Blame - keystore/auth_token_table.cpp - android_system_security

blob: 2ae10a053d359b90e8bf87d9d02cf007d5bee10b [file] [log] [blame]

Shawn Willden	489dfe1	2015-03-17 10:13:27 -0600	[diff] [blame^]	1	/*
				2	* Copyright (C) 2015 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16
				17	#include "auth_token_table.h"
				18
				19	#include <assert.h>
				20	#include <time.h>
				21
				22	#include <algorithm>
				23
				24	#include <keymaster/google_keymaster_utils.h>
				25	#include <keymaster/logger.h>
				26
				27	namespace keymaster {
				28
				29	//
				30	// Some trivial template wrappers around std algorithms, so they take containers not ranges.
				31	//
				32	template <typename Container, typename Predicate>
				33	typename Container::iterator find_if(Container& container, Predicate pred) {
				34	return std::find_if(container.begin(), container.end(), pred);
				35	}
				36
				37	template <typename Container, typename Predicate>
				38	typename Container::iterator remove_if(Container& container, Predicate pred) {
				39	return std::remove_if(container.begin(), container.end(), pred);
				40	}
				41
				42	template <typename Container> typename Container::iterator min_element(Container& container) {
				43	return std::min_element(container.begin(), container.end());
				44	}
				45
				46	time_t clock_gettime_raw() {
				47	struct timespec time;
				48	clock_gettime(CLOCK_MONOTONIC_RAW, &time);
				49	return time.tv_sec;
				50	}
				51
				52	void AuthTokenTable::AddAuthenticationToken(const hw_auth_token_t* auth_token) {
				53	Entry new_entry(auth_token, clock_function_());
				54	RemoveEntriesSupersededBy(new_entry);
				55	if (entries_.size() >= max_entries_) {
				56	LOG_W("Auth token table filled up; replacing oldest entry", 0);
				57	*min_element(entries_) = std::move(new_entry);
				58	} else {
				59	entries_.push_back(std::move(new_entry));
				60	}
				61	}
				62
				63	inline bool KeyRequiresAuthentication(const AuthorizationSet& key_info) {
				64	return key_info.find(TAG_NO_AUTH_REQUIRED) == -1;
				65	}
				66
				67	inline bool KeyRequiresAuthPerOperation(const AuthorizationSet& key_info) {
				68	return key_info.find(TAG_AUTH_TIMEOUT) == -1;
				69	}
				70
				71	AuthTokenTable::Error AuthTokenTable::FindAuthorization(const AuthorizationSet& key_info,
				72	keymaster_operation_handle_t op_handle,
				73	const hw_auth_token_t** found) {
				74	if (!KeyRequiresAuthentication(key_info))
				75	return AUTH_NOT_REQUIRED;
				76
				77	hw_authenticator_type_t auth_type = HW_AUTH_NONE;
				78	key_info.GetTagValue(TAG_USER_AUTH_TYPE, &auth_type);
				79
				80	std::vector<uint64_t> key_sids;
				81	ExtractSids(key_info, &key_sids);
				82
				83	if (KeyRequiresAuthPerOperation(key_info))
				84	return FindAuthPerOpAuthorization(key_sids, auth_type, op_handle, found);
				85	else
				86	return FindTimedAuthorization(key_sids, auth_type, key_info, found);
				87	}
				88
				89	AuthTokenTable::Error AuthTokenTable::FindAuthPerOpAuthorization(
				90	const std::vector<uint64_t>& sids, hw_authenticator_type_t auth_type,
				91	keymaster_operation_handle_t op_handle, const hw_auth_token_t** found) {
				92	if (op_handle == 0)
				93	return OP_HANDLE_REQUIRED;
				94
				95	auto matching_op = find_if(
				96	entries_, [&](Entry& e) { return e.token()->challenge == op_handle && !e.completed(); });
				97
				98	if (matching_op == entries_.end())
				99	return AUTH_TOKEN_NOT_FOUND;
				100
				101	if (!matching_op->SatisfiesAuth(sids, auth_type))
				102	return AUTH_TOKEN_WRONG_SID;
				103
				104	*found = matching_op->token();
				105	return OK;
				106	}
				107
				108	AuthTokenTable::Error AuthTokenTable::FindTimedAuthorization(const std::vector<uint64_t>& sids,
				109	hw_authenticator_type_t auth_type,
				110	const AuthorizationSet& key_info,
				111	const hw_auth_token_t** found) {
				112	Entry* newest_match = NULL;
				113	for (auto& entry : entries_)
				114	if (entry.SatisfiesAuth(sids, auth_type) && entry.is_newer_than(newest_match))
				115	newest_match = &entry;
				116
				117	if (!newest_match)
				118	return AUTH_TOKEN_NOT_FOUND;
				119
				120	uint32_t timeout;
				121	key_info.GetTagValue(TAG_AUTH_TIMEOUT, &timeout);
				122	time_t now = clock_function_();
				123	if (static_cast<int64_t>(newest_match->time_received()) + timeout < static_cast<int64_t>(now))
				124	return AUTH_TOKEN_EXPIRED;
				125
				126	newest_match->UpdateLastUse(now);
				127	*found = newest_match->token();
				128	return OK;
				129	}
				130
				131	void AuthTokenTable::ExtractSids(const AuthorizationSet& key_info, std::vector<uint64_t>* sids) {
				132	assert(sids);
				133	for (auto& param : key_info)
				134	if (param.tag == TAG_USER_SECURE_ID)
				135	sids->push_back(param.long_integer);
				136	}
				137
				138	void AuthTokenTable::RemoveEntriesSupersededBy(const Entry& entry) {
				139	entries_.erase(remove_if(entries_, [&](Entry& e) { return entry.Supersedes(e); }),
				140	entries_.end());
				141	}
				142
				143	bool AuthTokenTable::IsSupersededBySomeEntry(const Entry& entry) {
				144	return std::any_of(entries_.begin(), entries_.end(),
				145	[&](Entry& e) { return e.Supersedes(entry); });
				146	}
				147
				148	void AuthTokenTable::MarkCompleted(const keymaster_operation_handle_t op_handle) {
				149	auto found = find_if(entries_, [&](Entry& e) { return e.token()->challenge == op_handle; });
				150	if (found == entries_.end())
				151	return;
				152
				153	assert(!IsSupersededBySomeEntry(*found));
				154	found->mark_completed();
				155
				156	if (IsSupersededBySomeEntry(*found))
				157	entries_.erase(found);
				158	}
				159
				160	AuthTokenTable::Entry::Entry(const hw_auth_token_t* token, time_t current_time)
				161	: token_(token), time_received_(current_time), last_use_(current_time),
				162	operation_completed_(token_->challenge == 0) {
				163	}
				164
				165	uint32_t AuthTokenTable::Entry::timestamp_host_order() const {
				166	return ntoh(token_->timestamp);
				167	}
				168
				169	hw_authenticator_type_t AuthTokenTable::Entry::authenticator_type() const {
				170	hw_authenticator_type_t result = static_cast<hw_authenticator_type_t>(
				171	ntoh(static_cast<uint32_t>(token_->authenticator_type)));
				172	return result;
				173	}
				174
				175	bool AuthTokenTable::Entry::SatisfiesAuth(const std::vector<uint64_t>& sids,
				176	hw_authenticator_type_t auth_type) {
				177	for (auto sid : sids)
				178	if ((sid == token_->authenticator_id) \|\|
				179	(sid == token_->user_id && (auth_type & authenticator_type()) != 0))
				180	return true;
				181	return false;
				182	}
				183
				184	void AuthTokenTable::Entry::UpdateLastUse(time_t time) {
				185	this->last_use_ = time;
				186	}
				187
				188	bool AuthTokenTable::Entry::Supersedes(const Entry& entry) const {
				189	if (!entry.completed())
				190	return false;
				191
				192	return (token_->user_id == entry.token_->user_id &&
				193	token_->authenticator_type == entry.token_->authenticator_type &&
				194	token_->authenticator_type == entry.token_->authenticator_type &&
				195	timestamp_host_order() > entry.timestamp_host_order());
				196	}
				197
				198	} // namespace keymaster