blob: ddd0cff5cb71728e547e4d778e253c7f1e43262c
1 | /* |
2 | * Copyright 2015 The Android Open Source Project |
3 | * |
4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
5 | * you may not use this file except in compliance with the License. |
6 | * You may obtain a copy of the License at |
7 | * |
8 | * http://www.apache.org/licenses/LICENSE-2.0 |
9 | * |
10 | * Unless required by applicable law or agreed to in writing, software |
11 | * distributed under the License is distributed on an "AS IS" BASIS, |
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
13 | * See the License for the specific language governing permissions and |
14 | * limitations under the License. |
15 | * |
16 | */ |
17 | |
18 | #ifndef SOFT_GATEKEEPER_H_ |
19 | #define SOFT_GATEKEEPER_H_ |
20 | |
21 | extern "C" { |
22 | #include <openssl/rand.h> |
23 | #include <openssl/sha.h> |
24 | #include <openssl/hmac.h> |
25 | |
26 | #include <crypto_scrypt.h> |
27 | } |
28 | |
29 | #include <android-base/memory.h> |
30 | #include <gatekeeper/gatekeeper.h> |
31 | |
32 | #include <iostream> |
33 | #include <unordered_map> |
34 | #include <memory> |
35 | |
36 | #define HMAC_SHA_256_KEY_SIZE 32 |
37 | |
38 | namespace gatekeeper { |
39 | |
40 | struct fast_hash_t { |
41 | uint64_t salt; |
42 | uint8_t digest[SHA256_DIGEST_LENGTH]; |
43 | }; |
44 | |
45 | class SoftGateKeeper : public GateKeeper { |
46 | public: |
47 | static const uint32_t SIGNATURE_LENGTH_BYTES = 32; |
48 | |
49 | // scrypt params |
50 | static const uint64_t N = 16384; |
51 | static const uint32_t r = 8; |
52 | static const uint32_t p = 1; |
53 | |
54 | static const int MAX_UINT_32_CHARS = 11; |
55 | |
56 | SoftGateKeeper() { |
57 | key_.reset(new uint8_t[SIGNATURE_LENGTH_BYTES]); |
58 | memset(key_.get(), 0, SIGNATURE_LENGTH_BYTES); |
59 | } |
60 | |
61 | virtual ~SoftGateKeeper() { |
62 | } |
63 | |
64 | virtual bool GetAuthTokenKey(const uint8_t **auth_token_key, |
65 | uint32_t *length) const { |
66 | if (auth_token_key == NULL || length == NULL) return false; |
67 | uint8_t *auth_token_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES]; |
68 | memcpy(auth_token_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES); |
69 | |
70 | *auth_token_key = auth_token_key_copy; |
71 | *length = SIGNATURE_LENGTH_BYTES; |
72 | return true; |
73 | } |
74 | |
75 | virtual void GetPasswordKey(const uint8_t **password_key, uint32_t *length) { |
76 | if (password_key == NULL || length == NULL) return; |
77 | uint8_t *password_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES]; |
78 | memcpy(password_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES); |
79 | |
80 | *password_key = password_key_copy; |
81 | *length = SIGNATURE_LENGTH_BYTES; |
82 | } |
83 | |
84 | virtual void ComputePasswordSignature(uint8_t *signature, uint32_t signature_length, |
85 | const uint8_t *, uint32_t, const uint8_t *password, |
86 | uint32_t password_length, salt_t salt) const { |
87 | if (signature == NULL) return; |
88 | crypto_scrypt(password, password_length, reinterpret_cast<uint8_t *>(&salt), |
89 | sizeof(salt), N, r, p, signature, signature_length); |
90 | } |
91 | |
92 | virtual void GetRandom(void *random, uint32_t requested_length) const { |
93 | if (random == NULL) return; |
94 | RAND_pseudo_bytes((uint8_t *) random, requested_length); |
95 | } |
96 | |
97 | virtual void ComputeSignature(uint8_t *signature, uint32_t signature_length, |
98 | const uint8_t *key, uint32_t key_length, const uint8_t *message, const uint32_t length) const { |
99 | if (signature == NULL) return; |
100 | uint8_t buf[HMAC_SHA_256_KEY_SIZE]; |
101 | size_t buf_len; |
102 | HMAC(EVP_sha256(), key, key_length, message, length, buf, (unsigned int *)&buf_len); |
103 | size_t to_write = buf_len; |
104 | if (buf_len > signature_length) to_write = signature_length; |
105 | memset(signature, 0, signature_length); |
106 | memcpy(signature, buf, to_write); |
107 | } |
108 | |
109 | virtual uint64_t GetMillisecondsSinceBoot() const { |
110 | struct timespec time; |
111 | int res = clock_gettime(CLOCK_BOOTTIME, &time); |
112 | if (res < 0) return 0; |
113 | return (time.tv_sec * 1000) + (time.tv_nsec / 1000 / 1000); |
114 | } |
115 | |
116 | virtual bool IsHardwareBacked() const { |
117 | return true; |
118 | } |
119 | |
120 | virtual bool GetFailureRecord(uint32_t uid, secure_id_t user_id, failure_record_t *record, |
121 | bool /* secure */) { |
122 | failure_record_t *stored = &failure_map_[uid]; |
123 | if (user_id != stored->secure_user_id) { |
124 | stored->secure_user_id = user_id; |
125 | stored->last_checked_timestamp = 0; |
126 | stored->failure_counter = 0; |
127 | } |
128 | memcpy(record, stored, sizeof(*record)); |
129 | return true; |
130 | } |
131 | |
132 | virtual bool ClearFailureRecord(uint32_t uid, secure_id_t user_id, bool /* secure */) { |
133 | failure_record_t *stored = &failure_map_[uid]; |
134 | stored->secure_user_id = user_id; |
135 | stored->last_checked_timestamp = 0; |
136 | stored->failure_counter = 0; |
137 | return true; |
138 | } |
139 | |
140 | virtual bool WriteFailureRecord(uint32_t uid, failure_record_t *record, bool /* secure */) { |
141 | failure_map_[uid] = *record; |
142 | return true; |
143 | } |
144 | |
145 | fast_hash_t ComputeFastHash(const SizedBuffer &password, uint64_t salt) { |
146 | fast_hash_t fast_hash; |
147 | size_t digest_size = password.length + sizeof(salt); |
148 | std::unique_ptr<uint8_t[]> digest(new uint8_t[digest_size]); |
149 | memcpy(digest.get(), &salt, sizeof(salt)); |
150 | memcpy(digest.get() + sizeof(salt), password.buffer.get(), password.length); |
151 | |
152 | SHA256(digest.get(), digest_size, (uint8_t *) &fast_hash.digest); |
153 | |
154 | fast_hash.salt = salt; |
155 | return fast_hash; |
156 | } |
157 | |
158 | bool VerifyFast(const fast_hash_t &fast_hash, const SizedBuffer &password) { |
159 | fast_hash_t computed = ComputeFastHash(password, fast_hash.salt); |
160 | return memcmp(computed.digest, fast_hash.digest, SHA256_DIGEST_LENGTH) == 0; |
161 | } |
162 | |
163 | bool DoVerify(const password_handle_t *expected_handle, const SizedBuffer &password) { |
164 | uint64_t user_id = android::base::get_unaligned<secure_id_t>(&expected_handle->user_id); |
165 | FastHashMap::const_iterator it = fast_hash_map_.find(user_id); |
166 | if (it != fast_hash_map_.end() && VerifyFast(it->second, password)) { |
167 | return true; |
168 | } else { |
169 | if (GateKeeper::DoVerify(expected_handle, password)) { |
170 | uint64_t salt; |
171 | GetRandom(&salt, sizeof(salt)); |
172 | fast_hash_map_[user_id] = ComputeFastHash(password, salt); |
173 | return true; |
174 | } |
175 | } |
176 | |
177 | return false; |
178 | } |
179 | |
180 | private: |
181 | |
182 | typedef std::unordered_map<uint32_t, failure_record_t> FailureRecordMap; |
183 | typedef std::unordered_map<uint64_t, fast_hash_t> FastHashMap; |
184 | |
185 | std::unique_ptr<uint8_t[]> key_; |
186 | FailureRecordMap failure_map_; |
187 | FastHashMap fast_hash_map_; |
188 | }; |
189 | } |
190 | |
191 | #endif // SOFT_GATEKEEPER_H_ |
192 |