blob: 9c0d684744f5e76ffe52e01b0de4969f8adc095c [file] [log] [blame]
Janis Danisevskis2ad849b2017-02-07 08:52:08 +00001/*
2**
3** Copyright 2017, The Android Open Source Project
4**
5** Licensed under the Apache License, Version 2.0 (the "License");
6** you may not use this file except in compliance with the License.
7** You may obtain a copy of the License at
8**
9** http://www.apache.org/licenses/LICENSE-2.0
10**
11** Unless required by applicable law or agreed to in writing, software
12** distributed under the License is distributed on an "AS IS" BASIS,
13** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14** See the License for the specific language governing permissions and
15** limitations under the License.
16*/
17
18#define LOG_TAG "scrypt_test"
19#include <log/log.h>
20
21#include <hardware/keymaster0.h>
22#include <hardware/keymaster1.h>
23#include <cstring>
24#include <gtest/gtest.h>
25
26#include "../cryptfs.h"
27#include "../Keymaster.h"
28
29#ifdef CONFIG_HW_DISK_ENCRYPTION
30#include "cryptfs_hw.h"
31#endif
32
33#define min(a, b) ((a) < (b) ? (a) : (b))
34
35/* Maximum allowed keymaster blob size. */
36#define KEYMASTER_BLOB_SIZE 2048
37
38/* Key Derivation Function algorithms */
39#define KDF_PBKDF2 1
40#define KDF_SCRYPT 2
41/* Algorithms 3 & 4 deprecated before shipping outside of google, so removed */
42#define KDF_SCRYPT_KEYMASTER 5
43
44#define KEY_LEN_BYTES 16
45
46#define DEFAULT_PASSWORD "default_password"
47
48#define RSA_KEY_SIZE 2048
49#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
50#define RSA_EXPONENT 0x10001
51#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
52
53static int keymaster_init(keymaster0_device_t **keymaster0_dev,
54 keymaster1_device_t **keymaster1_dev)
55{
56 int rc;
57
58 const hw_module_t* mod;
59 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
60 if (rc) {
61 ALOGE("could not find any keystore module");
62 goto err;
63 }
64
65 SLOGI("keymaster module name is %s", mod->name);
66 SLOGI("keymaster version is %d", mod->module_api_version);
67
68 *keymaster0_dev = NULL;
69 *keymaster1_dev = NULL;
70 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
71 SLOGI("Found keymaster1 module, using keymaster1 API.");
72 rc = keymaster1_open(mod, keymaster1_dev);
73 } else {
74 SLOGI("Found keymaster0 module, using keymaster0 API.");
75 rc = keymaster0_open(mod, keymaster0_dev);
76 }
77
78 if (rc) {
79 ALOGE("could not open keymaster device in %s (%s)",
80 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
81 goto err;
82 }
83
84 return 0;
85
86err:
87 *keymaster0_dev = NULL;
88 *keymaster1_dev = NULL;
89 return rc;
90}
91
92/* Should we use keymaster? */
93static int keymaster_check_compatibility_old()
94{
95 keymaster0_device_t *keymaster0_dev = 0;
96 keymaster1_device_t *keymaster1_dev = 0;
97 int rc = 0;
98
99 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
100 SLOGE("Failed to init keymaster");
101 rc = -1;
102 goto out;
103 }
104
105 if (keymaster1_dev) {
106 rc = 1;
107 goto out;
108 }
109
110 if (!keymaster0_dev || !keymaster0_dev->common.module) {
111 rc = -1;
112 goto out;
113 }
114
115 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2
116 // should work.
117 if (keymaster0_dev->common.module->module_api_version
118 < KEYMASTER_MODULE_API_VERSION_0_3) {
119 rc = 0;
120 goto out;
121 }
122
123 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
124 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
125 rc = 1;
126 }
127
128out:
129 if (keymaster1_dev) {
130 keymaster1_close(keymaster1_dev);
131 }
132 if (keymaster0_dev) {
133 keymaster0_close(keymaster0_dev);
134 }
135 return rc;
136}
137
138/* Create a new keymaster key and store it in this footer */
139static int keymaster_create_key_old(struct crypt_mnt_ftr *ftr)
140{
141 uint8_t* key = 0;
142 keymaster0_device_t *keymaster0_dev = 0;
143 keymaster1_device_t *keymaster1_dev = 0;
144
145 if (ftr->keymaster_blob_size) {
146 SLOGI("Already have key");
147 return 0;
148 }
149
150 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
151 SLOGE("Failed to init keymaster");
152 return -1;
153 }
154
155 int rc = 0;
156 size_t key_size = 0;
157 if (keymaster1_dev) {
158 keymaster_key_param_t params[] = {
159 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */
160 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
161 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
162 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
163
164 /* The only allowed purpose for this key is signing. */
165 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
166
167 /* Padding & digest specifications. */
168 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
169 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
170
171 /* Require that the key be usable in standalone mode. File system isn't available. */
172 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
173
174 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
175 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
176
177 /* Rate-limit key usage attempts, to rate-limit brute force */
178 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
179 };
180 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
181 keymaster_key_blob_t key_blob;
182 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, &param_set,
183 &key_blob,
184 NULL /* characteristics */);
185 if (error != KM_ERROR_OK) {
186 SLOGE("Failed to generate keymaster1 key, error %d", error);
187 rc = -1;
188 goto out;
189 }
190
191 key = (uint8_t*)key_blob.key_material;
192 key_size = key_blob.key_material_size;
193 }
194 else if (keymaster0_dev) {
195 keymaster_rsa_keygen_params_t params;
196 memset(&params, '\0', sizeof(params));
197 params.public_exponent = RSA_EXPONENT;
198 params.modulus_size = RSA_KEY_SIZE;
199
200 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, &params,
201 &key, &key_size)) {
202 SLOGE("Failed to generate keypair");
203 rc = -1;
204 goto out;
205 }
206 } else {
207 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device");
208 rc = -1;
209 goto out;
210 }
211
212 if (key_size > KEYMASTER_BLOB_SIZE) {
213 SLOGE("Keymaster key too large for crypto footer");
214 rc = -1;
215 goto out;
216 }
217
218 memcpy(ftr->keymaster_blob, key, key_size);
219 ftr->keymaster_blob_size = key_size;
220
221out:
222 if (keymaster0_dev)
223 keymaster0_close(keymaster0_dev);
224 if (keymaster1_dev)
225 keymaster1_close(keymaster1_dev);
226 free(key);
227 return rc;
228}
229
230/* This signs the given object using the keymaster key. */
231static int keymaster_sign_object_old(struct crypt_mnt_ftr *ftr,
232 const unsigned char *object,
233 const size_t object_size,
234 unsigned char **signature,
235 size_t *signature_size)
236{
237 int rc = 0;
238 keymaster0_device_t *keymaster0_dev = 0;
239 keymaster1_device_t *keymaster1_dev = 0;
240
241 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
242 size_t to_sign_size = sizeof(to_sign);
243 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
244
245 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
246 SLOGE("Failed to init keymaster");
247 rc = -1;
248 goto out;
249 }
250
251 // To sign a message with RSA, the message must satisfy two
252 // constraints:
253 //
254 // 1. The message, when interpreted as a big-endian numeric value, must
255 // be strictly less than the public modulus of the RSA key. Note
256 // that because the most significant bit of the public modulus is
257 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
258 // key), an n-bit message with most significant bit 0 always
259 // satisfies this requirement.
260 //
261 // 2. The message must have the same length in bits as the public
262 // modulus of the RSA key. This requirement isn't mathematically
263 // necessary, but is necessary to ensure consistency in
264 // implementations.
265 switch (ftr->kdf_type) {
266 case KDF_SCRYPT_KEYMASTER:
267 // This ensures the most significant byte of the signed message
268 // is zero. We could have zero-padded to the left instead, but
269 // this approach is slightly more robust against changes in
270 // object size. However, it's still broken (but not unusably
271 // so) because we really should be using a proper deterministic
272 // RSA padding function, such as PKCS1.
273 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
274 SLOGI("Signing safely-padded object");
275 break;
276 default:
277 SLOGE("Unknown KDF type %d", ftr->kdf_type);
278 rc = -1;
279 goto out;
280 }
281
282 if (keymaster0_dev) {
283 keymaster_rsa_sign_params_t params;
284 params.digest_type = DIGEST_NONE;
285 params.padding_type = PADDING_NONE;
286
287 rc = keymaster0_dev->sign_data(keymaster0_dev,
288 &params,
289 ftr->keymaster_blob,
290 ftr->keymaster_blob_size,
291 to_sign,
292 to_sign_size,
293 signature,
294 signature_size);
295 goto out;
296 } else if (keymaster1_dev) {
297 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
298 keymaster_key_param_t params[] = {
299 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
300 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
301 };
302 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
303 keymaster_operation_handle_t op_handle;
304 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
305 &param_set, NULL /* out_params */,
306 &op_handle);
307 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
308 // Key usage has been rate-limited. Wait a bit and try again.
309 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
310 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
311 &param_set, NULL /* out_params */,
312 &op_handle);
313 }
314 if (error != KM_ERROR_OK) {
315 SLOGE("Error starting keymaster signature transaction: %d", error);
316 rc = -1;
317 goto out;
318 }
319
320 keymaster_blob_t input = { to_sign, to_sign_size };
321 size_t input_consumed;
322 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
323 &input, &input_consumed, NULL /* out_params */,
324 NULL /* output */);
325 if (error != KM_ERROR_OK) {
326 SLOGE("Error sending data to keymaster signature transaction: %d", error);
327 rc = -1;
328 goto out;
329 }
330 if (input_consumed != to_sign_size) {
331 // This should never happen. If it does, it's a bug in the keymaster implementation.
332 SLOGE("Keymaster update() did not consume all data.");
333 keymaster1_dev->abort(keymaster1_dev, op_handle);
334 rc = -1;
335 goto out;
336 }
337
338 keymaster_blob_t tmp_sig;
339 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
340 NULL /* verify signature */, NULL /* out_params */,
341 &tmp_sig);
342 if (error != KM_ERROR_OK) {
343 SLOGE("Error finishing keymaster signature transaction: %d", error);
344 rc = -1;
345 goto out;
346 }
347
348 *signature = (uint8_t*)tmp_sig.data;
349 *signature_size = tmp_sig.data_length;
350 } else {
351 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device.");
352 rc = -1;
353 goto out;
354 }
355
356 out:
357 if (keymaster1_dev)
358 keymaster1_close(keymaster1_dev);
359 if (keymaster0_dev)
360 keymaster0_close(keymaster0_dev);
361
362 return rc;
363}
364
365
366/* Should we use keymaster? */
367static int keymaster_check_compatibility_new()
368{
369 return keymaster_compatibility_cryptfs_scrypt();
370}
371
372/* Create a new keymaster key and store it in this footer */
373static int keymaster_create_key_new(struct crypt_mnt_ftr *ftr)
374{
375 if (ftr->keymaster_blob_size) {
376 SLOGI("Already have key");
377 return 0;
378 }
379
380 int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT,
381 KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
382 &ftr->keymaster_blob_size);
383 if (rc) {
384 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
385 SLOGE("Keymaster key blob to large)");
386 ftr->keymaster_blob_size = 0;
387 }
388 SLOGE("Failed to generate keypair");
389 return -1;
390 }
391 return 0;
392}
393
394/* This signs the given object using the keymaster key. */
395static int keymaster_sign_object_new(struct crypt_mnt_ftr *ftr,
396 const unsigned char *object,
397 const size_t object_size,
398 unsigned char **signature,
399 size_t *signature_size)
400{
401 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
402 size_t to_sign_size = sizeof(to_sign);
403 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
404
405 // To sign a message with RSA, the message must satisfy two
406 // constraints:
407 //
408 // 1. The message, when interpreted as a big-endian numeric value, must
409 // be strictly less than the public modulus of the RSA key. Note
410 // that because the most significant bit of the public modulus is
411 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
412 // key), an n-bit message with most significant bit 0 always
413 // satisfies this requirement.
414 //
415 // 2. The message must have the same length in bits as the public
416 // modulus of the RSA key. This requirement isn't mathematically
417 // necessary, but is necessary to ensure consistency in
418 // implementations.
419 switch (ftr->kdf_type) {
420 case KDF_SCRYPT_KEYMASTER:
421 // This ensures the most significant byte of the signed message
422 // is zero. We could have zero-padded to the left instead, but
423 // this approach is slightly more robust against changes in
424 // object size. However, it's still broken (but not unusably
425 // so) because we really should be using a proper deterministic
426 // RSA padding function, such as PKCS1.
427 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
428 SLOGI("Signing safely-padded object");
429 break;
430 default:
431 SLOGE("Unknown KDF type %d", ftr->kdf_type);
432 return -1;
433 }
Paul Crowley73473332017-11-21 15:43:51 -0800434 if (keymaster_sign_object_for_cryptfs_scrypt(
435 ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
436 to_sign_size, signature, signature_size) != KeymasterSignResult::ok)
437 return -1;
438 return 0;
Janis Danisevskis2ad849b2017-02-07 08:52:08 +0000439}
440
441namespace android {
442
443class CryptFsTest : public testing::Test {
444protected:
445 virtual void SetUp() {
446 }
447
448 virtual void TearDown() {
449 }
450};
451
452TEST_F(CryptFsTest, ScryptHidlizationEquivalenceTest) {
453 crypt_mnt_ftr ftr;
454 ftr.kdf_type = KDF_SCRYPT_KEYMASTER;
455 ftr.keymaster_blob_size = 0;
456
457 ASSERT_EQ(0, keymaster_create_key_old(&ftr));
458
459 uint8_t *sig1 = nullptr;
460 uint8_t *sig2 = nullptr;
461 size_t sig_size1 = 123456789;
462 size_t sig_size2 = 123456789;
463 uint8_t object[] = "the object";
464
465 ASSERT_EQ(1, keymaster_check_compatibility_old());
466 ASSERT_EQ(1, keymaster_check_compatibility_new());
467 ASSERT_EQ(0, keymaster_sign_object_old(&ftr, object, 10, &sig1, &sig_size1));
468 ASSERT_EQ(0, keymaster_sign_object_new(&ftr, object, 10, &sig2, &sig_size2));
469
470 ASSERT_EQ(sig_size1, sig_size2);
471 ASSERT_NE(nullptr, sig1);
472 ASSERT_NE(nullptr, sig2);
473 EXPECT_EQ(0, memcmp(sig1, sig2, sig_size1));
474 free(sig1);
475 free(sig2);
476}
477
478}