Blame - keystore/auth_token_table.h - android_system_security

blob: 7c1836764c6f1e4824e4de61871f2203fdfdd5f2 [file] [log] [blame]

Shawn Willden	489dfe1	2015-03-17 10:13:27 -0600	[diff] [blame]	1	/*
				2	* Copyright (C) 2015 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16
				17	#include <memory>
				18	#include <vector>
				19
				20	#include <hardware/hw_auth_token.h>
				21	#include <keymaster/authorization_set.h>
Chad Brubaker	06801e0	2015-03-31 15:13:13 -0700	[diff] [blame^]	22	#include <keymaster/key_blob.h>
Shawn Willden	489dfe1	2015-03-17 10:13:27 -0600	[diff] [blame]	23
				24	#ifndef SYSTEM_KEYMASTER_AUTH_TOKEN_TABLE_H
				25	#define SYSTEM_KEYMASTER_AUTH_TOKEN_TABLE_H
				26
				27	namespace keymaster {
				28
				29	namespace test {
				30	class AuthTokenTableTest;
				31	} // namespace test
				32
				33	time_t clock_gettime_raw();
				34
				35	/**
				36	* AuthTokenTable manages a set of received authorization tokens and can provide the appropriate
				37	* token for authorizing a key operation.
				38	*
				39	* To keep the table from growing without bound, superseded entries are removed when possible, and
				40	* least recently used entries are automatically pruned when when the table exceeds a size limit,
				41	* which is expected to be relatively small, since the implementation uses a linear search.
				42	*/
				43	class AuthTokenTable {
				44	public:
				45	AuthTokenTable(size_t max_entries = 32, time_t (*clock_function)() = clock_gettime_raw)
				46	: max_entries_(max_entries), clock_function_(clock_function) {}
				47
				48	enum Error {
				49	OK,
				50	AUTH_NOT_REQUIRED = -1,
				51	AUTH_TOKEN_EXPIRED = -2, // Found a matching token, but it's too old.
				52	AUTH_TOKEN_WRONG_SID = -3, // Found a token with the right challenge, but wrong SID. This
				53	// most likely indicates that the authenticator was updated
				54	// (e.g. new fingerprint enrolled).
				55	OP_HANDLE_REQUIRED = -4, // The key requires auth per use but op_handle was zero.
				56	AUTH_TOKEN_NOT_FOUND = -5,
Chad Brubaker	06801e0	2015-03-31 15:13:13 -0700	[diff] [blame^]	57	AUTH_BAD_PARAMS = -6,
Shawn Willden	489dfe1	2015-03-17 10:13:27 -0600	[diff] [blame]	58	};
				59
				60	/**
				61	* Add an authorization token to the table. The table takes ownership of the argument.
				62	*/
				63	void AddAuthenticationToken(const hw_auth_token_t* token);
				64
				65	/**
				66	* Find an authorization token that authorizes the operation specified by \p operation_handle on
				67	* a key with the characteristics specified in \p key_info.
				68	*
				69	* This method is O(n * m), where n is the number of KM_TAG_USER_SECURE_ID entries in key_info
				70	* and m is the number of entries in the table. It could be made better, but n and m should
				71	* always be small.
				72	*
				73	* The table retains ownership of the returned object.
				74	*/
				75	Error FindAuthorization(const AuthorizationSet& key_info,
				76	keymaster_operation_handle_t op_handle, const hw_auth_token_t** found);
				77
				78	/**
				79	* Find an authorization token that authorizes the operation specified by \p operation_handle on
				80	* a key with the characteristics specified in \p key_info.
				81	*
				82	* This method is O(n * m), where n is the number of KM_TAG_USER_SECURE_ID entries in key_info
				83	* and m is the number of entries in the table. It could be made better, but n and m should
				84	* always be small.
				85	*
				86	* The table retains ownership of the returned object.
				87	*/
				88	Error FindAuthorization(const keymaster_key_param_t* params, size_t params_count,
				89	keymaster_operation_handle_t op_handle, const hw_auth_token_t** found) {
				90	return FindAuthorization(AuthorizationSet(params, params_count), op_handle, found);
				91	}
				92
				93	/**
Chad Brubaker	06801e0	2015-03-31 15:13:13 -0700	[diff] [blame^]	94	* Find an authorization token that authorizes the operation specified by \p handle on
				95	* a key with the characteristics specified in \p blob.
				96	*
				97	* The table retains ownership of the returned object.
				98	*/
				99	Error FindAuthorization(const keymaster_key_blob_t& blob, keymaster_operation_handle_t handle,
				100	const hw_auth_token_t** found) {
				101	KeyBlob key(blob);
				102	if (key.error()) {
				103	return AUTH_BAD_PARAMS;
				104	}
				105	AuthorizationSet auths(key.unenforced());
				106	for (auto param : key.enforced()) {
				107	auths.push_back(param);
				108	}
				109	return FindAuthorization(auths, handle, found);
				110
				111	}
				112
				113
				114	/**
Shawn Willden	489dfe1	2015-03-17 10:13:27 -0600	[diff] [blame]	115	* Mark operation completed. This allows tokens associated with the specified operation to be
				116	* superseded by new tokens.
				117	*/
				118	void MarkCompleted(const keymaster_operation_handle_t op_handle);
				119
				120	size_t size() { return entries_.size(); }
				121
				122	private:
				123	friend class AuthTokenTableTest;
				124
				125	class Entry {
				126	public:
				127	Entry(const hw_auth_token_t* token, time_t current_time);
				128	Entry(Entry&& entry) { *this = std::move(entry); }
				129
				130	void operator=(Entry&& rhs) {
				131	token_ = std::move(rhs.token_);
				132	time_received_ = rhs.time_received_;
				133	last_use_ = rhs.last_use_;
				134	operation_completed_ = rhs.operation_completed_;
				135	}
				136
				137	bool operator<(const Entry& rhs) const { return last_use_ < rhs.last_use_; }
				138
				139	void UpdateLastUse(time_t time);
				140
				141	bool Supersedes(const Entry& entry) const;
				142	bool SatisfiesAuth(const std::vector<uint64_t>& sids, hw_authenticator_type_t auth_type);
				143
				144	bool is_newer_than(const Entry* entry) {
				145	if (!entry)
				146	return true;
				147	return timestamp_host_order() > entry->timestamp_host_order();
				148	}
				149
				150	void mark_completed() { operation_completed_ = true; }
				151
				152	const hw_auth_token_t* token() { return token_.get(); }
				153	time_t time_received() const { return time_received_; }
				154	bool completed() const { return operation_completed_; }
				155	uint32_t timestamp_host_order() const;
				156	hw_authenticator_type_t authenticator_type() const;
				157
				158	private:
				159	std::unique_ptr<const hw_auth_token_t> token_;
				160	time_t time_received_;
				161	time_t last_use_;
				162	bool operation_completed_;
				163	};
				164
				165	Error FindAuthPerOpAuthorization(const std::vector<uint64_t>& sids,
				166	hw_authenticator_type_t auth_type,
				167	keymaster_operation_handle_t op_handle,
				168	const hw_auth_token_t** found);
				169	Error FindTimedAuthorization(const std::vector<uint64_t>& sids,
				170	hw_authenticator_type_t auth_type,
				171	const AuthorizationSet& key_info, const hw_auth_token_t** found);
				172	void ExtractSids(const AuthorizationSet& key_info, std::vector<uint64_t>* sids);
				173	void RemoveEntriesSupersededBy(const Entry& entry);
				174	bool IsSupersededBySomeEntry(const Entry& entry);
				175
				176	std::vector<Entry> entries_;
				177	size_t max_entries_;
				178	time_t (*clock_function_)();
				179	};
				180
				181	} // namespace keymaster
				182
				183	#endif // SYSTEM_KEYMASTER_AUTH_TOKEN_TABLE_H