1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "KeyStorage.h"
18
19 #include "Checkpoint.h"
20 #include "Keystore.h"
21 #include "Utils.h"
22
23 #include <algorithm>
24 #include <memory>
25 #include <mutex>
26 #include <vector>
27
28 #include <errno.h>
29 #include <stdio.h>
30 #include <sys/stat.h>
31 #include <sys/types.h>
32 #include <sys/wait.h>
33 #include <unistd.h>
34
35 #include <openssl/err.h>
36 #include <openssl/evp.h>
37 #include <openssl/sha.h>
38
39 #include <android-base/file.h>
40 #include <android-base/logging.h>
41 #include <android-base/properties.h>
42 #include <android-base/unique_fd.h>
43
44 #include <cutils/properties.h>
45
46 namespace android {
47 namespace vold {
48
49 const KeyAuthentication kEmptyAuthentication{""};
50
51 static constexpr size_t AES_KEY_BYTES = 32;
52 static constexpr size_t GCM_NONCE_BYTES = 12;
53 static constexpr size_t GCM_MAC_BYTES = 16;
54 static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
55
56 static const char* kCurrentVersion = "1";
57 static const char* kRmPath = "/system/bin/rm";
58 static const char* kSecdiscardPath = "/system/bin/secdiscard";
59 static const char* kHashPrefix_secdiscardable = "Android secdiscardable SHA512";
60 static const char* kHashPrefix_keygen = "Android key wrapping key generation SHA512";
61 static const char* kFn_encrypted_key = "encrypted_key";
62 static const char* kFn_keymaster_key_blob = "keymaster_key_blob";
63 static const char* kFn_keymaster_key_blob_upgraded = "keymaster_key_blob_upgraded";
64 static const char* kFn_secdiscardable = "secdiscardable";
65 static const char* kFn_version = "version";
66 // Note: old key directories may contain a file named "stretching".
67
68 namespace {
69
70 // Storage binding info for ensuring key encryption keys include a
71 // platform-provided seed in their derivation.
72 struct StorageBindingInfo {
73 enum class State {
74 UNINITIALIZED,
75 IN_USE, // key storage keys are bound to seed
76 NOT_USED, // key storage keys are NOT bound to seed
77 };
78
79 // Binding seed mixed into all key storage keys.
80 std::vector<uint8_t> seed;
81
82 // State tracker for the key storage key binding.
83 State state = State::UNINITIALIZED;
84
85 std::mutex guard;
86 };
87
88 // Never freed as the dtor is non-trivial.
89 StorageBindingInfo& storage_binding_info = *new StorageBindingInfo;
90
91 } // namespace
92
checkSize(const std::string & kind,size_t actual,size_t expected)93 static bool checkSize(const std::string& kind, size_t actual, size_t expected) {
94 if (actual != expected) {
95 LOG(ERROR) << "Wrong number of bytes in " << kind << ", expected " << expected << " got "
96 << actual;
97 return false;
98 }
99 return true;
100 }
101
hashWithPrefix(char const * prefix,const std::string & tohash,std::string * res)102 static void hashWithPrefix(char const* prefix, const std::string& tohash, std::string* res) {
103 SHA512_CTX c;
104
105 SHA512_Init(&c);
106 // Personalise the hashing by introducing a fixed prefix.
107 // Hashing applications should use personalization except when there is a
108 // specific reason not to; see section 4.11 of https://www.schneier.com/skein1.3.pdf
109 std::string hashingPrefix = prefix;
110 hashingPrefix.resize(SHA512_CBLOCK);
111 SHA512_Update(&c, hashingPrefix.data(), hashingPrefix.size());
112 SHA512_Update(&c, tohash.data(), tohash.size());
113 res->assign(SHA512_DIGEST_LENGTH, '\0');
114 SHA512_Final(reinterpret_cast<uint8_t*>(&(*res)[0]), &c);
115 }
116
generateKeyStorageKey(Keystore & keystore,const std::string & appId,std::string * key)117 static bool generateKeyStorageKey(Keystore& keystore, const std::string& appId, std::string* key) {
118 auto paramBuilder = km::AuthorizationSetBuilder()
119 .AesEncryptionKey(AES_KEY_BYTES * 8)
120 .GcmModeMinMacLen(GCM_MAC_BYTES * 8)
121 .Authorization(km::TAG_APPLICATION_ID, appId)
122 .Authorization(km::TAG_NO_AUTH_REQUIRED);
123 LOG(DEBUG) << "Generating \"key storage\" key";
124 auto paramsWithRollback = paramBuilder;
125 paramsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
126
127 if (!keystore.generateKey(paramsWithRollback, key)) {
128 LOG(WARNING) << "Failed to generate rollback-resistant key. This is expected if keystore "
129 "doesn't support rollback resistance. Falling back to "
130 "non-rollback-resistant key.";
131 if (!keystore.generateKey(paramBuilder, key)) return false;
132 }
133 return true;
134 }
135
generateWrappedStorageKey(KeyBuffer * key)136 bool generateWrappedStorageKey(KeyBuffer* key) {
137 Keystore keystore;
138 if (!keystore) return false;
139 std::string key_temp;
140 auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8);
141 paramBuilder.Authorization(km::TAG_STORAGE_KEY);
142 if (!keystore.generateKey(paramBuilder, &key_temp)) return false;
143 *key = KeyBuffer(key_temp.size());
144 memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
145 return true;
146 }
147
exportWrappedStorageKey(const KeyBuffer & ksKey,KeyBuffer * key)148 bool exportWrappedStorageKey(const KeyBuffer& ksKey, KeyBuffer* key) {
149 Keystore keystore;
150 if (!keystore) return false;
151 std::string key_temp;
152
153 if (!keystore.exportKey(ksKey, &key_temp)) return false;
154 *key = KeyBuffer(key_temp.size());
155 memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
156 return true;
157 }
158
beginParams(const std::string & appId)159 static km::AuthorizationSet beginParams(const std::string& appId) {
160 return km::AuthorizationSetBuilder()
161 .GcmModeMacLen(GCM_MAC_BYTES * 8)
162 .Authorization(km::TAG_APPLICATION_ID, appId);
163 }
164
readFileToString(const std::string & filename,std::string * result)165 static bool readFileToString(const std::string& filename, std::string* result) {
166 if (!android::base::ReadFileToString(filename, result)) {
167 PLOG(ERROR) << "Failed to read from " << filename;
168 return false;
169 }
170 return true;
171 }
172
readRandomBytesOrLog(size_t count,std::string * out)173 static bool readRandomBytesOrLog(size_t count, std::string* out) {
174 auto status = ReadRandomBytes(count, *out);
175 if (status != OK) {
176 LOG(ERROR) << "Random read failed with status: " << status;
177 return false;
178 }
179 return true;
180 }
181
createSecdiscardable(const std::string & filename,std::string * hash)182 bool createSecdiscardable(const std::string& filename, std::string* hash) {
183 std::string secdiscardable;
184 if (!readRandomBytesOrLog(SECDISCARDABLE_BYTES, &secdiscardable)) return false;
185 if (!writeStringToFile(secdiscardable, filename)) return false;
186 hashWithPrefix(kHashPrefix_secdiscardable, secdiscardable, hash);
187 return true;
188 }
189
readSecdiscardable(const std::string & filename,std::string * hash)190 bool readSecdiscardable(const std::string& filename, std::string* hash) {
191 if (pathExists(filename)) {
192 std::string secdiscardable;
193 if (!readFileToString(filename, &secdiscardable)) return false;
194 hashWithPrefix(kHashPrefix_secdiscardable, secdiscardable, hash);
195 } else {
196 *hash = "";
197 }
198 return true;
199 }
200
201 static std::mutex key_upgrade_lock;
202
203 // List of key directories that have had their Keystore key upgraded during
204 // this boot and written to "keymaster_key_blob_upgraded", but replacing the old
205 // key was delayed due to an active checkpoint. Protected by key_upgrade_lock.
206 // A directory can be in this list at most once.
207 static std::vector<std::string> key_dirs_to_commit;
208
209 // Replaces |dir|/keymaster_key_blob with |dir|/keymaster_key_blob_upgraded and
210 // deletes the old key from Keystore.
CommitUpgradedKey(Keystore & keystore,const std::string & dir)211 static bool CommitUpgradedKey(Keystore& keystore, const std::string& dir) {
212 auto blob_file = dir + "/" + kFn_keymaster_key_blob;
213 auto upgraded_blob_file = dir + "/" + kFn_keymaster_key_blob_upgraded;
214
215 std::string blob;
216 if (!readFileToString(blob_file, &blob)) return false;
217
218 if (rename(upgraded_blob_file.c_str(), blob_file.c_str()) != 0) {
219 PLOG(ERROR) << "Failed to rename " << upgraded_blob_file << " to " << blob_file;
220 return false;
221 }
222 // Ensure that the rename is persisted before deleting the Keystore key.
223 if (!FsyncDirectory(dir)) return false;
224
225 if (!keystore || !keystore.deleteKey(blob)) {
226 LOG(WARNING) << "Failed to delete old key " << blob_file
227 << " from Keystore; continuing anyway";
228 // Continue on, but the space in Keystore used by the old key won't be freed.
229 }
230 return true;
231 }
232
DeferredCommitKeystoreKeys()233 void DeferredCommitKeystoreKeys() {
234 LOG(INFO) << "Committing upgraded Keystore keys";
235 Keystore keystore;
236 if (!keystore) {
237 LOG(ERROR) << "Failed to open Keystore; old keys won't be deleted from Keystore";
238 // Continue on, but the space in Keystore used by the old keys won't be freed.
239 }
240 std::lock_guard<std::mutex> lock(key_upgrade_lock);
241 for (auto& dir : key_dirs_to_commit) {
242 LOG(INFO) << "Committing upgraded Keystore key for " << dir;
243 CommitUpgradedKey(keystore, dir);
244 }
245 key_dirs_to_commit.clear();
246 LOG(INFO) << "Done committing upgraded Keystore keys";
247 }
248
249 // Returns true if the Keystore key in |dir| has already been upgraded and is
250 // pending being committed. Assumes that key_upgrade_lock is held.
IsKeyCommitPending(const std::string & dir)251 static bool IsKeyCommitPending(const std::string& dir) {
252 for (const auto& dir_to_commit : key_dirs_to_commit) {
253 if (IsSameFile(dir, dir_to_commit)) return true;
254 }
255 return false;
256 }
257
258 // Schedules the upgraded Keystore key in |dir| to be committed later. Assumes
259 // that key_upgrade_lock is held and that a commit isn't already pending for the
260 // directory.
ScheduleKeyCommit(const std::string & dir)261 static void ScheduleKeyCommit(const std::string& dir) {
262 key_dirs_to_commit.push_back(dir);
263 }
264
CancelPendingKeyCommit(const std::string & dir)265 static void CancelPendingKeyCommit(const std::string& dir) {
266 std::lock_guard<std::mutex> lock(key_upgrade_lock);
267 for (auto it = key_dirs_to_commit.begin(); it != key_dirs_to_commit.end(); it++) {
268 if (IsSameFile(*it, dir)) {
269 LOG(DEBUG) << "Cancelling pending commit of upgraded key " << dir
270 << " because it is being destroyed";
271 key_dirs_to_commit.erase(it);
272 break;
273 }
274 }
275 }
276
RenameKeyDir(const std::string & old_name,const std::string & new_name)277 bool RenameKeyDir(const std::string& old_name, const std::string& new_name) {
278 std::lock_guard<std::mutex> lock(key_upgrade_lock);
279
280 // Find the entry in key_dirs_to_commit (if any) for this directory so that
281 // we can update it if the rename succeeds. We don't allow duplicates in
282 // this list, so there can be at most one such entry.
283 auto it = key_dirs_to_commit.begin();
284 for (; it != key_dirs_to_commit.end(); it++) {
285 if (IsSameFile(old_name, *it)) break;
286 }
287
288 if (rename(old_name.c_str(), new_name.c_str()) != 0) {
289 PLOG(ERROR) << "Failed to rename key directory \"" << old_name << "\" to \"" << new_name
290 << "\"";
291 return false;
292 }
293
294 if (it != key_dirs_to_commit.end()) *it = new_name;
295
296 return true;
297 }
298
299 // Deletes a leftover upgraded key, if present. An upgraded key can be left
300 // over if an update failed, or if we rebooted before committing the key in a
301 // freak accident. Either way, we can re-upgrade the key if we need to.
DeleteUpgradedKey(Keystore & keystore,const std::string & path)302 static void DeleteUpgradedKey(Keystore& keystore, const std::string& path) {
303 if (pathExists(path)) {
304 LOG(DEBUG) << "Deleting leftover upgraded key " << path;
305 std::string blob;
306 if (!android::base::ReadFileToString(path, &blob)) {
307 LOG(WARNING) << "Failed to read leftover upgraded key " << path
308 << "; continuing anyway";
309 } else if (!keystore.deleteKey(blob)) {
310 LOG(WARNING) << "Failed to delete leftover upgraded key " << path
311 << " from Keystore; continuing anyway";
312 }
313 if (unlink(path.c_str()) != 0) {
314 LOG(WARNING) << "Failed to unlink leftover upgraded key " << path
315 << "; continuing anyway";
316 }
317 }
318 }
319
320 // Begins a Keystore operation using the key stored in |dir|.
BeginKeystoreOp(Keystore & keystore,const std::string & dir,const km::AuthorizationSet & keyParams,const km::AuthorizationSet & opParams,km::AuthorizationSet * outParams)321 static KeystoreOperation BeginKeystoreOp(Keystore& keystore, const std::string& dir,
322 const km::AuthorizationSet& keyParams,
323 const km::AuthorizationSet& opParams,
324 km::AuthorizationSet* outParams) {
325 km::AuthorizationSet inParams(keyParams);
326 inParams.append(opParams.begin(), opParams.end());
327
328 auto blob_file = dir + "/" + kFn_keymaster_key_blob;
329 auto upgraded_blob_file = dir + "/" + kFn_keymaster_key_blob_upgraded;
330
331 std::lock_guard<std::mutex> lock(key_upgrade_lock);
332
333 std::string blob;
334 bool already_upgraded = IsKeyCommitPending(dir);
335 if (already_upgraded) {
336 LOG(DEBUG)
337 << blob_file
338 << " was already upgraded and is waiting to be committed; using the upgraded blob";
339 if (!readFileToString(upgraded_blob_file, &blob)) return KeystoreOperation();
340 } else {
341 DeleteUpgradedKey(keystore, upgraded_blob_file);
342 if (!readFileToString(blob_file, &blob)) return KeystoreOperation();
343 }
344
345 auto opHandle = keystore.begin(blob, inParams, outParams);
346 if (!opHandle) return opHandle;
347
348 // If key blob wasn't upgraded, nothing left to do.
349 if (!opHandle.getUpgradedBlob()) return opHandle;
350
351 if (already_upgraded) {
352 LOG(ERROR) << "Unexpected case; already-upgraded key " << upgraded_blob_file
353 << " still requires upgrade";
354 return KeystoreOperation();
355 }
356 LOG(INFO) << "Upgrading key: " << blob_file;
357 if (!writeStringToFile(*opHandle.getUpgradedBlob(), upgraded_blob_file))
358 return KeystoreOperation();
359 if (cp_needsCheckpoint()) {
360 LOG(INFO) << "Wrote upgraded key to " << upgraded_blob_file
361 << "; delaying commit due to checkpoint";
362 ScheduleKeyCommit(dir);
363 } else {
364 if (!CommitUpgradedKey(keystore, dir)) return KeystoreOperation();
365 LOG(INFO) << "Key upgraded: " << blob_file;
366 }
367 return opHandle;
368 }
369
encryptWithKeystoreKey(Keystore & keystore,const std::string & dir,const km::AuthorizationSet & keyParams,const KeyBuffer & message,std::string * ciphertext)370 static bool encryptWithKeystoreKey(Keystore& keystore, const std::string& dir,
371 const km::AuthorizationSet& keyParams, const KeyBuffer& message,
372 std::string* ciphertext) {
373 km::AuthorizationSet opParams =
374 km::AuthorizationSetBuilder().Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT);
375 km::AuthorizationSet outParams;
376 auto opHandle = BeginKeystoreOp(keystore, dir, keyParams, opParams, &outParams);
377 if (!opHandle) return false;
378 auto nonceBlob = outParams.GetTagValue(km::TAG_NONCE);
379 if (!nonceBlob) {
380 LOG(ERROR) << "GCM encryption but no nonce generated";
381 return false;
382 }
383 // nonceBlob here is just a pointer into existing data, must not be freed
384 std::string nonce(nonceBlob.value().get().begin(), nonceBlob.value().get().end());
385 if (!checkSize("nonce", nonce.size(), GCM_NONCE_BYTES)) return false;
386 std::string body;
387 if (!opHandle.updateCompletely(message, &body)) return false;
388
389 std::string mac;
390 if (!opHandle.finish(&mac)) return false;
391 if (!checkSize("mac", mac.size(), GCM_MAC_BYTES)) return false;
392 *ciphertext = nonce + body + mac;
393 return true;
394 }
395
decryptWithKeystoreKey(Keystore & keystore,const std::string & dir,const km::AuthorizationSet & keyParams,const std::string & ciphertext,KeyBuffer * message)396 static bool decryptWithKeystoreKey(Keystore& keystore, const std::string& dir,
397 const km::AuthorizationSet& keyParams,
398 const std::string& ciphertext, KeyBuffer* message) {
399 const std::string nonce = ciphertext.substr(0, GCM_NONCE_BYTES);
400 auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES);
401 auto opParams = km::AuthorizationSetBuilder()
402 .Authorization(km::TAG_NONCE, nonce)
403 .Authorization(km::TAG_PURPOSE, km::KeyPurpose::DECRYPT);
404 auto opHandle = BeginKeystoreOp(keystore, dir, keyParams, opParams, nullptr);
405 if (!opHandle) return false;
406 if (!opHandle.updateCompletely(bodyAndMac, message)) return false;
407 if (!opHandle.finish(nullptr)) return false;
408 return true;
409 }
410
generateAppId(const KeyAuthentication & auth,const std::string & secdiscardable_hash)411 static std::string generateAppId(const KeyAuthentication& auth,
412 const std::string& secdiscardable_hash) {
413 std::string appId = secdiscardable_hash + auth.secret;
414
415 const std::lock_guard<std::mutex> scope_lock(storage_binding_info.guard);
416 switch (storage_binding_info.state) {
417 case StorageBindingInfo::State::UNINITIALIZED:
418 storage_binding_info.state = StorageBindingInfo::State::NOT_USED;
419 break;
420 case StorageBindingInfo::State::IN_USE:
421 appId.append(storage_binding_info.seed.begin(), storage_binding_info.seed.end());
422 break;
423 case StorageBindingInfo::State::NOT_USED:
424 // noop
425 break;
426 }
427 return appId;
428 }
429
logOpensslError()430 static void logOpensslError() {
431 LOG(ERROR) << "Openssl error: " << ERR_get_error();
432 }
433
encryptWithoutKeystore(const std::string & preKey,const KeyBuffer & plaintext,std::string * ciphertext)434 static bool encryptWithoutKeystore(const std::string& preKey, const KeyBuffer& plaintext,
435 std::string* ciphertext) {
436 std::string key;
437 hashWithPrefix(kHashPrefix_keygen, preKey, &key);
438 key.resize(AES_KEY_BYTES);
439 if (!readRandomBytesOrLog(GCM_NONCE_BYTES, ciphertext)) return false;
440 auto ctx = std::unique_ptr<EVP_CIPHER_CTX, decltype(&::EVP_CIPHER_CTX_free)>(
441 EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free);
442 if (!ctx) {
443 logOpensslError();
444 return false;
445 }
446 if (1 != EVP_EncryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL,
447 reinterpret_cast<const uint8_t*>(key.data()),
448 reinterpret_cast<const uint8_t*>(ciphertext->data()))) {
449 logOpensslError();
450 return false;
451 }
452 ciphertext->resize(GCM_NONCE_BYTES + plaintext.size() + GCM_MAC_BYTES);
453 int outlen;
454 if (1 != EVP_EncryptUpdate(
455 ctx.get(), reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES),
456 &outlen, reinterpret_cast<const uint8_t*>(plaintext.data()), plaintext.size())) {
457 logOpensslError();
458 return false;
459 }
460 if (outlen != static_cast<int>(plaintext.size())) {
461 LOG(ERROR) << "GCM ciphertext length should be " << plaintext.size() << " was " << outlen;
462 return false;
463 }
464 if (1 != EVP_EncryptFinal_ex(
465 ctx.get(),
466 reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES + plaintext.size()),
467 &outlen)) {
468 logOpensslError();
469 return false;
470 }
471 if (outlen != 0) {
472 LOG(ERROR) << "GCM EncryptFinal should be 0, was " << outlen;
473 return false;
474 }
475 if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, GCM_MAC_BYTES,
476 reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES +
477 plaintext.size()))) {
478 logOpensslError();
479 return false;
480 }
481 return true;
482 }
483
decryptWithoutKeystore(const std::string & preKey,const std::string & ciphertext,KeyBuffer * plaintext)484 static bool decryptWithoutKeystore(const std::string& preKey, const std::string& ciphertext,
485 KeyBuffer* plaintext) {
486 if (ciphertext.size() < GCM_NONCE_BYTES + GCM_MAC_BYTES) {
487 LOG(ERROR) << "GCM ciphertext too small: " << ciphertext.size();
488 return false;
489 }
490 std::string key;
491 hashWithPrefix(kHashPrefix_keygen, preKey, &key);
492 key.resize(AES_KEY_BYTES);
493 auto ctx = std::unique_ptr<EVP_CIPHER_CTX, decltype(&::EVP_CIPHER_CTX_free)>(
494 EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free);
495 if (!ctx) {
496 logOpensslError();
497 return false;
498 }
499 if (1 != EVP_DecryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL,
500 reinterpret_cast<const uint8_t*>(key.data()),
501 reinterpret_cast<const uint8_t*>(ciphertext.data()))) {
502 logOpensslError();
503 return false;
504 }
505 *plaintext = KeyBuffer(ciphertext.size() - GCM_NONCE_BYTES - GCM_MAC_BYTES);
506 int outlen;
507 if (1 != EVP_DecryptUpdate(ctx.get(), reinterpret_cast<uint8_t*>(&(*plaintext)[0]), &outlen,
508 reinterpret_cast<const uint8_t*>(ciphertext.data() + GCM_NONCE_BYTES),
509 plaintext->size())) {
510 logOpensslError();
511 return false;
512 }
513 if (outlen != static_cast<int>(plaintext->size())) {
514 LOG(ERROR) << "GCM plaintext length should be " << plaintext->size() << " was " << outlen;
515 return false;
516 }
517 if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, GCM_MAC_BYTES,
518 const_cast<void*>(reinterpret_cast<const void*>(
519 ciphertext.data() + GCM_NONCE_BYTES + plaintext->size())))) {
520 logOpensslError();
521 return false;
522 }
523 if (1 != EVP_DecryptFinal_ex(ctx.get(),
524 reinterpret_cast<uint8_t*>(&(*plaintext)[0] + plaintext->size()),
525 &outlen)) {
526 logOpensslError();
527 return false;
528 }
529 if (outlen != 0) {
530 LOG(ERROR) << "GCM EncryptFinal should be 0, was " << outlen;
531 return false;
532 }
533 return true;
534 }
535
536 // Creates a directory at the given path |dir| and stores |key| in it, in such a
537 // way that it can only be retrieved via Keystore (if no secret is given in
538 // |auth|) or with the given secret (if a secret is given in |auth|). In the
539 // former case, an attempt is made to make the key securely deletable. In the
540 // latter case, secure deletion is expected to be handled at a higher level.
541 //
542 // If a storage binding seed has been set, then the storage binding seed will be
543 // required to retrieve the key as well.
storeKey(const std::string & dir,const KeyAuthentication & auth,const KeyBuffer & key)544 static bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key) {
545 if (TEMP_FAILURE_RETRY(mkdir(dir.c_str(), 0700)) == -1) {
546 PLOG(ERROR) << "key mkdir " << dir;
547 return false;
548 }
549 if (!writeStringToFile(kCurrentVersion, dir + "/" + kFn_version)) return false;
550 std::string secdiscardable_hash;
551 if (auth.usesKeystore() &&
552 !createSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash))
553 return false;
554 std::string appId = generateAppId(auth, secdiscardable_hash);
555 std::string encryptedKey;
556 if (auth.usesKeystore()) {
557 Keystore keystore;
558 if (!keystore) return false;
559 std::string ksKey;
560 if (!generateKeyStorageKey(keystore, appId, &ksKey)) return false;
561 if (!writeStringToFile(ksKey, dir + "/" + kFn_keymaster_key_blob)) return false;
562 km::AuthorizationSet keyParams = beginParams(appId);
563 if (!encryptWithKeystoreKey(keystore, dir, keyParams, key, &encryptedKey)) {
564 LOG(ERROR) << "encryptWithKeystoreKey failed";
565 return false;
566 }
567 } else {
568 if (!encryptWithoutKeystore(appId, key, &encryptedKey)) {
569 LOG(ERROR) << "encryptWithoutKeystore failed";
570 return false;
571 }
572 }
573 if (!writeStringToFile(encryptedKey, dir + "/" + kFn_encrypted_key)) return false;
574 if (!FsyncDirectory(dir)) return false;
575 return true;
576 }
577
storeKeyAtomically(const std::string & key_path,const std::string & tmp_path,const KeyAuthentication & auth,const KeyBuffer & key)578 bool storeKeyAtomically(const std::string& key_path, const std::string& tmp_path,
579 const KeyAuthentication& auth, const KeyBuffer& key) {
580 if (pathExists(key_path)) {
581 LOG(ERROR) << "Already exists, cannot create key at: " << key_path;
582 return false;
583 }
584 if (pathExists(tmp_path)) {
585 LOG(DEBUG) << "Already exists, destroying: " << tmp_path;
586 destroyKey(tmp_path); // May be partially created so ignore errors
587 }
588 if (!storeKey(tmp_path, auth, key)) return false;
589
590 if (!RenameKeyDir(tmp_path, key_path)) return false;
591
592 if (!FsyncParentDirectory(key_path)) return false;
593 LOG(DEBUG) << "Stored key " << key_path;
594 return true;
595 }
596
retrieveKey(const std::string & dir,const KeyAuthentication & auth,KeyBuffer * key)597 bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffer* key) {
598 std::string version;
599 if (!readFileToString(dir + "/" + kFn_version, &version)) return false;
600 if (version != kCurrentVersion) {
601 LOG(ERROR) << "Version mismatch, expected " << kCurrentVersion << " got " << version;
602 return false;
603 }
604 std::string secdiscardable_hash;
605 if (!readSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
606 std::string appId = generateAppId(auth, secdiscardable_hash);
607 std::string encryptedMessage;
608 if (!readFileToString(dir + "/" + kFn_encrypted_key, &encryptedMessage)) return false;
609 if (auth.usesKeystore()) {
610 Keystore keystore;
611 if (!keystore) return false;
612 km::AuthorizationSet keyParams = beginParams(appId);
613 if (!decryptWithKeystoreKey(keystore, dir, keyParams, encryptedMessage, key)) {
614 LOG(ERROR) << "decryptWithKeystoreKey failed";
615 return false;
616 }
617 } else {
618 if (!decryptWithoutKeystore(appId, encryptedMessage, key)) {
619 LOG(ERROR) << "decryptWithoutKeystore failed";
620 return false;
621 }
622 }
623 return true;
624 }
625
DeleteKeystoreKey(const std::string & blob_file)626 static bool DeleteKeystoreKey(const std::string& blob_file) {
627 std::string blob;
628 if (!readFileToString(blob_file, &blob)) return false;
629 Keystore keystore;
630 if (!keystore) return false;
631 LOG(DEBUG) << "Deleting key " << blob_file << " from Keystore";
632 if (!keystore.deleteKey(blob)) return false;
633 return true;
634 }
635
runSecdiscardSingle(const std::string & file)636 bool runSecdiscardSingle(const std::string& file) {
637 if (ForkExecvp(std::vector<std::string>{kSecdiscardPath, "--", file}) != 0) {
638 LOG(ERROR) << "secdiscard failed";
639 return false;
640 }
641 return true;
642 }
643
recursiveDeleteKey(const std::string & dir)644 static bool recursiveDeleteKey(const std::string& dir) {
645 if (ForkExecvp(std::vector<std::string>{kRmPath, "-rf", dir}) != 0) {
646 LOG(ERROR) << "recursive delete failed";
647 return false;
648 }
649 return true;
650 }
651
destroyKey(const std::string & dir)652 bool destroyKey(const std::string& dir) {
653 bool success = true;
654
655 CancelPendingKeyCommit(dir);
656
657 auto secdiscard_cmd = std::vector<std::string>{
658 kSecdiscardPath,
659 "--",
660 dir + "/" + kFn_encrypted_key,
661 };
662 auto secdiscardable = dir + "/" + kFn_secdiscardable;
663 if (pathExists(secdiscardable)) {
664 secdiscard_cmd.push_back(secdiscardable);
665 }
666 // Try each thing, even if previous things failed.
667
668 for (auto& fn : {kFn_keymaster_key_blob, kFn_keymaster_key_blob_upgraded}) {
669 auto blob_file = dir + "/" + fn;
670 if (pathExists(blob_file)) {
671 success &= DeleteKeystoreKey(blob_file);
672 secdiscard_cmd.push_back(blob_file);
673 }
674 }
675 if (ForkExecvp(secdiscard_cmd) != 0) {
676 LOG(ERROR) << "secdiscard failed";
677 success = false;
678 }
679 success &= recursiveDeleteKey(dir);
680 return success;
681 }
682
setKeyStorageBindingSeed(const std::vector<uint8_t> & seed)683 bool setKeyStorageBindingSeed(const std::vector<uint8_t>& seed) {
684 const std::lock_guard<std::mutex> scope_lock(storage_binding_info.guard);
685 switch (storage_binding_info.state) {
686 case StorageBindingInfo::State::UNINITIALIZED:
687 storage_binding_info.state = StorageBindingInfo::State::IN_USE;
688 storage_binding_info.seed = seed;
689 android::base::SetProperty("vold.storage_seed_bound", "1");
690 return true;
691 case StorageBindingInfo::State::IN_USE:
692 LOG(ERROR) << "key storage binding seed already set";
693 return false;
694 case StorageBindingInfo::State::NOT_USED:
695 LOG(ERROR) << "key storage already in use without binding";
696 return false;
697 }
698 return false;
699 }
700
701 } // namespace vold
702 } // namespace android
703