blob: ee56245d162fe6f15d7988211af9f94dfb31b010 [file] [log] [blame]
Shawn Willdenc1d1fee2016-01-26 22:44:56 -07001/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "keystore"
18
19#include <arpa/inet.h>
20#include <errno.h>
21#include <fcntl.h>
22#include <string.h>
23
Logan Chiencdc813f2018-04-23 13:52:28 +080024#include <log/log.h>
Shawn Willdenc1d1fee2016-01-26 22:44:56 -070025
26#include "blob.h"
27#include "entropy.h"
28
29#include "keystore_utils.h"
30
Janis Danisevskisff3d7f42018-10-08 07:15:09 -070031#include <openssl/evp.h>
32
33#include <istream>
34#include <ostream>
35#include <streambuf>
36#include <string>
37
38#include <android-base/logging.h>
39
Shawn Willdene9830582017-04-18 10:47:57 -060040namespace {
41
42constexpr size_t kGcmIvSizeBytes = 96 / 8;
43
44template <typename T, void (*FreeFunc)(T*)> struct OpenSslObjectDeleter {
45 void operator()(T* p) { FreeFunc(p); }
46};
47
48#define DEFINE_OPENSSL_OBJECT_POINTER(name) \
49 typedef OpenSslObjectDeleter<name, name##_free> name##_Delete; \
50 typedef std::unique_ptr<name, name##_Delete> name##_Ptr;
51
52DEFINE_OPENSSL_OBJECT_POINTER(EVP_CIPHER_CTX);
53
Shawn Willden0ed642c2017-05-26 10:13:28 -060054#if defined(__clang__)
Shawn Willdene9830582017-04-18 10:47:57 -060055#define OPTNONE __attribute__((optnone))
Shawn Willden0ed642c2017-05-26 10:13:28 -060056#elif defined(__GNUC__)
Shawn Willdene9830582017-04-18 10:47:57 -060057#define OPTNONE __attribute__((optimize("O0")))
Shawn Willden0ed642c2017-05-26 10:13:28 -060058#else
59#error Need a definition for OPTNONE
60#endif
Shawn Willdene9830582017-04-18 10:47:57 -060061
62class ArrayEraser {
63 public:
64 ArrayEraser(uint8_t* arr, size_t size) : mArr(arr), mSize(size) {}
65 OPTNONE ~ArrayEraser() { std::fill(mArr, mArr + mSize, 0); }
66
67 private:
Shawn Willden0ed642c2017-05-26 10:13:28 -060068 volatile uint8_t* mArr;
Shawn Willdene9830582017-04-18 10:47:57 -060069 size_t mSize;
70};
71
72/*
73 * Encrypt 'len' data at 'in' with AES-GCM, using 128-bit key at 'key', 96-bit IV at 'iv' and write
74 * output to 'out' (which may be the same location as 'in') and 128-bit tag to 'tag'.
75 */
76ResponseCode AES_gcm_encrypt(const uint8_t* in, uint8_t* out, size_t len, const uint8_t* key,
77 const uint8_t* iv, uint8_t* tag) {
78 const EVP_CIPHER* cipher = EVP_aes_128_gcm();
79 EVP_CIPHER_CTX_Ptr ctx(EVP_CIPHER_CTX_new());
80
81 EVP_EncryptInit_ex(ctx.get(), cipher, nullptr /* engine */, key, iv);
82 EVP_CIPHER_CTX_set_padding(ctx.get(), 0 /* no padding needed with GCM */);
83
84 std::unique_ptr<uint8_t[]> out_tmp(new uint8_t[len]);
85 uint8_t* out_pos = out_tmp.get();
86 int out_len;
87
88 EVP_EncryptUpdate(ctx.get(), out_pos, &out_len, in, len);
89 out_pos += out_len;
90 EVP_EncryptFinal_ex(ctx.get(), out_pos, &out_len);
91 out_pos += out_len;
92 if (out_pos - out_tmp.get() != static_cast<ssize_t>(len)) {
93 ALOGD("Encrypted ciphertext is the wrong size, expected %zu, got %zd", len,
94 out_pos - out_tmp.get());
95 return ResponseCode::SYSTEM_ERROR;
96 }
97
98 std::copy(out_tmp.get(), out_pos, out);
99 EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, kGcmTagLength, tag);
100
101 return ResponseCode::NO_ERROR;
102}
103
104/*
105 * Decrypt 'len' data at 'in' with AES-GCM, using 128-bit key at 'key', 96-bit IV at 'iv', checking
106 * 128-bit tag at 'tag' and writing plaintext to 'out' (which may be the same location as 'in').
107 */
108ResponseCode AES_gcm_decrypt(const uint8_t* in, uint8_t* out, size_t len, const uint8_t* key,
109 const uint8_t* iv, const uint8_t* tag) {
110 const EVP_CIPHER* cipher = EVP_aes_128_gcm();
111 EVP_CIPHER_CTX_Ptr ctx(EVP_CIPHER_CTX_new());
112
113 EVP_DecryptInit_ex(ctx.get(), cipher, nullptr /* engine */, key, iv);
114 EVP_CIPHER_CTX_set_padding(ctx.get(), 0 /* no padding needed with GCM */);
115 EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, kGcmTagLength, const_cast<uint8_t*>(tag));
116
117 std::unique_ptr<uint8_t[]> out_tmp(new uint8_t[len]);
118 ArrayEraser out_eraser(out_tmp.get(), len);
119 uint8_t* out_pos = out_tmp.get();
120 int out_len;
121
122 EVP_DecryptUpdate(ctx.get(), out_pos, &out_len, in, len);
123 out_pos += out_len;
124 if (!EVP_DecryptFinal_ex(ctx.get(), out_pos, &out_len)) {
125 ALOGD("Failed to decrypt blob; ciphertext or tag is likely corrupted");
Pavel Grafovcef39472018-02-12 18:45:02 +0000126 return ResponseCode::VALUE_CORRUPTED;
Shawn Willdene9830582017-04-18 10:47:57 -0600127 }
128 out_pos += out_len;
129 if (out_pos - out_tmp.get() != static_cast<ssize_t>(len)) {
130 ALOGD("Encrypted plaintext is the wrong size, expected %zu, got %zd", len,
131 out_pos - out_tmp.get());
Pavel Grafovcef39472018-02-12 18:45:02 +0000132 return ResponseCode::VALUE_CORRUPTED;
Shawn Willdene9830582017-04-18 10:47:57 -0600133 }
134
135 std::copy(out_tmp.get(), out_pos, out);
136
137 return ResponseCode::NO_ERROR;
138}
139
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700140class ArrayStreamBuffer : public std::streambuf {
141 public:
142 template <typename T, size_t size> ArrayStreamBuffer(const T (&data)[size]) {
143 static_assert(sizeof(T) == 1, "Array element size too large");
144 std::streambuf::char_type* d = const_cast<std::streambuf::char_type*>(
145 reinterpret_cast<const std::streambuf::char_type*>(&data[0]));
146 setg(d, d, d + size);
147 setp(d, d + size);
148 }
149
150 protected:
151 pos_type seekoff(off_type off, std::ios_base::seekdir dir,
152 std::ios_base::openmode which = std::ios_base::in |
153 std::ios_base::out) override {
154 bool in = which & std::ios_base::in;
155 bool out = which & std::ios_base::out;
156 if ((!in && !out) || (in && out && dir == std::ios_base::cur)) return -1;
157 std::streambuf::char_type* newPosPtr;
158 switch (dir) {
159 case std::ios_base::beg:
160 newPosPtr = pbase();
161 break;
162 case std::ios_base::cur:
163 // if dir == cur then in xor out due to
164 // if ((!in && !out) || (in && out && dir == std::ios_base::cur)) return -1; above
165 if (in)
166 newPosPtr = gptr();
167 else
168 newPosPtr = pptr();
169 break;
170 case std::ios_base::end:
171 // in and out bounds are the same and cannot change, so we can take either range
172 // regardless of the value of "which"
173 newPosPtr = epptr();
174 break;
175 }
176 newPosPtr += off;
177 if (newPosPtr < pbase() || newPosPtr > epptr()) return -1;
178 if (in) {
179 gbump(newPosPtr - gptr());
180 }
181 if (out) {
182 pbump(newPosPtr - pptr());
183 }
184 return newPosPtr - pbase();
185 }
186};
187
Shawn Willdene9830582017-04-18 10:47:57 -0600188} // namespace
189
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700190Blob::Blob(const uint8_t* value, size_t valueLength, const uint8_t* info, uint8_t infoLength,
191 BlobType type) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700192 mBlob = std::make_unique<blobv3>();
193 memset(mBlob.get(), 0, sizeof(blobv3));
Shawn Willdene9830582017-04-18 10:47:57 -0600194 if (valueLength > kValueSize) {
195 valueLength = kValueSize;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700196 ALOGW("Provided blob length too large");
197 }
Shawn Willdene9830582017-04-18 10:47:57 -0600198 if (infoLength + valueLength > kValueSize) {
199 infoLength = kValueSize - valueLength;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700200 ALOGW("Provided info length too large");
201 }
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700202 mBlob->length = valueLength;
203 memcpy(mBlob->value, value, valueLength);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700204
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700205 mBlob->info = infoLength;
206 memcpy(mBlob->value + valueLength, info, infoLength);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700207
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700208 mBlob->version = CURRENT_BLOB_VERSION;
209 mBlob->type = uint8_t(type);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700210
211 if (type == TYPE_MASTER_KEY) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700212 mBlob->flags = KEYSTORE_FLAG_ENCRYPTED;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700213 } else {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700214 mBlob->flags = KEYSTORE_FLAG_NONE;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700215 }
216}
217
Shawn Willdene9830582017-04-18 10:47:57 -0600218Blob::Blob(blobv3 b) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700219 mBlob = std::make_unique<blobv3>(b);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700220}
221
222Blob::Blob() {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700223 if (mBlob) *mBlob = {};
224}
225
226Blob::Blob(const Blob& rhs) {
227 if (rhs.mBlob) {
228 mBlob = std::make_unique<blobv3>(*rhs.mBlob);
229 }
230}
231
232Blob::Blob(Blob&& rhs) : mBlob(std::move(rhs.mBlob)) {}
233
234Blob& Blob::operator=(const Blob& rhs) {
235 if (&rhs != this) {
236 if (mBlob) *mBlob = {};
237 if (rhs) {
238 mBlob = std::make_unique<blobv3>(*rhs.mBlob);
239 } else {
240 mBlob = {};
241 }
242 }
243 return *this;
244}
245
246Blob& Blob::operator=(Blob&& rhs) {
247 if (mBlob) *mBlob = {};
248 mBlob = std::move(rhs.mBlob);
249 return *this;
250}
251
252template <typename BlobType> static bool rawBlobIsEncrypted(const BlobType& blob) {
253 if (blob.version < 2) return true;
254
255 return blob.flags & (KEYSTORE_FLAG_ENCRYPTED | KEYSTORE_FLAG_SUPER_ENCRYPTED);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700256}
257
258bool Blob::isEncrypted() const {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700259 if (mBlob->version < 2) {
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700260 return true;
261 }
262
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700263 return mBlob->flags & KEYSTORE_FLAG_ENCRYPTED;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700264}
265
Shawn Willdend5a24e62017-02-28 13:53:24 -0700266bool Blob::isSuperEncrypted() const {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700267 return mBlob->flags & KEYSTORE_FLAG_SUPER_ENCRYPTED;
Shawn Willdend5a24e62017-02-28 13:53:24 -0700268}
269
Rubin Xu67899de2017-04-21 19:15:13 +0100270bool Blob::isCriticalToDeviceEncryption() const {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700271 return mBlob->flags & KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION;
Rubin Xu67899de2017-04-21 19:15:13 +0100272}
273
Shawn Willdend5a24e62017-02-28 13:53:24 -0700274inline uint8_t setFlag(uint8_t flags, bool set, KeyStoreFlag flag) {
275 return set ? (flags | flag) : (flags & ~flag);
276}
277
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700278void Blob::setEncrypted(bool encrypted) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700279 mBlob->flags = setFlag(mBlob->flags, encrypted, KEYSTORE_FLAG_ENCRYPTED);
Shawn Willdend5a24e62017-02-28 13:53:24 -0700280}
281
Rubin Xu67899de2017-04-21 19:15:13 +0100282void Blob::setSuperEncrypted(bool superEncrypted) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700283 mBlob->flags = setFlag(mBlob->flags, superEncrypted, KEYSTORE_FLAG_SUPER_ENCRYPTED);
Rubin Xu67899de2017-04-21 19:15:13 +0100284}
Rubin Xu48477952017-04-19 14:16:57 +0100285
Rubin Xu67899de2017-04-21 19:15:13 +0100286void Blob::setCriticalToDeviceEncryption(bool critical) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700287 mBlob->flags = setFlag(mBlob->flags, critical, KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700288}
289
290void Blob::setFallback(bool fallback) {
291 if (fallback) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700292 mBlob->flags |= KEYSTORE_FLAG_FALLBACK;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700293 } else {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700294 mBlob->flags &= ~KEYSTORE_FLAG_FALLBACK;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700295 }
296}
297
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700298static ResponseCode writeBlob(const std::string& filename, Blob blob, blobv3* rawBlob,
299 const uint8_t* aes_key, State state, Entropy* entropy) {
Shawn Willdene9830582017-04-18 10:47:57 -0600300 ALOGV("writing blob %s", filename.c_str());
301
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700302 const size_t dataLength = rawBlob->length;
303 rawBlob->length = htonl(rawBlob->length);
Shawn Willdene9830582017-04-18 10:47:57 -0600304
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700305 if (blob.isEncrypted() || blob.isSuperEncrypted()) {
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700306 if (state != STATE_NO_ERROR) {
307 ALOGD("couldn't insert encrypted blob while not unlocked");
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100308 return ResponseCode::LOCKED;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700309 }
310
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700311 memset(rawBlob->initialization_vector, 0, AES_BLOCK_SIZE);
312 if (!entropy->generate_random_data(rawBlob->initialization_vector, kGcmIvSizeBytes)) {
Shawn Willdene9830582017-04-18 10:47:57 -0600313 ALOGW("Could not read random data for: %s", filename.c_str());
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100314 return ResponseCode::SYSTEM_ERROR;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700315 }
Shawn Willdene9830582017-04-18 10:47:57 -0600316
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700317 auto rc = AES_gcm_encrypt(rawBlob->value /* in */, rawBlob->value /* out */, dataLength,
318 aes_key, rawBlob->initialization_vector, rawBlob->aead_tag);
Shawn Willdene9830582017-04-18 10:47:57 -0600319 if (rc != ResponseCode::NO_ERROR) return rc;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700320 }
321
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700322 size_t fileLength = offsetof(blobv3, value) + dataLength + rawBlob->info;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700323
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700324 int out =
325 TEMP_FAILURE_RETRY(open(filename.c_str(), O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR));
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700326 if (out < 0) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700327 ALOGW("could not open file: %s: %s", filename.c_str(), strerror(errno));
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100328 return ResponseCode::SYSTEM_ERROR;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700329 }
Shawn Willdene9830582017-04-18 10:47:57 -0600330
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700331 const size_t writtenBytes = writeFully(out, reinterpret_cast<uint8_t*>(rawBlob), fileLength);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700332 if (close(out) != 0) {
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100333 return ResponseCode::SYSTEM_ERROR;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700334 }
335 if (writtenBytes != fileLength) {
336 ALOGW("blob not fully written %zu != %zu", writtenBytes, fileLength);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700337 unlink(filename.c_str());
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100338 return ResponseCode::SYSTEM_ERROR;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700339 }
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100340 return ResponseCode::NO_ERROR;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700341}
342
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700343ResponseCode LockedKeyBlobEntry::writeBlobs(Blob keyBlob, Blob characteristicsBlob,
344 const uint8_t* aes_key, State state,
345 Entropy* entropy) const {
346 if (entry_ == nullptr) {
347 return ResponseCode::SYSTEM_ERROR;
348 }
349 ResponseCode rc;
350 if (keyBlob) {
351 blobv3* rawBlob = keyBlob.mBlob.get();
352 rc = writeBlob(entry_->getKeyBlobPath(), std::move(keyBlob), rawBlob, aes_key, state,
353 entropy);
354 if (rc != ResponseCode::NO_ERROR) {
355 return rc;
356 }
357 }
358
359 if (characteristicsBlob) {
360 blobv3* rawBlob = characteristicsBlob.mBlob.get();
361 rc = writeBlob(entry_->getCharacteristicsBlobPath(), std::move(characteristicsBlob),
362 rawBlob, aes_key, state, entropy);
363 }
364 return rc;
365}
366
Shawn Willdene9830582017-04-18 10:47:57 -0600367ResponseCode Blob::readBlob(const std::string& filename, const uint8_t* aes_key, State state) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700368 ResponseCode rc;
Shawn Willdene9830582017-04-18 10:47:57 -0600369 ALOGV("reading blob %s", filename.c_str());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700370 std::unique_ptr<blobv3> rawBlob = std::make_unique<blobv3>();
371
Shawn Willdene9830582017-04-18 10:47:57 -0600372 const int in = TEMP_FAILURE_RETRY(open(filename.c_str(), O_RDONLY));
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700373 if (in < 0) {
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100374 return (errno == ENOENT) ? ResponseCode::KEY_NOT_FOUND : ResponseCode::SYSTEM_ERROR;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700375 }
Shawn Willdene9830582017-04-18 10:47:57 -0600376
377 // fileLength may be less than sizeof(mBlob)
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700378 const size_t fileLength = readFully(in, (uint8_t*)rawBlob.get(), sizeof(blobv3));
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700379 if (close(in) != 0) {
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100380 return ResponseCode::SYSTEM_ERROR;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700381 }
382
383 if (fileLength == 0) {
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100384 return ResponseCode::VALUE_CORRUPTED;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700385 }
386
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700387 if (rawBlobIsEncrypted(*rawBlob)) {
388 if (state == STATE_LOCKED) {
389 mBlob = std::move(rawBlob);
390 return ResponseCode::LOCKED;
391 }
Janis Danisevskis36316d62017-09-01 14:31:36 -0700392 if (state == STATE_UNINITIALIZED) return ResponseCode::UNINITIALIZED;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700393 }
394
Shawn Willdene9830582017-04-18 10:47:57 -0600395 if (fileLength < offsetof(blobv3, value)) return ResponseCode::VALUE_CORRUPTED;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700396
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700397 if (rawBlob->version == 3) {
398 const ssize_t encryptedLength = ntohl(rawBlob->length);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700399
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700400 if (rawBlobIsEncrypted(*rawBlob)) {
401 rc = AES_gcm_decrypt(rawBlob->value /* in */, rawBlob->value /* out */, encryptedLength,
402 aes_key, rawBlob->initialization_vector, rawBlob->aead_tag);
Max Bires66694212018-11-02 10:45:12 -0700403 if (rc != ResponseCode::NO_ERROR) {
404 // If the blob was superencrypted and decryption failed, it is
405 // almost certain that decryption is failing due to a user's
406 // changed master key.
407 if ((rawBlob->flags & KEYSTORE_FLAG_SUPER_ENCRYPTED) &&
408 (rc == ResponseCode::VALUE_CORRUPTED)) {
409 return ResponseCode::KEY_PERMANENTLY_INVALIDATED;
410 }
411 return rc;
412 }
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700413 }
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700414 } else if (rawBlob->version < 3) {
415 blobv2& v2blob = reinterpret_cast<blobv2&>(*rawBlob);
Shawn Willdene9830582017-04-18 10:47:57 -0600416 const size_t headerLength = offsetof(blobv2, encrypted);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700417 const ssize_t encryptedLength = fileLength - headerLength - v2blob.info;
Shawn Willdene9830582017-04-18 10:47:57 -0600418 if (encryptedLength < 0) return ResponseCode::VALUE_CORRUPTED;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700419
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700420 if (rawBlobIsEncrypted(*rawBlob)) {
Shawn Willdene9830582017-04-18 10:47:57 -0600421 if (encryptedLength % AES_BLOCK_SIZE != 0) {
422 return ResponseCode::VALUE_CORRUPTED;
423 }
424
425 AES_KEY key;
426 AES_set_decrypt_key(aes_key, kAesKeySize * 8, &key);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700427 AES_cbc_encrypt(v2blob.encrypted, v2blob.encrypted, encryptedLength, &key,
428 v2blob.vector, AES_DECRYPT);
Shawn Willdene9830582017-04-18 10:47:57 -0600429 key = {}; // clear key
430
431 uint8_t computedDigest[MD5_DIGEST_LENGTH];
432 ssize_t digestedLength = encryptedLength - MD5_DIGEST_LENGTH;
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700433 MD5(v2blob.digested, digestedLength, computedDigest);
434 if (memcmp(v2blob.digest, computedDigest, MD5_DIGEST_LENGTH) != 0) {
Shawn Willdene9830582017-04-18 10:47:57 -0600435 return ResponseCode::VALUE_CORRUPTED;
436 }
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700437 }
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700438 }
439
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700440 const ssize_t maxValueLength = fileLength - offsetof(blobv3, value) - rawBlob->info;
441 rawBlob->length = ntohl(rawBlob->length);
442 if (rawBlob->length < 0 || rawBlob->length > maxValueLength ||
443 rawBlob->length + rawBlob->info + AES_BLOCK_SIZE >
444 static_cast<ssize_t>(sizeof(rawBlob->value))) {
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100445 return ResponseCode::VALUE_CORRUPTED;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700446 }
Shawn Willdene9830582017-04-18 10:47:57 -0600447
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700448 if (rawBlob->info != 0 && rawBlob->version < 3) {
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700449 // move info from after padding to after data
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700450 memmove(rawBlob->value + rawBlob->length, rawBlob->value + maxValueLength, rawBlob->info);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700451 }
Shawn Willdene9830582017-04-18 10:47:57 -0600452
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700453 mBlob = std::move(rawBlob);
Janis Danisevskisc7a9fa22016-10-13 18:43:45 +0100454 return ResponseCode::NO_ERROR;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700455}
Janis Danisevskisc1460142017-12-18 16:48:46 -0800456
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700457std::tuple<ResponseCode, Blob, Blob> LockedKeyBlobEntry::readBlobs(const uint8_t* aes_key,
458 State state) const {
459 std::tuple<ResponseCode, Blob, Blob> result;
460 auto& [rc, keyBlob, characteristicsBlob] = result;
461 if (entry_ == nullptr) return rc = ResponseCode::SYSTEM_ERROR, result;
462
463 rc = keyBlob.readBlob(entry_->getKeyBlobPath(), aes_key, state);
464 if (rc != ResponseCode::NO_ERROR && rc != ResponseCode::UNINITIALIZED) {
465 return result;
466 }
467
468 if (entry_->hasCharacteristicsBlob()) {
469 characteristicsBlob.readBlob(entry_->getCharacteristicsBlobPath(), aes_key, state);
470 }
471 return result;
472}
473
474ResponseCode LockedKeyBlobEntry::deleteBlobs() const {
475 if (entry_ == nullptr) return ResponseCode::NO_ERROR;
476
477 // always try to delete both
478 ResponseCode rc1 = (unlink(entry_->getKeyBlobPath().c_str()) && errno != ENOENT)
479 ? ResponseCode::SYSTEM_ERROR
480 : ResponseCode::NO_ERROR;
481 if (rc1 != ResponseCode::NO_ERROR) {
482 ALOGW("Failed to delete key blob file \"%s\"", entry_->getKeyBlobPath().c_str());
483 }
484 ResponseCode rc2 = (unlink(entry_->getCharacteristicsBlobPath().c_str()) && errno != ENOENT)
485 ? ResponseCode::SYSTEM_ERROR
486 : ResponseCode::NO_ERROR;
487 if (rc2 != ResponseCode::NO_ERROR) {
488 ALOGW("Failed to delete key characteristics file \"%s\"",
489 entry_->getCharacteristicsBlobPath().c_str());
490 }
491 // then report the first error that occured
492 if (rc1 != ResponseCode::NO_ERROR) return rc1;
493 return rc2;
494}
495
Janis Danisevskisc1460142017-12-18 16:48:46 -0800496keystore::SecurityLevel Blob::getSecurityLevel() const {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700497 return keystore::flagsToSecurityLevel(mBlob->flags);
Janis Danisevskisc1460142017-12-18 16:48:46 -0800498}
499
500void Blob::setSecurityLevel(keystore::SecurityLevel secLevel) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700501 mBlob->flags &= ~(KEYSTORE_FLAG_FALLBACK | KEYSTORE_FLAG_STRONGBOX);
502 mBlob->flags |= keystore::securityLevelToFlags(secLevel);
503}
504
505std::tuple<bool, keystore::AuthorizationSet, keystore::AuthorizationSet>
506Blob::getKeyCharacteristics() const {
507 std::tuple<bool, keystore::AuthorizationSet, keystore::AuthorizationSet> result;
508 auto& [success, hwEnforced, swEnforced] = result;
509 success = false;
510 ArrayStreamBuffer buf(mBlob->value);
511 std::istream in(&buf);
512
513 // only the characteristics cache has both sets
514 if (getType() == TYPE_KEY_CHARACTERISTICS_CACHE) {
515 hwEnforced.Deserialize(&in);
516 } else if (getType() != TYPE_KEY_CHARACTERISTICS) {
517 // if its not the cache and not the legacy characteristics file we have no business
518 // here
519 return result;
520 }
521 swEnforced.Deserialize(&in);
522 success = !in.bad();
523
524 return result;
525}
526bool Blob::putKeyCharacteristics(const keystore::AuthorizationSet& hwEnforced,
527 const keystore::AuthorizationSet& swEnforced) {
528 if (!mBlob) mBlob = std::make_unique<blobv3>();
529 mBlob->version = CURRENT_BLOB_VERSION;
530 ArrayStreamBuffer buf(mBlob->value);
531 std::ostream out(&buf);
532 hwEnforced.Serialize(&out);
533 swEnforced.Serialize(&out);
534 if (out.bad()) return false;
535 setType(TYPE_KEY_CHARACTERISTICS_CACHE);
536 mBlob->length = out.tellp();
537 return true;
538}
539
540void LockedKeyBlobEntry::put(const KeyBlobEntry& entry) {
541 std::unique_lock<std::mutex> lock(locked_blobs_mutex_);
542 locked_blobs_.erase(entry);
543 lock.unlock();
544 locked_blobs_mutex_cond_var_.notify_all();
545}
546
547LockedKeyBlobEntry::~LockedKeyBlobEntry() {
548 if (entry_ != nullptr) put(*entry_);
549}
550
551LockedKeyBlobEntry LockedKeyBlobEntry::get(KeyBlobEntry entry) {
552 std::unique_lock<std::mutex> lock(locked_blobs_mutex_);
553 locked_blobs_mutex_cond_var_.wait(
554 lock, [&] { return locked_blobs_.find(entry) == locked_blobs_.end(); });
555 auto [iterator, success] = locked_blobs_.insert(std::move(entry));
556 if (!success) return {};
557 return LockedKeyBlobEntry(*iterator);
558}
559
560std::set<KeyBlobEntry> LockedKeyBlobEntry::locked_blobs_;
561std::mutex LockedKeyBlobEntry::locked_blobs_mutex_;
562std::condition_variable LockedKeyBlobEntry::locked_blobs_mutex_cond_var_;
563
564/* Here is the encoding of key names. This is necessary in order to allow arbitrary
565 * characters in key names. Characters in [0-~] are not encoded. Others are encoded
566 * into two bytes. The first byte is one of [+-.] which represents the first
567 * two bits of the character. The second byte encodes the rest of the bits into
568 * [0-o]. Therefore in the worst case the length of a key gets doubled. Note
569 * that Base64 cannot be used here due to the need of prefix match on keys. */
570
Eran Messeri2ba77c32018-12-04 12:22:16 +0000571std::string encodeKeyName(const std::string& keyName) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700572 std::string encodedName;
573 encodedName.reserve(keyName.size() * 2);
574 auto in = keyName.begin();
575 while (in != keyName.end()) {
Eran Messeri2ba77c32018-12-04 12:22:16 +0000576 // Input character needs to be encoded.
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700577 if (*in < '0' || *in > '~') {
Eran Messeri2ba77c32018-12-04 12:22:16 +0000578 // Encode the two most-significant bits of the input char in the first
579 // output character, by counting up from 43 ('+').
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700580 encodedName.append(1, '+' + (uint8_t(*in) >> 6));
Eran Messeri2ba77c32018-12-04 12:22:16 +0000581 // Encode the six least-significant bits of the input char in the second
582 // output character, by counting up from 48 ('0').
583 // This is safe because the maximum value is 112, which is the
584 // character 'p'.
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700585 encodedName.append(1, '0' + (*in & 0x3F));
586 } else {
Eran Messeri2ba77c32018-12-04 12:22:16 +0000587 // No need to encode input char - append as-is.
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700588 encodedName.append(1, *in);
589 }
590 ++in;
591 }
592 return encodedName;
593}
594
Eran Messeri2ba77c32018-12-04 12:22:16 +0000595std::string decodeKeyName(const std::string& encodedName) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700596 std::string decodedName;
597 decodedName.reserve(encodedName.size());
598 auto in = encodedName.begin();
599 bool multichar = false;
600 char c;
601 while (in != encodedName.end()) {
602 if (multichar) {
Eran Messeri2ba77c32018-12-04 12:22:16 +0000603 // Second part of a multi-character encoding. Turn off the multichar
604 // flag and set the six least-significant bits of c to the value originally
605 // encoded by counting up from '0'.
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700606 multichar = false;
Eran Messeri2ba77c32018-12-04 12:22:16 +0000607 decodedName.append(1, c | (uint8_t(*in) - '0'));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700608 } else if (*in >= '+' && *in <= '.') {
Eran Messeri2ba77c32018-12-04 12:22:16 +0000609 // First part of a multi-character encoding. Set the multichar flag
610 // and set the two most-significant bits of c to be the two bits originally
611 // encoded by counting up from '+'.
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700612 multichar = true;
613 c = (*in - '+') << 6;
614 } else {
Eran Messeri2ba77c32018-12-04 12:22:16 +0000615 // Regular character, append as-is.
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700616 decodedName.append(1, *in);
617 }
618 ++in;
619 }
620 // mulitchars at the end get truncated
621 return decodedName;
622}
623
624std::string KeyBlobEntry::getKeyBlobBaseName() const {
625 std::stringstream s;
626 if (masterkey_) {
627 s << alias_;
628 } else {
629 s << uid_ << "_" << encodeKeyName(alias_);
630 }
631 return s.str();
632}
633
634std::string KeyBlobEntry::getKeyBlobPath() const {
635 std::stringstream s;
636 if (masterkey_) {
637 s << user_dir_ << "/" << alias_;
638 } else {
639 s << user_dir_ << "/" << uid_ << "_" << encodeKeyName(alias_);
640 }
641 return s.str();
642}
643
644std::string KeyBlobEntry::getCharacteristicsBlobBaseName() const {
645 std::stringstream s;
646 if (!masterkey_) s << "." << uid_ << "_chr_" << encodeKeyName(alias_);
647 return s.str();
648}
649
650std::string KeyBlobEntry::getCharacteristicsBlobPath() const {
651 std::stringstream s;
652 if (!masterkey_)
653 s << user_dir_ << "/"
654 << "." << uid_ << "_chr_" << encodeKeyName(alias_);
655 return s.str();
656}
657
658bool KeyBlobEntry::hasKeyBlob() const {
659 return !access(getKeyBlobPath().c_str(), R_OK | W_OK);
660}
661bool KeyBlobEntry::hasCharacteristicsBlob() const {
662 return !access(getCharacteristicsBlobPath().c_str(), R_OK | W_OK);
663}
664
665static std::tuple<bool, uid_t, std::string> filename2UidAlias(const std::string& filepath) {
666 std::tuple<bool, uid_t, std::string> result;
667
668 auto& [success, uid, alias] = result;
669
670 success = false;
671
672 auto filenamebase = filepath.find_last_of('/');
673 std::string filename =
674 filenamebase == std::string::npos ? filepath : filepath.substr(filenamebase + 1);
675
676 if (filename[0] == '.') return result;
677
678 auto sep = filename.find('_');
679 if (sep == std::string::npos) return result;
680
681 std::stringstream s(filename.substr(0, sep));
682 s >> uid;
683 if (!s) return result;
684
685 alias = decodeKeyName(filename.substr(sep + 1));
686 success = true;
687 return result;
688}
689
690std::tuple<ResponseCode, std::list<LockedKeyBlobEntry>>
691LockedKeyBlobEntry::list(const std::string& user_dir,
692 std::function<bool(uid_t, const std::string&)> filter) {
693 std::list<LockedKeyBlobEntry> matches;
694
695 // This is a fence against any concurrent database accesses during database iteration.
696 // Only the keystore thread can lock entries. So it cannot be starved
697 // by workers grabbing new individual locks. We just wait here until all
698 // workers have relinquished their locked files.
699 std::unique_lock<std::mutex> lock(locked_blobs_mutex_);
700 locked_blobs_mutex_cond_var_.wait(lock, [&] { return locked_blobs_.empty(); });
701
702 DIR* dir = opendir(user_dir.c_str());
703 if (!dir) {
704 ALOGW("can't open directory for user: %s", strerror(errno));
705 return std::tuple<ResponseCode, std::list<LockedKeyBlobEntry>&&>{ResponseCode::SYSTEM_ERROR,
706 std::move(matches)};
707 }
708
709 struct dirent* file;
710 while ((file = readdir(dir)) != nullptr) {
711 // We only care about files.
712 if (file->d_type != DT_REG) {
713 continue;
714 }
715
716 // Skip anything that starts with a "."
717 if (file->d_name[0] == '.') {
718 continue;
719 }
720
721 auto [success, uid, alias] = filename2UidAlias(file->d_name);
722
723 if (!success) {
724 ALOGW("could not parse key filename \"%s\"", file->d_name);
725 continue;
726 }
727
728 if (!filter(uid, alias)) continue;
729
730 auto [iterator, dummy] = locked_blobs_.emplace(alias, user_dir, uid);
731 matches.push_back(*iterator);
732 }
733 closedir(dir);
734 return std::tuple<ResponseCode, std::list<LockedKeyBlobEntry>&&>{ResponseCode::NO_ERROR,
735 std::move(matches)};
Janis Danisevskisc1460142017-12-18 16:48:46 -0800736}