1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define LOG_TAG "keystore" 18 19 #include "user_state.h" 20 21 #include <dirent.h> 22 #include <fcntl.h> 23 #include <stdio.h> 24 #include <stdlib.h> 25 #include <sys/stat.h> 26 27 #include <openssl/evp.h> 28 29 #include <cutils/log.h> 30 31 #include "blob.h" 32 #include "keystore_utils.h" 33 34 UserState::UserState(uid_t userId) : mUserId(userId), mRetry(MAX_RETRY) { 35 asprintf(&mUserDir, "user_%u", mUserId); 36 asprintf(&mMasterKeyFile, "%s/.masterkey", mUserDir); 37 } 38 39 UserState::~UserState() { 40 free(mUserDir); 41 free(mMasterKeyFile); 42 } 43 44 bool UserState::initialize() { 45 if ((mkdir(mUserDir, S_IRUSR | S_IWUSR | S_IXUSR) < 0) && (errno != EEXIST)) { 46 ALOGE("Could not create directory '%s'", mUserDir); 47 return false; 48 } 49 50 if (access(mMasterKeyFile, R_OK) == 0) { 51 setState(STATE_LOCKED); 52 } else { 53 setState(STATE_UNINITIALIZED); 54 } 55 56 return true; 57 } 58 59 void UserState::setState(State state) { 60 mState = state; 61 if (mState == STATE_NO_ERROR || mState == STATE_UNINITIALIZED) { 62 mRetry = MAX_RETRY; 63 } 64 } 65 66 void UserState::zeroizeMasterKeysInMemory() { 67 memset(mMasterKey, 0, sizeof(mMasterKey)); 68 memset(mSalt, 0, sizeof(mSalt)); 69 memset(&mMasterKeyEncryption, 0, sizeof(mMasterKeyEncryption)); 70 memset(&mMasterKeyDecryption, 0, sizeof(mMasterKeyDecryption)); 71 } 72 73 bool UserState::deleteMasterKey() { 74 setState(STATE_UNINITIALIZED); 75 zeroizeMasterKeysInMemory(); 76 return unlink(mMasterKeyFile) == 0 || errno == ENOENT; 77 } 78 79 ResponseCode UserState::initialize(const android::String8& pw, Entropy* entropy) { 80 if (!generateMasterKey(entropy)) { 81 return SYSTEM_ERROR; 82 } 83 ResponseCode response = writeMasterKey(pw, entropy); 84 if (response != NO_ERROR) { 85 return response; 86 } 87 setupMasterKeys(); 88 return ::NO_ERROR; 89 } 90 91 ResponseCode UserState::copyMasterKey(UserState* src) { 92 if (mState != STATE_UNINITIALIZED) { 93 return ::SYSTEM_ERROR; 94 } 95 if (src->getState() != STATE_NO_ERROR) { 96 return ::SYSTEM_ERROR; 97 } 98 memcpy(mMasterKey, src->mMasterKey, MASTER_KEY_SIZE_BYTES); 99 setupMasterKeys(); 100 return copyMasterKeyFile(src); 101 } 102 103 ResponseCode UserState::copyMasterKeyFile(UserState* src) { 104 /* Copy the master key file to the new user. Unfortunately we don't have the src user's 105 * password so we cannot generate a new file with a new salt. 106 */ 107 int in = TEMP_FAILURE_RETRY(open(src->getMasterKeyFileName(), O_RDONLY)); 108 if (in < 0) { 109 return ::SYSTEM_ERROR; 110 } 111 blob rawBlob; 112 size_t length = readFully(in, (uint8_t*)&rawBlob, sizeof(rawBlob)); 113 if (close(in) != 0) { 114 return ::SYSTEM_ERROR; 115 } 116 int out = 117 TEMP_FAILURE_RETRY(open(mMasterKeyFile, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR)); 118 if (out < 0) { 119 return ::SYSTEM_ERROR; 120 } 121 size_t outLength = writeFully(out, (uint8_t*)&rawBlob, length); 122 if (close(out) != 0) { 123 return ::SYSTEM_ERROR; 124 } 125 if (outLength != length) { 126 ALOGW("blob not fully written %zu != %zu", outLength, length); 127 unlink(mMasterKeyFile); 128 return ::SYSTEM_ERROR; 129 } 130 return ::NO_ERROR; 131 } 132 133 ResponseCode UserState::writeMasterKey(const android::String8& pw, Entropy* entropy) { 134 uint8_t passwordKey[MASTER_KEY_SIZE_BYTES]; 135 generateKeyFromPassword(passwordKey, MASTER_KEY_SIZE_BYTES, pw, mSalt); 136 AES_KEY passwordAesKey; 137 AES_set_encrypt_key(passwordKey, MASTER_KEY_SIZE_BITS, &passwordAesKey); 138 Blob masterKeyBlob(mMasterKey, sizeof(mMasterKey), mSalt, sizeof(mSalt), TYPE_MASTER_KEY); 139 return masterKeyBlob.writeBlob(mMasterKeyFile, &passwordAesKey, STATE_NO_ERROR, entropy); 140 } 141 142 ResponseCode UserState::readMasterKey(const android::String8& pw, Entropy* entropy) { 143 int in = TEMP_FAILURE_RETRY(open(mMasterKeyFile, O_RDONLY)); 144 if (in < 0) { 145 return SYSTEM_ERROR; 146 } 147 148 // We read the raw blob to just to get the salt to generate the AES key, then we create the Blob 149 // to use with decryptBlob 150 blob rawBlob; 151 size_t length = readFully(in, (uint8_t*)&rawBlob, sizeof(rawBlob)); 152 if (close(in) != 0) { 153 return SYSTEM_ERROR; 154 } 155 // find salt at EOF if present, otherwise we have an old file 156 uint8_t* salt; 157 if (length > SALT_SIZE && rawBlob.info == SALT_SIZE) { 158 salt = (uint8_t*)&rawBlob + length - SALT_SIZE; 159 } else { 160 salt = NULL; 161 } 162 uint8_t passwordKey[MASTER_KEY_SIZE_BYTES]; 163 generateKeyFromPassword(passwordKey, MASTER_KEY_SIZE_BYTES, pw, salt); 164 AES_KEY passwordAesKey; 165 AES_set_decrypt_key(passwordKey, MASTER_KEY_SIZE_BITS, &passwordAesKey); 166 Blob masterKeyBlob(rawBlob); 167 ResponseCode response = masterKeyBlob.readBlob(mMasterKeyFile, &passwordAesKey, STATE_NO_ERROR); 168 if (response == SYSTEM_ERROR) { 169 return response; 170 } 171 if (response == NO_ERROR && masterKeyBlob.getLength() == MASTER_KEY_SIZE_BYTES) { 172 // If salt was missing, generate one and write a new master key file with the salt. 173 if (salt == NULL) { 174 if (!generateSalt(entropy)) { 175 return SYSTEM_ERROR; 176 } 177 response = writeMasterKey(pw, entropy); 178 } 179 if (response == NO_ERROR) { 180 memcpy(mMasterKey, masterKeyBlob.getValue(), MASTER_KEY_SIZE_BYTES); 181 setupMasterKeys(); 182 } 183 return response; 184 } 185 if (mRetry <= 0) { 186 reset(); 187 return UNINITIALIZED; 188 } 189 --mRetry; 190 switch (mRetry) { 191 case 0: 192 return WRONG_PASSWORD_0; 193 case 1: 194 return WRONG_PASSWORD_1; 195 case 2: 196 return WRONG_PASSWORD_2; 197 case 3: 198 return WRONG_PASSWORD_3; 199 default: 200 return WRONG_PASSWORD_3; 201 } 202 } 203 204 bool UserState::reset() { 205 DIR* dir = opendir(getUserDirName()); 206 if (!dir) { 207 // If the directory doesn't exist then nothing to do. 208 if (errno == ENOENT) { 209 return true; 210 } 211 ALOGW("couldn't open user directory: %s", strerror(errno)); 212 return false; 213 } 214 215 struct dirent* file; 216 while ((file = readdir(dir)) != NULL) { 217 // skip . and .. 218 if (!strcmp(".", file->d_name) || !strcmp("..", file->d_name)) { 219 continue; 220 } 221 222 unlinkat(dirfd(dir), file->d_name, 0); 223 } 224 closedir(dir); 225 return true; 226 } 227 228 void UserState::generateKeyFromPassword(uint8_t* key, ssize_t keySize, const android::String8& pw, 229 uint8_t* salt) { 230 size_t saltSize; 231 if (salt != NULL) { 232 saltSize = SALT_SIZE; 233 } else { 234 // Pre-gingerbread used this hardwired salt, readMasterKey will rewrite these when found 235 salt = (uint8_t*)"keystore"; 236 // sizeof = 9, not strlen = 8 237 saltSize = sizeof("keystore"); 238 } 239 240 PKCS5_PBKDF2_HMAC_SHA1(reinterpret_cast<const char*>(pw.string()), pw.length(), salt, saltSize, 241 8192, keySize, key); 242 } 243 244 bool UserState::generateSalt(Entropy* entropy) { 245 return entropy->generate_random_data(mSalt, sizeof(mSalt)); 246 } 247 248 bool UserState::generateMasterKey(Entropy* entropy) { 249 if (!entropy->generate_random_data(mMasterKey, sizeof(mMasterKey))) { 250 return false; 251 } 252 if (!generateSalt(entropy)) { 253 return false; 254 } 255 return true; 256 } 257 258 void UserState::setupMasterKeys() { 259 AES_set_encrypt_key(mMasterKey, MASTER_KEY_SIZE_BITS, &mMasterKeyEncryption); 260 AES_set_decrypt_key(mMasterKey, MASTER_KEY_SIZE_BITS, &mMasterKeyDecryption); 261 setState(STATE_NO_ERROR); 262 } 263
