1 /* 2 * Copyright 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 */ 17 18 #ifndef SOFT_GATEKEEPER_H_ 19 #define SOFT_GATEKEEPER_H_ 20 21 extern "C" { 22 #include <openssl/rand.h> 23 #include <openssl/sha.h> 24 25 #include <crypto_scrypt.h> 26 } 27 28 #include <memory> 29 #include <unordered_map> 30 31 #include <android-base/logging.h> 32 #include <android-base/memory.h> 33 #include <gatekeeper/gatekeeper.h> 34 #include <keymaster/km_openssl/hmac.h> 35 36 #include "SharedSecret.h" 37 38 namespace gatekeeper { 39 40 struct fast_hash_t { 41 uint64_t salt; 42 uint8_t digest[SHA256_DIGEST_LENGTH]; 43 }; 44 45 class SoftGateKeeper : public GateKeeper { 46 public: 47 static const uint32_t SIGNATURE_LENGTH_BYTES = 32; 48 49 // scrypt params 50 static const uint64_t N = 16384; 51 static const uint32_t r = 8; 52 static const uint32_t p = 1; 53 54 static const int MAX_UINT_32_CHARS = 11; 55 SoftGateKeeper(const::aidl::android::hardware::security::sharedsecret::SoftSharedSecret & shared_secret)56 SoftGateKeeper(const ::aidl::android::hardware::security::sharedsecret::SoftSharedSecret& 57 shared_secret) 58 : shared_secret_(shared_secret) { 59 key_.reset(new uint8_t[SIGNATURE_LENGTH_BYTES]); 60 memset(key_.get(), 0, SIGNATURE_LENGTH_BYTES); 61 } 62 ~SoftGateKeeper()63 virtual ~SoftGateKeeper() {} 64 GetAuthTokenKey(const uint8_t ** auth_token_key,uint32_t * length)65 virtual bool GetAuthTokenKey(const uint8_t** auth_token_key, uint32_t* length) const { 66 if (auth_token_key == NULL || length == NULL) return false; 67 if (hmac_key_.key_material == nullptr) { 68 hmac_key_ = shared_secret_.HmacKey(); 69 } 70 *auth_token_key = hmac_key_.key_material; 71 *length = hmac_key_.key_material_size; 72 return true; 73 } 74 GetPasswordKey(const uint8_t ** password_key,uint32_t * length)75 virtual void GetPasswordKey(const uint8_t** password_key, uint32_t* length) { 76 if (password_key == NULL || length == NULL) return; 77 *password_key = key_.get(); 78 *length = SIGNATURE_LENGTH_BYTES; 79 } 80 ComputePasswordSignature(uint8_t * signature,uint32_t signature_length,const uint8_t *,uint32_t,const uint8_t * password,uint32_t password_length,salt_t salt)81 virtual void ComputePasswordSignature(uint8_t* signature, uint32_t signature_length, 82 const uint8_t*, uint32_t, const uint8_t* password, 83 uint32_t password_length, salt_t salt) const { 84 if (signature == NULL) return; 85 crypto_scrypt(password, password_length, reinterpret_cast<uint8_t*>(&salt), sizeof(salt), N, 86 r, p, signature, signature_length); 87 } 88 GetRandom(void * random,uint32_t requested_length)89 virtual void GetRandom(void* random, uint32_t requested_length) const { 90 if (random == NULL) return; 91 RAND_pseudo_bytes((uint8_t*)random, requested_length); 92 } 93 ComputeSignature(uint8_t * signature,uint32_t signature_length,const uint8_t * key,uint32_t key_length,const uint8_t * message,const uint32_t message_length)94 virtual void ComputeSignature(uint8_t* signature, uint32_t signature_length, const uint8_t* key, 95 uint32_t key_length, const uint8_t* message, 96 const uint32_t message_length) const { 97 if (signature == NULL) return; 98 keymaster::HmacSha256 hmac_calculator; 99 if (!hmac_calculator.Init(key, key_length)) { 100 LOG(ERROR) << "ComputeSignature: Failed to initialize hmac calculator"; 101 return; 102 } 103 if (!hmac_calculator.Sign(message, message_length, signature, signature_length)) { 104 LOG(ERROR) << "ComputeSignature: failed to create hmac"; 105 } 106 } 107 GetMillisecondsSinceBoot()108 virtual uint64_t GetMillisecondsSinceBoot() const { 109 struct timespec time; 110 int res = clock_gettime(CLOCK_BOOTTIME, &time); 111 if (res < 0) return 0; 112 return (time.tv_sec * 1000) + (time.tv_nsec / 1000 / 1000); 113 } 114 IsHardwareBacked()115 virtual bool IsHardwareBacked() const { return false; } 116 GetFailureRecord(uint32_t uid,secure_id_t user_id,failure_record_t * record,bool)117 virtual bool GetFailureRecord(uint32_t uid, secure_id_t user_id, failure_record_t* record, 118 bool /* secure */) { 119 failure_record_t* stored = &failure_map_[uid]; 120 if (user_id != stored->secure_user_id) { 121 stored->secure_user_id = user_id; 122 stored->last_checked_timestamp = 0; 123 stored->failure_counter = 0; 124 } 125 memcpy(record, stored, sizeof(*record)); 126 return true; 127 } 128 ClearFailureRecord(uint32_t uid,secure_id_t user_id,bool)129 virtual bool ClearFailureRecord(uint32_t uid, secure_id_t user_id, bool /* secure */) { 130 failure_record_t* stored = &failure_map_[uid]; 131 stored->secure_user_id = user_id; 132 stored->last_checked_timestamp = 0; 133 stored->failure_counter = 0; 134 return true; 135 } 136 WriteFailureRecord(uint32_t uid,failure_record_t * record,bool)137 virtual bool WriteFailureRecord(uint32_t uid, failure_record_t* record, bool /* secure */) { 138 failure_map_[uid] = *record; 139 return true; 140 } 141 ComputeFastHash(const SizedBuffer & password,uint64_t salt)142 fast_hash_t ComputeFastHash(const SizedBuffer& password, uint64_t salt) { 143 fast_hash_t fast_hash; 144 size_t digest_size = password.size() + sizeof(salt); 145 std::unique_ptr<uint8_t[]> digest(new uint8_t[digest_size]); 146 memcpy(digest.get(), &salt, sizeof(salt)); 147 memcpy(digest.get() + sizeof(salt), password.Data<uint8_t>(), password.size()); 148 149 SHA256(digest.get(), digest_size, (uint8_t*)&fast_hash.digest); 150 151 fast_hash.salt = salt; 152 return fast_hash; 153 } 154 VerifyFast(const fast_hash_t & fast_hash,const SizedBuffer & password)155 bool VerifyFast(const fast_hash_t& fast_hash, const SizedBuffer& password) { 156 fast_hash_t computed = ComputeFastHash(password, fast_hash.salt); 157 return memcmp(computed.digest, fast_hash.digest, SHA256_DIGEST_LENGTH) == 0; 158 } 159 DoVerify(const password_handle_t * expected_handle,const SizedBuffer & password)160 bool DoVerify(const password_handle_t* expected_handle, const SizedBuffer& password) { 161 uint64_t user_id = android::base::get_unaligned<secure_id_t>(&expected_handle->user_id); 162 FastHashMap::const_iterator it = fast_hash_map_.find(user_id); 163 if (it != fast_hash_map_.end() && VerifyFast(it->second, password)) { 164 return true; 165 } else { 166 if (GateKeeper::DoVerify(expected_handle, password)) { 167 uint64_t salt; 168 GetRandom(&salt, sizeof(salt)); 169 fast_hash_map_[user_id] = ComputeFastHash(password, salt); 170 return true; 171 } 172 } 173 174 return false; 175 } 176 177 private: 178 typedef std::unordered_map<uint32_t, failure_record_t> FailureRecordMap; 179 typedef std::unordered_map<uint64_t, fast_hash_t> FastHashMap; 180 181 const ::aidl::android::hardware::security::sharedsecret::SoftSharedSecret& shared_secret_; 182 std::unique_ptr<uint8_t[]> key_; 183 FailureRecordMap failure_map_; 184 FastHashMap fast_hash_map_; 185 mutable ::keymaster::KeymasterKeyBlob hmac_key_; 186 }; 187 } // namespace gatekeeper 188 189 #endif // SOFT_GATEKEEPER_H_ 190