Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / c6c950b55be95fe3e52d93d90ac817e9c7598f2b^! / . / identity / aidl / default / libeic / EicPresentation.c
commitc6c950b55be95fe3e52d93d90ac817e9c7598f2b[log] [tgz]
authorDavid Zeuthen <zeuthen@google.com>Thu Mar 04 16:39:42 2021 -0500
committerDavid Zeuthen <zeuthen@google.com>Thu Mar 04 17:45:54 2021 -0500
tree75edcf7bb2466e31a1bd9d20ce05449ec521e3b1
parent620ad1ca3f4aecc22a3a5a54196a123ddfb222f8 [diff] [blame]
identity: Check freshness of verification token in TA.

A problem where credstore didn't always use the TA-generated challenge
in the verification token was fixed in aosp/1619825. With this bug-fix
we can now reliably check that the passed-in verification token is
always fresh.

Bug: 181893400
Test: atest android.security.identity.cts on emulator
Test: atest VtsHalIdentityTargetTest
Change-Id: Iffdf026475da6321764561972aae27a82ab94530

diff --git a/identity/aidl/default/libeic/EicPresentation.c b/identity/aidl/default/libeic/EicPresentation.c
index 5e9a280..9e033b3 100644
--- a/identity/aidl/default/libeic/EicPresentation.c
+++ b/identity/aidl/default/libeic/EicPresentation.c

@@ -336,6 +336,18 @@
                                  int verificationTokenSecurityLevel,
                                  const uint8_t* verificationTokenMac,
                                  size_t verificationTokenMacSize) {
+    // It doesn't make sense to accept any tokens if eicPresentationCreateAuthChallenge()
+    // was never called.
+    if (ctx->authChallenge == 0) {
+        eicDebug("Trying validate tokens when no auth-challenge was previously generated");
+        return false;
+    }
+    // At least the verification-token must have the same challenge as what was generated.
+    if (verificationTokenChallenge != ctx->authChallenge) {
+        eicDebug("Challenge in verification token does not match the challenge "
+                 "previously generated");
+        return false;
+    }
     if (!eicOpsValidateAuthToken(
                 challenge, secureUserId, authenticatorId, hardwareAuthenticatorType, timeStamp, mac,
                 macSize, verificationTokenChallenge, verificationTokenTimestamp,
@@ -360,18 +372,9 @@
         return false;
     }
 
+    // Only ACP with auth-on-every-presentation - those with timeout == 0 - need the
+    // challenge to match...
     if (timeoutMillis == 0) {
-        if (ctx->authTokenChallenge == 0) {
-            eicDebug("No challenge in authToken");
-            return false;
-        }
-
-        // If we didn't create a challenge, too bad but user auth with
-        // timeoutMillis set to 0 needs it.
-        if (ctx->authChallenge == 0) {
-            eicDebug("No challenge was created for this session");
-            return false;
-        }
         if (ctx->authTokenChallenge != ctx->authChallenge) {
             eicDebug("Challenge in authToken (%" PRIu64
                      ") doesn't match the challenge "