Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / security / 3b3599385a88ae26fce0484c20a34cc911fed000 / . / keystore / auth_token_table.cpp
blob: 6bffa7c62ff0e06868a0bed6a8b2bb08d1a8e8e6 [file] [log] [blame]
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Rubin Xuce99f582017-10-12 10:50:11 +0100[diff] [blame]17#define LOG_TAG "keystore"
18
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]19#include "auth_token_table.h"
20
21#include <assert.h>
22#include <time.h>
23
24#include <algorithm>
25
Logan Chiencdc813f2018-04-23 13:52:28 +0800[diff] [blame]26#include <log/log.h>
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]27
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]28namespace keystore {
29
Shawn Willdend3ed3a22017-03-28 00:39:16 +0000[diff] [blame]30template <typename IntType, uint32_t byteOrder> struct choose_hton;
31
32template <typename IntType> struct choose_hton<IntType, __ORDER_LITTLE_ENDIAN__> {
33 inline static IntType hton(const IntType& value) {
34 IntType result = 0;
35 const unsigned char* inbytes = reinterpret_cast<const unsigned char*>(&value);
36 unsigned char* outbytes = reinterpret_cast<unsigned char*>(&result);
37 for (int i = sizeof(IntType) - 1; i >= 0; --i) {
38 *(outbytes++) = inbytes[i];
39 }
40 return result;
41 }
42};
43
44template <typename IntType> struct choose_hton<IntType, __ORDER_BIG_ENDIAN__> {
45 inline static IntType hton(const IntType& value) { return value; }
46};
47
48template <typename IntType> inline IntType hton(const IntType& value) {
49 return choose_hton<IntType, __BYTE_ORDER__>::hton(value);
50}
51
52template <typename IntType> inline IntType ntoh(const IntType& value) {
53 // same operation and hton
54 return choose_hton<IntType, __BYTE_ORDER__>::hton(value);
55}
56
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]57//
58// Some trivial template wrappers around std algorithms, so they take containers not ranges.
59//
60template <typename Container, typename Predicate>
61typename Container::iterator find_if(Container& container, Predicate pred) {
62 return std::find_if(container.begin(), container.end(), pred);
63}
64
65template <typename Container, typename Predicate>
66typename Container::iterator remove_if(Container& container, Predicate pred) {
67 return std::remove_if(container.begin(), container.end(), pred);
68}
69
70template <typename Container> typename Container::iterator min_element(Container& container) {
71 return std::min_element(container.begin(), container.end());
72}
73
74time_t clock_gettime_raw() {
75 struct timespec time;
76 clock_gettime(CLOCK_MONOTONIC_RAW, &time);
77 return time.tv_sec;
78}
79
Shawn Willden0329a822017-12-04 13:55:14 -0700[diff] [blame]80void AuthTokenTable::AddAuthenticationToken(HardwareAuthToken&& auth_token) {
Janis Danisevskis8f737ad2017-11-21 12:30:15 -0800[diff] [blame]81 Entry new_entry(std::move(auth_token), clock_function_());
Shawn Willden0329a822017-12-04 13:55:14 -0700[diff] [blame]82 // STOPSHIP: debug only, to be removed
83 ALOGD("AddAuthenticationToken: timestamp = %llu, time_received = %lld",
84 static_cast<unsigned long long>(new_entry.token().timestamp),
85 static_cast<long long>(new_entry.time_received()));
Rubin Xuce99f582017-10-12 10:50:11 +0100[diff] [blame]86
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]87 std::lock_guard<std::mutex> lock(entries_mutex_);
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]88 RemoveEntriesSupersededBy(new_entry);
89 if (entries_.size() >= max_entries_) {
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]90 ALOGW("Auth token table filled up; replacing oldest entry");
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]91 *min_element(entries_) = std::move(new_entry);
92 } else {
93 entries_.push_back(std::move(new_entry));
94 }
95}
96
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]97inline bool is_secret_key_operation(Algorithm algorithm, KeyPurpose purpose) {
Shawn Willden0329a822017-12-04 13:55:14 -0700[diff] [blame]98 if ((algorithm != Algorithm::RSA && algorithm != Algorithm::EC)) return true;
99 if (purpose == KeyPurpose::SIGN || purpose == KeyPurpose::DECRYPT) return true;
Shawn Willdenb2ffa422015-06-17 12:18:55 -0600[diff] [blame]100 return false;
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]101}
102
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]103inline bool KeyRequiresAuthentication(const AuthorizationSet& key_info, KeyPurpose purpose) {
104 auto algorithm = defaultOr(key_info.GetTagValue(TAG_ALGORITHM), Algorithm::AES);
105 return is_secret_key_operation(algorithm, purpose) &&
106 key_info.find(Tag::NO_AUTH_REQUIRED) == -1;
Shawn Willdenb2ffa422015-06-17 12:18:55 -0600[diff] [blame]107}
108
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]109inline bool KeyRequiresAuthPerOperation(const AuthorizationSet& key_info, KeyPurpose purpose) {
110 auto algorithm = defaultOr(key_info.GetTagValue(TAG_ALGORITHM), Algorithm::AES);
111 return is_secret_key_operation(algorithm, purpose) && key_info.find(Tag::AUTH_TIMEOUT) == -1;
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]112}
113
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]114std::tuple<AuthTokenTable::Error, HardwareAuthToken>
115AuthTokenTable::FindAuthorization(const AuthorizationSet& key_info, KeyPurpose purpose,
116 uint64_t op_handle) {
117
118 std::lock_guard<std::mutex> lock(entries_mutex_);
119
120 if (!KeyRequiresAuthentication(key_info, purpose)) return {AUTH_NOT_REQUIRED, {}};
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]121
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]122 auto auth_type =
123 defaultOr(key_info.GetTagValue(TAG_USER_AUTH_TYPE), HardwareAuthenticatorType::NONE);
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]124
125 std::vector<uint64_t> key_sids;
126 ExtractSids(key_info, &key_sids);
127
Shawn Willdenb2ffa422015-06-17 12:18:55 -0600[diff] [blame]128 if (KeyRequiresAuthPerOperation(key_info, purpose))
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]129 return FindAuthPerOpAuthorization(key_sids, auth_type, op_handle);
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]130 else
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]131 return FindTimedAuthorization(key_sids, auth_type, key_info);
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]132}
133
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]134std::tuple<AuthTokenTable::Error, HardwareAuthToken> AuthTokenTable::FindAuthPerOpAuthorization(
135 const std::vector<uint64_t>& sids, HardwareAuthenticatorType auth_type, uint64_t op_handle) {
136 if (op_handle == 0) return {OP_HANDLE_REQUIRED, {}};
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]137
138 auto matching_op = find_if(
Janis Danisevskis8f737ad2017-11-21 12:30:15 -0800[diff] [blame]139 entries_, [&](Entry& e) { return e.token().challenge == op_handle && !e.completed(); });
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]140
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]141 if (matching_op == entries_.end()) return {AUTH_TOKEN_NOT_FOUND, {}};
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]142
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]143 if (!matching_op->SatisfiesAuth(sids, auth_type)) return {AUTH_TOKEN_WRONG_SID, {}};
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]144
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]145 return {OK, matching_op->token()};
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]146}
147
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]148std::tuple<AuthTokenTable::Error, HardwareAuthToken>
149AuthTokenTable::FindTimedAuthorization(const std::vector<uint64_t>& sids,
150 HardwareAuthenticatorType auth_type,
151 const AuthorizationSet& key_info) {
Yi Konge353f252018-07-30 01:38:39 -0700[diff] [blame]152 Entry* newest_match = nullptr;
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]153 for (auto& entry : entries_)
154 if (entry.SatisfiesAuth(sids, auth_type) && entry.is_newer_than(newest_match))
155 newest_match = &entry;
156
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]157 if (!newest_match) return {AUTH_TOKEN_NOT_FOUND, {}};
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]158
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]159 auto timeout = defaultOr(key_info.GetTagValue(TAG_AUTH_TIMEOUT), 0);
160
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]161 time_t now = clock_function_();
162 if (static_cast<int64_t>(newest_match->time_received()) + timeout < static_cast<int64_t>(now))
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]163 return {AUTH_TOKEN_EXPIRED, {}};
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]164
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]165 if (key_info.GetTagValue(TAG_ALLOW_WHILE_ON_BODY).isOk()) {
Tucker Sylvestro0ab28b72016-08-05 18:02:47 -0400[diff] [blame]166 if (static_cast<int64_t>(newest_match->time_received()) <
167 static_cast<int64_t>(last_off_body_)) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]168 return {AUTH_TOKEN_EXPIRED, {}};
Tucker Sylvestro0ab28b72016-08-05 18:02:47 -0400[diff] [blame]169 }
170 }
171
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]172 newest_match->UpdateLastUse(now);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]173 return {OK, newest_match->token()};
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]174}
175
176void AuthTokenTable::ExtractSids(const AuthorizationSet& key_info, std::vector<uint64_t>* sids) {
177 assert(sids);
178 for (auto& param : key_info)
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]179 if (param.tag == Tag::USER_SECURE_ID)
180 sids->push_back(authorizationValue(TAG_USER_SECURE_ID, param).value());
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]181}
182
183void AuthTokenTable::RemoveEntriesSupersededBy(const Entry& entry) {
184 entries_.erase(remove_if(entries_, [&](Entry& e) { return entry.Supersedes(e); }),
185 entries_.end());
186}
187
Tucker Sylvestro0ab28b72016-08-05 18:02:47 -0400[diff] [blame]188void AuthTokenTable::onDeviceOffBody() {
189 last_off_body_ = clock_function_();
190}
191
Chad Brubakerbbc76482015-04-16 15:16:44 -0700[diff] [blame]192void AuthTokenTable::Clear() {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]193 std::lock_guard<std::mutex> lock(entries_mutex_);
194
Chad Brubakerbbc76482015-04-16 15:16:44 -0700[diff] [blame]195 entries_.clear();
196}
197
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]198size_t AuthTokenTable::size() const {
199 std::lock_guard<std::mutex> lock(entries_mutex_);
200 return entries_.size();
201}
202
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]203bool AuthTokenTable::IsSupersededBySomeEntry(const Entry& entry) {
204 return std::any_of(entries_.begin(), entries_.end(),
205 [&](Entry& e) { return e.Supersedes(entry); });
206}
207
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]208void AuthTokenTable::MarkCompleted(const uint64_t op_handle) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]209 std::lock_guard<std::mutex> lock(entries_mutex_);
210
Janis Danisevskis8f737ad2017-11-21 12:30:15 -0800[diff] [blame]211 auto found = find_if(entries_, [&](Entry& e) { return e.token().challenge == op_handle; });
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]212 if (found == entries_.end()) return;
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]213
214 assert(!IsSupersededBySomeEntry(*found));
215 found->mark_completed();
216
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]217 if (IsSupersededBySomeEntry(*found)) entries_.erase(found);
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]218}
219
Shawn Willden0329a822017-12-04 13:55:14 -0700[diff] [blame]220AuthTokenTable::Entry::Entry(HardwareAuthToken&& token, time_t current_time)
Janis Danisevskis8f737ad2017-11-21 12:30:15 -0800[diff] [blame]221 : token_(std::move(token)), time_received_(current_time), last_use_(current_time),
Shawn Willden0329a822017-12-04 13:55:14 -0700[diff] [blame]222 operation_completed_(token_.challenge == 0) {}
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]223
224bool AuthTokenTable::Entry::SatisfiesAuth(const std::vector<uint64_t>& sids,
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]225 HardwareAuthenticatorType auth_type) {
Shawn Willden0329a822017-12-04 13:55:14 -0700[diff] [blame]226 for (auto sid : sids) {
227 if (SatisfiesAuth(sid, auth_type)) return true;
228 }
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]229 return false;
230}
231
232void AuthTokenTable::Entry::UpdateLastUse(time_t time) {
233 this->last_use_ = time;
234}
235
236bool AuthTokenTable::Entry::Supersedes(const Entry& entry) const {
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100[diff] [blame]237 if (!entry.completed()) return false;
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]238
Shawn Willden0329a822017-12-04 13:55:14 -0700[diff] [blame]239 return (token_.userId == entry.token_.userId &&
240 token_.authenticatorType == entry.token_.authenticatorType &&
241 token_.authenticatorId == entry.token_.authenticatorId && is_newer_than(&entry));
Shawn Willden489dfe12015-03-17 10:13:27 -0600[diff] [blame]242}
243
Shawn Willden0329a822017-12-04 13:55:14 -0700[diff] [blame]244} // namespace keystore