1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "auth_encrypted_key_blob.h"
18 
19 #include <keymaster/android_keymaster_utils.h>
20 #include <keymaster/authorization_set.h>
21 #include <keymaster/logger.h>
22 
23 #include "ocb_utils.h"
24 
25 namespace keymaster {
26 
27 const uint32_t CURRENT_BLOB_VERSION = 0;
28 
SerializeAuthEncryptedBlob(const KeymasterKeyBlob & encrypted_key_material,const AuthorizationSet & hw_enforced,const AuthorizationSet & sw_enforced,const Buffer & nonce,const Buffer & tag,KeymasterKeyBlob * key_blob)29 keymaster_error_t SerializeAuthEncryptedBlob(const KeymasterKeyBlob& encrypted_key_material,
30                                              const AuthorizationSet& hw_enforced,
31                                              const AuthorizationSet& sw_enforced,
32 
33                                              const Buffer& nonce, const Buffer& tag,
34                                              KeymasterKeyBlob* key_blob) {
35     size_t size = 1 /* version byte */ + nonce.SerializedSize() +
36                   encrypted_key_material.SerializedSize() + tag.SerializedSize() +
37                   hw_enforced.SerializedSize() + sw_enforced.SerializedSize();
38 
39     if (!key_blob->Reset(size))
40         return KM_ERROR_MEMORY_ALLOCATION_FAILED;
41 
42     uint8_t* buf = key_blob->writable_data();
43     const uint8_t* end = key_blob->key_material + key_blob->key_material_size;
44 
45     *buf++ = CURRENT_BLOB_VERSION;
46     buf = nonce.Serialize(buf, end);
47     buf = encrypted_key_material.Serialize(buf, end);
48     buf = tag.Serialize(buf, end);
49     buf = hw_enforced.Serialize(buf, end);
50     buf = sw_enforced.Serialize(buf, end);
51     if (buf != key_blob->key_material + key_blob->key_material_size)
52         return KM_ERROR_UNKNOWN_ERROR;
53 
54     return KM_ERROR_OK;
55 }
56 
DeserializeUnversionedBlob(const KeymasterKeyBlob & key_blob,KeymasterKeyBlob * encrypted_key_material,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced,Buffer * nonce,Buffer * tag)57 static keymaster_error_t DeserializeUnversionedBlob(const KeymasterKeyBlob& key_blob,
58                                                     KeymasterKeyBlob* encrypted_key_material,
59                                                     AuthorizationSet* hw_enforced,
60                                                     AuthorizationSet* sw_enforced, Buffer* nonce,
61                                                     Buffer* tag) {
62     const uint8_t* tmp = key_blob.key_material;
63     const uint8_t** buf_ptr = &tmp;
64     const uint8_t* end = tmp + key_blob.key_material_size;
65 
66     if (!nonce->reserve(OCB_NONCE_LENGTH) || !tag->reserve(OCB_TAG_LENGTH))
67         return KM_ERROR_MEMORY_ALLOCATION_FAILED;
68 
69     if (!copy_from_buf(buf_ptr, end, nonce->peek_write(), OCB_NONCE_LENGTH) ||
70         !encrypted_key_material->Deserialize(buf_ptr, end) ||
71         !copy_from_buf(buf_ptr, end, tag->peek_write(), OCB_TAG_LENGTH) ||
72         !hw_enforced->Deserialize(buf_ptr, end) ||  //
73         !sw_enforced->Deserialize(buf_ptr, end)) {
74         LOG_D("Failed to deserialize unversioned blob (may be a HW-backed key)", 0);
75         return KM_ERROR_INVALID_KEY_BLOB;
76     }
77     if (!nonce->advance_write(OCB_NONCE_LENGTH) || !tag->advance_write(OCB_TAG_LENGTH))
78         return KM_ERROR_UNKNOWN_ERROR;
79     return KM_ERROR_OK;
80 }
81 
DeserializeAuthEncryptedBlob(const KeymasterKeyBlob & key_blob,KeymasterKeyBlob * encrypted_key_material,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced,Buffer * nonce,Buffer * tag)82 keymaster_error_t DeserializeAuthEncryptedBlob(const KeymasterKeyBlob& key_blob,
83                                                KeymasterKeyBlob* encrypted_key_material,
84                                                AuthorizationSet* hw_enforced,
85                                                AuthorizationSet* sw_enforced, Buffer* nonce,
86                                                Buffer* tag) {
87     if (!key_blob.key_material || key_blob.key_material_size == 0)
88         return KM_ERROR_INVALID_KEY_BLOB;
89 
90     const uint8_t* tmp = key_blob.key_material;
91     const uint8_t** buf_ptr = &tmp;
92     const uint8_t* end = tmp + key_blob.key_material_size;
93 
94     if (end <= *buf_ptr)
95         return KM_ERROR_INVALID_KEY_BLOB;
96 
97     uint8_t version = *(*buf_ptr)++;
98     if (version != CURRENT_BLOB_VERSION ||  //
99         !nonce->Deserialize(buf_ptr, end) || nonce->available_read() != OCB_NONCE_LENGTH ||
100         !encrypted_key_material->Deserialize(buf_ptr, end) ||  //
101         !tag->Deserialize(buf_ptr, end) || tag->available_read() != OCB_TAG_LENGTH ||
102         !hw_enforced->Deserialize(buf_ptr, end) ||  //
103         !sw_enforced->Deserialize(buf_ptr, end)) {
104         // This blob failed to parse.  Either it's corrupted or it's a blob generated by an earlier
105         // version of keymaster using a previous blob format which did not include the version byte
106         // or the nonce or tag length fields.  So we try to parse it as that previous version.
107         //
108         // Note that it's not really a problem if we erronously parse a corrupted blob, because
109         // decryption will fail the authentication check.
110         //
111         // A bigger potential problem is: What if a valid unversioned blob appears to parse
112         // correctly as a versioned blob?  It would then be rejected during decryption, causing a
113         // valid key to become unusable.  If this is a disk encryption key, upgrading to a keymaster
114         // version with the new format would destroy the user's data.
115         //
116         // What is the probability that an unversioned key could be successfully parsed as a version
117         // 0 key?  The first 12 bytes of an unversioned key are the nonce, which, in the only
118         // keymaster version released with unversioned keys, is chosen randomly.  In order for an
119         // unversioned key to parse as a version 0 key, the following must be true about the first
120         // five of those random bytes:
121         //
122         // 1.  The first byte must be zero.  This will happen with probability 1/2^8.
123         //
124         // 2.  The second through fifth bytes must contain an unsigned integer value equal to
125         //     NONCE_LENGTH.  This will happen with probability 1/2^32.
126         //
127         // Based on those two checks alone, the probability of interpreting an unversioned blob as a
128         // version 0 blob is 1/2^40.  That's small enough to be negligible, but there are additional
129         // checks which lower it further.
130         LOG_D("Failed to deserialize versioned key blob.  Assuming unversioned.", 0);
131         return DeserializeUnversionedBlob(key_blob, encrypted_key_material, hw_enforced,
132                                           sw_enforced, nonce, tag);
133     }
134     return KM_ERROR_OK;
135 }
136 
137 }  // namespace keymaster
138