Gitiles
Code Review Sign In
gerrit.twrp.me / android_bootable_recovery / 799243055f8976a6af1a9933f63f55ec9a2311ec / . / crypto / fscrypt / keystore_auth.cpp
blob: a65fe21bc78fa4a775352b915a5c16e3e0cd02d1 [file] [log] [blame]
bigbiff7ba75002020-04-11 20:47:09 -0400[diff] [blame]1/*
2 Copyright 2020 TeamWin
3 This file is part of TWRP/TeamWin Recovery Project.
4
5 TWRP is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation, either version 3 of the License, or
8 (at your option) any later version.
9
10 TWRP is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
14
15 You should have received a copy of the GNU General Public License
16 along with TWRP. If not, see <http://www.gnu.org/licenses/>.
17*/
18
19/* The keystore refuses to allow the root user to supply auth tokens, so
20 * we write the auth token to a file in TWRP and run a separate service
21 * (this) that runs as the system user to add the auth token. TWRP waits
22 * for /auth_token to be deleted and also looks for /auth_error to check
23 * for errors. TWRP will error out after a while if /auth_token does not
24 * get deleted. */
25
26#include <stdio.h>
27#include <string>
28
29#ifdef USE_SECURITY_NAMESPACE
30#include <android/security/keystore/IKeystoreService.h>
31#else
32#include <keystore/IKeystoreService.h>
33#include <keystore/authorization_set.h>
34#endif
35#include <binder/IPCThreadState.h>
36#include <binder/IServiceManager.h>
37
38#include <keystore/keystore.h>
39
40#ifndef LOG_TAG
41#define LOG_TAG "keystore_auth"
42#endif
43
44using namespace android;
45using android::security::keystore::IKeystoreService;
46
47void create_error_file() {
48 FILE* error_file = fopen("/auth_error", "wb");
49 if (error_file == NULL) {
50 printf("Failed to open /auth_error\n");
51 ALOGE("Failed to open /auth_error\n");
52 return;
53 }
54 fwrite("1", 1, 1, error_file);
55 fclose(error_file);
56 unlink("/auth_token");
57}
58
59int main() {
60 unlink("/auth_error");
61 FILE* auth_file = fopen("/auth_token", "rb");
62 if (auth_file == NULL) {
63 printf("Failed to open /auth_token\n");
64 ALOGE("Failed to open /auth_token\n");
65 create_error_file();
66 return -1;
67 }
68 // Get the file size
69 fseek(auth_file, 0, SEEK_END);
70 int size = ftell(auth_file);
71 fseek(auth_file, 0, SEEK_SET);
72 uint8_t auth_token[size];
73 fread(auth_token , sizeof(uint8_t), size, auth_file);
74 fclose(auth_file);
75 // First get the keystore service
76 sp<IServiceManager> sm = defaultServiceManager();
77 sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
78#ifdef USE_SECURITY_NAMESPACE
79 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
80#else
81 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
82#endif
83 if (service == NULL) {
84 printf("error: could not connect to keystore service\n");
85 ALOGE("error: could not connect to keystore service\n");
86 create_error_file();
87 return -2;
88 }
89#ifdef USE_SECURITY_NAMESPACE
90 std::vector<uint8_t> auth_token_vector(&auth_token[0], (&auth_token[0]) + size);
91 int result = 0;
92 auto binder_result = service->addAuthToken(auth_token_vector, &result);
93 if (!binder_result.isOk() || !keystore::KeyStoreServiceReturnCode(result).isOk()) {
94#else
95 ::keystore::KeyStoreServiceReturnCode auth_result = service->addAuthToken(auth_token, size);
96 if (!auth_result.isOk()) {
97#endif
98 // The keystore checks the uid of the calling process and will return a permission denied on this operation for user 0
99 printf("keystore error adding auth token\n");
100 ALOGE("keystore error adding auth token\n");
101 create_error_file();
102 return -3;
103 }
104 printf("successfully added auth token to keystore\n");
105 ALOGD("successfully added auth token to keystore\n");
106 unlink("/auth_token");
107 return 0;
108}