1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "keystore"
18 
19 #include <arpa/inet.h>
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <string.h>
23 
24 #include <cutils/log.h>
25 
26 #include "blob.h"
27 #include "entropy.h"
28 
29 #include "keystore_utils.h"
30 
31 namespace {
32 
33 constexpr size_t kGcmIvSizeBytes = 96 / 8;
34 
35 template <typename T, void (*FreeFunc)(T*)> struct OpenSslObjectDeleter {
36     void operator()(T* p) { FreeFunc(p); }
37 };
38 
39 #define DEFINE_OPENSSL_OBJECT_POINTER(name)                                                        \
40     typedef OpenSslObjectDeleter<name, name##_free> name##_Delete;                                 \
41     typedef std::unique_ptr<name, name##_Delete> name##_Ptr;
42 
43 DEFINE_OPENSSL_OBJECT_POINTER(EVP_CIPHER_CTX);
44 
45 #if defined(__clang__)
46 #define OPTNONE __attribute__((optnone))
47 #elif defined(__GNUC__)
48 #define OPTNONE __attribute__((optimize("O0")))
49 #else
50 #error Need a definition for OPTNONE
51 #endif
52 
53 class ArrayEraser {
54   public:
55     ArrayEraser(uint8_t* arr, size_t size) : mArr(arr), mSize(size) {}
56     OPTNONE ~ArrayEraser() { std::fill(mArr, mArr + mSize, 0); }
57 
58   private:
59     volatile uint8_t* mArr;
60     size_t mSize;
61 };
62 
63 /*
64  * Encrypt 'len' data at 'in' with AES-GCM, using 128-bit key at 'key', 96-bit IV at 'iv' and write
65  * output to 'out' (which may be the same location as 'in') and 128-bit tag to 'tag'.
66  */
67 ResponseCode AES_gcm_encrypt(const uint8_t* in, uint8_t* out, size_t len, const uint8_t* key,
68                              const uint8_t* iv, uint8_t* tag) {
69     const EVP_CIPHER* cipher = EVP_aes_128_gcm();
70     EVP_CIPHER_CTX_Ptr ctx(EVP_CIPHER_CTX_new());
71 
72     EVP_EncryptInit_ex(ctx.get(), cipher, nullptr /* engine */, key, iv);
73     EVP_CIPHER_CTX_set_padding(ctx.get(), 0 /* no padding needed with GCM */);
74 
75     std::unique_ptr<uint8_t[]> out_tmp(new uint8_t[len]);
76     uint8_t* out_pos = out_tmp.get();
77     int out_len;
78 
79     EVP_EncryptUpdate(ctx.get(), out_pos, &out_len, in, len);
80     out_pos += out_len;
81     EVP_EncryptFinal_ex(ctx.get(), out_pos, &out_len);
82     out_pos += out_len;
83     if (out_pos - out_tmp.get() != static_cast<ssize_t>(len)) {
84         ALOGD("Encrypted ciphertext is the wrong size, expected %zu, got %zd", len,
85               out_pos - out_tmp.get());
86         return ResponseCode::SYSTEM_ERROR;
87     }
88 
89     std::copy(out_tmp.get(), out_pos, out);
90     EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, kGcmTagLength, tag);
91 
92     return ResponseCode::NO_ERROR;
93 }
94 
95 /*
96  * Decrypt 'len' data at 'in' with AES-GCM, using 128-bit key at 'key', 96-bit IV at 'iv', checking
97  * 128-bit tag at 'tag' and writing plaintext to 'out' (which may be the same location as 'in').
98  */
99 ResponseCode AES_gcm_decrypt(const uint8_t* in, uint8_t* out, size_t len, const uint8_t* key,
100                              const uint8_t* iv, const uint8_t* tag) {
101     const EVP_CIPHER* cipher = EVP_aes_128_gcm();
102     EVP_CIPHER_CTX_Ptr ctx(EVP_CIPHER_CTX_new());
103 
104     EVP_DecryptInit_ex(ctx.get(), cipher, nullptr /* engine */, key, iv);
105     EVP_CIPHER_CTX_set_padding(ctx.get(), 0 /* no padding needed with GCM */);
106     EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, kGcmTagLength, const_cast<uint8_t*>(tag));
107 
108     std::unique_ptr<uint8_t[]> out_tmp(new uint8_t[len]);
109     ArrayEraser out_eraser(out_tmp.get(), len);
110     uint8_t* out_pos = out_tmp.get();
111     int out_len;
112 
113     EVP_DecryptUpdate(ctx.get(), out_pos, &out_len, in, len);
114     out_pos += out_len;
115     if (!EVP_DecryptFinal_ex(ctx.get(), out_pos, &out_len)) {
116         ALOGD("Failed to decrypt blob; ciphertext or tag is likely corrupted");
117         return ResponseCode::VALUE_CORRUPTED;
118     }
119     out_pos += out_len;
120     if (out_pos - out_tmp.get() != static_cast<ssize_t>(len)) {
121         ALOGD("Encrypted plaintext is the wrong size, expected %zu, got %zd", len,
122               out_pos - out_tmp.get());
123         return ResponseCode::VALUE_CORRUPTED;
124     }
125 
126     std::copy(out_tmp.get(), out_pos, out);
127 
128     return ResponseCode::NO_ERROR;
129 }
130 
131 }  // namespace
132 
133 Blob::Blob(const uint8_t* value, size_t valueLength, const uint8_t* info, uint8_t infoLength,
134            BlobType type) {
135     memset(&mBlob, 0, sizeof(mBlob));
136     if (valueLength > kValueSize) {
137         valueLength = kValueSize;
138         ALOGW("Provided blob length too large");
139     }
140     if (infoLength + valueLength > kValueSize) {
141         infoLength = kValueSize - valueLength;
142         ALOGW("Provided info length too large");
143     }
144     mBlob.length = valueLength;
145     memcpy(mBlob.value, value, valueLength);
146 
147     mBlob.info = infoLength;
148     memcpy(mBlob.value + valueLength, info, infoLength);
149 
150     mBlob.version = CURRENT_BLOB_VERSION;
151     mBlob.type = uint8_t(type);
152 
153     if (type == TYPE_MASTER_KEY) {
154         mBlob.flags = KEYSTORE_FLAG_ENCRYPTED;
155     } else {
156         mBlob.flags = KEYSTORE_FLAG_NONE;
157     }
158 }
159 
160 Blob::Blob(blobv3 b) {
161     mBlob = b;
162 }
163 
164 Blob::Blob() {
165     memset(&mBlob, 0, sizeof(mBlob));
166 }
167 
168 bool Blob::isEncrypted() const {
169     if (mBlob.version < 2) {
170         return true;
171     }
172 
173     return mBlob.flags & KEYSTORE_FLAG_ENCRYPTED;
174 }
175 
176 bool Blob::isSuperEncrypted() const {
177     return mBlob.flags & KEYSTORE_FLAG_SUPER_ENCRYPTED;
178 }
179 
180 bool Blob::isCriticalToDeviceEncryption() const {
181     return mBlob.flags & KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION;
182 }
183 
184 inline uint8_t setFlag(uint8_t flags, bool set, KeyStoreFlag flag) {
185     return set ? (flags | flag) : (flags & ~flag);
186 }
187 
188 void Blob::setEncrypted(bool encrypted) {
189     mBlob.flags = setFlag(mBlob.flags, encrypted, KEYSTORE_FLAG_ENCRYPTED);
190 }
191 
192 void Blob::setSuperEncrypted(bool superEncrypted) {
193     mBlob.flags = setFlag(mBlob.flags, superEncrypted, KEYSTORE_FLAG_SUPER_ENCRYPTED);
194 }
195 
196 void Blob::setCriticalToDeviceEncryption(bool critical) {
197     mBlob.flags = setFlag(mBlob.flags, critical, KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION);
198 }
199 
200 void Blob::setFallback(bool fallback) {
201     if (fallback) {
202         mBlob.flags |= KEYSTORE_FLAG_FALLBACK;
203     } else {
204         mBlob.flags &= ~KEYSTORE_FLAG_FALLBACK;
205     }
206 }
207 
208 ResponseCode Blob::writeBlob(const std::string& filename, const uint8_t* aes_key, State state,
209                              Entropy* entropy) {
210     ALOGV("writing blob %s", filename.c_str());
211 
212     const size_t dataLength = mBlob.length;
213     mBlob.length = htonl(mBlob.length);
214 
215     if (isEncrypted() || isSuperEncrypted()) {
216         if (state != STATE_NO_ERROR) {
217             ALOGD("couldn't insert encrypted blob while not unlocked");
218             return ResponseCode::LOCKED;
219         }
220 
221         memset(mBlob.initialization_vector, 0, AES_BLOCK_SIZE);
222         if (!entropy->generate_random_data(mBlob.initialization_vector, kGcmIvSizeBytes)) {
223             ALOGW("Could not read random data for: %s", filename.c_str());
224             return ResponseCode::SYSTEM_ERROR;
225         }
226 
227         auto rc = AES_gcm_encrypt(mBlob.value /* in */, mBlob.value /* out */, dataLength, aes_key,
228                                   mBlob.initialization_vector, mBlob.aead_tag);
229         if (rc != ResponseCode::NO_ERROR) return rc;
230     }
231 
232     size_t fileLength = offsetof(blobv3, value) + dataLength + mBlob.info;
233 
234     const char* tmpFileName = ".tmp";
235     int out =
236         TEMP_FAILURE_RETRY(open(tmpFileName, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR));
237     if (out < 0) {
238         ALOGW("could not open file: %s: %s", tmpFileName, strerror(errno));
239         return ResponseCode::SYSTEM_ERROR;
240     }
241 
242     const size_t writtenBytes = writeFully(out, (uint8_t*)&mBlob, fileLength);
243     if (close(out) != 0) {
244         return ResponseCode::SYSTEM_ERROR;
245     }
246     if (writtenBytes != fileLength) {
247         ALOGW("blob not fully written %zu != %zu", writtenBytes, fileLength);
248         unlink(tmpFileName);
249         return ResponseCode::SYSTEM_ERROR;
250     }
251     if (rename(tmpFileName, filename.c_str()) == -1) {
252         ALOGW("could not rename blob to %s: %s", filename.c_str(), strerror(errno));
253         return ResponseCode::SYSTEM_ERROR;
254     }
255     return ResponseCode::NO_ERROR;
256 }
257 
258 ResponseCode Blob::readBlob(const std::string& filename, const uint8_t* aes_key, State state) {
259     ALOGV("reading blob %s", filename.c_str());
260     const int in = TEMP_FAILURE_RETRY(open(filename.c_str(), O_RDONLY));
261     if (in < 0) {
262         return (errno == ENOENT) ? ResponseCode::KEY_NOT_FOUND : ResponseCode::SYSTEM_ERROR;
263     }
264 
265     // fileLength may be less than sizeof(mBlob)
266     const size_t fileLength = readFully(in, (uint8_t*)&mBlob, sizeof(mBlob));
267     if (close(in) != 0) {
268         return ResponseCode::SYSTEM_ERROR;
269     }
270 
271     if (fileLength == 0) {
272         return ResponseCode::VALUE_CORRUPTED;
273     }
274 
275     if ((isEncrypted() || isSuperEncrypted())) {
276         if (state == STATE_LOCKED) return ResponseCode::LOCKED;
277         if (state == STATE_UNINITIALIZED) return ResponseCode::UNINITIALIZED;
278     }
279 
280     if (fileLength < offsetof(blobv3, value)) return ResponseCode::VALUE_CORRUPTED;
281 
282     if (mBlob.version == 3) {
283         const ssize_t encryptedLength = ntohl(mBlob.length);
284 
285         if (isEncrypted() || isSuperEncrypted()) {
286             auto rc = AES_gcm_decrypt(mBlob.value /* in */, mBlob.value /* out */, encryptedLength,
287                                       aes_key, mBlob.initialization_vector, mBlob.aead_tag);
288             if (rc != ResponseCode::NO_ERROR) return rc;
289         }
290     } else if (mBlob.version < 3) {
291         blobv2& blob = reinterpret_cast<blobv2&>(mBlob);
292         const size_t headerLength = offsetof(blobv2, encrypted);
293         const ssize_t encryptedLength = fileLength - headerLength - blob.info;
294         if (encryptedLength < 0) return ResponseCode::VALUE_CORRUPTED;
295 
296         if (isEncrypted() || isSuperEncrypted()) {
297             if (encryptedLength % AES_BLOCK_SIZE != 0) {
298                 return ResponseCode::VALUE_CORRUPTED;
299             }
300 
301             AES_KEY key;
302             AES_set_decrypt_key(aes_key, kAesKeySize * 8, &key);
303             AES_cbc_encrypt(blob.encrypted, blob.encrypted, encryptedLength, &key, blob.vector,
304                             AES_DECRYPT);
305             key = {};  // clear key
306 
307             uint8_t computedDigest[MD5_DIGEST_LENGTH];
308             ssize_t digestedLength = encryptedLength - MD5_DIGEST_LENGTH;
309             MD5(blob.digested, digestedLength, computedDigest);
310             if (memcmp(blob.digest, computedDigest, MD5_DIGEST_LENGTH) != 0) {
311                 return ResponseCode::VALUE_CORRUPTED;
312             }
313         }
314     }
315 
316     const ssize_t maxValueLength = fileLength - offsetof(blobv3, value) - mBlob.info;
317     mBlob.length = ntohl(mBlob.length);
318     if (mBlob.length < 0 || mBlob.length > maxValueLength ||
319         mBlob.length + mBlob.info + AES_BLOCK_SIZE > static_cast<ssize_t>(sizeof(mBlob.value))) {
320         return ResponseCode::VALUE_CORRUPTED;
321     }
322 
323     if (mBlob.info != 0 && mBlob.version < 3) {
324         // move info from after padding to after data
325         memmove(mBlob.value + mBlob.length, mBlob.value + maxValueLength, mBlob.info);
326     }
327 
328     return ResponseCode::NO_ERROR;
329 }
330 
331 keystore::SecurityLevel Blob::getSecurityLevel() const {
332     return keystore::flagsToSecurityLevel(mBlob.flags);
333 }
334 
335 void Blob::setSecurityLevel(keystore::SecurityLevel secLevel) {
336     mBlob.flags &= ~(KEYSTORE_FLAG_FALLBACK | KEYSTORE_FLAG_STRONGBOX);
337     mBlob.flags |= keystore::securityLevelToFlags(secLevel);
338 }
339