diff options
| author | David Zeuthen <zeuthen@google.com> | 2021-03-04 16:39:42 -0500 |
|---|---|---|
| committer | David Zeuthen <zeuthen@google.com> | 2021-03-04 17:45:54 -0500 |
| commit | c6c950b55be95fe3e52d93d90ac817e9c7598f2b (patch) | |
| tree | 75edcf7bb2466e31a1bd9d20ce05449ec521e3b1 /identity/aidl/default/libeic/EicPresentation.c | |
| parent | 620ad1ca3f4aecc22a3a5a54196a123ddfb222f8 (diff) | |
identity: Check freshness of verification token in TA.
A problem where credstore didn't always use the TA-generated challenge
in the verification token was fixed in aosp/1619825. With this bug-fix
we can now reliably check that the passed-in verification token is
always fresh.
Bug: 181893400
Test: atest android.security.identity.cts on emulator
Test: atest VtsHalIdentityTargetTest
Change-Id: Iffdf026475da6321764561972aae27a82ab94530
Diffstat (limited to 'identity/aidl/default/libeic/EicPresentation.c')
| -rw-r--r-- | identity/aidl/default/libeic/EicPresentation.c | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/identity/aidl/default/libeic/EicPresentation.c b/identity/aidl/default/libeic/EicPresentation.c index 5e9a280d09..9e033b39fb 100644 --- a/identity/aidl/default/libeic/EicPresentation.c +++ b/identity/aidl/default/libeic/EicPresentation.c @@ -336,6 +336,18 @@ bool eicPresentationSetAuthToken(EicPresentation* ctx, uint64_t challenge, uint6 int verificationTokenSecurityLevel, const uint8_t* verificationTokenMac, size_t verificationTokenMacSize) { + // It doesn't make sense to accept any tokens if eicPresentationCreateAuthChallenge() + // was never called. + if (ctx->authChallenge == 0) { + eicDebug("Trying validate tokens when no auth-challenge was previously generated"); + return false; + } + // At least the verification-token must have the same challenge as what was generated. + if (verificationTokenChallenge != ctx->authChallenge) { + eicDebug("Challenge in verification token does not match the challenge " + "previously generated"); + return false; + } if (!eicOpsValidateAuthToken( challenge, secureUserId, authenticatorId, hardwareAuthenticatorType, timeStamp, mac, macSize, verificationTokenChallenge, verificationTokenTimestamp, @@ -360,18 +372,9 @@ static bool checkUserAuth(EicPresentation* ctx, bool userAuthenticationRequired, return false; } + // Only ACP with auth-on-every-presentation - those with timeout == 0 - need the + // challenge to match... if (timeoutMillis == 0) { - if (ctx->authTokenChallenge == 0) { - eicDebug("No challenge in authToken"); - return false; - } - - // If we didn't create a challenge, too bad but user auth with - // timeoutMillis set to 0 needs it. - if (ctx->authChallenge == 0) { - eicDebug("No challenge was created for this session"); - return false; - } if (ctx->authTokenChallenge != ctx->authChallenge) { eicDebug("Challenge in authToken (%" PRIu64 ") doesn't match the challenge " |