1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *
16  */
17 
18 #ifndef SOFT_GATEKEEPER_H_
19 #define SOFT_GATEKEEPER_H_
20 
21 extern "C" {
22 #include <openssl/rand.h>
23 #include <openssl/sha.h>
24 
25 #include <crypto_scrypt.h>
26 }
27 
28 #include <android-base/memory.h>
29 #include <UniquePtr.h>
30 #include <gatekeeper/gatekeeper.h>
31 
32 #include <iostream>
33 #include <unordered_map>
34 
35 namespace gatekeeper {
36 
37 struct fast_hash_t {
38     uint64_t salt;
39     uint8_t digest[SHA256_DIGEST_LENGTH];
40 };
41 
42 class SoftGateKeeper : public GateKeeper {
43 public:
44     static const uint32_t SIGNATURE_LENGTH_BYTES = 32;
45 
46     // scrypt params
47     static const uint64_t N = 16384;
48     static const uint32_t r = 8;
49     static const uint32_t p = 1;
50 
51     static const int MAX_UINT_32_CHARS = 11;
52 
SoftGateKeeper()53     SoftGateKeeper() {
54         key_.reset(new uint8_t[SIGNATURE_LENGTH_BYTES]);
55         memset(key_.get(), 0, SIGNATURE_LENGTH_BYTES);
56     }
57 
~SoftGateKeeper()58     virtual ~SoftGateKeeper() {
59     }
60 
GetAuthTokenKey(const uint8_t ** auth_token_key,uint32_t * length)61     virtual bool GetAuthTokenKey(const uint8_t **auth_token_key,
62             uint32_t *length) const {
63         if (auth_token_key == NULL || length == NULL) return false;
64         uint8_t *auth_token_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES];
65         memcpy(auth_token_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES);
66 
67         *auth_token_key = auth_token_key_copy;
68         *length = SIGNATURE_LENGTH_BYTES;
69         return true;
70     }
71 
GetPasswordKey(const uint8_t ** password_key,uint32_t * length)72     virtual void GetPasswordKey(const uint8_t **password_key, uint32_t *length) {
73         if (password_key == NULL || length == NULL) return;
74         uint8_t *password_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES];
75         memcpy(password_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES);
76 
77         *password_key = password_key_copy;
78         *length = SIGNATURE_LENGTH_BYTES;
79     }
80 
ComputePasswordSignature(uint8_t * signature,uint32_t signature_length,const uint8_t *,uint32_t,const uint8_t * password,uint32_t password_length,salt_t salt)81     virtual void ComputePasswordSignature(uint8_t *signature, uint32_t signature_length,
82             const uint8_t *, uint32_t, const uint8_t *password,
83             uint32_t password_length, salt_t salt) const {
84         if (signature == NULL) return;
85         crypto_scrypt(password, password_length, reinterpret_cast<uint8_t *>(&salt),
86                 sizeof(salt), N, r, p, signature, signature_length);
87     }
88 
GetRandom(void * random,uint32_t requested_length)89     virtual void GetRandom(void *random, uint32_t requested_length) const {
90         if (random == NULL) return;
91         RAND_pseudo_bytes((uint8_t *) random, requested_length);
92     }
93 
ComputeSignature(uint8_t * signature,uint32_t signature_length,const uint8_t *,uint32_t,const uint8_t *,const uint32_t)94     virtual void ComputeSignature(uint8_t *signature, uint32_t signature_length,
95             const uint8_t *, uint32_t, const uint8_t *, const uint32_t) const {
96         if (signature == NULL) return;
97         memset(signature, 0, signature_length);
98     }
99 
GetMillisecondsSinceBoot()100     virtual uint64_t GetMillisecondsSinceBoot() const {
101         struct timespec time;
102         int res = clock_gettime(CLOCK_BOOTTIME, &time);
103         if (res < 0) return 0;
104         return (time.tv_sec * 1000) + (time.tv_nsec / 1000 / 1000);
105     }
106 
IsHardwareBacked()107     virtual bool IsHardwareBacked() const {
108         return false;
109     }
110 
GetFailureRecord(uint32_t uid,secure_id_t user_id,failure_record_t * record,bool)111     virtual bool GetFailureRecord(uint32_t uid, secure_id_t user_id, failure_record_t *record,
112             bool /* secure */) {
113         failure_record_t *stored = &failure_map_[uid];
114         if (user_id != stored->secure_user_id) {
115             stored->secure_user_id = user_id;
116             stored->last_checked_timestamp = 0;
117             stored->failure_counter = 0;
118         }
119         memcpy(record, stored, sizeof(*record));
120         return true;
121     }
122 
ClearFailureRecord(uint32_t uid,secure_id_t user_id,bool)123     virtual bool ClearFailureRecord(uint32_t uid, secure_id_t user_id, bool /* secure */) {
124         failure_record_t *stored = &failure_map_[uid];
125         stored->secure_user_id = user_id;
126         stored->last_checked_timestamp = 0;
127         stored->failure_counter = 0;
128         return true;
129     }
130 
WriteFailureRecord(uint32_t uid,failure_record_t * record,bool)131     virtual bool WriteFailureRecord(uint32_t uid, failure_record_t *record, bool /* secure */) {
132         failure_map_[uid] = *record;
133         return true;
134     }
135 
ComputeFastHash(const SizedBuffer & password,uint64_t salt)136     fast_hash_t ComputeFastHash(const SizedBuffer &password, uint64_t salt) {
137         fast_hash_t fast_hash;
138         size_t digest_size = password.length + sizeof(salt);
139         std::unique_ptr<uint8_t[]> digest(new uint8_t[digest_size]);
140         memcpy(digest.get(), &salt, sizeof(salt));
141         memcpy(digest.get() + sizeof(salt), password.buffer.get(), password.length);
142 
143         SHA256(digest.get(), digest_size, (uint8_t *) &fast_hash.digest);
144 
145         fast_hash.salt = salt;
146         return fast_hash;
147     }
148 
VerifyFast(const fast_hash_t & fast_hash,const SizedBuffer & password)149     bool VerifyFast(const fast_hash_t &fast_hash, const SizedBuffer &password) {
150         fast_hash_t computed = ComputeFastHash(password, fast_hash.salt);
151         return memcmp(computed.digest, fast_hash.digest, SHA256_DIGEST_LENGTH) == 0;
152     }
153 
DoVerify(const password_handle_t * expected_handle,const SizedBuffer & password)154     bool DoVerify(const password_handle_t *expected_handle, const SizedBuffer &password) {
155         uint64_t user_id = android::base::get_unaligned<secure_id_t>(&expected_handle->user_id);
156         FastHashMap::const_iterator it = fast_hash_map_.find(user_id);
157         if (it != fast_hash_map_.end() && VerifyFast(it->second, password)) {
158             return true;
159         } else {
160             if (GateKeeper::DoVerify(expected_handle, password)) {
161                 uint64_t salt;
162                 GetRandom(&salt, sizeof(salt));
163                 fast_hash_map_[user_id] = ComputeFastHash(password, salt);
164                 return true;
165             }
166         }
167 
168         return false;
169     }
170 
171 private:
172 
173     typedef std::unordered_map<uint32_t, failure_record_t> FailureRecordMap;
174     typedef std::unordered_map<uint64_t, fast_hash_t> FastHashMap;
175 
176     UniquePtr<uint8_t[]> key_;
177     FailureRecordMap failure_map_;
178     FastHashMap fast_hash_map_;
179 };
180 }
181 
182 #endif // SOFT_GATEKEEPER_H_
183