1 /*
2  * Copyright 2024, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "SharedSecret.h"
18 
19 #include <algorithm>
20 #include <cstring>
21 #include <mutex>
22 #include <vector>
23 
24 #include <openssl/rand.h>
25 
26 #include <KeyMintUtils.h>
27 #include <aidl/android/hardware/security/sharedsecret/BnSharedSecret.h>
28 #include <aidl/android/hardware/security/sharedsecret/SharedSecretParameters.h>
29 #include <android-base/logging.h>
30 #include <keymaster/android_keymaster_messages.h>
31 #include <keymaster/android_keymaster_utils.h>
32 #include <keymaster/km_openssl/ckdf.h>
33 #include <keymaster/km_openssl/hmac.h>
34 
35 namespace aidl::android::hardware::security::sharedsecret {
36 
getSharedSecretParameters(SharedSecretParameters * out_params)37 ::ndk::ScopedAStatus SoftSharedSecret::getSharedSecretParameters(
38         SharedSecretParameters* out_params) {
39     std::lock_guard lock(mutex_);
40     if (seed_.empty()) {
41         seed_.resize(32, 0);
42     }
43     out_params->seed = seed_;
44     if (nonce_.empty()) {
45         nonce_.resize(32, 0);
46         RAND_bytes(nonce_.data(), 32);
47     }
48     out_params->nonce = nonce_;
49     LOG(INFO) << "Presented shared secret parameters with seed size " << out_params->seed.size()
50               << " and nonce size " << out_params->nonce.size();
51     return ::ndk::ScopedAStatus::ok();
52 }
53 
computeSharedSecret(const std::vector<SharedSecretParameters> & params,std::vector<uint8_t> * sharing_check)54 ::ndk::ScopedAStatus SoftSharedSecret::computeSharedSecret(
55         const std::vector<SharedSecretParameters>& params, std::vector<uint8_t>* sharing_check) {
56     std::lock_guard lock(mutex_);
57     LOG(INFO) << "Computing shared secret";
58     // Reimplemented based on SoftKeymasterEnforcement, which does not expose
59     // enough functionality to satisfy the GateKeeper interface
60     keymaster::KeymasterKeyBlob key_agreement_key;
61     if (key_agreement_key.Reset(32) == nullptr) {
62         LOG(ERROR) << "key agreement key memory allocation failed";
63         return keymint::km_utils::kmError2ScopedAStatus(KM_ERROR_MEMORY_ALLOCATION_FAILED);
64     }
65     // Matching:
66     // - kFakeAgreementKey in system/keymaster/km_openssl/soft_keymaster_enforcement.cpp
67     // - Keys::kak in hardware/interfaces/security/keymint/aidl/default/ta/soft.rs
68     std::memset(key_agreement_key.writable_data(), 0, 32);
69     keymaster::KeymasterBlob label((uint8_t*)KEY_AGREEMENT_LABEL, strlen(KEY_AGREEMENT_LABEL));
70     if (label.data == nullptr) {
71         LOG(ERROR) << "label memory allocation failed";
72         return keymint::km_utils::kmError2ScopedAStatus(KM_ERROR_MEMORY_ALLOCATION_FAILED);
73     }
74 
75     static_assert(sizeof(keymaster_blob_t) == sizeof(keymaster::KeymasterBlob));
76 
77     bool found_mine = false;
78     std::vector<keymaster::KeymasterBlob> context_blobs;
79     for (const auto& param : params) {
80         auto& seed_blob = context_blobs.emplace_back();
81         if (seed_blob.Reset(param.seed.size()) == nullptr) {
82             LOG(ERROR) << "seed memory allocation failed";
83             return keymint::km_utils::kmError2ScopedAStatus(KM_ERROR_MEMORY_ALLOCATION_FAILED);
84         }
85         std::copy(param.seed.begin(), param.seed.end(), seed_blob.writable_data());
86         auto& nonce_blob = context_blobs.emplace_back();
87         if (nonce_blob.Reset(param.nonce.size()) == nullptr) {
88             LOG(ERROR) << "Nonce memory allocation failed";
89             return keymint::km_utils::kmError2ScopedAStatus(KM_ERROR_MEMORY_ALLOCATION_FAILED);
90         }
91         std::copy(param.nonce.begin(), param.nonce.end(), nonce_blob.writable_data());
92         if (param.seed == seed_ && param.nonce == nonce_) {
93             found_mine = true;
94         }
95     }
96     if (!found_mine) {
97         LOG(ERROR) << "Did not receive my own shared secret parameter back";
98         return keymint::km_utils::kmError2ScopedAStatus(KM_ERROR_INVALID_ARGUMENT);
99     }
100     auto context_blobs_ptr = reinterpret_cast<keymaster_blob_t*>(context_blobs.data());
101     if (hmac_key_.Reset(32) == nullptr) {
102         LOG(ERROR) << "hmac key allocation failed";
103         return keymint::km_utils::kmError2ScopedAStatus(KM_ERROR_MEMORY_ALLOCATION_FAILED);
104     }
105     auto error = keymaster::ckdf(key_agreement_key, label, context_blobs_ptr, context_blobs.size(),
106                                  &hmac_key_);
107     if (error != KM_ERROR_OK) {
108         LOG(ERROR) << "CKDF failed";
109         return keymint::km_utils::kmError2ScopedAStatus(error);
110     }
111 
112     keymaster::HmacSha256 hmac_impl;
113     if (!hmac_impl.Init(hmac_key_.key_material, hmac_key_.key_material_size)) {
114         LOG(ERROR) << "hmac initialization failed";
115         return ::ndk::ScopedAStatus::fromExceptionCode(EX_ILLEGAL_STATE);
116     }
117     sharing_check->clear();
118     sharing_check->resize(32, 0);
119     if (!hmac_impl.Sign((const uint8_t*)KEY_CHECK_LABEL, strlen(KEY_CHECK_LABEL),
120                         sharing_check->data(), sharing_check->size())) {
121         return ::ndk::ScopedAStatus::fromExceptionCode(EX_ILLEGAL_STATE);
122     }
123     return ::ndk::ScopedAStatus::ok();
124 }
125 
HmacKey() const126 keymaster::KeymasterKeyBlob SoftSharedSecret::HmacKey() const {
127     std::lock_guard lock(mutex_);
128     return hmac_key_;
129 }
130 
131 }  // namespace aidl::android::hardware::security::sharedsecret
132