blob: 72170e39031f4ff015ab531425150d59dbe6207a [file] [log] [blame]
Janis Danisevskis2ad849b2017-02-07 08:52:08 +00001/*
2**
3** Copyright 2017, The Android Open Source Project
4**
5** Licensed under the Apache License, Version 2.0 (the "License");
6** you may not use this file except in compliance with the License.
7** You may obtain a copy of the License at
8**
9** http://www.apache.org/licenses/LICENSE-2.0
10**
11** Unless required by applicable law or agreed to in writing, software
12** distributed under the License is distributed on an "AS IS" BASIS,
13** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14** See the License for the specific language governing permissions and
15** limitations under the License.
16*/
17
18#define LOG_TAG "scrypt_test"
19#include <log/log.h>
20
Paul Crowley14c8c072018-09-18 13:30:21 -070021#include <gtest/gtest.h>
Janis Danisevskis2ad849b2017-02-07 08:52:08 +000022#include <hardware/keymaster0.h>
23#include <hardware/keymaster1.h>
24#include <cstring>
Janis Danisevskis2ad849b2017-02-07 08:52:08 +000025
Janis Danisevskis2ad849b2017-02-07 08:52:08 +000026#include "../Keymaster.h"
Paul Crowley14c8c072018-09-18 13:30:21 -070027#include "../cryptfs.h"
Janis Danisevskis2ad849b2017-02-07 08:52:08 +000028
29#ifdef CONFIG_HW_DISK_ENCRYPTION
30#include "cryptfs_hw.h"
31#endif
32
33#define min(a, b) ((a) < (b) ? (a) : (b))
34
35/* Maximum allowed keymaster blob size. */
36#define KEYMASTER_BLOB_SIZE 2048
37
38/* Key Derivation Function algorithms */
39#define KDF_PBKDF2 1
40#define KDF_SCRYPT 2
41/* Algorithms 3 & 4 deprecated before shipping outside of google, so removed */
42#define KDF_SCRYPT_KEYMASTER 5
43
44#define KEY_LEN_BYTES 16
45
46#define DEFAULT_PASSWORD "default_password"
47
48#define RSA_KEY_SIZE 2048
49#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
50#define RSA_EXPONENT 0x10001
51#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
52
Paul Crowley14c8c072018-09-18 13:30:21 -070053static int keymaster_init(keymaster0_device_t** keymaster0_dev,
54 keymaster1_device_t** keymaster1_dev) {
Janis Danisevskis2ad849b2017-02-07 08:52:08 +000055 int rc;
56
57 const hw_module_t* mod;
58 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
59 if (rc) {
60 ALOGE("could not find any keystore module");
61 goto err;
62 }
63
64 SLOGI("keymaster module name is %s", mod->name);
65 SLOGI("keymaster version is %d", mod->module_api_version);
66
67 *keymaster0_dev = NULL;
68 *keymaster1_dev = NULL;
69 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
70 SLOGI("Found keymaster1 module, using keymaster1 API.");
71 rc = keymaster1_open(mod, keymaster1_dev);
72 } else {
73 SLOGI("Found keymaster0 module, using keymaster0 API.");
74 rc = keymaster0_open(mod, keymaster0_dev);
75 }
76
77 if (rc) {
Paul Crowley14c8c072018-09-18 13:30:21 -070078 ALOGE("could not open keymaster device in %s (%s)", KEYSTORE_HARDWARE_MODULE_ID,
79 strerror(-rc));
Janis Danisevskis2ad849b2017-02-07 08:52:08 +000080 goto err;
81 }
82
83 return 0;
84
85err:
86 *keymaster0_dev = NULL;
87 *keymaster1_dev = NULL;
88 return rc;
89}
90
91/* Should we use keymaster? */
Paul Crowley14c8c072018-09-18 13:30:21 -070092static int keymaster_check_compatibility_old() {
93 keymaster0_device_t* keymaster0_dev = 0;
94 keymaster1_device_t* keymaster1_dev = 0;
Janis Danisevskis2ad849b2017-02-07 08:52:08 +000095 int rc = 0;
96
97 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
98 SLOGE("Failed to init keymaster");
99 rc = -1;
100 goto out;
101 }
102
103 if (keymaster1_dev) {
104 rc = 1;
105 goto out;
106 }
107
108 if (!keymaster0_dev || !keymaster0_dev->common.module) {
109 rc = -1;
110 goto out;
111 }
112
113 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2
114 // should work.
Paul Crowley14c8c072018-09-18 13:30:21 -0700115 if (keymaster0_dev->common.module->module_api_version < KEYMASTER_MODULE_API_VERSION_0_3) {
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000116 rc = 0;
117 goto out;
118 }
119
120 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
121 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
122 rc = 1;
123 }
124
125out:
126 if (keymaster1_dev) {
127 keymaster1_close(keymaster1_dev);
128 }
129 if (keymaster0_dev) {
130 keymaster0_close(keymaster0_dev);
131 }
132 return rc;
133}
134
135/* Create a new keymaster key and store it in this footer */
Paul Crowley14c8c072018-09-18 13:30:21 -0700136static int keymaster_create_key_old(struct crypt_mnt_ftr* ftr) {
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000137 uint8_t* key = 0;
Paul Crowley14c8c072018-09-18 13:30:21 -0700138 keymaster0_device_t* keymaster0_dev = 0;
139 keymaster1_device_t* keymaster1_dev = 0;
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000140
141 if (ftr->keymaster_blob_size) {
142 SLOGI("Already have key");
143 return 0;
144 }
145
146 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
147 SLOGE("Failed to init keymaster");
148 return -1;
149 }
150
151 int rc = 0;
152 size_t key_size = 0;
153 if (keymaster1_dev) {
154 keymaster_key_param_t params[] = {
155 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */
156 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
157 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
158 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
159
160 /* The only allowed purpose for this key is signing. */
161 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
162
163 /* Padding & digest specifications. */
164 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
165 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
166
167 /* Require that the key be usable in standalone mode. File system isn't available. */
168 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
169
170 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
171 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
172
173 /* Rate-limit key usage attempts, to rate-limit brute force */
174 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
175 };
Paul Crowley14c8c072018-09-18 13:30:21 -0700176 keymaster_key_param_set_t param_set = {params, sizeof(params) / sizeof(*params)};
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000177 keymaster_key_blob_t key_blob;
Paul Crowley14c8c072018-09-18 13:30:21 -0700178 keymaster_error_t error = keymaster1_dev->generate_key(
179 keymaster1_dev, &param_set, &key_blob, NULL /* characteristics */);
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000180 if (error != KM_ERROR_OK) {
181 SLOGE("Failed to generate keymaster1 key, error %d", error);
182 rc = -1;
183 goto out;
184 }
185
186 key = (uint8_t*)key_blob.key_material;
187 key_size = key_blob.key_material_size;
Paul Crowley14c8c072018-09-18 13:30:21 -0700188 } else if (keymaster0_dev) {
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000189 keymaster_rsa_keygen_params_t params;
190 memset(&params, '\0', sizeof(params));
191 params.public_exponent = RSA_EXPONENT;
192 params.modulus_size = RSA_KEY_SIZE;
193
Paul Crowley14c8c072018-09-18 13:30:21 -0700194 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, &params, &key, &key_size)) {
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000195 SLOGE("Failed to generate keypair");
196 rc = -1;
197 goto out;
198 }
199 } else {
200 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device");
201 rc = -1;
202 goto out;
203 }
204
205 if (key_size > KEYMASTER_BLOB_SIZE) {
206 SLOGE("Keymaster key too large for crypto footer");
207 rc = -1;
208 goto out;
209 }
210
211 memcpy(ftr->keymaster_blob, key, key_size);
212 ftr->keymaster_blob_size = key_size;
213
214out:
Paul Crowley14c8c072018-09-18 13:30:21 -0700215 if (keymaster0_dev) keymaster0_close(keymaster0_dev);
216 if (keymaster1_dev) keymaster1_close(keymaster1_dev);
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000217 free(key);
218 return rc;
219}
220
221/* This signs the given object using the keymaster key. */
Paul Crowley14c8c072018-09-18 13:30:21 -0700222static int keymaster_sign_object_old(struct crypt_mnt_ftr* ftr, const unsigned char* object,
223 const size_t object_size, unsigned char** signature,
224 size_t* signature_size) {
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000225 int rc = 0;
Paul Crowley14c8c072018-09-18 13:30:21 -0700226 keymaster0_device_t* keymaster0_dev = 0;
227 keymaster1_device_t* keymaster1_dev = 0;
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000228
229 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
230 size_t to_sign_size = sizeof(to_sign);
231 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
232
233 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
234 SLOGE("Failed to init keymaster");
235 rc = -1;
236 goto out;
237 }
238
239 // To sign a message with RSA, the message must satisfy two
240 // constraints:
241 //
242 // 1. The message, when interpreted as a big-endian numeric value, must
243 // be strictly less than the public modulus of the RSA key. Note
244 // that because the most significant bit of the public modulus is
245 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
246 // key), an n-bit message with most significant bit 0 always
247 // satisfies this requirement.
248 //
249 // 2. The message must have the same length in bits as the public
250 // modulus of the RSA key. This requirement isn't mathematically
251 // necessary, but is necessary to ensure consistency in
252 // implementations.
253 switch (ftr->kdf_type) {
254 case KDF_SCRYPT_KEYMASTER:
255 // This ensures the most significant byte of the signed message
256 // is zero. We could have zero-padded to the left instead, but
257 // this approach is slightly more robust against changes in
258 // object size. However, it's still broken (but not unusably
259 // so) because we really should be using a proper deterministic
260 // RSA padding function, such as PKCS1.
261 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
262 SLOGI("Signing safely-padded object");
263 break;
264 default:
265 SLOGE("Unknown KDF type %d", ftr->kdf_type);
266 rc = -1;
267 goto out;
268 }
269
270 if (keymaster0_dev) {
271 keymaster_rsa_sign_params_t params;
272 params.digest_type = DIGEST_NONE;
273 params.padding_type = PADDING_NONE;
274
Paul Crowley14c8c072018-09-18 13:30:21 -0700275 rc = keymaster0_dev->sign_data(keymaster0_dev, &params, ftr->keymaster_blob,
276 ftr->keymaster_blob_size, to_sign, to_sign_size, signature,
277 signature_size);
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000278 goto out;
279 } else if (keymaster1_dev) {
Paul Crowley14c8c072018-09-18 13:30:21 -0700280 keymaster_key_blob_t key = {ftr->keymaster_blob, ftr->keymaster_blob_size};
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000281 keymaster_key_param_t params[] = {
282 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
283 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
284 };
Paul Crowley14c8c072018-09-18 13:30:21 -0700285 keymaster_key_param_set_t param_set = {params, sizeof(params) / sizeof(*params)};
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000286 keymaster_operation_handle_t op_handle;
Paul Crowley14c8c072018-09-18 13:30:21 -0700287 keymaster_error_t error = keymaster1_dev->begin(
288 keymaster1_dev, KM_PURPOSE_SIGN, &key, &param_set, NULL /* out_params */, &op_handle);
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000289 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
290 // Key usage has been rate-limited. Wait a bit and try again.
291 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
Paul Crowley14c8c072018-09-18 13:30:21 -0700292 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, &param_set,
293 NULL /* out_params */, &op_handle);
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000294 }
295 if (error != KM_ERROR_OK) {
296 SLOGE("Error starting keymaster signature transaction: %d", error);
297 rc = -1;
298 goto out;
299 }
300
Paul Crowley14c8c072018-09-18 13:30:21 -0700301 keymaster_blob_t input = {to_sign, to_sign_size};
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000302 size_t input_consumed;
Paul Crowley14c8c072018-09-18 13:30:21 -0700303 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */, &input,
304 &input_consumed, NULL /* out_params */, NULL /* output */);
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000305 if (error != KM_ERROR_OK) {
306 SLOGE("Error sending data to keymaster signature transaction: %d", error);
307 rc = -1;
308 goto out;
309 }
310 if (input_consumed != to_sign_size) {
311 // This should never happen. If it does, it's a bug in the keymaster implementation.
312 SLOGE("Keymaster update() did not consume all data.");
313 keymaster1_dev->abort(keymaster1_dev, op_handle);
314 rc = -1;
315 goto out;
316 }
317
318 keymaster_blob_t tmp_sig;
319 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
Paul Crowley14c8c072018-09-18 13:30:21 -0700320 NULL /* verify signature */, NULL /* out_params */, &tmp_sig);
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000321 if (error != KM_ERROR_OK) {
322 SLOGE("Error finishing keymaster signature transaction: %d", error);
323 rc = -1;
324 goto out;
325 }
326
327 *signature = (uint8_t*)tmp_sig.data;
328 *signature_size = tmp_sig.data_length;
329 } else {
330 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device.");
331 rc = -1;
332 goto out;
333 }
334
Paul Crowley14c8c072018-09-18 13:30:21 -0700335out:
336 if (keymaster1_dev) keymaster1_close(keymaster1_dev);
337 if (keymaster0_dev) keymaster0_close(keymaster0_dev);
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000338
Paul Crowley14c8c072018-09-18 13:30:21 -0700339 return rc;
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000340}
341
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000342/* Should we use keymaster? */
Paul Crowley14c8c072018-09-18 13:30:21 -0700343static int keymaster_check_compatibility_new() {
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000344 return keymaster_compatibility_cryptfs_scrypt();
345}
346
Chih-Hung Hsieha827f552017-12-07 14:18:34 -0800347#if 0
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000348/* Create a new keymaster key and store it in this footer */
349static int keymaster_create_key_new(struct crypt_mnt_ftr *ftr)
350{
351 if (ftr->keymaster_blob_size) {
352 SLOGI("Already have key");
353 return 0;
354 }
355
356 int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT,
357 KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
358 &ftr->keymaster_blob_size);
359 if (rc) {
360 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
361 SLOGE("Keymaster key blob to large)");
362 ftr->keymaster_blob_size = 0;
363 }
364 SLOGE("Failed to generate keypair");
365 return -1;
366 }
367 return 0;
368}
Chih-Hung Hsieha827f552017-12-07 14:18:34 -0800369#endif
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000370
371/* This signs the given object using the keymaster key. */
Paul Crowley14c8c072018-09-18 13:30:21 -0700372static int keymaster_sign_object_new(struct crypt_mnt_ftr* ftr, const unsigned char* object,
373 const size_t object_size, unsigned char** signature,
374 size_t* signature_size) {
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000375 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
376 size_t to_sign_size = sizeof(to_sign);
377 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
378
379 // To sign a message with RSA, the message must satisfy two
380 // constraints:
381 //
382 // 1. The message, when interpreted as a big-endian numeric value, must
383 // be strictly less than the public modulus of the RSA key. Note
384 // that because the most significant bit of the public modulus is
385 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
386 // key), an n-bit message with most significant bit 0 always
387 // satisfies this requirement.
388 //
389 // 2. The message must have the same length in bits as the public
390 // modulus of the RSA key. This requirement isn't mathematically
391 // necessary, but is necessary to ensure consistency in
392 // implementations.
393 switch (ftr->kdf_type) {
394 case KDF_SCRYPT_KEYMASTER:
395 // This ensures the most significant byte of the signed message
396 // is zero. We could have zero-padded to the left instead, but
397 // this approach is slightly more robust against changes in
398 // object size. However, it's still broken (but not unusably
399 // so) because we really should be using a proper deterministic
400 // RSA padding function, such as PKCS1.
401 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
402 SLOGI("Signing safely-padded object");
403 break;
404 default:
405 SLOGE("Unknown KDF type %d", ftr->kdf_type);
406 return -1;
407 }
Paul Crowley73473332017-11-21 15:43:51 -0800408 if (keymaster_sign_object_for_cryptfs_scrypt(
409 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
410 to_sign_size, signature, signature_size) != KeymasterSignResult::ok)
411 return -1;
412 return 0;
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000413}
414
415namespace android {
416
417class CryptFsTest : public testing::Test {
Paul Crowley14c8c072018-09-18 13:30:21 -0700418 protected:
419 virtual void SetUp() {}
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000420
Paul Crowley14c8c072018-09-18 13:30:21 -0700421 virtual void TearDown() {}
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000422};
423
424TEST_F(CryptFsTest, ScryptHidlizationEquivalenceTest) {
425 crypt_mnt_ftr ftr;
426 ftr.kdf_type = KDF_SCRYPT_KEYMASTER;
427 ftr.keymaster_blob_size = 0;
428
429 ASSERT_EQ(0, keymaster_create_key_old(&ftr));
430
Paul Crowley14c8c072018-09-18 13:30:21 -0700431 uint8_t* sig1 = nullptr;
432 uint8_t* sig2 = nullptr;
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000433 size_t sig_size1 = 123456789;
434 size_t sig_size2 = 123456789;
435 uint8_t object[] = "the object";
436
437 ASSERT_EQ(1, keymaster_check_compatibility_old());
438 ASSERT_EQ(1, keymaster_check_compatibility_new());
439 ASSERT_EQ(0, keymaster_sign_object_old(&ftr, object, 10, &sig1, &sig_size1));
440 ASSERT_EQ(0, keymaster_sign_object_new(&ftr, object, 10, &sig2, &sig_size2));
441
442 ASSERT_EQ(sig_size1, sig_size2);
443 ASSERT_NE(nullptr, sig1);
444 ASSERT_NE(nullptr, sig2);
445 EXPECT_EQ(0, memcmp(sig1, sig2, sig_size1));
446 free(sig1);
447 free(sig2);
448}
449
Paul Crowley14c8c072018-09-18 13:30:21 -0700450} // namespace android