1 /* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include "auth_token_table.h" 18 19 #include <assert.h> 20 #include <time.h> 21 22 #include <algorithm> 23 24 #include <cutils/log.h> 25 26 namespace keystore { 27 28 template <typename IntType, uint32_t byteOrder> struct choose_hton; 29 30 template <typename IntType> struct choose_hton<IntType, __ORDER_LITTLE_ENDIAN__> { 31 inline static IntType hton(const IntType& value) { 32 IntType result = 0; 33 const unsigned char* inbytes = reinterpret_cast<const unsigned char*>(&value); 34 unsigned char* outbytes = reinterpret_cast<unsigned char*>(&result); 35 for (int i = sizeof(IntType) - 1; i >= 0; --i) { 36 *(outbytes++) = inbytes[i]; 37 } 38 return result; 39 } 40 }; 41 42 template <typename IntType> struct choose_hton<IntType, __ORDER_BIG_ENDIAN__> { 43 inline static IntType hton(const IntType& value) { return value; } 44 }; 45 46 template <typename IntType> inline IntType hton(const IntType& value) { 47 return choose_hton<IntType, __BYTE_ORDER__>::hton(value); 48 } 49 50 template <typename IntType> inline IntType ntoh(const IntType& value) { 51 // same operation and hton 52 return choose_hton<IntType, __BYTE_ORDER__>::hton(value); 53 } 54 55 // 56 // Some trivial template wrappers around std algorithms, so they take containers not ranges. 57 // 58 template <typename Container, typename Predicate> 59 typename Container::iterator find_if(Container& container, Predicate pred) { 60 return std::find_if(container.begin(), container.end(), pred); 61 } 62 63 template <typename Container, typename Predicate> 64 typename Container::iterator remove_if(Container& container, Predicate pred) { 65 return std::remove_if(container.begin(), container.end(), pred); 66 } 67 68 template <typename Container> typename Container::iterator min_element(Container& container) { 69 return std::min_element(container.begin(), container.end()); 70 } 71 72 time_t clock_gettime_raw() { 73 struct timespec time; 74 clock_gettime(CLOCK_MONOTONIC_RAW, &time); 75 return time.tv_sec; 76 } 77 78 void AuthTokenTable::AddAuthenticationToken(const HardwareAuthToken* auth_token) { 79 Entry new_entry(auth_token, clock_function_()); 80 RemoveEntriesSupersededBy(new_entry); 81 if (entries_.size() >= max_entries_) { 82 ALOGW("Auth token table filled up; replacing oldest entry"); 83 *min_element(entries_) = std::move(new_entry); 84 } else { 85 entries_.push_back(std::move(new_entry)); 86 } 87 } 88 89 inline bool is_secret_key_operation(Algorithm algorithm, KeyPurpose purpose) { 90 if ((algorithm != Algorithm::RSA && algorithm != Algorithm::EC)) 91 return true; 92 if (purpose == KeyPurpose::SIGN || purpose == KeyPurpose::DECRYPT) 93 return true; 94 return false; 95 } 96 97 inline bool KeyRequiresAuthentication(const AuthorizationSet& key_info, KeyPurpose purpose) { 98 auto algorithm = defaultOr(key_info.GetTagValue(TAG_ALGORITHM), Algorithm::AES); 99 return is_secret_key_operation(algorithm, purpose) && 100 key_info.find(Tag::NO_AUTH_REQUIRED) == -1; 101 } 102 103 inline bool KeyRequiresAuthPerOperation(const AuthorizationSet& key_info, KeyPurpose purpose) { 104 auto algorithm = defaultOr(key_info.GetTagValue(TAG_ALGORITHM), Algorithm::AES); 105 return is_secret_key_operation(algorithm, purpose) && key_info.find(Tag::AUTH_TIMEOUT) == -1; 106 } 107 108 AuthTokenTable::Error AuthTokenTable::FindAuthorization(const AuthorizationSet& key_info, 109 KeyPurpose purpose, uint64_t op_handle, 110 const HardwareAuthToken** found) { 111 if (!KeyRequiresAuthentication(key_info, purpose)) return AUTH_NOT_REQUIRED; 112 113 auto auth_type = 114 defaultOr(key_info.GetTagValue(TAG_USER_AUTH_TYPE), HardwareAuthenticatorType::NONE); 115 116 std::vector<uint64_t> key_sids; 117 ExtractSids(key_info, &key_sids); 118 119 if (KeyRequiresAuthPerOperation(key_info, purpose)) 120 return FindAuthPerOpAuthorization(key_sids, auth_type, op_handle, found); 121 else 122 return FindTimedAuthorization(key_sids, auth_type, key_info, found); 123 } 124 125 AuthTokenTable::Error 126 AuthTokenTable::FindAuthPerOpAuthorization(const std::vector<uint64_t>& sids, 127 HardwareAuthenticatorType auth_type, uint64_t op_handle, 128 const HardwareAuthToken** found) { 129 if (op_handle == 0) return OP_HANDLE_REQUIRED; 130 131 auto matching_op = find_if( 132 entries_, [&](Entry& e) { return e.token()->challenge == op_handle && !e.completed(); }); 133 134 if (matching_op == entries_.end()) return AUTH_TOKEN_NOT_FOUND; 135 136 if (!matching_op->SatisfiesAuth(sids, auth_type)) return AUTH_TOKEN_WRONG_SID; 137 138 *found = matching_op->token(); 139 return OK; 140 } 141 142 AuthTokenTable::Error AuthTokenTable::FindTimedAuthorization(const std::vector<uint64_t>& sids, 143 HardwareAuthenticatorType auth_type, 144 const AuthorizationSet& key_info, 145 const HardwareAuthToken** found) { 146 Entry* newest_match = NULL; 147 for (auto& entry : entries_) 148 if (entry.SatisfiesAuth(sids, auth_type) && entry.is_newer_than(newest_match)) 149 newest_match = &entry; 150 151 if (!newest_match) return AUTH_TOKEN_NOT_FOUND; 152 153 auto timeout = defaultOr(key_info.GetTagValue(TAG_AUTH_TIMEOUT), 0); 154 155 time_t now = clock_function_(); 156 if (static_cast<int64_t>(newest_match->time_received()) + timeout < static_cast<int64_t>(now)) 157 return AUTH_TOKEN_EXPIRED; 158 159 if (key_info.GetTagValue(TAG_ALLOW_WHILE_ON_BODY).isOk()) { 160 if (static_cast<int64_t>(newest_match->time_received()) < 161 static_cast<int64_t>(last_off_body_)) { 162 return AUTH_TOKEN_EXPIRED; 163 } 164 } 165 166 newest_match->UpdateLastUse(now); 167 *found = newest_match->token(); 168 return OK; 169 } 170 171 void AuthTokenTable::ExtractSids(const AuthorizationSet& key_info, std::vector<uint64_t>* sids) { 172 assert(sids); 173 for (auto& param : key_info) 174 if (param.tag == Tag::USER_SECURE_ID) 175 sids->push_back(authorizationValue(TAG_USER_SECURE_ID, param).value()); 176 } 177 178 void AuthTokenTable::RemoveEntriesSupersededBy(const Entry& entry) { 179 entries_.erase(remove_if(entries_, [&](Entry& e) { return entry.Supersedes(e); }), 180 entries_.end()); 181 } 182 183 void AuthTokenTable::onDeviceOffBody() { 184 last_off_body_ = clock_function_(); 185 } 186 187 void AuthTokenTable::Clear() { 188 entries_.clear(); 189 } 190 191 bool AuthTokenTable::IsSupersededBySomeEntry(const Entry& entry) { 192 return std::any_of(entries_.begin(), entries_.end(), 193 [&](Entry& e) { return e.Supersedes(entry); }); 194 } 195 196 void AuthTokenTable::MarkCompleted(const uint64_t op_handle) { 197 auto found = find_if(entries_, [&](Entry& e) { return e.token()->challenge == op_handle; }); 198 if (found == entries_.end()) return; 199 200 assert(!IsSupersededBySomeEntry(*found)); 201 found->mark_completed(); 202 203 if (IsSupersededBySomeEntry(*found)) entries_.erase(found); 204 } 205 206 AuthTokenTable::Entry::Entry(const HardwareAuthToken* token, time_t current_time) 207 : token_(token), time_received_(current_time), last_use_(current_time), 208 operation_completed_(token_->challenge == 0) {} 209 210 uint32_t AuthTokenTable::Entry::timestamp_host_order() const { 211 return ntoh(token_->timestamp); 212 } 213 214 HardwareAuthenticatorType AuthTokenTable::Entry::authenticator_type() const { 215 HardwareAuthenticatorType result = static_cast<HardwareAuthenticatorType>( 216 ntoh(static_cast<uint32_t>(token_->authenticatorType))); 217 return result; 218 } 219 220 bool AuthTokenTable::Entry::SatisfiesAuth(const std::vector<uint64_t>& sids, 221 HardwareAuthenticatorType auth_type) { 222 for (auto sid : sids) 223 if ((sid == token_->authenticatorId) || 224 (sid == token_->userId && (auth_type & authenticator_type()) != 0)) 225 return true; 226 return false; 227 } 228 229 void AuthTokenTable::Entry::UpdateLastUse(time_t time) { 230 this->last_use_ = time; 231 } 232 233 bool AuthTokenTable::Entry::Supersedes(const Entry& entry) const { 234 if (!entry.completed()) return false; 235 236 return (token_->userId == entry.token_->userId && 237 token_->authenticatorType == entry.token_->authenticatorType && 238 token_->authenticatorType == entry.token_->authenticatorType && 239 timestamp_host_order() > entry.timestamp_host_order()); 240 } 241 242 } // namespace keymaster 243
