/*
* Copyright (C) 2016 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "keystore"
#include "user_state.h"
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <openssl/evp.h>
#include <cutils/log.h>
#include "blob.h"
#include "keystore_utils.h"
UserState::UserState(uid_t userId) : mUserId(userId), mRetry(MAX_RETRY) {
asprintf(&mUserDir, "user_%u", mUserId);
asprintf(&mMasterKeyFile, "%s/.masterkey", mUserDir);
}
UserState::~UserState() {
free(mUserDir);
free(mMasterKeyFile);
}
bool UserState::initialize() {
if ((mkdir(mUserDir, S_IRUSR | S_IWUSR | S_IXUSR) < 0) && (errno != EEXIST)) {
ALOGE("Could not create directory '%s'", mUserDir);
return false;
}
if (access(mMasterKeyFile, R_OK) == 0) {
setState(STATE_LOCKED);
} else {
setState(STATE_UNINITIALIZED);
}
return true;
}
void UserState::setState(State state) {
mState = state;
if (mState == STATE_NO_ERROR || mState == STATE_UNINITIALIZED) {
mRetry = MAX_RETRY;
}
}
void UserState::zeroizeMasterKeysInMemory() {
memset(mMasterKey, 0, sizeof(mMasterKey));
memset(mSalt, 0, sizeof(mSalt));
memset(&mMasterKeyEncryption, 0, sizeof(mMasterKeyEncryption));
memset(&mMasterKeyDecryption, 0, sizeof(mMasterKeyDecryption));
}
bool UserState::deleteMasterKey() {
setState(STATE_UNINITIALIZED);
zeroizeMasterKeysInMemory();
return unlink(mMasterKeyFile) == 0 || errno == ENOENT;
}
ResponseCode UserState::initialize(const android::String8& pw, Entropy* entropy) {
if (!generateMasterKey(entropy)) {
return SYSTEM_ERROR;
}
ResponseCode response = writeMasterKey(pw, entropy);
if (response != NO_ERROR) {
return response;
}
setupMasterKeys();
return ::NO_ERROR;
}
ResponseCode UserState::copyMasterKey(UserState* src) {
if (mState != STATE_UNINITIALIZED) {
return ::SYSTEM_ERROR;
}
if (src->getState() != STATE_NO_ERROR) {
return ::SYSTEM_ERROR;
}
memcpy(mMasterKey, src->mMasterKey, MASTER_KEY_SIZE_BYTES);
setupMasterKeys();
return copyMasterKeyFile(src);
}
ResponseCode UserState::copyMasterKeyFile(UserState* src) {
/* Copy the master key file to the new user. Unfortunately we don't have the src user's
* password so we cannot generate a new file with a new salt.
*/
int in = TEMP_FAILURE_RETRY(open(src->getMasterKeyFileName(), O_RDONLY));
if (in < 0) {
return ::SYSTEM_ERROR;
}
blob rawBlob;
size_t length = readFully(in, (uint8_t*)&rawBlob, sizeof(rawBlob));
if (close(in) != 0) {
return ::SYSTEM_ERROR;
}
int out =
TEMP_FAILURE_RETRY(open(mMasterKeyFile, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR));
if (out < 0) {
return ::SYSTEM_ERROR;
}
size_t outLength = writeFully(out, (uint8_t*)&rawBlob, length);
if (close(out) != 0) {
return ::SYSTEM_ERROR;
}
if (outLength != length) {
ALOGW("blob not fully written %zu != %zu", outLength, length);
unlink(mMasterKeyFile);
return ::SYSTEM_ERROR;
}
return ::NO_ERROR;
}
ResponseCode UserState::writeMasterKey(const android::String8& pw, Entropy* entropy) {
uint8_t passwordKey[MASTER_KEY_SIZE_BYTES];
generateKeyFromPassword(passwordKey, MASTER_KEY_SIZE_BYTES, pw, mSalt);
AES_KEY passwordAesKey;
AES_set_encrypt_key(passwordKey, MASTER_KEY_SIZE_BITS, &passwordAesKey);
Blob masterKeyBlob(mMasterKey, sizeof(mMasterKey), mSalt, sizeof(mSalt), TYPE_MASTER_KEY);
return masterKeyBlob.writeBlob(mMasterKeyFile, &passwordAesKey, STATE_NO_ERROR, entropy);
}
ResponseCode UserState::readMasterKey(const android::String8& pw, Entropy* entropy) {
int in = TEMP_FAILURE_RETRY(open(mMasterKeyFile, O_RDONLY));
if (in < 0) {
return SYSTEM_ERROR;
}
// We read the raw blob to just to get the salt to generate the AES key, then we create the Blob
// to use with decryptBlob
blob rawBlob;
size_t length = readFully(in, (uint8_t*)&rawBlob, sizeof(rawBlob));
if (close(in) != 0) {
return SYSTEM_ERROR;
}
// find salt at EOF if present, otherwise we have an old file
uint8_t* salt;
if (length > SALT_SIZE && rawBlob.info == SALT_SIZE) {
salt = (uint8_t*)&rawBlob + length - SALT_SIZE;
} else {
salt = NULL;
}
uint8_t passwordKey[MASTER_KEY_SIZE_BYTES];
generateKeyFromPassword(passwordKey, MASTER_KEY_SIZE_BYTES, pw, salt);
AES_KEY passwordAesKey;
AES_set_decrypt_key(passwordKey, MASTER_KEY_SIZE_BITS, &passwordAesKey);
Blob masterKeyBlob(rawBlob);
ResponseCode response = masterKeyBlob.readBlob(mMasterKeyFile, &passwordAesKey, STATE_NO_ERROR);
if (response == SYSTEM_ERROR) {
return response;
}
if (response == NO_ERROR && masterKeyBlob.getLength() == MASTER_KEY_SIZE_BYTES) {
// If salt was missing, generate one and write a new master key file with the salt.
if (salt == NULL) {
if (!generateSalt(entropy)) {
return SYSTEM_ERROR;
}
response = writeMasterKey(pw, entropy);
}
if (response == NO_ERROR) {
memcpy(mMasterKey, masterKeyBlob.getValue(), MASTER_KEY_SIZE_BYTES);
setupMasterKeys();
}
return response;
}
if (mRetry <= 0) {
reset();
return UNINITIALIZED;
}
--mRetry;
switch (mRetry) {
case 0:
return WRONG_PASSWORD_0;
case 1:
return WRONG_PASSWORD_1;
case 2:
return WRONG_PASSWORD_2;
case 3:
return WRONG_PASSWORD_3;
default:
return WRONG_PASSWORD_3;
}
}
bool UserState::reset() {
DIR* dir = opendir(getUserDirName());
if (!dir) {
// If the directory doesn't exist then nothing to do.
if (errno == ENOENT) {
return true;
}
ALOGW("couldn't open user directory: %s", strerror(errno));
return false;
}
struct dirent* file;
while ((file = readdir(dir)) != NULL) {
// skip . and ..
if (!strcmp(".", file->d_name) || !strcmp("..", file->d_name)) {
continue;
}
unlinkat(dirfd(dir), file->d_name, 0);
}
closedir(dir);
return true;
}
void UserState::generateKeyFromPassword(uint8_t* key, ssize_t keySize, const android::String8& pw,
uint8_t* salt) {
size_t saltSize;
if (salt != NULL) {
saltSize = SALT_SIZE;
} else {
// Pre-gingerbread used this hardwired salt, readMasterKey will rewrite these when found
salt = (uint8_t*)"keystore";
// sizeof = 9, not strlen = 8
saltSize = sizeof("keystore");
}
PKCS5_PBKDF2_HMAC_SHA1(reinterpret_cast<const char*>(pw.string()), pw.length(), salt, saltSize,
8192, keySize, key);
}
bool UserState::generateSalt(Entropy* entropy) {
return entropy->generate_random_data(mSalt, sizeof(mSalt));
}
bool UserState::generateMasterKey(Entropy* entropy) {
if (!entropy->generate_random_data(mMasterKey, sizeof(mMasterKey))) {
return false;
}
if (!generateSalt(entropy)) {
return false;
}
return true;
}
void UserState::setupMasterKeys() {
AES_set_encrypt_key(mMasterKey, MASTER_KEY_SIZE_BITS, &mMasterKeyEncryption);
AES_set_decrypt_key(mMasterKey, MASTER_KEY_SIZE_BITS, &mMasterKeyDecryption);
setState(STATE_NO_ERROR);
}