| /* |
| * Copyright (C) 2018 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <regex.h> |
| |
| #include <android-base/logging.h> |
| #include <android-base/properties.h> |
| #include <hardware/hw_auth_token.h> |
| #include <keymasterV4_0/keymaster_utils.h> |
| |
| namespace android::hardware { |
| |
| inline static bool operator<(const hidl_vec<uint8_t>& a, const hidl_vec<uint8_t>& b) { |
| auto result = memcmp(a.data(), b.data(), std::min(a.size(), b.size())); |
| if (!result) return a.size() < b.size(); |
| return result < 0; |
| } |
| |
| template <size_t SIZE> |
| inline static bool operator<(const hidl_array<uint8_t, SIZE>& a, |
| const hidl_array<uint8_t, SIZE>& b) { |
| return memcmp(a.data(), b.data(), SIZE) == -1; |
| } |
| |
| namespace keymaster::V4_0 { |
| |
| bool operator<(const HmacSharingParameters& a, const HmacSharingParameters& b) { |
| return std::tie(a.seed, a.nonce) < std::tie(b.seed, b.nonce); |
| } |
| |
| namespace support { |
| |
| template <typename T, typename InIter> |
| inline static InIter copy_bytes_from_iterator(T* value, InIter src) { |
| uint8_t* value_ptr = reinterpret_cast<uint8_t*>(value); |
| std::copy(src, src + sizeof(T), value_ptr); |
| return src + sizeof(T); |
| } |
| |
| template <typename T, typename OutIter> |
| inline static OutIter copy_bytes_to_iterator(const T& value, OutIter dest) { |
| const uint8_t* value_ptr = reinterpret_cast<const uint8_t*>(&value); |
| return std::copy(value_ptr, value_ptr + sizeof(value), dest); |
| } |
| |
| constexpr size_t kHmacSize = 32; |
| |
| hidl_vec<uint8_t> authToken2HidlVec(const HardwareAuthToken& token) { |
| static_assert(1 /* version size */ + sizeof(token.challenge) + sizeof(token.userId) + |
| sizeof(token.authenticatorId) + sizeof(token.authenticatorType) + |
| sizeof(token.timestamp) + kHmacSize == |
| sizeof(hw_auth_token_t), |
| "HardwareAuthToken content size does not match hw_auth_token_t size"); |
| |
| hidl_vec<uint8_t> result; |
| result.resize(sizeof(hw_auth_token_t)); |
| auto pos = result.begin(); |
| *pos++ = 0; // Version byte |
| pos = copy_bytes_to_iterator(token.challenge, pos); |
| pos = copy_bytes_to_iterator(token.userId, pos); |
| pos = copy_bytes_to_iterator(token.authenticatorId, pos); |
| auto auth_type = htonl(static_cast<uint32_t>(token.authenticatorType)); |
| pos = copy_bytes_to_iterator(auth_type, pos); |
| auto timestamp = htonq(token.timestamp); |
| pos = copy_bytes_to_iterator(timestamp, pos); |
| if (token.mac.size() != kHmacSize) { |
| std::fill(pos, pos + kHmacSize, 0); |
| } else { |
| std::copy(token.mac.begin(), token.mac.end(), pos); |
| } |
| |
| return result; |
| } |
| |
| HardwareAuthToken hidlVec2AuthToken(const hidl_vec<uint8_t>& buffer) { |
| HardwareAuthToken token; |
| static_assert(1 /* version size */ + sizeof(token.challenge) + sizeof(token.userId) + |
| sizeof(token.authenticatorId) + sizeof(token.authenticatorType) + |
| sizeof(token.timestamp) + kHmacSize == |
| sizeof(hw_auth_token_t), |
| "HardwareAuthToken content size does not match hw_auth_token_t size"); |
| |
| if (buffer.size() != sizeof(hw_auth_token_t)) return {}; |
| |
| auto pos = buffer.begin(); |
| ++pos; // skip first byte |
| pos = copy_bytes_from_iterator(&token.challenge, pos); |
| pos = copy_bytes_from_iterator(&token.userId, pos); |
| pos = copy_bytes_from_iterator(&token.authenticatorId, pos); |
| pos = copy_bytes_from_iterator(&token.authenticatorType, pos); |
| token.authenticatorType = static_cast<HardwareAuthenticatorType>( |
| ntohl(static_cast<uint32_t>(token.authenticatorType))); |
| pos = copy_bytes_from_iterator(&token.timestamp, pos); |
| token.timestamp = ntohq(token.timestamp); |
| token.mac.resize(kHmacSize); |
| std::copy(pos, pos + kHmacSize, token.mac.data()); |
| |
| return token; |
| } |
| |
| void appendUint64(std::vector<uint8_t>& vec, uint64_t value) { |
| for (size_t n = 0; n < sizeof(uint64_t); n++) { |
| uint8_t byte = (value >> (n * 8)) & 0xff; |
| vec.push_back(byte); |
| } |
| } |
| |
| uint64_t extractUint64(const std::vector<uint8_t>& data, size_t offset) { |
| uint64_t value = 0; |
| for (size_t n = 0; n < sizeof(uint64_t); n++) { |
| uint64_t tmp = data[offset + n]; |
| value |= (tmp << (n * 8)); |
| } |
| return value; |
| } |
| |
| void appendUint32(std::vector<uint8_t>& vec, uint32_t value) { |
| for (size_t n = 0; n < sizeof(uint32_t); n++) { |
| uint8_t byte = (value >> (n * 8)) & 0xff; |
| vec.push_back(byte); |
| } |
| } |
| |
| uint32_t extractUint32(const std::vector<uint8_t>& data, size_t offset) { |
| uint32_t value = 0; |
| for (size_t n = 0; n < sizeof(uint32_t); n++) { |
| uint32_t tmp = data[offset + n]; |
| value |= (tmp << (n * 8)); |
| } |
| return value; |
| } |
| |
| std::optional<std::vector<uint8_t>> serializeVerificationToken(const VerificationToken& token) { |
| if (token.parametersVerified.size() > 0) { |
| LOG(ERROR) << "Serializing verification tokens with parametersVerified is not supported"; |
| return {}; |
| } |
| if (!(token.mac.size() == 0 || token.mac.size() == 32)) { |
| LOG(ERROR) << "Unexpected MAC size " << token.mac.size() << ", expected 0 or 32"; |
| return {}; |
| } |
| std::vector<uint8_t> serializedToken; |
| appendUint64(serializedToken, token.challenge); |
| appendUint64(serializedToken, token.timestamp); |
| appendUint32(serializedToken, uint32_t(token.securityLevel)); |
| appendUint32(serializedToken, token.mac.size()); |
| serializedToken.insert(serializedToken.end(), token.mac.begin(), token.mac.end()); |
| return serializedToken; |
| } |
| |
| std::optional<VerificationToken> deserializeVerificationToken( |
| const std::vector<uint8_t>& serializedToken) { |
| if (serializedToken.size() < 24) { |
| LOG(ERROR) << "Unexpected serialized VerificationToken size " << serializedToken.size() |
| << ", expected at least 24 bytes"; |
| return {}; |
| } |
| VerificationToken token; |
| token.challenge = extractUint64(serializedToken, 0); |
| token.timestamp = extractUint64(serializedToken, 8); |
| token.securityLevel = SecurityLevel(extractUint32(serializedToken, 16)); |
| size_t macSize = extractUint32(serializedToken, 20); |
| size_t expectedSerializedSize = 24 + macSize; |
| if (serializedToken.size() != expectedSerializedSize) { |
| LOG(ERROR) << "Unexpected serialized VerificationToken size " << serializedToken.size() |
| << ", expected " << expectedSerializedSize; |
| return {}; |
| } |
| if (macSize > 0) { |
| token.mac = std::vector<uint8_t>(serializedToken.begin() + 24, serializedToken.end()); |
| } |
| return token; |
| } |
| |
| namespace { |
| |
| constexpr char kPlatformVersionProp[] = "ro.build.version.release"; |
| constexpr char kPlatformVersionRegex[] = "^([0-9]{1,2})(\\.([0-9]{1,2}))?(\\.([0-9]{1,2}))?"; |
| constexpr size_t kMajorVersionMatch = 1; |
| constexpr size_t kMinorVersionMatch = 3; |
| constexpr size_t kSubminorVersionMatch = 5; |
| constexpr size_t kPlatformVersionMatchCount = kSubminorVersionMatch + 1; |
| |
| constexpr char kPlatformPatchlevelProp[] = "ro.build.version.security_patch"; |
| constexpr char kPlatformPatchlevelRegex[] = "^([0-9]{4})-([0-9]{2})-[0-9]{2}$"; |
| constexpr size_t kYearMatch = 1; |
| constexpr size_t kMonthMatch = 2; |
| constexpr size_t kPlatformPatchlevelMatchCount = kMonthMatch + 1; |
| |
| uint32_t match_to_uint32(const char* expression, const regmatch_t& match) { |
| if (match.rm_so == -1) return 0; |
| |
| size_t len = match.rm_eo - match.rm_so; |
| std::string s(expression + match.rm_so, len); |
| return std::stoul(s); |
| } |
| |
| std::string wait_and_get_property(const char* prop) { |
| std::string prop_value; |
| while (!android::base::WaitForPropertyCreation(prop)) |
| ; |
| prop_value = android::base::GetProperty(prop, "" /* default */); |
| return prop_value; |
| } |
| |
| } // anonymous namespace |
| |
| uint32_t getOsVersion(const char* version_str) { |
| regex_t regex; |
| if (regcomp(®ex, kPlatformVersionRegex, REG_EXTENDED)) { |
| return 0; |
| } |
| |
| regmatch_t matches[kPlatformVersionMatchCount]; |
| int not_match = |
| regexec(®ex, version_str, kPlatformVersionMatchCount, matches, 0 /* flags */); |
| regfree(®ex); |
| if (not_match) { |
| return 0; |
| } |
| |
| uint32_t major = match_to_uint32(version_str, matches[kMajorVersionMatch]); |
| uint32_t minor = match_to_uint32(version_str, matches[kMinorVersionMatch]); |
| uint32_t subminor = match_to_uint32(version_str, matches[kSubminorVersionMatch]); |
| |
| return (major * 100 + minor) * 100 + subminor; |
| } |
| |
| uint32_t getOsVersion() { |
| std::string version = wait_and_get_property(kPlatformVersionProp); |
| return getOsVersion(version.c_str()); |
| } |
| |
| uint32_t getOsPatchlevel(const char* patchlevel_str) { |
| regex_t regex; |
| if (regcomp(®ex, kPlatformPatchlevelRegex, REG_EXTENDED) != 0) { |
| return 0; |
| } |
| |
| regmatch_t matches[kPlatformPatchlevelMatchCount]; |
| int not_match = |
| regexec(®ex, patchlevel_str, kPlatformPatchlevelMatchCount, matches, 0 /* flags */); |
| regfree(®ex); |
| if (not_match) { |
| return 0; |
| } |
| |
| uint32_t year = match_to_uint32(patchlevel_str, matches[kYearMatch]); |
| uint32_t month = match_to_uint32(patchlevel_str, matches[kMonthMatch]); |
| |
| if (month < 1 || month > 12) { |
| return 0; |
| } |
| return year * 100 + month; |
| } |
| |
| uint32_t getOsPatchlevel() { |
| std::string patchlevel = wait_and_get_property(kPlatformPatchlevelProp); |
| return getOsPatchlevel(patchlevel.c_str()); |
| } |
| |
| } // namespace support |
| } // namespace keymaster::V4_0 |
| } // namespace android::hardware |