1 /* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define LOG_TAG "keystore" 18 19 #include "auth_token_table.h" 20 21 #include <assert.h> 22 #include <time.h> 23 24 #include <algorithm> 25 26 #include <cutils/log.h> 27 28 namespace keystore { 29 30 template <typename IntType, uint32_t byteOrder> struct choose_hton; 31 32 template <typename IntType> struct choose_hton<IntType, __ORDER_LITTLE_ENDIAN__> { 33 inline static IntType hton(const IntType& value) { 34 IntType result = 0; 35 const unsigned char* inbytes = reinterpret_cast<const unsigned char*>(&value); 36 unsigned char* outbytes = reinterpret_cast<unsigned char*>(&result); 37 for (int i = sizeof(IntType) - 1; i >= 0; --i) { 38 *(outbytes++) = inbytes[i]; 39 } 40 return result; 41 } 42 }; 43 44 template <typename IntType> struct choose_hton<IntType, __ORDER_BIG_ENDIAN__> { 45 inline static IntType hton(const IntType& value) { return value; } 46 }; 47 48 template <typename IntType> inline IntType hton(const IntType& value) { 49 return choose_hton<IntType, __BYTE_ORDER__>::hton(value); 50 } 51 52 template <typename IntType> inline IntType ntoh(const IntType& value) { 53 // same operation and hton 54 return choose_hton<IntType, __BYTE_ORDER__>::hton(value); 55 } 56 57 // 58 // Some trivial template wrappers around std algorithms, so they take containers not ranges. 59 // 60 template <typename Container, typename Predicate> 61 typename Container::iterator find_if(Container& container, Predicate pred) { 62 return std::find_if(container.begin(), container.end(), pred); 63 } 64 65 template <typename Container, typename Predicate> 66 typename Container::iterator remove_if(Container& container, Predicate pred) { 67 return std::remove_if(container.begin(), container.end(), pred); 68 } 69 70 template <typename Container> typename Container::iterator min_element(Container& container) { 71 return std::min_element(container.begin(), container.end()); 72 } 73 74 time_t clock_gettime_raw() { 75 struct timespec time; 76 clock_gettime(CLOCK_MONOTONIC_RAW, &time); 77 return time.tv_sec; 78 } 79 80 void AuthTokenTable::AddAuthenticationToken(HardwareAuthToken&& auth_token) { 81 Entry new_entry(std::move(auth_token), clock_function_()); 82 // STOPSHIP: debug only, to be removed 83 ALOGD("AddAuthenticationToken: timestamp = %llu, time_received = %lld", 84 static_cast<unsigned long long>(new_entry.token().timestamp), 85 static_cast<long long>(new_entry.time_received())); 86 87 RemoveEntriesSupersededBy(new_entry); 88 if (entries_.size() >= max_entries_) { 89 ALOGW("Auth token table filled up; replacing oldest entry"); 90 *min_element(entries_) = std::move(new_entry); 91 } else { 92 entries_.push_back(std::move(new_entry)); 93 } 94 } 95 96 inline bool is_secret_key_operation(Algorithm algorithm, KeyPurpose purpose) { 97 if ((algorithm != Algorithm::RSA && algorithm != Algorithm::EC)) return true; 98 if (purpose == KeyPurpose::SIGN || purpose == KeyPurpose::DECRYPT) return true; 99 return false; 100 } 101 102 inline bool KeyRequiresAuthentication(const AuthorizationSet& key_info, KeyPurpose purpose) { 103 auto algorithm = defaultOr(key_info.GetTagValue(TAG_ALGORITHM), Algorithm::AES); 104 return is_secret_key_operation(algorithm, purpose) && 105 key_info.find(Tag::NO_AUTH_REQUIRED) == -1; 106 } 107 108 inline bool KeyRequiresAuthPerOperation(const AuthorizationSet& key_info, KeyPurpose purpose) { 109 auto algorithm = defaultOr(key_info.GetTagValue(TAG_ALGORITHM), Algorithm::AES); 110 return is_secret_key_operation(algorithm, purpose) && key_info.find(Tag::AUTH_TIMEOUT) == -1; 111 } 112 113 AuthTokenTable::Error AuthTokenTable::FindAuthorization(const AuthorizationSet& key_info, 114 KeyPurpose purpose, uint64_t op_handle, 115 const HardwareAuthToken** found) { 116 if (!KeyRequiresAuthentication(key_info, purpose)) return AUTH_NOT_REQUIRED; 117 118 auto auth_type = 119 defaultOr(key_info.GetTagValue(TAG_USER_AUTH_TYPE), HardwareAuthenticatorType::NONE); 120 121 std::vector<uint64_t> key_sids; 122 ExtractSids(key_info, &key_sids); 123 124 if (KeyRequiresAuthPerOperation(key_info, purpose)) 125 return FindAuthPerOpAuthorization(key_sids, auth_type, op_handle, found); 126 else 127 return FindTimedAuthorization(key_sids, auth_type, key_info, found); 128 } 129 130 AuthTokenTable::Error 131 AuthTokenTable::FindAuthPerOpAuthorization(const std::vector<uint64_t>& sids, 132 HardwareAuthenticatorType auth_type, uint64_t op_handle, 133 const HardwareAuthToken** found) { 134 if (op_handle == 0) return OP_HANDLE_REQUIRED; 135 136 auto matching_op = find_if( 137 entries_, [&](Entry& e) { return e.token().challenge == op_handle && !e.completed(); }); 138 139 if (matching_op == entries_.end()) return AUTH_TOKEN_NOT_FOUND; 140 141 if (!matching_op->SatisfiesAuth(sids, auth_type)) return AUTH_TOKEN_WRONG_SID; 142 143 *found = &matching_op->token(); 144 return OK; 145 } 146 147 AuthTokenTable::Error AuthTokenTable::FindTimedAuthorization(const std::vector<uint64_t>& sids, 148 HardwareAuthenticatorType auth_type, 149 const AuthorizationSet& key_info, 150 const HardwareAuthToken** found) { 151 Entry* newest_match = NULL; 152 for (auto& entry : entries_) 153 if (entry.SatisfiesAuth(sids, auth_type) && entry.is_newer_than(newest_match)) 154 newest_match = &entry; 155 156 if (!newest_match) return AUTH_TOKEN_NOT_FOUND; 157 158 auto timeout = defaultOr(key_info.GetTagValue(TAG_AUTH_TIMEOUT), 0); 159 160 time_t now = clock_function_(); 161 if (static_cast<int64_t>(newest_match->time_received()) + timeout < static_cast<int64_t>(now)) 162 return AUTH_TOKEN_EXPIRED; 163 164 if (key_info.GetTagValue(TAG_ALLOW_WHILE_ON_BODY).isOk()) { 165 if (static_cast<int64_t>(newest_match->time_received()) < 166 static_cast<int64_t>(last_off_body_)) { 167 return AUTH_TOKEN_EXPIRED; 168 } 169 } 170 171 newest_match->UpdateLastUse(now); 172 *found = &newest_match->token(); 173 return OK; 174 } 175 176 void AuthTokenTable::ExtractSids(const AuthorizationSet& key_info, std::vector<uint64_t>* sids) { 177 assert(sids); 178 for (auto& param : key_info) 179 if (param.tag == Tag::USER_SECURE_ID) 180 sids->push_back(authorizationValue(TAG_USER_SECURE_ID, param).value()); 181 } 182 183 void AuthTokenTable::RemoveEntriesSupersededBy(const Entry& entry) { 184 entries_.erase(remove_if(entries_, [&](Entry& e) { return entry.Supersedes(e); }), 185 entries_.end()); 186 } 187 188 void AuthTokenTable::onDeviceOffBody() { 189 last_off_body_ = clock_function_(); 190 } 191 192 void AuthTokenTable::Clear() { 193 entries_.clear(); 194 } 195 196 bool AuthTokenTable::IsSupersededBySomeEntry(const Entry& entry) { 197 return std::any_of(entries_.begin(), entries_.end(), 198 [&](Entry& e) { return e.Supersedes(entry); }); 199 } 200 201 void AuthTokenTable::MarkCompleted(const uint64_t op_handle) { 202 auto found = find_if(entries_, [&](Entry& e) { return e.token().challenge == op_handle; }); 203 if (found == entries_.end()) return; 204 205 assert(!IsSupersededBySomeEntry(*found)); 206 found->mark_completed(); 207 208 if (IsSupersededBySomeEntry(*found)) entries_.erase(found); 209 } 210 211 AuthTokenTable::Entry::Entry(HardwareAuthToken&& token, time_t current_time) 212 : token_(std::move(token)), time_received_(current_time), last_use_(current_time), 213 operation_completed_(token_.challenge == 0) {} 214 215 bool AuthTokenTable::Entry::SatisfiesAuth(const std::vector<uint64_t>& sids, 216 HardwareAuthenticatorType auth_type) { 217 for (auto sid : sids) { 218 if (SatisfiesAuth(sid, auth_type)) return true; 219 } 220 return false; 221 } 222 223 void AuthTokenTable::Entry::UpdateLastUse(time_t time) { 224 this->last_use_ = time; 225 } 226 227 bool AuthTokenTable::Entry::Supersedes(const Entry& entry) const { 228 if (!entry.completed()) return false; 229 230 return (token_.userId == entry.token_.userId && 231 token_.authenticatorType == entry.token_.authenticatorType && 232 token_.authenticatorId == entry.token_.authenticatorId && is_newer_than(&entry)); 233 } 234 235 } // namespace keystore 236