1 /*
2 **
3 ** Copyright 2017, The Android Open Source Project
4 **
5 ** Licensed under the Apache License, Version 2.0 (the "License");
6 ** you may not use this file except in compliance with the License.
7 ** You may obtain a copy of the License at
8 **
9 ** http://www.apache.org/licenses/LICENSE-2.0
10 **
11 ** Unless required by applicable law or agreed to in writing, software
12 ** distributed under the License is distributed on an "AS IS" BASIS,
13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 ** See the License for the specific language governing permissions and
15 ** limitations under the License.
16 */
17
18 #define LOG_TAG "scrypt_test"
19 #include <log/log.h>
20
21 #include <gtest/gtest.h>
22 #include <hardware/keymaster0.h>
23 #include <hardware/keymaster1.h>
24 #include <cstring>
25
26 #include "../Keymaster.h"
27 #include "../cryptfs.h"
28
29 #ifdef CONFIG_HW_DISK_ENCRYPTION
30 #include "cryptfs_hw.h"
31 #endif
32
33 #define min(a, b) ((a) < (b) ? (a) : (b))
34
35 /* Maximum allowed keymaster blob size. */
36 #define KEYMASTER_BLOB_SIZE 2048
37
38 /* Key Derivation Function algorithms */
39 #define KDF_PBKDF2 1
40 #define KDF_SCRYPT 2
41 /* Algorithms 3 & 4 deprecated before shipping outside of google, so removed */
42 #define KDF_SCRYPT_KEYMASTER 5
43
44 #define KEY_LEN_BYTES 16
45
46 #define DEFAULT_PASSWORD "default_password"
47
48 #define RSA_KEY_SIZE 2048
49 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
50 #define RSA_EXPONENT 0x10001
51 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
52
keymaster_init(keymaster0_device_t ** keymaster0_dev,keymaster1_device_t ** keymaster1_dev)53 static int keymaster_init(keymaster0_device_t** keymaster0_dev,
54 keymaster1_device_t** keymaster1_dev) {
55 int rc;
56
57 const hw_module_t* mod;
58 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
59 if (rc) {
60 ALOGE("could not find any keystore module");
61 goto err;
62 }
63
64 SLOGI("keymaster module name is %s", mod->name);
65 SLOGI("keymaster version is %d", mod->module_api_version);
66
67 *keymaster0_dev = NULL;
68 *keymaster1_dev = NULL;
69 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
70 SLOGI("Found keymaster1 module, using keymaster1 API.");
71 rc = keymaster1_open(mod, keymaster1_dev);
72 } else {
73 SLOGI("Found keymaster0 module, using keymaster0 API.");
74 rc = keymaster0_open(mod, keymaster0_dev);
75 }
76
77 if (rc) {
78 ALOGE("could not open keymaster device in %s (%s)", KEYSTORE_HARDWARE_MODULE_ID,
79 strerror(-rc));
80 goto err;
81 }
82
83 return 0;
84
85 err:
86 *keymaster0_dev = NULL;
87 *keymaster1_dev = NULL;
88 return rc;
89 }
90
91 /* Should we use keymaster? */
keymaster_check_compatibility_old()92 static int keymaster_check_compatibility_old() {
93 keymaster0_device_t* keymaster0_dev = 0;
94 keymaster1_device_t* keymaster1_dev = 0;
95 int rc = 0;
96
97 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
98 SLOGE("Failed to init keymaster");
99 rc = -1;
100 goto out;
101 }
102
103 if (keymaster1_dev) {
104 rc = 1;
105 goto out;
106 }
107
108 if (!keymaster0_dev || !keymaster0_dev->common.module) {
109 rc = -1;
110 goto out;
111 }
112
113 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2
114 // should work.
115 if (keymaster0_dev->common.module->module_api_version < KEYMASTER_MODULE_API_VERSION_0_3) {
116 rc = 0;
117 goto out;
118 }
119
120 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
121 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
122 rc = 1;
123 }
124
125 out:
126 if (keymaster1_dev) {
127 keymaster1_close(keymaster1_dev);
128 }
129 if (keymaster0_dev) {
130 keymaster0_close(keymaster0_dev);
131 }
132 return rc;
133 }
134
135 /* Create a new keymaster key and store it in this footer */
keymaster_create_key_old(struct crypt_mnt_ftr * ftr)136 static int keymaster_create_key_old(struct crypt_mnt_ftr* ftr) {
137 uint8_t* key = 0;
138 keymaster0_device_t* keymaster0_dev = 0;
139 keymaster1_device_t* keymaster1_dev = 0;
140
141 if (ftr->keymaster_blob_size) {
142 SLOGI("Already have key");
143 return 0;
144 }
145
146 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
147 SLOGE("Failed to init keymaster");
148 return -1;
149 }
150
151 int rc = 0;
152 size_t key_size = 0;
153 if (keymaster1_dev) {
154 keymaster_key_param_t params[] = {
155 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */
156 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
157 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
158 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
159
160 /* The only allowed purpose for this key is signing. */
161 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
162
163 /* Padding & digest specifications. */
164 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
165 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
166
167 /* Require that the key be usable in standalone mode. File system isn't available. */
168 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
169
170 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
171 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
172
173 /* Rate-limit key usage attempts, to rate-limit brute force */
174 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
175 };
176 keymaster_key_param_set_t param_set = {params, sizeof(params) / sizeof(*params)};
177 keymaster_key_blob_t key_blob;
178 keymaster_error_t error = keymaster1_dev->generate_key(
179 keymaster1_dev, ¶m_set, &key_blob, NULL /* characteristics */);
180 if (error != KM_ERROR_OK) {
181 SLOGE("Failed to generate keymaster1 key, error %d", error);
182 rc = -1;
183 goto out;
184 }
185
186 key = (uint8_t*)key_blob.key_material;
187 key_size = key_blob.key_material_size;
188 } else if (keymaster0_dev) {
189 keymaster_rsa_keygen_params_t params;
190 memset(¶ms, '\0', sizeof(params));
191 params.public_exponent = RSA_EXPONENT;
192 params.modulus_size = RSA_KEY_SIZE;
193
194 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms, &key, &key_size)) {
195 SLOGE("Failed to generate keypair");
196 rc = -1;
197 goto out;
198 }
199 } else {
200 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device");
201 rc = -1;
202 goto out;
203 }
204
205 if (key_size > KEYMASTER_BLOB_SIZE) {
206 SLOGE("Keymaster key too large for crypto footer");
207 rc = -1;
208 goto out;
209 }
210
211 memcpy(ftr->keymaster_blob, key, key_size);
212 ftr->keymaster_blob_size = key_size;
213
214 out:
215 if (keymaster0_dev) keymaster0_close(keymaster0_dev);
216 if (keymaster1_dev) keymaster1_close(keymaster1_dev);
217 free(key);
218 return rc;
219 }
220
221 /* This signs the given object using the keymaster key. */
keymaster_sign_object_old(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)222 static int keymaster_sign_object_old(struct crypt_mnt_ftr* ftr, const unsigned char* object,
223 const size_t object_size, unsigned char** signature,
224 size_t* signature_size) {
225 int rc = 0;
226 keymaster0_device_t* keymaster0_dev = 0;
227 keymaster1_device_t* keymaster1_dev = 0;
228
229 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
230 size_t to_sign_size = sizeof(to_sign);
231 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
232
233 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
234 SLOGE("Failed to init keymaster");
235 rc = -1;
236 goto out;
237 }
238
239 // To sign a message with RSA, the message must satisfy two
240 // constraints:
241 //
242 // 1. The message, when interpreted as a big-endian numeric value, must
243 // be strictly less than the public modulus of the RSA key. Note
244 // that because the most significant bit of the public modulus is
245 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
246 // key), an n-bit message with most significant bit 0 always
247 // satisfies this requirement.
248 //
249 // 2. The message must have the same length in bits as the public
250 // modulus of the RSA key. This requirement isn't mathematically
251 // necessary, but is necessary to ensure consistency in
252 // implementations.
253 switch (ftr->kdf_type) {
254 case KDF_SCRYPT_KEYMASTER:
255 // This ensures the most significant byte of the signed message
256 // is zero. We could have zero-padded to the left instead, but
257 // this approach is slightly more robust against changes in
258 // object size. However, it's still broken (but not unusably
259 // so) because we really should be using a proper deterministic
260 // RSA padding function, such as PKCS1.
261 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
262 SLOGI("Signing safely-padded object");
263 break;
264 default:
265 SLOGE("Unknown KDF type %d", ftr->kdf_type);
266 rc = -1;
267 goto out;
268 }
269
270 if (keymaster0_dev) {
271 keymaster_rsa_sign_params_t params;
272 params.digest_type = DIGEST_NONE;
273 params.padding_type = PADDING_NONE;
274
275 rc = keymaster0_dev->sign_data(keymaster0_dev, ¶ms, ftr->keymaster_blob,
276 ftr->keymaster_blob_size, to_sign, to_sign_size, signature,
277 signature_size);
278 goto out;
279 } else if (keymaster1_dev) {
280 keymaster_key_blob_t key = {ftr->keymaster_blob, ftr->keymaster_blob_size};
281 keymaster_key_param_t params[] = {
282 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
283 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
284 };
285 keymaster_key_param_set_t param_set = {params, sizeof(params) / sizeof(*params)};
286 keymaster_operation_handle_t op_handle;
287 keymaster_error_t error = keymaster1_dev->begin(
288 keymaster1_dev, KM_PURPOSE_SIGN, &key, ¶m_set, NULL /* out_params */, &op_handle);
289 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
290 // Key usage has been rate-limited. Wait a bit and try again.
291 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
292 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, ¶m_set,
293 NULL /* out_params */, &op_handle);
294 }
295 if (error != KM_ERROR_OK) {
296 SLOGE("Error starting keymaster signature transaction: %d", error);
297 rc = -1;
298 goto out;
299 }
300
301 keymaster_blob_t input = {to_sign, to_sign_size};
302 size_t input_consumed;
303 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */, &input,
304 &input_consumed, NULL /* out_params */, NULL /* output */);
305 if (error != KM_ERROR_OK) {
306 SLOGE("Error sending data to keymaster signature transaction: %d", error);
307 rc = -1;
308 goto out;
309 }
310 if (input_consumed != to_sign_size) {
311 // This should never happen. If it does, it's a bug in the keymaster implementation.
312 SLOGE("Keymaster update() did not consume all data.");
313 keymaster1_dev->abort(keymaster1_dev, op_handle);
314 rc = -1;
315 goto out;
316 }
317
318 keymaster_blob_t tmp_sig;
319 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
320 NULL /* verify signature */, NULL /* out_params */, &tmp_sig);
321 if (error != KM_ERROR_OK) {
322 SLOGE("Error finishing keymaster signature transaction: %d", error);
323 rc = -1;
324 goto out;
325 }
326
327 *signature = (uint8_t*)tmp_sig.data;
328 *signature_size = tmp_sig.data_length;
329 } else {
330 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device.");
331 rc = -1;
332 goto out;
333 }
334
335 out:
336 if (keymaster1_dev) keymaster1_close(keymaster1_dev);
337 if (keymaster0_dev) keymaster0_close(keymaster0_dev);
338
339 return rc;
340 }
341
342 /* Should we use keymaster? */
keymaster_check_compatibility_new()343 static int keymaster_check_compatibility_new() {
344 return keymaster_compatibility_cryptfs_scrypt();
345 }
346
347 #if 0
348 /* Create a new keymaster key and store it in this footer */
349 static int keymaster_create_key_new(struct crypt_mnt_ftr *ftr)
350 {
351 if (ftr->keymaster_blob_size) {
352 SLOGI("Already have key");
353 return 0;
354 }
355
356 int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT,
357 KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
358 &ftr->keymaster_blob_size);
359 if (rc) {
360 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
361 SLOGE("Keymaster key blob to large)");
362 ftr->keymaster_blob_size = 0;
363 }
364 SLOGE("Failed to generate keypair");
365 return -1;
366 }
367 return 0;
368 }
369 #endif
370
371 /* This signs the given object using the keymaster key. */
keymaster_sign_object_new(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)372 static int keymaster_sign_object_new(struct crypt_mnt_ftr* ftr, const unsigned char* object,
373 const size_t object_size, unsigned char** signature,
374 size_t* signature_size) {
375 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
376 size_t to_sign_size = sizeof(to_sign);
377 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
378
379 // To sign a message with RSA, the message must satisfy two
380 // constraints:
381 //
382 // 1. The message, when interpreted as a big-endian numeric value, must
383 // be strictly less than the public modulus of the RSA key. Note
384 // that because the most significant bit of the public modulus is
385 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
386 // key), an n-bit message with most significant bit 0 always
387 // satisfies this requirement.
388 //
389 // 2. The message must have the same length in bits as the public
390 // modulus of the RSA key. This requirement isn't mathematically
391 // necessary, but is necessary to ensure consistency in
392 // implementations.
393 switch (ftr->kdf_type) {
394 case KDF_SCRYPT_KEYMASTER:
395 // This ensures the most significant byte of the signed message
396 // is zero. We could have zero-padded to the left instead, but
397 // this approach is slightly more robust against changes in
398 // object size. However, it's still broken (but not unusably
399 // so) because we really should be using a proper deterministic
400 // RSA padding function, such as PKCS1.
401 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
402 SLOGI("Signing safely-padded object");
403 break;
404 default:
405 SLOGE("Unknown KDF type %d", ftr->kdf_type);
406 return -1;
407 }
408 if (keymaster_sign_object_for_cryptfs_scrypt(
409 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
410 to_sign_size, signature, signature_size) != KeymasterSignResult::ok)
411 return -1;
412 return 0;
413 }
414
415 namespace android {
416
417 class CryptFsTest : public testing::Test {
418 protected:
SetUp()419 virtual void SetUp() {}
420
TearDown()421 virtual void TearDown() {}
422 };
423
TEST_F(CryptFsTest,ScryptHidlizationEquivalenceTest)424 TEST_F(CryptFsTest, ScryptHidlizationEquivalenceTest) {
425 crypt_mnt_ftr ftr;
426 ftr.kdf_type = KDF_SCRYPT_KEYMASTER;
427 ftr.keymaster_blob_size = 0;
428
429 ASSERT_EQ(0, keymaster_create_key_old(&ftr));
430
431 uint8_t* sig1 = nullptr;
432 uint8_t* sig2 = nullptr;
433 size_t sig_size1 = 123456789;
434 size_t sig_size2 = 123456789;
435 uint8_t object[] = "the object";
436
437 ASSERT_EQ(1, keymaster_check_compatibility_old());
438 ASSERT_EQ(1, keymaster_check_compatibility_new());
439 ASSERT_EQ(0, keymaster_sign_object_old(&ftr, object, 10, &sig1, &sig_size1));
440 ASSERT_EQ(0, keymaster_sign_object_new(&ftr, object, 10, &sig2, &sig_size2));
441
442 ASSERT_EQ(sig_size1, sig_size2);
443 ASSERT_NE(nullptr, sig1);
444 ASSERT_NE(nullptr, sig2);
445 EXPECT_EQ(0, memcmp(sig1, sig2, sig_size1));
446 free(sig1);
447 free(sig2);
448 }
449
450 } // namespace android
451