Gitiles
Code Review Sign In
gerrit.twrp.me / android_bootable_recovery / 5f8394ca88e33bb0a0af374ad5412650a6e222e6 / . / crypto / ext4crypt / KeyUtil.cpp
blob: 946c6cf9c013fd7484c32f87296e57ac11e8ad30 [file] [log] [blame]
Ethan Yonkere9afc3d2018-08-30 15:16:27 -0500[diff] [blame]1/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "KeyUtil.h"
18
19#include <iomanip>
20#include <sstream>
21#include <string>
22
23#include <openssl/sha.h>
24
25#include <android-base/file.h>
26//#include <android-base/logging.h>
27#include <keyutils.h>
28
29#include "KeyStorage4.h"
30#include "Utils.h"
31
32#include <iostream>
33#define LOG(x) std::cout
34#define PLOG(x) std::cout
35#include <sys/types.h>
36#include <unistd.h>
37
38namespace android {
39namespace vold {
40
41// ext4enc:TODO get this const from somewhere good
42const int EXT4_KEY_DESCRIPTOR_SIZE = 8;
43
44// ext4enc:TODO Include structure from somewhere sensible
45// MUST be in sync with ext4_crypto.c in kernel
46constexpr int EXT4_ENCRYPTION_MODE_AES_256_XTS = 1;
47constexpr int EXT4_AES_256_XTS_KEY_SIZE = 64;
48constexpr int EXT4_MAX_KEY_SIZE = 64;
49struct ext4_encryption_key {
50 uint32_t mode;
51 char raw[EXT4_MAX_KEY_SIZE];
52 uint32_t size;
53};
54
55bool randomKey(KeyBuffer* key) {
56 *key = KeyBuffer(EXT4_AES_256_XTS_KEY_SIZE);
57 if (ReadRandomBytes(key->size(), key->data()) != 0) {
58 // TODO status_t plays badly with PLOG, fix it.
59 LOG(ERROR) << "Random read failed" << std::endl;
60 return false;
61 }
62 return true;
63}
64
65// Get raw keyref - used to make keyname and to pass to ioctl
66static std::string generateKeyRef(const char* key, int length) {
67 SHA512_CTX c;
68
69 SHA512_Init(&c);
70 SHA512_Update(&c, key, length);
71 unsigned char key_ref1[SHA512_DIGEST_LENGTH];
72 SHA512_Final(key_ref1, &c);
73
74 SHA512_Init(&c);
75 SHA512_Update(&c, key_ref1, SHA512_DIGEST_LENGTH);
76 unsigned char key_ref2[SHA512_DIGEST_LENGTH];
77 SHA512_Final(key_ref2, &c);
78
79 static_assert(EXT4_KEY_DESCRIPTOR_SIZE <= SHA512_DIGEST_LENGTH,
80 "Hash too short for descriptor");
81 return std::string((char*)key_ref2, EXT4_KEY_DESCRIPTOR_SIZE);
82}
83
84static bool fillKey(const KeyBuffer& key, ext4_encryption_key* ext4_key) {
85 if (key.size() != EXT4_AES_256_XTS_KEY_SIZE) {
86 LOG(ERROR) << "Wrong size key " << key.size();
87 return false;
88 }
89 static_assert(EXT4_AES_256_XTS_KEY_SIZE <= sizeof(ext4_key->raw), "Key too long!");
90 ext4_key->mode = EXT4_ENCRYPTION_MODE_AES_256_XTS;
91 ext4_key->size = key.size();
92 memset(ext4_key->raw, 0, sizeof(ext4_key->raw));
93 memcpy(ext4_key->raw, key.data(), key.size());
94 return true;
95}
96
97static char const* const NAME_PREFIXES[] = {
98 "ext4",
99 "f2fs",
100 "fscrypt",
101 nullptr
102};
103
104static std::string keyname(const std::string& prefix, const std::string& raw_ref) {
105 std::ostringstream o;
106 o << prefix << ":";
107 for (unsigned char i : raw_ref) {
108 o << std::hex << std::setw(2) << std::setfill('0') << (int)i;
109 }
110 return o.str();
111}
112
113// Get the keyring we store all keys in
114static bool e4cryptKeyring(key_serial_t* device_keyring) {
115 *device_keyring = keyctl_search(KEY_SPEC_SESSION_KEYRING, "keyring", "e4crypt", 0);
116 if (*device_keyring == -1) {
117 PLOG(ERROR) << "Unable to find device keyring" << std::endl;
118 return false;
119 }
120 return true;
121}
122
123// Install password into global keyring
124// Return raw key reference for use in policy
125bool installKey(const KeyBuffer& key, std::string* raw_ref) {
126 // Place ext4_encryption_key into automatically zeroing buffer.
127 KeyBuffer ext4KeyBuffer(sizeof(ext4_encryption_key));
128 ext4_encryption_key &ext4_key = *reinterpret_cast<ext4_encryption_key*>(ext4KeyBuffer.data());
129
130 if (!fillKey(key, &ext4_key)) return false;
131 *raw_ref = generateKeyRef(ext4_key.raw, ext4_key.size);
132 key_serial_t device_keyring;
133 if (!e4cryptKeyring(&device_keyring)) return false;
134 for (char const* const* name_prefix = NAME_PREFIXES; *name_prefix != nullptr; name_prefix++) {
135 auto ref = keyname(*name_prefix, *raw_ref);
136 key_serial_t key_id =
137 add_key("logon", ref.c_str(), (void*)&ext4_key, sizeof(ext4_key), device_keyring);
138 if (key_id == -1) {
139 PLOG(ERROR) << "Failed to insert key into keyring " << device_keyring << std::endl;
140 return false;
141 }
142 LOG(DEBUG) << "Added key " << key_id << " (" << ref << ") to keyring " << device_keyring
143 << " in process " << getpid() << std::endl;
144 }
145 return true;
146}
147
148bool evictKey(const std::string& raw_ref) {
149 LOG(ERROR) << "not actually evicting key\n";
150 return true;
151 key_serial_t device_keyring;
152 if (!e4cryptKeyring(&device_keyring)) return false;
153 bool success = true;
154 for (char const* const* name_prefix = NAME_PREFIXES; *name_prefix != nullptr; name_prefix++) {
155 auto ref = keyname(*name_prefix, raw_ref);
156 auto key_serial = keyctl_search(device_keyring, "logon", ref.c_str(), 0);
157
158 // Unlink the key from the keyring. Prefer unlinking to revoking or
159 // invalidating, since unlinking is actually no less secure currently, and
160 // it avoids bugs in certain kernel versions where the keyring key is
161 // referenced from places it shouldn't be.
162 if (keyctl_unlink(key_serial, device_keyring) != 0) {
163 PLOG(ERROR) << "Failed to unlink key with serial " << key_serial << " ref " << ref;
164 success = false;
165 } else {
166 LOG(DEBUG) << "Unlinked key with serial " << key_serial << " ref " << ref;
167 }
168 }
169 return success;
170}
171
172bool retrieveAndInstallKey(bool create_if_absent, const KeyAuthentication& key_authentication,
173 const std::string& key_path, const std::string& tmp_path,
174 std::string* key_ref) {
175 KeyBuffer key;
176 if (pathExists(key_path)) {
177 LOG(DEBUG) << "Key exists, using: " << key_path << std::endl;
178 if (!retrieveKey(key_path, key_authentication, &key)) return false;
179 } else {
180 if (!create_if_absent) {
181 LOG(ERROR) << "No key found in " << key_path << std::endl;
182 return false;
183 }
184 LOG(INFO) << "Creating new key in " << key_path << std::endl;
185 if (!randomKey(&key)) return false;
186 if (!storeKeyAtomically(key_path, tmp_path, key_authentication, key)) return false;
187 }
188
189 if (!installKey(key, key_ref)) {
190 LOG(ERROR) << "Failed to install key in " << key_path << std::endl;
191 return false;
192 }
193 return true;
194}
195
196bool retrieveKey(bool create_if_absent, const std::string& key_path,
197 const std::string& tmp_path, KeyBuffer* key) {
198 if (pathExists(key_path)) {
199 LOG(DEBUG) << "Key exists, using: " << key_path << std::endl;
200 if (!retrieveKey(key_path, kEmptyAuthentication, key)) return false;
201 } else {
202 if (!create_if_absent) {
203 LOG(ERROR) << "No key found in " << key_path << std::endl;
204 return false;
205 }
206 LOG(INFO) << "Creating new key in " << key_path << std::endl;
207 if (!randomKey(key)) return false;
208 if (!storeKeyAtomically(key_path, tmp_path,
209 kEmptyAuthentication, *key)) return false;
210 }
211 return true;
212}
213
214} // namespace vold
215} // namespace android