1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <memory>
18 #include <vector>
19 
20 #include <hardware/hw_auth_token.h>
21 #include <keymaster/authorization_set.h>
22 
23 #ifndef SYSTEM_KEYMASTER_AUTH_TOKEN_TABLE_H
24 #define SYSTEM_KEYMASTER_AUTH_TOKEN_TABLE_H
25 
26 namespace keymaster {
27 
28 namespace test {
29 class AuthTokenTableTest;
30 }  // namespace test
31 
32 time_t clock_gettime_raw();
33 
34 /**
35  * AuthTokenTable manages a set of received authorization tokens and can provide the appropriate
36  * token for authorizing a key operation.
37  *
38  * To keep the table from growing without bound, superseded entries are removed when possible, and
39  * least recently used entries are automatically pruned when when the table exceeds a size limit,
40  * which is expected to be relatively small, since the implementation uses a linear search.
41  */
42 class AuthTokenTable {
43   public:
44     AuthTokenTable(size_t max_entries = 32, time_t (*clock_function)() = clock_gettime_raw)
max_entries_(max_entries)45         : max_entries_(max_entries), clock_function_(clock_function) {}
46 
47     enum Error {
48         OK,
49         AUTH_NOT_REQUIRED = -1,
50         AUTH_TOKEN_EXPIRED = -2,    // Found a matching token, but it's too old.
51         AUTH_TOKEN_WRONG_SID = -3,  // Found a token with the right challenge, but wrong SID.  This
52                                     // most likely indicates that the authenticator was updated
53                                     // (e.g. new fingerprint enrolled).
54         OP_HANDLE_REQUIRED = -4,    // The key requires auth per use but op_handle was zero.
55         AUTH_TOKEN_NOT_FOUND = -5,
56     };
57 
58     /**
59      * Add an authorization token to the table.  The table takes ownership of the argument.
60      */
61     void AddAuthenticationToken(const hw_auth_token_t* token);
62 
63     /**
64      * Find an authorization token that authorizes the operation specified by \p operation_handle on
65      * a key with the characteristics specified in \p key_info.
66      *
67      * This method is O(n * m), where n is the number of KM_TAG_USER_SECURE_ID entries in key_info
68      * and m is the number of entries in the table.  It could be made better, but n and m should
69      * always be small.
70      *
71      * The table retains ownership of the returned object.
72      */
73     Error FindAuthorization(const AuthorizationSet& key_info, keymaster_purpose_t purpose,
74                             keymaster_operation_handle_t op_handle, const hw_auth_token_t** found);
75 
76     /**
77      * Find an authorization token that authorizes the operation specified by \p operation_handle on
78      * a key with the characteristics specified in \p key_info.
79      *
80      * This method is O(n * m), where n is the number of KM_TAG_USER_SECURE_ID entries in key_info
81      * and m is the number of entries in the table.  It could be made better, but n and m should
82      * always be small.
83      *
84      * The table retains ownership of the returned object.
85      */
FindAuthorization(const keymaster_key_param_t * params,size_t params_count,keymaster_purpose_t purpose,keymaster_operation_handle_t op_handle,const hw_auth_token_t ** found)86     Error FindAuthorization(const keymaster_key_param_t* params, size_t params_count,
87                             keymaster_purpose_t purpose, keymaster_operation_handle_t op_handle,
88                             const hw_auth_token_t** found) {
89         return FindAuthorization(AuthorizationSet(params, params_count), purpose, op_handle, found);
90     }
91 
92     /**
93      * Mark operation completed.  This allows tokens associated with the specified operation to be
94      * superseded by new tokens.
95      */
96     void MarkCompleted(const keymaster_operation_handle_t op_handle);
97 
98     void Clear();
99 
size()100     size_t size() { return entries_.size(); }
101 
102   private:
103     friend class AuthTokenTableTest;
104 
105     class Entry {
106       public:
107         Entry(const hw_auth_token_t* token, time_t current_time);
Entry(Entry && entry)108         Entry(Entry&& entry) { *this = std::move(entry); }
109 
110         void operator=(Entry&& rhs) {
111             token_ = std::move(rhs.token_);
112             time_received_ = rhs.time_received_;
113             last_use_ = rhs.last_use_;
114             operation_completed_ = rhs.operation_completed_;
115         }
116 
117         bool operator<(const Entry& rhs) const { return last_use_ < rhs.last_use_; }
118 
119         void UpdateLastUse(time_t time);
120 
121         bool Supersedes(const Entry& entry) const;
122         bool SatisfiesAuth(const std::vector<uint64_t>& sids, hw_authenticator_type_t auth_type);
123 
is_newer_than(const Entry * entry)124         bool is_newer_than(const Entry* entry) {
125             if (!entry)
126                 return true;
127             return timestamp_host_order() > entry->timestamp_host_order();
128         }
129 
mark_completed()130         void mark_completed() { operation_completed_ = true; }
131 
token()132         const hw_auth_token_t* token() { return token_.get(); }
time_received()133         time_t time_received() const { return time_received_; }
completed()134         bool completed() const { return operation_completed_; }
135         uint32_t timestamp_host_order() const;
136         hw_authenticator_type_t authenticator_type() const;
137 
138       private:
139         std::unique_ptr<const hw_auth_token_t> token_;
140         time_t time_received_;
141         time_t last_use_;
142         bool operation_completed_;
143     };
144 
145     Error FindAuthPerOpAuthorization(const std::vector<uint64_t>& sids,
146                                      hw_authenticator_type_t auth_type,
147                                      keymaster_operation_handle_t op_handle,
148                                      const hw_auth_token_t** found);
149     Error FindTimedAuthorization(const std::vector<uint64_t>& sids,
150                                  hw_authenticator_type_t auth_type,
151                                  const AuthorizationSet& key_info, const hw_auth_token_t** found);
152     void ExtractSids(const AuthorizationSet& key_info, std::vector<uint64_t>* sids);
153     void RemoveEntriesSupersededBy(const Entry& entry);
154     bool IsSupersededBySomeEntry(const Entry& entry);
155 
156     std::vector<Entry> entries_;
157     size_t max_entries_;
158     time_t (*clock_function_)();
159 };
160 
161 }  // namespace keymaster
162 
163 #endif  // SYSTEM_KEYMASTER_AUTH_TOKEN_TABLE_H
164