1 /*
2 * Copyright (C) 2009 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <stdio.h>
18 #include <stdint.h>
19 #include <string.h>
20 #include <unistd.h>
21 #include <signal.h>
22 #include <errno.h>
23 #include <dirent.h>
24 #include <fcntl.h>
25 #include <limits.h>
26 #include <assert.h>
27 #include <sys/types.h>
28 #include <sys/socket.h>
29 #include <sys/stat.h>
30 #include <sys/time.h>
31 #include <arpa/inet.h>
32
33 #include <openssl/aes.h>
34 #include <openssl/bio.h>
35 #include <openssl/evp.h>
36 #include <openssl/md5.h>
37 #include <openssl/pem.h>
38
39 #include <hardware/keymaster.h>
40
41 #include <utils/UniquePtr.h>
42
43 #include <cutils/list.h>
44
45 //#define LOG_NDEBUG 0
46 #define LOG_TAG "keystore"
47 #include <cutils/log.h>
48 #include <cutils/sockets.h>
49 #include <private/android_filesystem_config.h>
50
51 #include "keystore.h"
52
53 /* KeyStore is a secured storage for key-value pairs. In this implementation,
54 * each file stores one key-value pair. Keys are encoded in file names, and
55 * values are encrypted with checksums. The encryption key is protected by a
56 * user-defined password. To keep things simple, buffers are always larger than
57 * the maximum space we needed, so boundary checks on buffers are omitted. */
58
59 #define KEY_SIZE ((NAME_MAX - 15) / 2)
60 #define VALUE_SIZE 32768
61 #define PASSWORD_SIZE VALUE_SIZE
62
63
64 struct BIO_Delete {
operator ()BIO_Delete65 void operator()(BIO* p) const {
66 BIO_free(p);
67 }
68 };
69 typedef UniquePtr<BIO, BIO_Delete> Unique_BIO;
70
71 struct EVP_PKEY_Delete {
operator ()EVP_PKEY_Delete72 void operator()(EVP_PKEY* p) const {
73 EVP_PKEY_free(p);
74 }
75 };
76 typedef UniquePtr<EVP_PKEY, EVP_PKEY_Delete> Unique_EVP_PKEY;
77
78 struct PKCS8_PRIV_KEY_INFO_Delete {
operator ()PKCS8_PRIV_KEY_INFO_Delete79 void operator()(PKCS8_PRIV_KEY_INFO* p) const {
80 PKCS8_PRIV_KEY_INFO_free(p);
81 }
82 };
83 typedef UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete> Unique_PKCS8_PRIV_KEY_INFO;
84
85
86 struct Value {
ValueValue87 Value(const uint8_t* orig, int origLen) {
88 assert(origLen <= VALUE_SIZE);
89 memcpy(value, orig, origLen);
90 length = origLen;
91 }
92
ValueValue93 Value() {
94 }
95
96 int length;
97 uint8_t value[VALUE_SIZE];
98 };
99
100 class ValueString {
101 public:
ValueString(const Value * orig)102 ValueString(const Value* orig) {
103 assert(length <= VALUE_SIZE);
104 length = orig->length;
105 value = new char[length + 1];
106 memcpy(value, orig->value, length);
107 value[length] = '\0';
108 }
109
~ValueString()110 ~ValueString() {
111 delete[] value;
112 }
113
c_str() const114 const char* c_str() const {
115 return value;
116 }
117
release()118 char* release() {
119 char* ret = value;
120 value = NULL;
121 return ret;
122 }
123
124 private:
125 char* value;
126 size_t length;
127 };
128
keymaster_device_initialize(keymaster_device_t ** dev)129 static int keymaster_device_initialize(keymaster_device_t** dev) {
130 int rc;
131
132 const hw_module_t* mod;
133 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
134 if (rc) {
135 ALOGE("could not find any keystore module");
136 goto out;
137 }
138
139 rc = keymaster_open(mod, dev);
140 if (rc) {
141 ALOGE("could not open keymaster device in %s (%s)",
142 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
143 goto out;
144 }
145
146 return 0;
147
148 out:
149 *dev = NULL;
150 return rc;
151 }
152
keymaster_device_release(keymaster_device_t * dev)153 static void keymaster_device_release(keymaster_device_t* dev) {
154 keymaster_close(dev);
155 }
156
157 /* Here is the encoding of keys. This is necessary in order to allow arbitrary
158 * characters in keys. Characters in [0-~] are not encoded. Others are encoded
159 * into two bytes. The first byte is one of [+-.] which represents the first
160 * two bits of the character. The second byte encodes the rest of the bits into
161 * [0-o]. Therefore in the worst case the length of a key gets doubled. Note
162 * that Base64 cannot be used here due to the need of prefix match on keys. */
163
encode_key(char * out,const Value * key)164 static int encode_key(char* out, const Value* key) {
165 const uint8_t* in = key->value;
166 int length = key->length;
167 for (int i = length; i > 0; --i, ++in, ++out) {
168 if (*in >= '0' && *in <= '~') {
169 *out = *in;
170 } else {
171 *out = '+' + (*in >> 6);
172 *++out = '0' + (*in & 0x3F);
173 ++length;
174 }
175 }
176 *out = '\0';
177 return length;
178 }
179
encode_key_for_uid(char * out,uid_t uid,const Value * key)180 static int encode_key_for_uid(char* out, uid_t uid, const Value* key) {
181 int n = snprintf(out, NAME_MAX, "%u_", uid);
182 out += n;
183
184 return n + encode_key(out, key);
185 }
186
decode_key(uint8_t * out,const char * in,int length)187 static int decode_key(uint8_t* out, const char* in, int length) {
188 for (int i = 0; i < length; ++i, ++in, ++out) {
189 if (*in >= '0' && *in <= '~') {
190 *out = *in;
191 } else {
192 *out = (*in - '+') << 6;
193 *out |= (*++in - '0') & 0x3F;
194 --length;
195 }
196 }
197 *out = '\0';
198 return length;
199 }
200
readFully(int fd,uint8_t * data,size_t size)201 static size_t readFully(int fd, uint8_t* data, size_t size) {
202 size_t remaining = size;
203 while (remaining > 0) {
204 ssize_t n = TEMP_FAILURE_RETRY(read(fd, data, size));
205 if (n == -1 || n == 0) {
206 return size-remaining;
207 }
208 data += n;
209 remaining -= n;
210 }
211 return size;
212 }
213
writeFully(int fd,uint8_t * data,size_t size)214 static size_t writeFully(int fd, uint8_t* data, size_t size) {
215 size_t remaining = size;
216 while (remaining > 0) {
217 ssize_t n = TEMP_FAILURE_RETRY(write(fd, data, size));
218 if (n == -1 || n == 0) {
219 return size-remaining;
220 }
221 data += n;
222 remaining -= n;
223 }
224 return size;
225 }
226
227 class Entropy {
228 public:
Entropy()229 Entropy() : mRandom(-1) {}
~Entropy()230 ~Entropy() {
231 if (mRandom != -1) {
232 close(mRandom);
233 }
234 }
235
open()236 bool open() {
237 const char* randomDevice = "/dev/urandom";
238 mRandom = ::open(randomDevice, O_RDONLY);
239 if (mRandom == -1) {
240 ALOGE("open: %s: %s", randomDevice, strerror(errno));
241 return false;
242 }
243 return true;
244 }
245
generate_random_data(uint8_t * data,size_t size) const246 bool generate_random_data(uint8_t* data, size_t size) const {
247 return (readFully(mRandom, data, size) == size);
248 }
249
250 private:
251 int mRandom;
252 };
253
254 /* Here is the file format. There are two parts in blob.value, the secret and
255 * the description. The secret is stored in ciphertext, and its original size
256 * can be found in blob.length. The description is stored after the secret in
257 * plaintext, and its size is specified in blob.info. The total size of the two
258 * parts must be no more than VALUE_SIZE bytes. The first field is the version,
259 * the second is the blob's type, and the third byte is reserved. Fields other
260 * than blob.info, blob.length, and blob.value are modified by encryptBlob()
261 * and decryptBlob(). Thus they should not be accessed from outside. */
262
263 /* ** Note to future implementors of encryption: **
264 * Currently this is the construction:
265 * metadata || Enc(MD5(data) || data)
266 *
267 * This should be the construction used for encrypting if re-implementing:
268 *
269 * Derive independent keys for encryption and MAC:
270 * Kenc = AES_encrypt(masterKey, "Encrypt")
271 * Kmac = AES_encrypt(masterKey, "MAC")
272 *
273 * Store this:
274 * metadata || AES_CTR_encrypt(Kenc, rand_IV, data) ||
275 * HMAC(Kmac, metadata || Enc(data))
276 */
277 struct __attribute__((packed)) blob {
278 uint8_t version;
279 uint8_t type;
280 uint8_t reserved;
281 uint8_t info;
282 uint8_t vector[AES_BLOCK_SIZE];
283 uint8_t encrypted[0]; // Marks offset to encrypted data.
284 uint8_t digest[MD5_DIGEST_LENGTH];
285 uint8_t digested[0]; // Marks offset to digested data.
286 int32_t length; // in network byte order when encrypted
287 uint8_t value[VALUE_SIZE + AES_BLOCK_SIZE];
288 };
289
290 typedef enum {
291 TYPE_GENERIC = 1,
292 TYPE_MASTER_KEY = 2,
293 TYPE_KEY_PAIR = 3,
294 } BlobType;
295
296 static const uint8_t CurrentBlobVersion = 1;
297
298 class Blob {
299 public:
Blob(uint8_t * value,int32_t valueLength,uint8_t * info,uint8_t infoLength,BlobType type)300 Blob(uint8_t* value, int32_t valueLength, uint8_t* info, uint8_t infoLength, BlobType type) {
301 mBlob.length = valueLength;
302 memcpy(mBlob.value, value, valueLength);
303
304 mBlob.info = infoLength;
305 memcpy(mBlob.value + valueLength, info, infoLength);
306
307 mBlob.version = CurrentBlobVersion;
308 mBlob.type = uint8_t(type);
309 }
310
Blob(blob b)311 Blob(blob b) {
312 mBlob = b;
313 }
314
Blob()315 Blob() {}
316
getValue() const317 const uint8_t* getValue() const {
318 return mBlob.value;
319 }
320
getLength() const321 int32_t getLength() const {
322 return mBlob.length;
323 }
324
getInfo() const325 const uint8_t* getInfo() const {
326 return mBlob.value + mBlob.length;
327 }
328
getInfoLength() const329 uint8_t getInfoLength() const {
330 return mBlob.info;
331 }
332
getVersion() const333 uint8_t getVersion() const {
334 return mBlob.version;
335 }
336
setVersion(uint8_t version)337 void setVersion(uint8_t version) {
338 mBlob.version = version;
339 }
340
getType() const341 BlobType getType() const {
342 return BlobType(mBlob.type);
343 }
344
setType(BlobType type)345 void setType(BlobType type) {
346 mBlob.type = uint8_t(type);
347 }
348
encryptBlob(const char * filename,AES_KEY * aes_key,Entropy * entropy)349 ResponseCode encryptBlob(const char* filename, AES_KEY *aes_key, Entropy* entropy) {
350 if (!entropy->generate_random_data(mBlob.vector, AES_BLOCK_SIZE)) {
351 return SYSTEM_ERROR;
352 }
353
354 // data includes the value and the value's length
355 size_t dataLength = mBlob.length + sizeof(mBlob.length);
356 // pad data to the AES_BLOCK_SIZE
357 size_t digestedLength = ((dataLength + AES_BLOCK_SIZE - 1)
358 / AES_BLOCK_SIZE * AES_BLOCK_SIZE);
359 // encrypted data includes the digest value
360 size_t encryptedLength = digestedLength + MD5_DIGEST_LENGTH;
361 // move info after space for padding
362 memmove(&mBlob.encrypted[encryptedLength], &mBlob.value[mBlob.length], mBlob.info);
363 // zero padding area
364 memset(mBlob.value + mBlob.length, 0, digestedLength - dataLength);
365
366 mBlob.length = htonl(mBlob.length);
367 MD5(mBlob.digested, digestedLength, mBlob.digest);
368
369 uint8_t vector[AES_BLOCK_SIZE];
370 memcpy(vector, mBlob.vector, AES_BLOCK_SIZE);
371 AES_cbc_encrypt(mBlob.encrypted, mBlob.encrypted, encryptedLength,
372 aes_key, vector, AES_ENCRYPT);
373
374 mBlob.reserved = 0;
375 size_t headerLength = (mBlob.encrypted - (uint8_t*) &mBlob);
376 size_t fileLength = encryptedLength + headerLength + mBlob.info;
377
378 const char* tmpFileName = ".tmp";
379 int out = open(tmpFileName, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
380 if (out == -1) {
381 return SYSTEM_ERROR;
382 }
383 size_t writtenBytes = writeFully(out, (uint8_t*) &mBlob, fileLength);
384 if (close(out) != 0) {
385 return SYSTEM_ERROR;
386 }
387 if (writtenBytes != fileLength) {
388 unlink(tmpFileName);
389 return SYSTEM_ERROR;
390 }
391 return (rename(tmpFileName, filename) == 0) ? NO_ERROR : SYSTEM_ERROR;
392 }
393
decryptBlob(const char * filename,AES_KEY * aes_key)394 ResponseCode decryptBlob(const char* filename, AES_KEY *aes_key) {
395 int in = open(filename, O_RDONLY);
396 if (in == -1) {
397 return (errno == ENOENT) ? KEY_NOT_FOUND : SYSTEM_ERROR;
398 }
399 // fileLength may be less than sizeof(mBlob) since the in
400 // memory version has extra padding to tolerate rounding up to
401 // the AES_BLOCK_SIZE
402 size_t fileLength = readFully(in, (uint8_t*) &mBlob, sizeof(mBlob));
403 if (close(in) != 0) {
404 return SYSTEM_ERROR;
405 }
406 size_t headerLength = (mBlob.encrypted - (uint8_t*) &mBlob);
407 if (fileLength < headerLength) {
408 return VALUE_CORRUPTED;
409 }
410
411 ssize_t encryptedLength = fileLength - (headerLength + mBlob.info);
412 if (encryptedLength < 0 || encryptedLength % AES_BLOCK_SIZE != 0) {
413 return VALUE_CORRUPTED;
414 }
415 AES_cbc_encrypt(mBlob.encrypted, mBlob.encrypted, encryptedLength, aes_key,
416 mBlob.vector, AES_DECRYPT);
417 size_t digestedLength = encryptedLength - MD5_DIGEST_LENGTH;
418 uint8_t computedDigest[MD5_DIGEST_LENGTH];
419 MD5(mBlob.digested, digestedLength, computedDigest);
420 if (memcmp(mBlob.digest, computedDigest, MD5_DIGEST_LENGTH) != 0) {
421 return VALUE_CORRUPTED;
422 }
423
424 ssize_t maxValueLength = digestedLength - sizeof(mBlob.length);
425 mBlob.length = ntohl(mBlob.length);
426 if (mBlob.length < 0 || mBlob.length > maxValueLength) {
427 return VALUE_CORRUPTED;
428 }
429 if (mBlob.info != 0) {
430 // move info from after padding to after data
431 memmove(&mBlob.value[mBlob.length], &mBlob.value[maxValueLength], mBlob.info);
432 }
433 return NO_ERROR;
434 }
435
436 private:
437 struct blob mBlob;
438 };
439
440 typedef struct {
441 uint32_t uid;
442 const uint8_t* filename;
443
444 struct listnode plist;
445 } grant_t;
446
447 class KeyStore {
448 public:
KeyStore(Entropy * entropy,keymaster_device_t * device)449 KeyStore(Entropy* entropy, keymaster_device_t* device)
450 : mEntropy(entropy)
451 , mDevice(device)
452 , mRetry(MAX_RETRY)
453 {
454 if (access(MASTER_KEY_FILE, R_OK) == 0) {
455 setState(STATE_LOCKED);
456 } else {
457 setState(STATE_UNINITIALIZED);
458 }
459
460 list_init(&mGrants);
461 }
462
getState() const463 State getState() const {
464 return mState;
465 }
466
getRetry() const467 int8_t getRetry() const {
468 return mRetry;
469 }
470
getDevice() const471 keymaster_device_t* getDevice() const {
472 return mDevice;
473 }
474
initialize(Value * pw)475 ResponseCode initialize(Value* pw) {
476 if (!generateMasterKey()) {
477 return SYSTEM_ERROR;
478 }
479 ResponseCode response = writeMasterKey(pw);
480 if (response != NO_ERROR) {
481 return response;
482 }
483 setupMasterKeys();
484 return NO_ERROR;
485 }
486
writeMasterKey(Value * pw)487 ResponseCode writeMasterKey(Value* pw) {
488 uint8_t passwordKey[MASTER_KEY_SIZE_BYTES];
489 generateKeyFromPassword(passwordKey, MASTER_KEY_SIZE_BYTES, pw, mSalt);
490 AES_KEY passwordAesKey;
491 AES_set_encrypt_key(passwordKey, MASTER_KEY_SIZE_BITS, &passwordAesKey);
492 Blob masterKeyBlob(mMasterKey, sizeof(mMasterKey), mSalt, sizeof(mSalt), TYPE_MASTER_KEY);
493 return masterKeyBlob.encryptBlob(MASTER_KEY_FILE, &passwordAesKey, mEntropy);
494 }
495
readMasterKey(Value * pw)496 ResponseCode readMasterKey(Value* pw) {
497 int in = open(MASTER_KEY_FILE, O_RDONLY);
498 if (in == -1) {
499 return SYSTEM_ERROR;
500 }
501
502 // we read the raw blob to just to get the salt to generate
503 // the AES key, then we create the Blob to use with decryptBlob
504 blob rawBlob;
505 size_t length = readFully(in, (uint8_t*) &rawBlob, sizeof(rawBlob));
506 if (close(in) != 0) {
507 return SYSTEM_ERROR;
508 }
509 // find salt at EOF if present, otherwise we have an old file
510 uint8_t* salt;
511 if (length > SALT_SIZE && rawBlob.info == SALT_SIZE) {
512 salt = (uint8_t*) &rawBlob + length - SALT_SIZE;
513 } else {
514 salt = NULL;
515 }
516 uint8_t passwordKey[MASTER_KEY_SIZE_BYTES];
517 generateKeyFromPassword(passwordKey, MASTER_KEY_SIZE_BYTES, pw, salt);
518 AES_KEY passwordAesKey;
519 AES_set_decrypt_key(passwordKey, MASTER_KEY_SIZE_BITS, &passwordAesKey);
520 Blob masterKeyBlob(rawBlob);
521 ResponseCode response = masterKeyBlob.decryptBlob(MASTER_KEY_FILE, &passwordAesKey);
522 if (response == SYSTEM_ERROR) {
523 return SYSTEM_ERROR;
524 }
525 if (response == NO_ERROR && masterKeyBlob.getLength() == MASTER_KEY_SIZE_BYTES) {
526 // if salt was missing, generate one and write a new master key file with the salt.
527 if (salt == NULL) {
528 if (!generateSalt()) {
529 return SYSTEM_ERROR;
530 }
531 response = writeMasterKey(pw);
532 }
533 if (response == NO_ERROR) {
534 memcpy(mMasterKey, masterKeyBlob.getValue(), MASTER_KEY_SIZE_BYTES);
535 setupMasterKeys();
536 }
537 return response;
538 }
539 if (mRetry <= 0) {
540 reset();
541 return UNINITIALIZED;
542 }
543 --mRetry;
544 switch (mRetry) {
545 case 0: return WRONG_PASSWORD_0;
546 case 1: return WRONG_PASSWORD_1;
547 case 2: return WRONG_PASSWORD_2;
548 case 3: return WRONG_PASSWORD_3;
549 default: return WRONG_PASSWORD_3;
550 }
551 }
552
reset()553 bool reset() {
554 clearMasterKeys();
555 setState(STATE_UNINITIALIZED);
556
557 DIR* dir = opendir(".");
558 struct dirent* file;
559
560 if (!dir) {
561 return false;
562 }
563 while ((file = readdir(dir)) != NULL) {
564 unlink(file->d_name);
565 }
566 closedir(dir);
567 return true;
568 }
569
isEmpty() const570 bool isEmpty() const {
571 DIR* dir = opendir(".");
572 struct dirent* file;
573 if (!dir) {
574 return true;
575 }
576 bool result = true;
577 while ((file = readdir(dir)) != NULL) {
578 if (isKeyFile(file->d_name)) {
579 result = false;
580 break;
581 }
582 }
583 closedir(dir);
584 return result;
585 }
586
lock()587 void lock() {
588 clearMasterKeys();
589 setState(STATE_LOCKED);
590 }
591
get(const char * filename,Blob * keyBlob,const BlobType type)592 ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type) {
593 ResponseCode rc = keyBlob->decryptBlob(filename, &mMasterKeyDecryption);
594 if (rc != NO_ERROR) {
595 return rc;
596 }
597
598 const uint8_t version = keyBlob->getVersion();
599 if (version < CurrentBlobVersion) {
600 upgrade(filename, keyBlob, version, type);
601 }
602
603 if (keyBlob->getType() != type) {
604 ALOGW("key found but type doesn't match: %d vs %d", keyBlob->getType(), type);
605 return KEY_NOT_FOUND;
606 }
607
608 return rc;
609 }
610
put(const char * filename,Blob * keyBlob)611 ResponseCode put(const char* filename, Blob* keyBlob) {
612 return keyBlob->encryptBlob(filename, &mMasterKeyEncryption, mEntropy);
613 }
614
addGrant(const char * filename,const Value * uidValue)615 void addGrant(const char* filename, const Value* uidValue) {
616 uid_t uid;
617 if (!convertToUid(uidValue, &uid)) {
618 return;
619 }
620
621 grant_t *grant = getGrant(filename, uid);
622 if (grant == NULL) {
623 grant = new grant_t;
624 grant->uid = uid;
625 grant->filename = reinterpret_cast<const uint8_t*>(strdup(filename));
626 list_add_tail(&mGrants, &grant->plist);
627 }
628 }
629
removeGrant(const char * filename,const Value * uidValue)630 bool removeGrant(const char* filename, const Value* uidValue) {
631 uid_t uid;
632 if (!convertToUid(uidValue, &uid)) {
633 return false;
634 }
635
636 grant_t *grant = getGrant(filename, uid);
637 if (grant != NULL) {
638 list_remove(&grant->plist);
639 delete grant;
640 return true;
641 }
642
643 return false;
644 }
645
hasGrant(const char * filename,const uid_t uid) const646 bool hasGrant(const char* filename, const uid_t uid) const {
647 return getGrant(filename, uid) != NULL;
648 }
649
importKey(const Value * key,const char * filename)650 ResponseCode importKey(const Value* key, const char* filename) {
651 uint8_t* data;
652 size_t dataLength;
653 int rc;
654
655 if (mDevice->import_keypair == NULL) {
656 ALOGE("Keymaster doesn't support import!");
657 return SYSTEM_ERROR;
658 }
659
660 rc = mDevice->import_keypair(mDevice, key->value, key->length, &data, &dataLength);
661 if (rc) {
662 ALOGE("Error while importing keypair: %d", rc);
663 return SYSTEM_ERROR;
664 }
665
666 Blob keyBlob(data, dataLength, NULL, 0, TYPE_KEY_PAIR);
667 free(data);
668
669 return put(filename, &keyBlob);
670 }
671
672 private:
673 static const char* MASTER_KEY_FILE;
674 static const int MASTER_KEY_SIZE_BYTES = 16;
675 static const int MASTER_KEY_SIZE_BITS = MASTER_KEY_SIZE_BYTES * 8;
676
677 static const int MAX_RETRY = 4;
678 static const size_t SALT_SIZE = 16;
679
680 Entropy* mEntropy;
681
682 keymaster_device_t* mDevice;
683
684 State mState;
685 int8_t mRetry;
686
687 uint8_t mMasterKey[MASTER_KEY_SIZE_BYTES];
688 uint8_t mSalt[SALT_SIZE];
689
690 AES_KEY mMasterKeyEncryption;
691 AES_KEY mMasterKeyDecryption;
692
693 struct listnode mGrants;
694
setState(State state)695 void setState(State state) {
696 mState = state;
697 if (mState == STATE_NO_ERROR || mState == STATE_UNINITIALIZED) {
698 mRetry = MAX_RETRY;
699 }
700 }
701
generateSalt()702 bool generateSalt() {
703 return mEntropy->generate_random_data(mSalt, sizeof(mSalt));
704 }
705
generateMasterKey()706 bool generateMasterKey() {
707 if (!mEntropy->generate_random_data(mMasterKey, sizeof(mMasterKey))) {
708 return false;
709 }
710 if (!generateSalt()) {
711 return false;
712 }
713 return true;
714 }
715
setupMasterKeys()716 void setupMasterKeys() {
717 AES_set_encrypt_key(mMasterKey, MASTER_KEY_SIZE_BITS, &mMasterKeyEncryption);
718 AES_set_decrypt_key(mMasterKey, MASTER_KEY_SIZE_BITS, &mMasterKeyDecryption);
719 setState(STATE_NO_ERROR);
720 }
721
clearMasterKeys()722 void clearMasterKeys() {
723 memset(mMasterKey, 0, sizeof(mMasterKey));
724 memset(mSalt, 0, sizeof(mSalt));
725 memset(&mMasterKeyEncryption, 0, sizeof(mMasterKeyEncryption));
726 memset(&mMasterKeyDecryption, 0, sizeof(mMasterKeyDecryption));
727 }
728
generateKeyFromPassword(uint8_t * key,ssize_t keySize,Value * pw,uint8_t * salt)729 static void generateKeyFromPassword(uint8_t* key, ssize_t keySize, Value* pw, uint8_t* salt) {
730 size_t saltSize;
731 if (salt != NULL) {
732 saltSize = SALT_SIZE;
733 } else {
734 // pre-gingerbread used this hardwired salt, readMasterKey will rewrite these when found
735 salt = (uint8_t*) "keystore";
736 // sizeof = 9, not strlen = 8
737 saltSize = sizeof("keystore");
738 }
739 PKCS5_PBKDF2_HMAC_SHA1((char*) pw->value, pw->length, salt, saltSize, 8192, keySize, key);
740 }
741
isKeyFile(const char * filename)742 static bool isKeyFile(const char* filename) {
743 return ((strcmp(filename, MASTER_KEY_FILE) != 0)
744 && (strcmp(filename, ".") != 0)
745 && (strcmp(filename, "..") != 0));
746 }
747
getGrant(const char * filename,uid_t uid) const748 grant_t* getGrant(const char* filename, uid_t uid) const {
749 struct listnode *node;
750 grant_t *grant;
751
752 list_for_each(node, &mGrants) {
753 grant = node_to_item(node, grant_t, plist);
754 if (grant->uid == uid
755 && !strcmp(reinterpret_cast<const char*>(grant->filename),
756 filename)) {
757 return grant;
758 }
759 }
760
761 return NULL;
762 }
763
convertToUid(const Value * uidValue,uid_t * uid) const764 bool convertToUid(const Value* uidValue, uid_t* uid) const {
765 ValueString uidString(uidValue);
766 char* end = NULL;
767 *uid = strtol(uidString.c_str(), &end, 10);
768 return *end == '\0';
769 }
770
771 /**
772 * Upgrade code. This will upgrade the key from the current version
773 * to whatever is newest.
774 */
upgrade(const char * filename,Blob * blob,const uint8_t oldVersion,const BlobType type)775 void upgrade(const char* filename, Blob* blob, const uint8_t oldVersion, const BlobType type) {
776 bool updated = false;
777 uint8_t version = oldVersion;
778
779 /* From V0 -> V1: All old types were unknown */
780 if (version == 0) {
781 ALOGV("upgrading to version 1 and setting type %d", type);
782
783 blob->setType(type);
784 if (type == TYPE_KEY_PAIR) {
785 importBlobAsKey(blob, filename);
786 }
787 version = 1;
788 updated = true;
789 }
790
791 /*
792 * If we've updated, set the key blob to the right version
793 * and write it.
794 * */
795 if (updated) {
796 ALOGV("updated and writing file %s", filename);
797 blob->setVersion(version);
798 this->put(filename, blob);
799 }
800 }
801
802 /**
803 * Takes a blob that is an PEM-encoded RSA key as a byte array and
804 * converts it to a DER-encoded PKCS#8 for import into a keymaster.
805 * Then it overwrites the original blob with the new blob
806 * format that is returned from the keymaster.
807 */
importBlobAsKey(Blob * blob,const char * filename)808 ResponseCode importBlobAsKey(Blob* blob, const char* filename) {
809 // We won't even write to the blob directly with this BIO, so const_cast is okay.
810 Unique_BIO b(BIO_new_mem_buf(const_cast<uint8_t*>(blob->getValue()), blob->getLength()));
811 if (b.get() == NULL) {
812 ALOGE("Problem instantiating BIO");
813 return SYSTEM_ERROR;
814 }
815
816 Unique_EVP_PKEY pkey(PEM_read_bio_PrivateKey(b.get(), NULL, NULL, NULL));
817 if (pkey.get() == NULL) {
818 ALOGE("Couldn't read old PEM file");
819 return SYSTEM_ERROR;
820 }
821
822 Unique_PKCS8_PRIV_KEY_INFO pkcs8(EVP_PKEY2PKCS8(pkey.get()));
823 int len = i2d_PKCS8_PRIV_KEY_INFO(pkcs8.get(), NULL);
824 if (len < 0) {
825 ALOGE("Couldn't measure PKCS#8 length");
826 return SYSTEM_ERROR;
827 }
828
829 Value pkcs8key;
830 pkcs8key.length = len;
831 uint8_t* tmp = pkcs8key.value;
832 if (i2d_PKCS8_PRIV_KEY_INFO(pkcs8.get(), &tmp) != len) {
833 ALOGE("Couldn't convert to PKCS#8");
834 return SYSTEM_ERROR;
835 }
836
837 ResponseCode rc = importKey(&pkcs8key, filename);
838 if (rc != NO_ERROR) {
839 return rc;
840 }
841
842 return get(filename, blob, TYPE_KEY_PAIR);
843 }
844 };
845
846 const char* KeyStore::MASTER_KEY_FILE = ".masterkey";
847
848 /* Here is the protocol used in both requests and responses:
849 * code [length_1 message_1 ... length_n message_n] end-of-file
850 * where code is one byte long and lengths are unsigned 16-bit integers in
851 * network order. Thus the maximum length of a message is 65535 bytes. */
852
recv_code(int sock,int8_t * code)853 static int recv_code(int sock, int8_t* code) {
854 return recv(sock, code, 1, 0) == 1;
855 }
856
recv_message(int sock,uint8_t * message,int length)857 static int recv_message(int sock, uint8_t* message, int length) {
858 uint8_t bytes[2];
859 if (recv(sock, &bytes[0], 1, 0) != 1 ||
860 recv(sock, &bytes[1], 1, 0) != 1) {
861 return -1;
862 } else {
863 int offset = bytes[0] << 8 | bytes[1];
864 if (length < offset) {
865 return -1;
866 }
867 length = offset;
868 offset = 0;
869 while (offset < length) {
870 int n = recv(sock, &message[offset], length - offset, 0);
871 if (n <= 0) {
872 return -1;
873 }
874 offset += n;
875 }
876 }
877 return length;
878 }
879
recv_end_of_file(int sock)880 static int recv_end_of_file(int sock) {
881 uint8_t byte;
882 return recv(sock, &byte, 1, 0) == 0;
883 }
884
send_code(int sock,int8_t code)885 static void send_code(int sock, int8_t code) {
886 send(sock, &code, 1, 0);
887 }
888
send_message(int sock,const uint8_t * message,int length)889 static void send_message(int sock, const uint8_t* message, int length) {
890 uint16_t bytes = htons(length);
891 send(sock, &bytes, 2, 0);
892 send(sock, message, length, 0);
893 }
894
get_key_for_name(KeyStore * keyStore,Blob * keyBlob,const Value * keyName,const uid_t uid,const BlobType type)895 static ResponseCode get_key_for_name(KeyStore* keyStore, Blob* keyBlob, const Value* keyName,
896 const uid_t uid, const BlobType type) {
897 char filename[NAME_MAX];
898
899 encode_key_for_uid(filename, uid, keyName);
900 ResponseCode responseCode = keyStore->get(filename, keyBlob, type);
901 if (responseCode == NO_ERROR) {
902 return responseCode;
903 }
904
905 // If this is the Wifi or VPN user, they actually want system
906 // UID keys.
907 if (uid == AID_WIFI || uid == AID_VPN) {
908 encode_key_for_uid(filename, AID_SYSTEM, keyName);
909 responseCode = keyStore->get(filename, keyBlob, type);
910 if (responseCode == NO_ERROR) {
911 return responseCode;
912 }
913 }
914
915 // They might be using a granted key.
916 encode_key(filename, keyName);
917 if (!keyStore->hasGrant(filename, uid)) {
918 return responseCode;
919 }
920
921 // It is a granted key. Try to load it.
922 return keyStore->get(filename, keyBlob, type);
923 }
924
925 /* Here are the actions. Each of them is a function without arguments. All
926 * information is defined in global variables, which are set properly before
927 * performing an action. The number of parameters required by each action is
928 * fixed and defined in a table. If the return value of an action is positive,
929 * it will be treated as a response code and transmitted to the client. Note
930 * that the lengths of parameters are checked when they are received, so
931 * boundary checks on parameters are omitted. */
932
933 static const ResponseCode NO_ERROR_RESPONSE_CODE_SENT = (ResponseCode) 0;
934
test(KeyStore * keyStore,int,uid_t,Value *,Value *,Value *)935 static ResponseCode test(KeyStore* keyStore, int, uid_t, Value*, Value*, Value*) {
936 return (ResponseCode) keyStore->getState();
937 }
938
get(KeyStore * keyStore,int sock,uid_t uid,Value * keyName,Value *,Value *)939 static ResponseCode get(KeyStore* keyStore, int sock, uid_t uid, Value* keyName, Value*, Value*) {
940 char filename[NAME_MAX];
941 encode_key_for_uid(filename, uid, keyName);
942 Blob keyBlob;
943 ResponseCode responseCode = keyStore->get(filename, &keyBlob, TYPE_GENERIC);
944 if (responseCode != NO_ERROR) {
945 return responseCode;
946 }
947 send_code(sock, NO_ERROR);
948 send_message(sock, keyBlob.getValue(), keyBlob.getLength());
949 return NO_ERROR_RESPONSE_CODE_SENT;
950 }
951
insert(KeyStore * keyStore,int,uid_t uid,Value * keyName,Value * val,Value *)952 static ResponseCode insert(KeyStore* keyStore, int, uid_t uid, Value* keyName, Value* val,
953 Value*) {
954 char filename[NAME_MAX];
955 encode_key_for_uid(filename, uid, keyName);
956 Blob keyBlob(val->value, val->length, NULL, 0, TYPE_GENERIC);
957 return keyStore->put(filename, &keyBlob);
958 }
959
del(KeyStore * keyStore,int,uid_t uid,Value * keyName,Value *,Value *)960 static ResponseCode del(KeyStore* keyStore, int, uid_t uid, Value* keyName, Value*, Value*) {
961 char filename[NAME_MAX];
962 encode_key_for_uid(filename, uid, keyName);
963 Blob keyBlob;
964 ResponseCode responseCode = keyStore->get(filename, &keyBlob, TYPE_GENERIC);
965 if (responseCode != NO_ERROR) {
966 return responseCode;
967 }
968 return (unlink(filename) && errno != ENOENT) ? SYSTEM_ERROR : NO_ERROR;
969 }
970
exist(KeyStore *,int,uid_t uid,Value * keyName,Value *,Value *)971 static ResponseCode exist(KeyStore*, int, uid_t uid, Value* keyName, Value*, Value*) {
972 char filename[NAME_MAX];
973 encode_key_for_uid(filename, uid, keyName);
974 if (access(filename, R_OK) == -1) {
975 return (errno != ENOENT) ? SYSTEM_ERROR : KEY_NOT_FOUND;
976 }
977 return NO_ERROR;
978 }
979
saw(KeyStore *,int sock,uid_t uid,Value * keyPrefix,Value *,Value *)980 static ResponseCode saw(KeyStore*, int sock, uid_t uid, Value* keyPrefix, Value*, Value*) {
981 DIR* dir = opendir(".");
982 if (!dir) {
983 return SYSTEM_ERROR;
984 }
985 char filename[NAME_MAX];
986 int n = encode_key_for_uid(filename, uid, keyPrefix);
987 send_code(sock, NO_ERROR);
988
989 struct dirent* file;
990 while ((file = readdir(dir)) != NULL) {
991 if (!strncmp(filename, file->d_name, n)) {
992 const char* p = &file->d_name[n];
993 keyPrefix->length = decode_key(keyPrefix->value, p, strlen(p));
994 send_message(sock, keyPrefix->value, keyPrefix->length);
995 }
996 }
997 closedir(dir);
998 return NO_ERROR_RESPONSE_CODE_SENT;
999 }
1000
reset(KeyStore * keyStore,int,uid_t,Value *,Value *,Value *)1001 static ResponseCode reset(KeyStore* keyStore, int, uid_t, Value*, Value*, Value*) {
1002 ResponseCode rc = keyStore->reset() ? NO_ERROR : SYSTEM_ERROR;
1003
1004 const keymaster_device_t* device = keyStore->getDevice();
1005 if (device == NULL) {
1006 ALOGE("No keymaster device!");
1007 return SYSTEM_ERROR;
1008 }
1009
1010 if (device->delete_all == NULL) {
1011 ALOGV("keymaster device doesn't implement delete_all");
1012 return rc;
1013 }
1014
1015 if (device->delete_all(device)) {
1016 ALOGE("Problem calling keymaster's delete_all");
1017 return SYSTEM_ERROR;
1018 }
1019
1020 return rc;
1021 }
1022
1023 /* Here is the history. To improve the security, the parameters to generate the
1024 * master key has been changed. To make a seamless transition, we update the
1025 * file using the same password when the user unlock it for the first time. If
1026 * any thing goes wrong during the transition, the new file will not overwrite
1027 * the old one. This avoids permanent damages of the existing data. */
1028
password(KeyStore * keyStore,int,uid_t,Value * pw,Value *,Value *)1029 static ResponseCode password(KeyStore* keyStore, int, uid_t, Value* pw, Value*, Value*) {
1030 switch (keyStore->getState()) {
1031 case STATE_UNINITIALIZED: {
1032 // generate master key, encrypt with password, write to file, initialize mMasterKey*.
1033 return keyStore->initialize(pw);
1034 }
1035 case STATE_NO_ERROR: {
1036 // rewrite master key with new password.
1037 return keyStore->writeMasterKey(pw);
1038 }
1039 case STATE_LOCKED: {
1040 // read master key, decrypt with password, initialize mMasterKey*.
1041 return keyStore->readMasterKey(pw);
1042 }
1043 }
1044 return SYSTEM_ERROR;
1045 }
1046
lock(KeyStore * keyStore,int,uid_t,Value *,Value *,Value *)1047 static ResponseCode lock(KeyStore* keyStore, int, uid_t, Value*, Value*, Value*) {
1048 keyStore->lock();
1049 return NO_ERROR;
1050 }
1051
unlock(KeyStore * keyStore,int sock,uid_t uid,Value * pw,Value * unused,Value * unused2)1052 static ResponseCode unlock(KeyStore* keyStore, int sock, uid_t uid, Value* pw, Value* unused,
1053 Value* unused2) {
1054 return password(keyStore, sock, uid, pw, unused, unused2);
1055 }
1056
zero(KeyStore * keyStore,int,uid_t,Value *,Value *,Value *)1057 static ResponseCode zero(KeyStore* keyStore, int, uid_t, Value*, Value*, Value*) {
1058 return keyStore->isEmpty() ? KEY_NOT_FOUND : NO_ERROR;
1059 }
1060
generate(KeyStore * keyStore,int,uid_t uid,Value * keyName,Value *,Value *)1061 static ResponseCode generate(KeyStore* keyStore, int, uid_t uid, Value* keyName, Value*,
1062 Value*) {
1063 char filename[NAME_MAX];
1064 uint8_t* data;
1065 size_t dataLength;
1066 int rc;
1067
1068 const keymaster_device_t* device = keyStore->getDevice();
1069 if (device == NULL) {
1070 return SYSTEM_ERROR;
1071 }
1072
1073 if (device->generate_keypair == NULL) {
1074 return SYSTEM_ERROR;
1075 }
1076
1077 keymaster_rsa_keygen_params_t rsa_params;
1078 rsa_params.modulus_size = 2048;
1079 rsa_params.public_exponent = 0x10001;
1080
1081 rc = device->generate_keypair(device, TYPE_RSA, &rsa_params, &data, &dataLength);
1082 if (rc) {
1083 return SYSTEM_ERROR;
1084 }
1085
1086 encode_key_for_uid(filename, uid, keyName);
1087
1088 Blob keyBlob(data, dataLength, NULL, 0, TYPE_KEY_PAIR);
1089 free(data);
1090
1091 return keyStore->put(filename, &keyBlob);
1092 }
1093
import(KeyStore * keyStore,int,uid_t uid,Value * keyName,Value * key,Value *)1094 static ResponseCode import(KeyStore* keyStore, int, uid_t uid, Value* keyName, Value* key,
1095 Value*) {
1096 char filename[NAME_MAX];
1097
1098 encode_key_for_uid(filename, uid, keyName);
1099
1100 return keyStore->importKey(key, filename);
1101 }
1102
1103 /*
1104 * TODO: The abstraction between things stored in hardware and regular blobs
1105 * of data stored on the filesystem should be moved down to keystore itself.
1106 * Unfortunately the Java code that calls this has naming conventions that it
1107 * knows about. Ideally keystore shouldn't be used to store random blobs of
1108 * data.
1109 *
1110 * Until that happens, it's necessary to have a separate "get_pubkey" and
1111 * "del_key" since the Java code doesn't really communicate what it's
1112 * intentions are.
1113 */
get_pubkey(KeyStore * keyStore,int sock,uid_t uid,Value * keyName,Value *,Value *)1114 static ResponseCode get_pubkey(KeyStore* keyStore, int sock, uid_t uid, Value* keyName, Value*, Value*) {
1115 Blob keyBlob;
1116 ALOGV("get_pubkey '%s' from uid %d", ValueString(keyName).c_str(), uid);
1117
1118 ResponseCode responseCode = get_key_for_name(keyStore, &keyBlob, keyName, uid, TYPE_KEY_PAIR);
1119 if (responseCode != NO_ERROR) {
1120 return responseCode;
1121 }
1122
1123 const keymaster_device_t* device = keyStore->getDevice();
1124 if (device == NULL) {
1125 return SYSTEM_ERROR;
1126 }
1127
1128 if (device->get_keypair_public == NULL) {
1129 ALOGE("device has no get_keypair_public implementation!");
1130 return SYSTEM_ERROR;
1131 }
1132
1133 uint8_t* data = NULL;
1134 size_t dataLength;
1135
1136 int rc = device->get_keypair_public(device, keyBlob.getValue(), keyBlob.getLength(), &data,
1137 &dataLength);
1138 if (rc) {
1139 return SYSTEM_ERROR;
1140 }
1141
1142 send_code(sock, NO_ERROR);
1143 send_message(sock, data, dataLength);
1144 free(data);
1145
1146 return NO_ERROR_RESPONSE_CODE_SENT;
1147 }
1148
del_key(KeyStore * keyStore,int,uid_t uid,Value * keyName,Value *,Value *)1149 static ResponseCode del_key(KeyStore* keyStore, int, uid_t uid, Value* keyName, Value*,
1150 Value*) {
1151 char filename[NAME_MAX];
1152 encode_key_for_uid(filename, uid, keyName);
1153 Blob keyBlob;
1154 ResponseCode responseCode = keyStore->get(filename, &keyBlob, TYPE_KEY_PAIR);
1155 if (responseCode != NO_ERROR) {
1156 return responseCode;
1157 }
1158
1159 ResponseCode rc = NO_ERROR;
1160
1161 const keymaster_device_t* device = keyStore->getDevice();
1162 if (device == NULL) {
1163 rc = SYSTEM_ERROR;
1164 } else {
1165 // A device doesn't have to implement delete_keypair.
1166 if (device->delete_keypair != NULL) {
1167 if (device->delete_keypair(device, keyBlob.getValue(), keyBlob.getLength())) {
1168 rc = SYSTEM_ERROR;
1169 }
1170 }
1171 }
1172
1173 if (rc != NO_ERROR) {
1174 return rc;
1175 }
1176
1177 return (unlink(filename) && errno != ENOENT) ? SYSTEM_ERROR : NO_ERROR;
1178 }
1179
sign(KeyStore * keyStore,int sock,uid_t uid,Value * keyName,Value * data,Value *)1180 static ResponseCode sign(KeyStore* keyStore, int sock, uid_t uid, Value* keyName, Value* data,
1181 Value*) {
1182 ALOGV("sign %s from uid %d", ValueString(keyName).c_str(), uid);
1183 Blob keyBlob;
1184 int rc;
1185
1186 ResponseCode responseCode = get_key_for_name(keyStore, &keyBlob, keyName, uid, TYPE_KEY_PAIR);
1187 if (responseCode != NO_ERROR) {
1188 return responseCode;
1189 }
1190
1191 uint8_t* signedData;
1192 size_t signedDataLength;
1193
1194 const keymaster_device_t* device = keyStore->getDevice();
1195 if (device == NULL) {
1196 ALOGE("no keymaster device; cannot sign");
1197 return SYSTEM_ERROR;
1198 }
1199
1200 if (device->sign_data == NULL) {
1201 ALOGE("device doesn't implement signing");
1202 return SYSTEM_ERROR;
1203 }
1204
1205 keymaster_rsa_sign_params_t params;
1206 params.digest_type = DIGEST_NONE;
1207 params.padding_type = PADDING_NONE;
1208
1209 rc = device->sign_data(device, ¶ms, keyBlob.getValue(), keyBlob.getLength(),
1210 data->value, data->length, &signedData, &signedDataLength);
1211 if (rc) {
1212 ALOGW("device couldn't sign data");
1213 return SYSTEM_ERROR;
1214 }
1215
1216 send_code(sock, NO_ERROR);
1217 send_message(sock, signedData, signedDataLength);
1218 return NO_ERROR_RESPONSE_CODE_SENT;
1219 }
1220
verify(KeyStore * keyStore,int,uid_t uid,Value * keyName,Value * data,Value * signature)1221 static ResponseCode verify(KeyStore* keyStore, int, uid_t uid, Value* keyName, Value* data,
1222 Value* signature) {
1223 Blob keyBlob;
1224 int rc;
1225
1226 ResponseCode responseCode = get_key_for_name(keyStore, &keyBlob, keyName, uid, TYPE_KEY_PAIR);
1227 if (responseCode != NO_ERROR) {
1228 return responseCode;
1229 }
1230
1231 const keymaster_device_t* device = keyStore->getDevice();
1232 if (device == NULL) {
1233 return SYSTEM_ERROR;
1234 }
1235
1236 if (device->verify_data == NULL) {
1237 return SYSTEM_ERROR;
1238 }
1239
1240 keymaster_rsa_sign_params_t params;
1241 params.digest_type = DIGEST_NONE;
1242 params.padding_type = PADDING_NONE;
1243
1244 rc = device->verify_data(device, ¶ms, keyBlob.getValue(), keyBlob.getLength(),
1245 data->value, data->length, signature->value, signature->length);
1246 if (rc) {
1247 return SYSTEM_ERROR;
1248 } else {
1249 return NO_ERROR;
1250 }
1251 }
1252
grant(KeyStore * keyStore,int,uid_t uid,Value * keyName,Value * granteeData,Value *)1253 static ResponseCode grant(KeyStore* keyStore, int, uid_t uid, Value* keyName,
1254 Value* granteeData, Value*) {
1255 char filename[NAME_MAX];
1256 encode_key_for_uid(filename, uid, keyName);
1257 if (access(filename, R_OK) == -1) {
1258 return (errno != ENOENT) ? SYSTEM_ERROR : KEY_NOT_FOUND;
1259 }
1260
1261 keyStore->addGrant(filename, granteeData);
1262 return NO_ERROR;
1263 }
1264
ungrant(KeyStore * keyStore,int,uid_t uid,Value * keyName,Value * granteeData,Value *)1265 static ResponseCode ungrant(KeyStore* keyStore, int, uid_t uid, Value* keyName,
1266 Value* granteeData, Value*) {
1267 char filename[NAME_MAX];
1268 encode_key_for_uid(filename, uid, keyName);
1269 if (access(filename, R_OK) == -1) {
1270 return (errno != ENOENT) ? SYSTEM_ERROR : KEY_NOT_FOUND;
1271 }
1272
1273 return keyStore->removeGrant(filename, granteeData) ? NO_ERROR : KEY_NOT_FOUND;
1274 }
1275
getmtime(KeyStore *,int sock,uid_t uid,Value * keyName,Value *,Value *)1276 static ResponseCode getmtime(KeyStore*, int sock, uid_t uid, Value* keyName,
1277 Value*, Value*) {
1278 char filename[NAME_MAX];
1279 encode_key_for_uid(filename, uid, keyName);
1280 if (access(filename, R_OK) == -1) {
1281 return (errno != ENOENT) ? SYSTEM_ERROR : KEY_NOT_FOUND;
1282 }
1283
1284 int fd = open(filename, O_NOFOLLOW, O_RDONLY);
1285 if (fd < 0) {
1286 return SYSTEM_ERROR;
1287 }
1288
1289 struct stat s;
1290 int ret = fstat(fd, &s);
1291 close(fd);
1292 if (ret == -1) {
1293 return SYSTEM_ERROR;
1294 }
1295
1296 uint8_t *data;
1297 int dataLength = asprintf(reinterpret_cast<char**>(&data), "%lu", s.st_mtime);
1298 if (dataLength < 0) {
1299 return SYSTEM_ERROR;
1300 }
1301
1302 send_code(sock, NO_ERROR);
1303 send_message(sock, data, dataLength);
1304 free(data);
1305
1306 return NO_ERROR_RESPONSE_CODE_SENT;
1307 }
1308
1309 /* Here are the permissions, actions, users, and the main function. */
1310 enum perm {
1311 P_TEST = 1 << TEST,
1312 P_GET = 1 << GET,
1313 P_INSERT = 1 << INSERT,
1314 P_DELETE = 1 << DELETE,
1315 P_EXIST = 1 << EXIST,
1316 P_SAW = 1 << SAW,
1317 P_RESET = 1 << RESET,
1318 P_PASSWORD = 1 << PASSWORD,
1319 P_LOCK = 1 << LOCK,
1320 P_UNLOCK = 1 << UNLOCK,
1321 P_ZERO = 1 << ZERO,
1322 P_SIGN = 1 << SIGN,
1323 P_VERIFY = 1 << VERIFY,
1324 P_GRANT = 1 << GRANT,
1325 };
1326
1327 static const int MAX_PARAM = 3;
1328
1329 static const State STATE_ANY = (State) 0;
1330
1331 static struct action {
1332 ResponseCode (*run)(KeyStore* keyStore, int sock, uid_t uid, Value* param1, Value* param2,
1333 Value* param3);
1334 int8_t code;
1335 State state;
1336 uint32_t perm;
1337 int lengths[MAX_PARAM];
1338 } actions[] = {
1339 {test, CommandCodes[TEST], STATE_ANY, P_TEST, {0, 0, 0}},
1340 {get, CommandCodes[GET], STATE_NO_ERROR, P_GET, {KEY_SIZE, 0, 0}},
1341 {insert, CommandCodes[INSERT], STATE_NO_ERROR, P_INSERT, {KEY_SIZE, VALUE_SIZE, 0}},
1342 {del, CommandCodes[DELETE], STATE_ANY, P_DELETE, {KEY_SIZE, 0, 0}},
1343 {exist, CommandCodes[EXIST], STATE_ANY, P_EXIST, {KEY_SIZE, 0, 0}},
1344 {saw, CommandCodes[SAW], STATE_ANY, P_SAW, {KEY_SIZE, 0, 0}},
1345 {reset, CommandCodes[RESET], STATE_ANY, P_RESET, {0, 0, 0}},
1346 {password, CommandCodes[PASSWORD], STATE_ANY, P_PASSWORD, {PASSWORD_SIZE, 0, 0}},
1347 {lock, CommandCodes[LOCK], STATE_NO_ERROR, P_LOCK, {0, 0, 0}},
1348 {unlock, CommandCodes[UNLOCK], STATE_LOCKED, P_UNLOCK, {PASSWORD_SIZE, 0, 0}},
1349 {zero, CommandCodes[ZERO], STATE_ANY, P_ZERO, {0, 0, 0}},
1350 {generate, CommandCodes[GENERATE], STATE_NO_ERROR, P_INSERT, {KEY_SIZE, 0, 0}},
1351 {import, CommandCodes[IMPORT], STATE_NO_ERROR, P_INSERT, {KEY_SIZE, VALUE_SIZE, 0}},
1352 {sign, CommandCodes[SIGN], STATE_NO_ERROR, P_SIGN, {KEY_SIZE, VALUE_SIZE, 0}},
1353 {verify, CommandCodes[VERIFY], STATE_NO_ERROR, P_VERIFY, {KEY_SIZE, VALUE_SIZE, VALUE_SIZE}},
1354 {get_pubkey, CommandCodes[GET_PUBKEY], STATE_NO_ERROR, P_GET, {KEY_SIZE, 0, 0}},
1355 {del_key, CommandCodes[DEL_KEY], STATE_ANY, P_DELETE, {KEY_SIZE, 0, 0}},
1356 {grant, CommandCodes[GRANT], STATE_NO_ERROR, P_GRANT, {KEY_SIZE, KEY_SIZE, 0}},
1357 {ungrant, CommandCodes[UNGRANT], STATE_NO_ERROR, P_GRANT, {KEY_SIZE, KEY_SIZE, 0}},
1358 {getmtime, CommandCodes[GETMTIME], STATE_ANY, P_SAW, {KEY_SIZE, 0, 0}},
1359 {NULL, 0, STATE_ANY, 0, {0, 0, 0}},
1360 };
1361
1362 static struct user {
1363 uid_t uid;
1364 uid_t euid;
1365 uint32_t perms;
1366 } users[] = {
1367 {AID_SYSTEM, ~0, ~0},
1368 {AID_VPN, AID_SYSTEM, P_GET | P_SIGN | P_VERIFY },
1369 {AID_WIFI, AID_SYSTEM, P_GET | P_SIGN | P_VERIFY },
1370 {AID_ROOT, AID_SYSTEM, P_GET},
1371 {~0, ~0, P_TEST | P_GET | P_INSERT | P_DELETE | P_EXIST | P_SAW |
1372 P_SIGN | P_VERIFY},
1373 };
1374
process(KeyStore * keyStore,int sock,uid_t uid,int8_t code)1375 static ResponseCode process(KeyStore* keyStore, int sock, uid_t uid, int8_t code) {
1376 struct user* user = users;
1377 struct action* action = actions;
1378 int i;
1379
1380 while (~user->uid && user->uid != (uid % AID_USER)) {
1381 ++user;
1382 }
1383 while (action->code && action->code != code) {
1384 ++action;
1385 }
1386 if (!action->code) {
1387 return UNDEFINED_ACTION;
1388 }
1389 if (!(action->perm & user->perms)) {
1390 return PERMISSION_DENIED;
1391 }
1392 if (action->state != STATE_ANY && action->state != keyStore->getState()) {
1393 return (ResponseCode) keyStore->getState();
1394 }
1395 if (~user->euid) {
1396 uid = user->euid;
1397 }
1398 Value params[MAX_PARAM];
1399 for (i = 0; i < MAX_PARAM && action->lengths[i] != 0; ++i) {
1400 params[i].length = recv_message(sock, params[i].value, action->lengths[i]);
1401 if (params[i].length < 0) {
1402 return PROTOCOL_ERROR;
1403 }
1404 }
1405 if (!recv_end_of_file(sock)) {
1406 return PROTOCOL_ERROR;
1407 }
1408 return action->run(keyStore, sock, uid, ¶ms[0], ¶ms[1], ¶ms[2]);
1409 }
1410
main(int argc,char * argv[])1411 int main(int argc, char* argv[]) {
1412 int controlSocket = android_get_control_socket("keystore");
1413 if (argc < 2) {
1414 ALOGE("A directory must be specified!");
1415 return 1;
1416 }
1417 if (chdir(argv[1]) == -1) {
1418 ALOGE("chdir: %s: %s", argv[1], strerror(errno));
1419 return 1;
1420 }
1421
1422 Entropy entropy;
1423 if (!entropy.open()) {
1424 return 1;
1425 }
1426
1427 keymaster_device_t* dev;
1428 if (keymaster_device_initialize(&dev)) {
1429 ALOGE("keystore keymaster could not be initialized; exiting");
1430 return 1;
1431 }
1432
1433 if (listen(controlSocket, 3) == -1) {
1434 ALOGE("listen: %s", strerror(errno));
1435 return 1;
1436 }
1437
1438 signal(SIGPIPE, SIG_IGN);
1439
1440 KeyStore keyStore(&entropy, dev);
1441 int sock;
1442 while ((sock = accept(controlSocket, NULL, 0)) != -1) {
1443 struct timeval tv;
1444 tv.tv_sec = 3;
1445 setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
1446 setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv));
1447
1448 struct ucred cred;
1449 socklen_t size = sizeof(cred);
1450 int credResult = getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cred, &size);
1451 if (credResult != 0) {
1452 ALOGW("getsockopt: %s", strerror(errno));
1453 } else {
1454 int8_t request;
1455 if (recv_code(sock, &request)) {
1456 State old_state = keyStore.getState();
1457 ResponseCode response = process(&keyStore, sock, cred.uid, request);
1458 if (response == NO_ERROR_RESPONSE_CODE_SENT) {
1459 response = NO_ERROR;
1460 } else {
1461 send_code(sock, response);
1462 }
1463 ALOGI("uid: %d action: %c -> %d state: %d -> %d retry: %d",
1464 cred.uid,
1465 request, response,
1466 old_state, keyStore.getState(),
1467 keyStore.getRetry());
1468 }
1469 }
1470 close(sock);
1471 }
1472 ALOGE("accept: %s", strerror(errno));
1473
1474 keymaster_device_release(dev);
1475
1476 return 1;
1477 }
1478