Merge "Added HIDL based software implementation of gatekeeper" into qt-r1-dev-plus-aosp

jdanis@google.com

swillden@google.com

cc_binary {

    name: "android.hardware.gatekeeper@1.0-service.software",

    defaults: ["hidl_defaults"],

    relative_install_path: "hw",

    vendor: true,

    init_rc: ["android.hardware.gatekeeper@1.0-service.software.rc"],

    srcs: [

        "service.cpp",

        "SoftGateKeeperDevice.cpp",

    ],

    shared_libs: [

        "android.hardware.gatekeeper@1.0",

        "libbase",

        "libhardware",

        "libhidlbase",

        "libhidltransport",

        "libutils",

        "liblog",

        "libcrypto",

        "libgatekeeper",

    ],

    static_libs: ["libscrypt_static"],

    vintf_fragments: ["android.hardware.gatekeeper@1.0-service.software.xml"],

}

jdanis@google.com

swillden@google.com

/*

 * Copyright 2015 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 *

 */

#ifndef SOFT_GATEKEEPER_H_

#define SOFT_GATEKEEPER_H_

extern "C" {

#include <openssl/rand.h>

#include <openssl/sha.h>

#include <crypto_scrypt.h>

}

#include <android-base/memory.h>

#include <gatekeeper/gatekeeper.h>

#include <iostream>

#include <memory>

#include <unordered_map>

namespace gatekeeper {

struct fast_hash_t {

    uint64_t salt;

    uint8_t digest[SHA256_DIGEST_LENGTH];

};

class SoftGateKeeper : public GateKeeper {

  public:

    static const uint32_t SIGNATURE_LENGTH_BYTES = 32;

    // scrypt params

    static const uint64_t N = 16384;

    static const uint32_t r = 8;

    static const uint32_t p = 1;

    static const int MAX_UINT_32_CHARS = 11;

    SoftGateKeeper() {

        key_.reset(new uint8_t[SIGNATURE_LENGTH_BYTES]);

        memset(key_.get(), 0, SIGNATURE_LENGTH_BYTES);

    }

    virtual ~SoftGateKeeper() {}

    virtual bool GetAuthTokenKey(const uint8_t** auth_token_key, uint32_t* length) const {

        if (auth_token_key == NULL || length == NULL) return false;

        *auth_token_key = key_.get();

        *length = SIGNATURE_LENGTH_BYTES;

        return true;

    }

    virtual void GetPasswordKey(const uint8_t** password_key, uint32_t* length) {

        if (password_key == NULL || length == NULL) return;

        *password_key = key_.get();

        *length = SIGNATURE_LENGTH_BYTES;

    }

    virtual void ComputePasswordSignature(uint8_t* signature, uint32_t signature_length,

                                          const uint8_t*, uint32_t, const uint8_t* password,

                                          uint32_t password_length, salt_t salt) const {

        if (signature == NULL) return;

        crypto_scrypt(password, password_length, reinterpret_cast<uint8_t*>(&salt), sizeof(salt), N,

                      r, p, signature, signature_length);

    }

    virtual void GetRandom(void* random, uint32_t requested_length) const {

        if (random == NULL) return;

        RAND_pseudo_bytes((uint8_t*)random, requested_length);

    }

    virtual void ComputeSignature(uint8_t* signature, uint32_t signature_length, const uint8_t*,

                                  uint32_t, const uint8_t*, const uint32_t) const {

        if (signature == NULL) return;

        memset(signature, 0, signature_length);

    }

    virtual uint64_t GetMillisecondsSinceBoot() const {

        struct timespec time;

        int res = clock_gettime(CLOCK_BOOTTIME, &time);

        if (res < 0) return 0;

        return (time.tv_sec * 1000) + (time.tv_nsec / 1000 / 1000);

    }

    virtual bool IsHardwareBacked() const { return false; }

    virtual bool GetFailureRecord(uint32_t uid, secure_id_t user_id, failure_record_t* record,

                                  bool /* secure */) {

        failure_record_t* stored = &failure_map_[uid];

        if (user_id != stored->secure_user_id) {

            stored->secure_user_id = user_id;

            stored->last_checked_timestamp = 0;

            stored->failure_counter = 0;

        }

        memcpy(record, stored, sizeof(*record));

        return true;

    }

    virtual bool ClearFailureRecord(uint32_t uid, secure_id_t user_id, bool /* secure */) {

        failure_record_t* stored = &failure_map_[uid];

        stored->secure_user_id = user_id;

        stored->last_checked_timestamp = 0;

        stored->failure_counter = 0;

        return true;

    }

    virtual bool WriteFailureRecord(uint32_t uid, failure_record_t* record, bool /* secure */) {

        failure_map_[uid] = *record;

        return true;

    }

    fast_hash_t ComputeFastHash(const SizedBuffer& password, uint64_t salt) {

        fast_hash_t fast_hash;

        size_t digest_size = password.size() + sizeof(salt);

        std::unique_ptr<uint8_t[]> digest(new uint8_t[digest_size]);

        memcpy(digest.get(), &salt, sizeof(salt));

        memcpy(digest.get() + sizeof(salt), password.Data<uint8_t>(), password.size());

        SHA256(digest.get(), digest_size, (uint8_t*)&fast_hash.digest);

        fast_hash.salt = salt;

        return fast_hash;

    }

    bool VerifyFast(const fast_hash_t& fast_hash, const SizedBuffer& password) {

        fast_hash_t computed = ComputeFastHash(password, fast_hash.salt);

        return memcmp(computed.digest, fast_hash.digest, SHA256_DIGEST_LENGTH) == 0;

    }

    bool DoVerify(const password_handle_t* expected_handle, const SizedBuffer& password) {

        uint64_t user_id = android::base::get_unaligned<secure_id_t>(&expected_handle->user_id);

        FastHashMap::const_iterator it = fast_hash_map_.find(user_id);

        if (it != fast_hash_map_.end() && VerifyFast(it->second, password)) {

            return true;

        } else {

            if (GateKeeper::DoVerify(expected_handle, password)) {

                uint64_t salt;

                GetRandom(&salt, sizeof(salt));

                fast_hash_map_[user_id] = ComputeFastHash(password, salt);

                return true;

            }

        }

        return false;

    }

  private:

    typedef std::unordered_map<uint32_t, failure_record_t> FailureRecordMap;

    typedef std::unordered_map<uint64_t, fast_hash_t> FastHashMap;

    std::unique_ptr<uint8_t[]> key_;

    FailureRecordMap failure_map_;

    FastHashMap fast_hash_map_;

};

}  // namespace gatekeeper

#endif  // SOFT_GATEKEEPER_H_

/*

 * Copyright (C) 2015 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include "SoftGateKeeperDevice.h"

#include "SoftGateKeeper.h"

using ::android::hardware::hidl_vec;

using ::android::hardware::Return;

using ::android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;

using ::gatekeeper::EnrollRequest;

using ::gatekeeper::EnrollResponse;

using ::gatekeeper::ERROR_INVALID;

using ::gatekeeper::ERROR_MEMORY_ALLOCATION_FAILED;

using ::gatekeeper::ERROR_NONE;

using ::gatekeeper::ERROR_RETRY;

using ::gatekeeper::SizedBuffer;

using ::gatekeeper::VerifyRequest;

using ::gatekeeper::VerifyResponse;

#include <limits>

namespace android {

inline SizedBuffer hidl_vec2sized_buffer(const hidl_vec<uint8_t>& vec) {

    if (vec.size() == 0 || vec.size() > std::numeric_limits<uint32_t>::max()) return {};

    auto dummy = new uint8_t[vec.size()];

    std::copy(vec.begin(), vec.end(), dummy);

    return {dummy, static_cast<uint32_t>(vec.size())};

}

Return<void> SoftGateKeeperDevice::enroll(uint32_t uid,

                                          const hidl_vec<uint8_t>& currentPasswordHandle,

                                          const hidl_vec<uint8_t>& currentPassword,

                                          const hidl_vec<uint8_t>& desiredPassword,

                                          enroll_cb _hidl_cb) {

    if (desiredPassword.size() == 0) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return {};

    }

    EnrollRequest request(uid, hidl_vec2sized_buffer(currentPasswordHandle),

                          hidl_vec2sized_buffer(desiredPassword),

                          hidl_vec2sized_buffer(currentPassword));

    EnrollResponse response;

    impl_->Enroll(request, &response);

    if (response.error == ERROR_RETRY) {

        _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});

    } else if (response.error != ERROR_NONE) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

    } else {

        hidl_vec<uint8_t> new_handle(response.enrolled_password_handle.Data<uint8_t>(),

                                     response.enrolled_password_handle.Data<uint8_t>() +

                                             response.enrolled_password_handle.size());

        _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, new_handle});

    }

    return {};

}

Return<void> SoftGateKeeperDevice::verify(

        uint32_t uid, uint64_t challenge,

        const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,

        const ::android::hardware::hidl_vec<uint8_t>& providedPassword, verify_cb _hidl_cb) {

    if (enrolledPasswordHandle.size() == 0) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return {};

    }

    VerifyRequest request(uid, challenge, hidl_vec2sized_buffer(enrolledPasswordHandle),

                          hidl_vec2sized_buffer(providedPassword));

    VerifyResponse response;

    impl_->Verify(request, &response);

    if (response.error == ERROR_RETRY) {

        _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});

    } else if (response.error != ERROR_NONE) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

    } else {

        hidl_vec<uint8_t> auth_token(

                response.auth_token.Data<uint8_t>(),

                response.auth_token.Data<uint8_t>() + response.auth_token.size());

        _hidl_cb({response.request_reenroll ? GatekeeperStatusCode::STATUS_REENROLL

                                            : GatekeeperStatusCode::STATUS_OK,

                  response.retry_timeout, auth_token});

    }

    return {};

}

Return<void> SoftGateKeeperDevice::deleteUser(uint32_t /*uid*/, deleteUser_cb _hidl_cb) {

    _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});

    return {};

}

Return<void> SoftGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb) {

    _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});

    return {};

}

}  // namespace android