/* ** ** Copyright 2017, The Android Open Source Project ** ** Licensed under the Apache License, Version 2.0 (the "License"); ** you may not use this file except in compliance with the License. ** You may obtain a copy of the License at ** ** http://www.apache.org/licenses/LICENSE-2.0 ** ** Unless required by applicable law or agreed to in writing, software ** distributed under the License is distributed on an "AS IS" BASIS, ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ** See the License for the specific language governing permissions and ** limitations under the License. */ #define LOG_TAG "scrypt_test" #include <log/log.h> #include <gtest/gtest.h> #include <hardware/keymaster0.h> #include <hardware/keymaster1.h> #include <cstring> #include "../Keymaster.h" #include "../cryptfs.h" #ifdef CONFIG_HW_DISK_ENCRYPTION #include "cryptfs_hw.h" #endif #define min(a, b) ((a) < (b) ? (a) : (b)) /* Maximum allowed keymaster blob size. */ #define KEYMASTER_BLOB_SIZE 2048 /* Key Derivation Function algorithms */ #define KDF_PBKDF2 1 #define KDF_SCRYPT 2 /* Algorithms 3 & 4 deprecated before shipping outside of google, so removed */ #define KDF_SCRYPT_KEYMASTER 5 #define KEY_LEN_BYTES 16 #define DEFAULT_PASSWORD "default_password" #define RSA_KEY_SIZE 2048 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) #define RSA_EXPONENT 0x10001 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second static int keymaster_init(keymaster0_device_t** keymaster0_dev, keymaster1_device_t** keymaster1_dev) { int rc; const hw_module_t* mod; rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); if (rc) { ALOGE("could not find any keystore module"); goto err; } SLOGI("keymaster module name is %s", mod->name); SLOGI("keymaster version is %d", mod->module_api_version); *keymaster0_dev = NULL; *keymaster1_dev = NULL; if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) { SLOGI("Found keymaster1 module, using keymaster1 API."); rc = keymaster1_open(mod, keymaster1_dev); } else { SLOGI("Found keymaster0 module, using keymaster0 API."); rc = keymaster0_open(mod, keymaster0_dev); } if (rc) { ALOGE("could not open keymaster device in %s (%s)", KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); goto err; } return 0; err: *keymaster0_dev = NULL; *keymaster1_dev = NULL; return rc; } /* Should we use keymaster? */ static int keymaster_check_compatibility_old() { keymaster0_device_t* keymaster0_dev = 0; keymaster1_device_t* keymaster1_dev = 0; int rc = 0; if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { SLOGE("Failed to init keymaster"); rc = -1; goto out; } if (keymaster1_dev) { rc = 1; goto out; } if (!keymaster0_dev || !keymaster0_dev->common.module) { rc = -1; goto out; } // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2 // should work. if (keymaster0_dev->common.module->module_api_version < KEYMASTER_MODULE_API_VERSION_0_3) { rc = 0; goto out; } if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) && (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { rc = 1; } out: if (keymaster1_dev) { keymaster1_close(keymaster1_dev); } if (keymaster0_dev) { keymaster0_close(keymaster0_dev); } return rc; } /* Create a new keymaster key and store it in this footer */ static int keymaster_create_key_old(struct crypt_mnt_ftr* ftr) { uint8_t* key = 0; keymaster0_device_t* keymaster0_dev = 0; keymaster1_device_t* keymaster1_dev = 0; if (ftr->keymaster_blob_size) { SLOGI("Already have key"); return 0; } if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { SLOGE("Failed to init keymaster"); return -1; } int rc = 0; size_t key_size = 0; if (keymaster1_dev) { keymaster_key_param_t params[] = { /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */ keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA), keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE), keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT), /* The only allowed purpose for this key is signing. */ keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN), /* Padding & digest specifications. */ keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), /* Require that the key be usable in standalone mode. File system isn't available. */ keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE), /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */ keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED), /* Rate-limit key usage attempts, to rate-limit brute force */ keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT), }; keymaster_key_param_set_t param_set = {params, sizeof(params) / sizeof(*params)}; keymaster_key_blob_t key_blob; keymaster_error_t error = keymaster1_dev->generate_key( keymaster1_dev, ¶m_set, &key_blob, NULL /* characteristics */); if (error != KM_ERROR_OK) { SLOGE("Failed to generate keymaster1 key, error %d", error); rc = -1; goto out; } key = (uint8_t*)key_blob.key_material; key_size = key_blob.key_material_size; } else if (keymaster0_dev) { keymaster_rsa_keygen_params_t params; memset(¶ms, '\0', sizeof(params)); params.public_exponent = RSA_EXPONENT; params.modulus_size = RSA_KEY_SIZE; if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms, &key, &key_size)) { SLOGE("Failed to generate keypair"); rc = -1; goto out; } } else { SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device"); rc = -1; goto out; } if (key_size > KEYMASTER_BLOB_SIZE) { SLOGE("Keymaster key too large for crypto footer"); rc = -1; goto out; } memcpy(ftr->keymaster_blob, key, key_size); ftr->keymaster_blob_size = key_size; out: if (keymaster0_dev) keymaster0_close(keymaster0_dev); if (keymaster1_dev) keymaster1_close(keymaster1_dev); free(key); return rc; } /* This signs the given object using the keymaster key. */ static int keymaster_sign_object_old(struct crypt_mnt_ftr* ftr, const unsigned char* object, const size_t object_size, unsigned char** signature, size_t* signature_size) { int rc = 0; keymaster0_device_t* keymaster0_dev = 0; keymaster1_device_t* keymaster1_dev = 0; unsigned char to_sign[RSA_KEY_SIZE_BYTES]; size_t to_sign_size = sizeof(to_sign); memset(to_sign, 0, RSA_KEY_SIZE_BYTES); if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { SLOGE("Failed to init keymaster"); rc = -1; goto out; } // To sign a message with RSA, the message must satisfy two // constraints: // // 1. The message, when interpreted as a big-endian numeric value, must // be strictly less than the public modulus of the RSA key. Note // that because the most significant bit of the public modulus is // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit // key), an n-bit message with most significant bit 0 always // satisfies this requirement. // // 2. The message must have the same length in bits as the public // modulus of the RSA key. This requirement isn't mathematically // necessary, but is necessary to ensure consistency in // implementations. switch (ftr->kdf_type) { case KDF_SCRYPT_KEYMASTER: // This ensures the most significant byte of the signed message // is zero. We could have zero-padded to the left instead, but // this approach is slightly more robust against changes in // object size. However, it's still broken (but not unusably // so) because we really should be using a proper deterministic // RSA padding function, such as PKCS1. memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); SLOGI("Signing safely-padded object"); break; default: SLOGE("Unknown KDF type %d", ftr->kdf_type); rc = -1; goto out; } if (keymaster0_dev) { keymaster_rsa_sign_params_t params; params.digest_type = DIGEST_NONE; params.padding_type = PADDING_NONE; rc = keymaster0_dev->sign_data(keymaster0_dev, ¶ms, ftr->keymaster_blob, ftr->keymaster_blob_size, to_sign, to_sign_size, signature, signature_size); goto out; } else if (keymaster1_dev) { keymaster_key_blob_t key = {ftr->keymaster_blob, ftr->keymaster_blob_size}; keymaster_key_param_t params[] = { keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), }; keymaster_key_param_set_t param_set = {params, sizeof(params) / sizeof(*params)}; keymaster_operation_handle_t op_handle; keymaster_error_t error = keymaster1_dev->begin( keymaster1_dev, KM_PURPOSE_SIGN, &key, ¶m_set, NULL /* out_params */, &op_handle); if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) { // Key usage has been rate-limited. Wait a bit and try again. sleep(KEYMASTER_CRYPTFS_RATE_LIMIT); error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, ¶m_set, NULL /* out_params */, &op_handle); } if (error != KM_ERROR_OK) { SLOGE("Error starting keymaster signature transaction: %d", error); rc = -1; goto out; } keymaster_blob_t input = {to_sign, to_sign_size}; size_t input_consumed; error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */, &input, &input_consumed, NULL /* out_params */, NULL /* output */); if (error != KM_ERROR_OK) { SLOGE("Error sending data to keymaster signature transaction: %d", error); rc = -1; goto out; } if (input_consumed != to_sign_size) { // This should never happen. If it does, it's a bug in the keymaster implementation. SLOGE("Keymaster update() did not consume all data."); keymaster1_dev->abort(keymaster1_dev, op_handle); rc = -1; goto out; } keymaster_blob_t tmp_sig; error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */, NULL /* verify signature */, NULL /* out_params */, &tmp_sig); if (error != KM_ERROR_OK) { SLOGE("Error finishing keymaster signature transaction: %d", error); rc = -1; goto out; } *signature = (uint8_t*)tmp_sig.data; *signature_size = tmp_sig.data_length; } else { SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device."); rc = -1; goto out; } out: if (keymaster1_dev) keymaster1_close(keymaster1_dev); if (keymaster0_dev) keymaster0_close(keymaster0_dev); return rc; } /* Should we use keymaster? */ static int keymaster_check_compatibility_new() { return keymaster_compatibility_cryptfs_scrypt(); } #if 0 /* Create a new keymaster key and store it in this footer */ static int keymaster_create_key_new(struct crypt_mnt_ftr *ftr) { if (ftr->keymaster_blob_size) { SLOGI("Already have key"); return 0; } int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE, &ftr->keymaster_blob_size); if (rc) { if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) { SLOGE("Keymaster key blob to large)"); ftr->keymaster_blob_size = 0; } SLOGE("Failed to generate keypair"); return -1; } return 0; } #endif /* This signs the given object using the keymaster key. */ static int keymaster_sign_object_new(struct crypt_mnt_ftr* ftr, const unsigned char* object, const size_t object_size, unsigned char** signature, size_t* signature_size) { unsigned char to_sign[RSA_KEY_SIZE_BYTES]; size_t to_sign_size = sizeof(to_sign); memset(to_sign, 0, RSA_KEY_SIZE_BYTES); // To sign a message with RSA, the message must satisfy two // constraints: // // 1. The message, when interpreted as a big-endian numeric value, must // be strictly less than the public modulus of the RSA key. Note // that because the most significant bit of the public modulus is // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit // key), an n-bit message with most significant bit 0 always // satisfies this requirement. // // 2. The message must have the same length in bits as the public // modulus of the RSA key. This requirement isn't mathematically // necessary, but is necessary to ensure consistency in // implementations. switch (ftr->kdf_type) { case KDF_SCRYPT_KEYMASTER: // This ensures the most significant byte of the signed message // is zero. We could have zero-padded to the left instead, but // this approach is slightly more robust against changes in // object size. However, it's still broken (but not unusably // so) because we really should be using a proper deterministic // RSA padding function, such as PKCS1. memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); SLOGI("Signing safely-padded object"); break; default: SLOGE("Unknown KDF type %d", ftr->kdf_type); return -1; } if (keymaster_sign_object_for_cryptfs_scrypt( ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign, to_sign_size, signature, signature_size) != KeymasterSignResult::ok) return -1; return 0; } namespace android { class CryptFsTest : public testing::Test { protected: virtual void SetUp() {} virtual void TearDown() {} }; TEST_F(CryptFsTest, ScryptHidlizationEquivalenceTest) { crypt_mnt_ftr ftr; ftr.kdf_type = KDF_SCRYPT_KEYMASTER; ftr.keymaster_blob_size = 0; ASSERT_EQ(0, keymaster_create_key_old(&ftr)); uint8_t* sig1 = nullptr; uint8_t* sig2 = nullptr; size_t sig_size1 = 123456789; size_t sig_size2 = 123456789; uint8_t object[] = "the object"; ASSERT_EQ(1, keymaster_check_compatibility_old()); ASSERT_EQ(1, keymaster_check_compatibility_new()); ASSERT_EQ(0, keymaster_sign_object_old(&ftr, object, 10, &sig1, &sig_size1)); ASSERT_EQ(0, keymaster_sign_object_new(&ftr, object, 10, &sig2, &sig_size2)); ASSERT_EQ(sig_size1, sig_size2); ASSERT_NE(nullptr, sig1); ASSERT_NE(nullptr, sig2); EXPECT_EQ(0, memcmp(sig1, sig2, sig_size1)); free(sig1); free(sig2); } } // namespace android