1 /*
2  * Copyright (C) 2017 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "include/ese/app/weaver.h"
18 
19 /* Non-static, but visibility=hidden so they can be used in test. */
20 const uint8_t kManageChannelOpen[] = {0x00, 0x70, 0x00, 0x00, 0x01};
21 const uint32_t kManageChannelOpenLength = (uint32_t)sizeof(kManageChannelOpen);
22 const uint8_t kManageChannelClose[] = {0x00, 0x70, 0x80, 0x00, 0x00};
23 const uint8_t kSelectApplet[] = {0x00, 0xA4, 0x04, 0x00, 0x0D, 0xA0,
24                                  0x00, 0x00, 0x04, 0x76, 0x57, 0x56,
25                                  0x52, 0x43, 0x4F, 0x4D, 0x4D, 0x30};
26 const uint32_t kSelectAppletLength = (uint32_t)sizeof(kSelectApplet);
27 // Supported commands.
28 const uint8_t kGetNumSlots[] = {0x80, 0x02, 0x00, 0x00, 0x04};
29 const uint8_t kWrite[] = {0x80, 0x04, 0x00, 0x00,
30                           4 + kEseWeaverKeySize +
31                               kEseWeaverValueSize}; // slotid + key + value
32 const uint8_t kRead[] = {0x80, 0x06, 0x00, 0x00,
33                          4 + kEseWeaverKeySize}; // slotid + key
34 const uint8_t kEraseValue[] = {0x80, 0x08, 0x00, 0x00, 4}; // slotid
35 const uint8_t kEraseAll[] = {0x80, 0x0a, 0x00, 0x00};
36 
37 // Build 32-bit int from big endian bytes
get_uint32(uint8_t buf[4])38 static uint32_t get_uint32(uint8_t buf[4]) {
39   uint32_t x = buf[3];
40   x |= buf[2] << 8;
41   x |= buf[1] << 16;
42   x |= buf[0] << 24;
43   return x;
44 }
45 
put_uint32(uint8_t buf[4],uint32_t val)46 static void put_uint32(uint8_t buf[4], uint32_t val) {
47   buf[0] = 0xff & (val >> 24);
48   buf[1] = 0xff & (val >> 16);
49   buf[2] = 0xff & (val >> 8);
50   buf[3] = 0xff & val;
51 }
52 
check_apdu_status(uint8_t code[2])53 EseAppResult check_apdu_status(uint8_t code[2]) {
54   if (code[0] == 0x90 && code[1] == 0x00) {
55     return ESE_APP_RESULT_OK;
56   }
57   if (code[0] == 0x66 && code[1] == 0xA5) {
58     return ESE_APP_RESULT_ERROR_COOLDOWN;
59   }
60   if (code[0] == 0x6A && code[1] == 0x83) {
61     return ESE_APP_RESULT_ERROR_UNCONFIGURED;
62   }
63   /* TODO(wad) Bubble up the error code if needed. */
64   ALOGE("unhandled response %.2x %.2x", code[0], code[1]);
65   return ese_make_os_result(code[0], code[1]);
66 }
67 
ese_weaver_session_init(struct EseWeaverSession * session)68 ESE_API void ese_weaver_session_init(struct EseWeaverSession *session) {
69   session->ese = NULL;
70   session->active = false;
71   session->channel_id = 0;
72 }
73 
ese_weaver_session_open(struct EseInterface * ese,struct EseWeaverSession * session)74 ESE_API EseAppResult ese_weaver_session_open(struct EseInterface *ese,
75                                              struct EseWeaverSession *session) {
76   struct EseSgBuffer tx[2];
77   struct EseSgBuffer rx;
78   uint8_t rx_buf[32];
79   int rx_len;
80   if (!ese || !session) {
81     ALOGE("Invalid |ese| or |session|");
82     return ESE_APP_RESULT_ERROR_ARGUMENTS;
83   }
84   if (session->active == true) {
85     ALOGE("|session| is already active");
86     return ESE_APP_RESULT_ERROR_ARGUMENTS;
87   }
88   /* Instantiate a logical channel */
89   rx_len = ese_transceive(ese, kManageChannelOpen, sizeof(kManageChannelOpen),
90                           rx_buf, sizeof(rx_buf));
91   if (ese_error(ese)) {
92     ALOGE("transceive error: code:%d message:'%s'", ese_error_code(ese),
93           ese_error_message(ese));
94     return ESE_APP_RESULT_ERROR_COMM_FAILED;
95   }
96   if (rx_len < 0) {
97     ALOGE("transceive error: rx_len: %d", rx_len);
98     return ESE_APP_RESULT_ERROR_COMM_FAILED;
99   }
100   if (rx_len < 2) {
101     ALOGE("transceive error: reply too short");
102     return ESE_APP_RESULT_ERROR_COMM_FAILED;
103   }
104   EseAppResult ret;
105   ret = check_apdu_status(&rx_buf[rx_len - 2]);
106   if (ret != ESE_APP_RESULT_OK) {
107     ALOGE("MANAGE CHANNEL OPEN failed with error code: %x %x",
108           rx_buf[rx_len - 2], rx_buf[rx_len - 1]);
109     return ret;
110   }
111   if (rx_len < 3) {
112     ALOGE("transceive error: successful reply unexpectedly short");
113     return ESE_APP_RESULT_ERROR_COMM_FAILED;
114   }
115   session->ese = ese;
116   session->channel_id = rx_buf[rx_len - 3];
117 
118   /* Select Weaver Applet. */
119   uint8_t chan = kSelectApplet[0] | session->channel_id;
120   tx[0].base = &chan;
121   tx[0].len = 1;
122   tx[1].base = (uint8_t *)&kSelectApplet[1];
123   tx[1].len = sizeof(kSelectApplet) - 1;
124   rx.base = &rx_buf[0];
125   rx.len = sizeof(rx_buf);
126   rx_len = ese_transceive_sg(ese, tx, 2, &rx, 1);
127   if (rx_len < 0 || ese_error(ese)) {
128     ALOGE("transceive error: caller should check ese_error()");
129     return ESE_APP_RESULT_ERROR_COMM_FAILED;
130   }
131   if (rx_len < 2) {
132     ALOGE("transceive error: reply too short");
133     return ESE_APP_RESULT_ERROR_COMM_FAILED;
134   }
135   ret = check_apdu_status(&rx_buf[rx_len - 2]);
136   if (ret != ESE_APP_RESULT_OK) {
137     ALOGE("SELECT failed with error code: %x %x", rx_buf[rx_len - 2],
138           rx_buf[rx_len - 1]);
139     return ret;
140   }
141   session->active = true;
142   return ESE_APP_RESULT_OK;
143 }
144 
145 ESE_API EseAppResult
ese_weaver_session_close(struct EseWeaverSession * session)146 ese_weaver_session_close(struct EseWeaverSession *session) {
147   uint8_t rx_buf[32];
148   int rx_len;
149   if (!session || !session->ese) {
150     return ESE_APP_RESULT_ERROR_ARGUMENTS;
151   }
152   if (!session->active || session->channel_id == 0) {
153     return ESE_APP_RESULT_ERROR_ARGUMENTS;
154   }
155   /* Release the channel */
156   uint8_t close_channel[sizeof(kManageChannelClose)];
157   ese_memcpy(close_channel, kManageChannelClose, sizeof(kManageChannelClose));
158   close_channel[0] |= session->channel_id;
159   close_channel[3] |= session->channel_id;
160   rx_len = ese_transceive(session->ese, close_channel, sizeof(close_channel),
161                           rx_buf, sizeof(rx_buf));
162   if (rx_len < 0 || ese_error(session->ese)) {
163     return ESE_APP_RESULT_ERROR_COMM_FAILED;
164   }
165   if (rx_len < 2) {
166     return ESE_APP_RESULT_ERROR_COMM_FAILED;
167   }
168   EseAppResult ret;
169   ret = check_apdu_status(&rx_buf[rx_len - 2]);
170   if (ret != ESE_APP_RESULT_OK) {
171     return ret;
172   }
173   session->channel_id = 0;
174   session->active = false;
175   return ESE_APP_RESULT_OK;
176 }
177 
ese_weaver_get_num_slots(struct EseWeaverSession * session,uint32_t * numSlots)178 ESE_API EseAppResult ese_weaver_get_num_slots(struct EseWeaverSession *session,
179                                               uint32_t *numSlots) {
180   if (!session || !session->ese || !session->active) {
181     return ESE_APP_RESULT_ERROR_ARGUMENTS;
182   }
183   if (!session->active || session->channel_id == 0) {
184     return ESE_APP_RESULT_ERROR_ARGUMENTS;
185   }
186   if (!numSlots) {
187     return ESE_APP_RESULT_ERROR_ARGUMENTS;
188   }
189 
190   // Prepare command
191   uint8_t get_num_slots[sizeof(kGetNumSlots)];
192   ese_memcpy(get_num_slots, kGetNumSlots, sizeof(kGetNumSlots));
193   get_num_slots[0] |= session->channel_id;
194 
195   // Send command
196   uint8_t rx_buf[6];
197   const int rx_len =
198       ese_transceive(session->ese, get_num_slots, sizeof(get_num_slots), rx_buf,
199                      sizeof(rx_buf));
200 
201   // Check for errors
202   if (rx_len < 2 || ese_error(session->ese)) {
203     ALOGE("Failed to get num slots");
204     return ESE_APP_RESULT_ERROR_COMM_FAILED;
205   }
206   if (rx_len == 2) {
207     ALOGE("ese_weaver_get_num_slots: SE exception");
208     EseAppResult ret = check_apdu_status(rx_buf);
209     return ret;
210   }
211   if (rx_len != 6) {
212     ALOGE("Unexpected response from Weaver applet");
213     return ESE_APP_RESULT_ERROR_COMM_FAILED;
214   }
215 
216   *numSlots = get_uint32(rx_buf);
217   return ESE_APP_RESULT_OK;
218 }
219 
ese_weaver_write(struct EseWeaverSession * session,uint32_t slotId,const uint8_t * key,const uint8_t * value)220 ESE_API EseAppResult ese_weaver_write(struct EseWeaverSession *session,
221                                       uint32_t slotId, const uint8_t *key,
222                                       const uint8_t *value) {
223   if (!session || !session->ese || !session->active) {
224     return ESE_APP_RESULT_ERROR_ARGUMENTS;
225   }
226   if (!session->active || session->channel_id == 0) {
227     return ESE_APP_RESULT_ERROR_ARGUMENTS;
228   }
229   if (!key || !value) {
230     return ESE_APP_RESULT_ERROR_ARGUMENTS;
231   }
232 
233   // Prepare data to send
234   struct EseSgBuffer tx[5];
235   uint8_t chan = kWrite[0] | session->channel_id;
236   tx[0].base = &chan;
237   tx[0].len = 1;
238   tx[1].base = (uint8_t *)&kWrite[1];
239   tx[1].len = sizeof(kWrite) - 1;
240 
241   // Slot ID in big endian
242   uint8_t slot_id[4];
243   put_uint32(slot_id, slotId);
244   tx[2].base = slot_id;
245   tx[2].len = sizeof(slot_id);
246 
247   // Key and value
248   tx[3].c_base = key;
249   tx[3].len = kEseWeaverKeySize;
250   tx[4].c_base = value;
251   tx[4].len = kEseWeaverValueSize;
252 
253   // Prepare buffer for result
254   struct EseSgBuffer rx;
255   uint8_t rx_buf[2];
256   rx.base = rx_buf;
257   rx.len = sizeof(rx_buf);
258 
259   // Send the command
260   const int rx_len = ese_transceive_sg(session->ese, tx, 5, &rx, 1);
261 
262   // Check for errors
263   if (rx_len < 2 || ese_error(session->ese)) {
264     ALOGE("Failed to write to slot");
265     return ESE_APP_RESULT_ERROR_COMM_FAILED;
266   }
267   if (rx_len > 2) {
268     ALOGE("Unexpected response from Weaver applet");
269     return ESE_APP_RESULT_ERROR_COMM_FAILED;
270   }
271   return check_apdu_status(rx_buf);
272 }
273 
ese_weaver_read(struct EseWeaverSession * session,uint32_t slotId,const uint8_t * key,uint8_t * value,uint32_t * timeout)274 ESE_API EseAppResult ese_weaver_read(struct EseWeaverSession *session,
275                                      uint32_t slotId, const uint8_t *key,
276                                      uint8_t *value, uint32_t *timeout) {
277   if (!session || !session->ese || !session->active) {
278     return ESE_APP_RESULT_ERROR_ARGUMENTS;
279   }
280   if (!session->active || session->channel_id == 0) {
281     return ESE_APP_RESULT_ERROR_ARGUMENTS;
282   }
283   if (!key || !value || !timeout) {
284     return ESE_APP_RESULT_ERROR_ARGUMENTS;
285   }
286 
287   // Prepare data to send
288   struct EseSgBuffer tx[5];
289   uint8_t chan = kRead[0] | session->channel_id;
290   tx[0].base = &chan;
291   tx[0].len = 1;
292   tx[1].base = (uint8_t *)&kRead[1];
293   tx[1].len = sizeof(kRead) - 1;
294 
295   // Slot ID in big endian
296   uint8_t slot_id[4];
297   put_uint32(slot_id, slotId);
298   tx[2].base = slot_id;
299   tx[2].len = sizeof(slot_id);
300 
301   // Key of 16 bytes
302   tx[3].c_base = key;
303   tx[3].len = kEseWeaverKeySize;
304 
305   // Value response is 16 bytes
306   const uint8_t maxResponse = 1 + kEseWeaverValueSize;
307   tx[4].c_base = &maxResponse;
308   tx[4].len = 1;
309 
310   // Prepare buffer for result
311   struct EseSgBuffer rx[3];
312   uint8_t appletStatus;
313   rx[0].base = &appletStatus;
314   rx[0].len = 1;
315   rx[1].base = value;
316   rx[1].len = kEseWeaverValueSize;
317   uint8_t rx_buf[2];
318   rx[2].base = rx_buf;
319   rx[2].len = sizeof(rx_buf);
320 
321   // Send the command
322   const int rx_len = ese_transceive_sg(session->ese, tx, 5, rx, 3);
323 
324   // Check for errors
325   if (rx_len < 2 || ese_error(session->ese)) {
326     ALOGE("Failed to write to slot");
327     return ESE_APP_RESULT_ERROR_COMM_FAILED;
328   }
329   if (rx_len == 2) {
330     rx_buf[0] = appletStatus;
331     rx_buf[1] = value[0];
332     ALOGE("ese_weaver_read: SE exception");
333     EseAppResult ret = check_apdu_status(rx_buf);
334     return ret;
335   }
336   if (rx_len < 7) {
337     ALOGE("Unexpected response from Weaver applet");
338     return ESE_APP_RESULT_ERROR_COMM_FAILED;
339   }
340   const uint8_t READ_SUCCESS = 0x00;
341   const uint8_t READ_WRONG_KEY = 0x7f;
342   const uint8_t READ_BACK_OFF = 0x76;
343   const uint32_t millisInSecond = 1000;
344   // wrong key
345   if (appletStatus == READ_WRONG_KEY) {
346     ALOGI("ese_weaver_read wrong key provided");
347     *timeout = get_uint32(value) * millisInSecond;
348     return ESE_WEAVER_READ_WRONG_KEY;
349   }
350   // backoff
351   if (appletStatus == READ_BACK_OFF) {
352     ALOGI("ese_weaver_read wrong key provided");
353     *timeout = get_uint32(value) * millisInSecond;
354     return ESE_WEAVER_READ_TIMEOUT;
355   }
356   if (rx_len != 19) {
357     ALOGE("Unexpected response from Weaver applet");
358     return ESE_APP_RESULT_ERROR_COMM_FAILED;
359   }
360   return ESE_APP_RESULT_OK;
361 }
362 
ese_weaver_erase_value(struct EseWeaverSession * session,uint32_t slotId)363 ESE_API EseAppResult ese_weaver_erase_value(struct EseWeaverSession *session,
364                                             uint32_t slotId) {
365   if (!session || !session->ese || !session->active) {
366     return ESE_APP_RESULT_ERROR_ARGUMENTS;
367   }
368   if (!session->active || session->channel_id == 0) {
369     return ESE_APP_RESULT_ERROR_ARGUMENTS;
370   }
371 
372   // Prepare data to send
373   struct EseSgBuffer tx[3];
374   uint8_t chan = kEraseValue[0] | session->channel_id;
375   tx[0].base = &chan;
376   tx[0].len = 1;
377   tx[1].base = (uint8_t *)&kEraseValue[1];
378   tx[1].len = sizeof(kEraseValue) - 1;
379 
380   // Slot ID in big endian
381   uint8_t slot_id[4];
382   put_uint32(slot_id, slotId);
383   tx[2].base = slot_id;
384   tx[2].len = sizeof(slot_id);
385 
386   // Prepare buffer for result
387   struct EseSgBuffer rx;
388   uint8_t rx_buf[2];
389   rx.base = rx_buf;
390   rx.len = sizeof(rx_buf);
391 
392   // Send the command
393   const int rx_len = ese_transceive_sg(session->ese, tx, 3, &rx, 1);
394 
395   // Check for errors
396   if (rx_len < 2 || ese_error(session->ese)) {
397     ALOGE("Failed to write to slot");
398     return ESE_APP_RESULT_ERROR_COMM_FAILED;
399   }
400   if (rx_len > 2) {
401     ALOGE("Unexpected response from Weaver applet");
402     return ESE_APP_RESULT_ERROR_COMM_FAILED;
403   }
404   return check_apdu_status(rx_buf);
405 }
406 
407 // TODO: erase all, not currently used
408