<uint64_t>& sids,
216 HardwareAuthenticatorType auth_type) {
217 for (auto sid : sids) {
218 if (SatisfiesAuth(sid, auth_type)) return true;
219 }
220 return false;
221 }
222
UpdateLastUse(time_t time)223 void AuthTokenTable::Entry::UpdateLastUse(time_t time) {
224 this->last_use_ = time;
225 }
226
Supersedes(const Entry & entry) const227 bool AuthTokenTable::Entry::Supersedes(const Entry& entry) const {
228 if (!entry.completed()) return false;
229
230 return (token_.userId == entry.token_.userId &&
231 token_.authenticatorType == entry.token_.authenticatorType &&
232 token_.authenticatorId == entry.token_.authenticatorId && is_newer_than(&entry));
233 }
234
235 } // namespace keystore
236