authorShawn Willden <swillden@google.com>2015-06-17 12:18:55 -0600
committerShawn Willden <swillden@google.com>2015-06-17 13:38:45 -0600
commitb2ffa420da26414379b31807eec76ec8c9f3b0a9 (patch)
treee2ae4e4d2b65aee58ed7eafaf4ec70c95327a660
parent3a7d9e626fa6c0e116c07be912c319aad6e08614 (diff)
Don't check authorizations for pubkey operations.
Bug: 21877150 Change-Id: I43dafb66fc3246f4d8e3bf4743fbdcbe072468d1
-rw-r--r--keystore/auth_token_table.cpp27
-rw-r--r--keystore/auth_token_table.h7
-rw-r--r--keystore/keystore.cpp27
-rw-r--r--keystore/operation.cpp7
-rw-r--r--keystore/operation.h9
5 files changed, 53 insertions, 24 deletions
diff --git a/keystore/auth_token_table.cpp b/keystore/auth_token_table.cpp
index 98731b3..c6e5843 100644
--- a/keystore/auth_token_table.cpp
+++ b/keystore/auth_token_table.cpp
@@ -60,18 +60,33 @@ void AuthTokenTable::AddAuthenticationToken(const hw_auth_token_t* auth_token) {
}
}
-inline bool KeyRequiresAuthentication(const AuthorizationSet& key_info) {
- return key_info.find(TAG_NO_AUTH_REQUIRED) == -1;
+inline bool is_secret_key_operation(keymaster_algorithm_t algorithm, keymaster_purpose_t purpose) {
+ if ((algorithm != KM_ALGORITHM_RSA || algorithm != KM_ALGORITHM_EC))
+ return true;
+ if (purpose == KM_PURPOSE_SIGN || purpose == KM_PURPOSE_DECRYPT)
+ return true;
+ return false;
+}
+
+inline bool KeyRequiresAuthentication(const AuthorizationSet& key_info,
+ keymaster_purpose_t purpose) {
+ keymaster_algorithm_t algorithm = KM_ALGORITHM_AES;
+ key_info.GetTagValue(TAG_ALGORITHM, &algorithm);
+ return is_secret_key_operation(algorithm, purpose) && key_info.find(TAG_NO_AUTH_REQUIRED) == -1;
}
-inline bool KeyRequiresAuthPerOperation(const AuthorizationSet& key_info) {
- return key_info.find(TAG_AUTH_TIMEOUT) == -1;
+inline bool KeyRequiresAuthPerOperation(const AuthorizationSet& key_info,
+ keymaster_purpose_t purpose) {
+ keymaster_algorithm_t algorithm = KM_ALGORITHM_AES;
+ key_info.GetTagValue(TAG_ALGORITHM, &algorithm);
+ return is_secret_key_operation(algorithm, purpose) && key_info.find(TAG_AUTH_TIMEOUT) == -1;
}
AuthTokenTable::Error AuthTokenTable::FindAuthorization(const AuthorizationSet& key_info,
+ keymaster_purpose_t purpose,
keymaster_operation_handle_t op_handle,
const hw_auth_token_t** found) {
- if (!KeyRequiresAuthentication(key_info))
+ if (!KeyRequiresAuthentication(key_info, purpose))
return AUTH_NOT_REQUIRED;
hw_authenticator_type_t auth_type = HW_AUTH_NONE;
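Review bot: The condition in is_secret_key_operation is always true, because no algorithm value can equal both KM_ALGORITHM_RSA and KM_ALGORITHM_EC, so `algorithm != KM_ALGORITHM_RSA || algorithm != KM_ALGORITHM_EC` holds for every input, the purpose check below it is never reached, and every operation, including RSA/EC verify and encrypt, still requires authentication, which is the opposite of what the commit title intends. The operator should be `&&`: `if (algorithm != KM_ALGORITHM_RSA && algorithm != KM_ALGORITHM_EC)`. This fails closed rather than open, but it means the new policy is untested as written; a unit test with an RSA key tagged for KM_PURPOSE_VERIFY expecting AUTH_NOT_REQUIRED would have caught it. Separately, the return value of `GetTagValue(TAG_ALGORITHM, &algorithm)` is ignored in both KeyRequiresAuthentication and KeyRequiresAuthPerOperation; the AES default means a key with no algorithm tag falls back to requiring auth, which is the safe direction, but a one-line comment stating that intent (`// No algorithm tag: treat as a secret-key operation and require auth.`) would stop a future reader from "fixing" it.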
@@ -80,7 +95,7 @@ AuthTokenTable::Error AuthTokenTable::FindAuthorization(const AuthorizationSet&
std::vector<uint64_t> key_sids;
ExtractSids(key_info, &key_sids);
- if (KeyRequiresAuthPerOperation(key_info))
+ if (KeyRequiresAuthPerOperation(key_info, purpose))
return FindAuthPerOpAuthorization(key_sids, auth_type, op_handle, found);
else
return FindTimedAuthorization(key_sids, auth_type, key_info, found);
diff --git a/keystore/auth_token_table.h b/keystore/auth_token_table.h
index a63e2d8..24aa774 100644
--- a/keystore/auth_token_table.h
+++ b/keystore/auth_token_table.h
@@ -70,7 +70,7 @@ class AuthTokenTable {
*
* The table retains ownership of the returned object.
*/
- Error FindAuthorization(const AuthorizationSet& key_info,
+ Error FindAuthorization(const AuthorizationSet& key_info, keymaster_purpose_t purpose,
keymaster_operation_handle_t op_handle, const hw_auth_token_t** found);
/**
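Review bot: The new `purpose` parameter of FindAuthorization is not described in the doc comment that ends just above it (the comment starts outside the hunk), and the same gap applies to the overload in the next hunk and to getAuthToken in keystore.cpp, whose doc comment also ends just before the new parameter. I would add to the parameter list: `purpose: the keymaster_purpose_t of the operation being authorized; public-key operations (RSA/EC encrypt and verify) are reported as AUTH_NOT_REQUIRED regardless of the key's auth tags.` Stating the policy at this API boundary matters because callers rely on it to skip the token lookup entirely.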
@@ -84,8 +84,9 @@ class AuthTokenTable {
* The table retains ownership of the returned object.
*/
Error FindAuthorization(const keymaster_key_param_t* params, size_t params_count,
- keymaster_operation_handle_t op_handle, const hw_auth_token_t** found) {
- return FindAuthorization(AuthorizationSet(params, params_count), op_handle, found);
+ keymaster_purpose_t purpose, keymaster_operation_handle_t op_handle,
+ const hw_auth_token_t** found) {
+ return FindAuthorization(AuthorizationSet(params, params_count), purpose, op_handle, found);
}
/**
diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index 639866c..33fb499 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -2454,7 +2454,7 @@ public:
return;
}
const hw_auth_token_t* authToken = NULL;
- int32_t authResult = getAuthToken(characteristics.get(), 0, &authToken,
+ int32_t authResult = getAuthToken(characteristics.get(), 0, purpose, &authToken,
/*failOnTokenMissing*/ false);
// If per-operation auth is needed we need to begin the operation and
// the client will need to authorize that operation before calling
@@ -2495,7 +2495,7 @@ public:
return;
}
- sp<IBinder> operationToken = mOperationMap.addOperation(handle, dev, appToken,
+ sp<IBinder> operationToken = mOperationMap.addOperation(handle, purpose, dev, appToken,
characteristics.release(),
pruneable);
if (authToken) {
@@ -2523,7 +2523,8 @@ public:
}
const keymaster1_device_t* dev;
keymaster_operation_handle_t handle;
- if (!mOperationMap.getOperation(token, &handle, &dev, NULL)) {
+ keymaster_purpose_t purpose;
+ if (!mOperationMap.getOperation(token, &handle, &purpose, &dev, NULL)) {
result->resultCode = KM_ERROR_INVALID_OPERATION_HANDLE;
return;
}
@@ -2560,7 +2561,8 @@ public:
}
const keymaster1_device_t* dev;
keymaster_operation_handle_t handle;
- if (!mOperationMap.getOperation(token, &handle, &dev, NULL)) {
+ keymaster_purpose_t purpose;
+ if (!mOperationMap.getOperation(token, &handle, &purpose, &dev, NULL)) {
result->resultCode = KM_ERROR_INVALID_OPERATION_HANDLE;
return;
}
@@ -2604,7 +2606,8 @@ public:
int32_t abort(const sp<IBinder>& token) {
const keymaster1_device_t* dev;
keymaster_operation_handle_t handle;
- if (!mOperationMap.getOperation(token, &handle, &dev, NULL)) {
+ keymaster_purpose_t purpose;
+ if (!mOperationMap.getOperation(token, &handle, &purpose, &dev, NULL)) {
return KM_ERROR_INVALID_OPERATION_HANDLE;
}
mOperationMap.removeOperation(token);
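Review bot: `purpose` is declared in abort only to satisfy getOperation's new out-parameter and is never read in the visible lines (abort continues past the hunk), leaving an uninitialized local whose only role is to be written into. The same dummy local appears in the two getOperation call sites in the hunks above, where its later use is outside the hunk and cannot be confirmed from here. If getOperation accepted a null outPurpose, as it already does for outCharacteristics, these callers could pass `NULL` and the local would disappear; failing that, a short comment such as `// purpose is unused here; getOperation requires the out-param.` would make the intent clear.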
@@ -2625,7 +2628,8 @@ public:
const keymaster1_device_t* dev;
keymaster_operation_handle_t handle;
const keymaster_key_characteristics_t* characteristics;
- if (!mOperationMap.getOperation(token, &handle, &dev, &characteristics)) {
+ keymaster_purpose_t purpose;
+ if (!mOperationMap.getOperation(token, &handle, &purpose, &dev, &characteristics)) {
return false;
}
const hw_auth_token_t* authToken = NULL;
@@ -2831,6 +2835,7 @@ private:
*/
int32_t getAuthToken(const keymaster_key_characteristics_t* characteristics,
keymaster_operation_handle_t handle,
+ keymaster_purpose_t purpose,
const hw_auth_token_t** authToken,
bool failOnTokenMissing = true) {
@@ -2841,9 +2846,8 @@ private:
for (size_t i = 0; i < characteristics->hw_enforced.length; i++) {
allCharacteristics.push_back(characteristics->hw_enforced.params[i]);
}
- keymaster::AuthTokenTable::Error err =
- mAuthTokenTable.FindAuthorization(allCharacteristics.data(),
- allCharacteristics.size(), handle, authToken);
+ keymaster::AuthTokenTable::Error err = mAuthTokenTable.FindAuthorization(
+ allCharacteristics.data(), allCharacteristics.size(), purpose, handle, authToken);
switch (err) {
case keymaster::AuthTokenTable::OK:
case keymaster::AuthTokenTable::AUTH_NOT_REQUIRED:
@@ -2889,10 +2893,11 @@ private:
const keymaster1_device_t* dev;
keymaster_operation_handle_t handle;
const keymaster_key_characteristics_t* characteristics = NULL;
- if (!mOperationMap.getOperation(token, &handle, &dev, &characteristics)) {
+ keymaster_purpose_t purpose;
+ if (!mOperationMap.getOperation(token, &handle, &purpose, &dev, &characteristics)) {
return KM_ERROR_INVALID_OPERATION_HANDLE;
}
- int32_t result = getAuthToken(characteristics, handle, &authToken);
+ int32_t result = getAuthToken(characteristics, handle, purpose, &authToken);
if (result != ::NO_ERROR) {
return result;
}
diff --git a/keystore/operation.cpp b/keystore/operation.cpp
index 74d65f6..087beff 100644
--- a/keystore/operation.cpp
+++ b/keystore/operation.cpp
@@ -25,12 +25,13 @@ OperationMap::OperationMap(IBinder::DeathRecipient* deathRecipient)
}
sp<IBinder> OperationMap::addOperation(keymaster_operation_handle_t handle,
+ keymaster_purpose_t purpose,
const keymaster1_device_t* dev,
sp<IBinder> appToken,
keymaster_key_characteristics_t* characteristics,
bool pruneable) {
sp<IBinder> token = new BBinder();
- mMap[token] = std::move(Operation(handle, dev, characteristics, appToken));
+ mMap[token] = std::move(Operation(handle, purpose, dev, characteristics, appToken));
if (pruneable) {
mLru.push_back(token);
}
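Review bot: `std::move(Operation(handle, purpose, dev, characteristics, appToken))` applies std::move to a prvalue, which is a no-op that only obscures the assignment (clang-tidy performance-move-const-arg flags it); `mMap[token] = Operation(handle, purpose, dev, characteristics, appToken);` is equivalent. The pattern predates this commit, but the line is rewritten here and is the natural place to drop it. addOperation continues past the end of the hunk.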
@@ -42,6 +43,7 @@ sp<IBinder> OperationMap::addOperation(keymaster_operation_handle_t handle,
}
bool OperationMap::getOperation(sp<IBinder> token, keymaster_operation_handle_t* outHandle,
+ keymaster_purpose_t* outPurpose,
const keymaster1_device_t** outDevice,
const keymaster_key_characteristics_t** outCharacteristics) {
if (!outHandle || !outDevice) {
@@ -54,6 +56,7 @@ bool OperationMap::getOperation(sp<IBinder> token, keymaster_operation_handle_t*
updateLru(token);
*outHandle = entry->second.handle;
+ *outPurpose = entry->second.purpose;
*outDevice = entry->second.device;
if (outCharacteristics) {
*outCharacteristics = entry->second.characteristics.get();
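Review bot: `*outPurpose = entry->second.purpose;` dereferences the new out-parameter unconditionally, but the guard earlier in the function (`if (!outHandle || !outDevice)`) was not extended to cover it, so a caller passing NULL would crash instead of getting `false`. Either add outPurpose to that guard, or treat it like outCharacteristics and write `if (outPurpose) *outPurpose = entry->second.purpose;`, which would also let callers that do not need the purpose (abort in keystore.cpp, for one) pass NULL rather than an uninitialized local. The enclosing getOperation starts in the previous hunk.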
@@ -139,10 +142,12 @@ std::vector<sp<IBinder>> OperationMap::getOperationsForToken(sp<IBinder> appToke
}
OperationMap::Operation::Operation(keymaster_operation_handle_t handle_,
+ keymaster_purpose_t purpose_,
const keymaster1_device_t* device_,
keymaster_key_characteristics_t* characteristics_,
sp<IBinder> appToken_)
: handle(handle_),
+ purpose(purpose_),
device(device_),
characteristics(characteristics_),
appToken(appToken_) {
diff --git a/keystore/operation.h b/keystore/operation.h
index 07238d1..d0e65a5 100644
--- a/keystore/operation.h
+++ b/keystore/operation.h
@@ -47,11 +47,12 @@ typedef std::unique_ptr<keymaster_key_characteristics_t, keymaster_key_character
class OperationMap {
public:
OperationMap(IBinder::DeathRecipient* deathRecipient);
- sp<IBinder> addOperation(keymaster_operation_handle_t handle,
+ sp<IBinder> addOperation(keymaster_operation_handle_t handle, keymaster_purpose_t purpose,
const keymaster1_device_t* dev, sp<IBinder> appToken,
keymaster_key_characteristics_t* characteristics, bool pruneable);
+ bool hasOperation(sp<IBinder> token);
bool getOperation(sp<IBinder> token, keymaster_operation_handle_t* outHandle,
- const keymaster1_device_t** outDev,
+ keymaster_purpose_t* outPurpose, const keymaster1_device_t** outDev,
const keymaster_key_characteristics_t** outCharacteristics);
bool removeOperation(sp<IBinder> token);
bool hasPruneableOperation();
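Review bot: `bool hasOperation(sp<IBinder> token);` is declared here but no definition appears in operation.cpp in this commit; the 7-line diffstat for that file looks fully accounted for by the purpose-plumbing lines shown, so the declaration is either dead or will fail at link time the first time something calls it. Either add the implementation next to getOperation or drop the declaration from this change. The signature itself is consistent with its siblings (token taken by value), so the only issue is the missing body.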
@@ -65,9 +66,11 @@ private:
void removeOperationTracking(sp<IBinder> token, sp<IBinder> appToken);
struct Operation {
Operation();
- Operation(keymaster_operation_handle_t handle, const keymaster1_device_t* device,
+ Operation(keymaster_operation_handle_t handle, keymaster_purpose_t purpose,
+ const keymaster1_device_t* device,
keymaster_key_characteristics_t* characteristics, sp<IBinder> appToken);
keymaster_operation_handle_t handle;
+ keymaster_purpose_t purpose;
const keymaster1_device_t* device;
Unique_keymaster_key_characteristics characteristics;
sp<IBinder> appToken;