1 /*
2  * Copyright 2022 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "second_imei_attestation.h"
18 
19 #include <inttypes.h>
20 #include <stdio.h>
21 #include <stdlib.h>
22 #include <string.h>
23 
24 namespace keymaster {
25 
26 // Calculates the checksum digit of a given number according to the
27 // Luhn algorithm.
28 // The algorithm:
29 // * Starting from the rightmost digit, moving left: Double the value of every
30 //   second digit.
31 // * Sum the digits of the resulting value in each position (if the value
32 //   was not multiplied, use it as-is) as s.
33 // * Caclculate the sum digit to be (10 - (s % 10)) % 10.
calculate_luhn_checksum_digit(uint64_t val)34 uint8_t calculate_luhn_checksum_digit(uint64_t val) {
35     int iteration_counter = 0;
36     uint32_t sum_digits = 0;
37     while (val != 0) {
38         int curr_digit = val % 10;
39         int multiplier = (iteration_counter % 2) == 0 ? 2 : 1;
40         int digit_multiplied = curr_digit * multiplier;
41         sum_digits += (digit_multiplied % 10) + (digit_multiplied / 10);
42         val = val / 10;
43         iteration_counter++;
44     }
45 
46     return (10 - (sum_digits % 10)) % 10;
47 }
48 
49 // Validate that the second IMEI sent by the platform is the one following
50 // the first IMEI, and that the checksum digit matches.
51 // On most devices with two IMEIs, the IMEIs are sequential. This enables
52 // providing attestation for the 2nd IMEI even if KeyMint was not provisioned
53 // with it.
validate_second_imei(const keymaster_blob_t & received_second_imei,uint64_t first_imei)54 bool validate_second_imei(const keymaster_blob_t& received_second_imei,
55                           uint64_t first_imei) {
56     // The first IMEI includes the checksum digit, so get rid of it and increase
57     // by 1 to get the value of the 2nd IMEI.
58     const uint64_t second_imei_no_checksum = (first_imei / 10) + 1;
59     const uint8_t checksum_digit =
60             calculate_luhn_checksum_digit(second_imei_no_checksum);
61     const uint64_t second_imei = second_imei_no_checksum * 10 + checksum_digit;
62     // Compare the second IMEI with the caller-provided value.
63     char calculated_second_imei[64];
64     const size_t calculated_second_imei_len =
65             snprintf(calculated_second_imei, sizeof(calculated_second_imei),
66                      "%" PRIu64, second_imei);
67     bool result =
68             (calculated_second_imei_len == received_second_imei.data_length) &&
69             (memcmp(calculated_second_imei, received_second_imei.data,
70                     calculated_second_imei_len) == 0);
71     return result;
72 }
73 
74 }  // namespace keymaster
75