tequilaOS/platform_system_vold
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Clang-format Keymaster.{cpp|h} and KeyStorage.{cpp|h}

Browse source 
Test: Build & boot
Change-Id: I92bb107409f493770028cf6fd637d34af7644262
This commit is contained in:
Shawn Willden 2018-01-20 09:37:36 -07:00
parent 71cd43f434
commit 785365b2f7
3 changed files with 73 additions and 84 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

69
KeyStorage.cpp
View file

@ -41,7 +41,6 @@
#include <hardware/hw_auth_token.h> #include <hardware/hw_auth_token.h>
extern "C" { extern "C" {
#include "crypto_scrypt.h" #include "crypto_scrypt.h"
@ -131,8 +130,7 @@ static bool generateKeymasterKey(Keymaster& keymaster, const KeyAuthentication&
return keymaster.generateKey(paramBuilder, key); return keymaster.generateKey(paramBuilder, key);
} }
static AuthorizationSet beginParams(const KeyAuthentication& auth, static AuthorizationSet beginParams(const KeyAuthentication& auth, const std::string& appId) {
const std::string& appId) {
auto paramBuilder = AuthorizationSetBuilder() auto paramBuilder = AuthorizationSetBuilder()
.Authorization(TAG_BLOCK_MODE, BlockMode::GCM) .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
.Authorization(TAG_MAC_LENGTH, GCM_MAC_BYTES * 8) .Authorization(TAG_MAC_LENGTH, GCM_MAC_BYTES * 8)
@ -204,10 +202,8 @@ bool readSecdiscardable(const std::string& filename, std::string* hash) {
return true; return true;
} }
static KeymasterOperation begin(Keymaster& keymaster, const std::string& dir, static KeymasterOperation begin(Keymaster& keymaster, const std::string& dir, KeyPurpose purpose,
KeyPurpose purpose, const AuthorizationSet& keyParams, const AuthorizationSet& opParams,
const AuthorizationSet &keyParams,
const AuthorizationSet &opParams,
AuthorizationSet* outParams) { AuthorizationSet* outParams) {
auto kmKeyPath = dir + "/" + kFn_keymaster_key_blob; auto kmKeyPath = dir + "/" + kFn_keymaster_key_blob;
std::string kmKey; std::string kmKey;
@ -238,8 +234,8 @@ static KeymasterOperation begin(Keymaster& keymaster, const std::string& dir,
} }
static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir, static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
const AuthorizationSet &keyParams, const AuthorizationSet& keyParams, const KeyBuffer& message,
const KeyBuffer& message, std::string* ciphertext) { std::string* ciphertext) {
AuthorizationSet opParams; AuthorizationSet opParams;
AuthorizationSet outParams; AuthorizationSet outParams;
auto opHandle = begin(keymaster, dir, KeyPurpose::ENCRYPT, keyParams, opParams, &outParams); auto opHandle = begin(keymaster, dir, KeyPurpose::ENCRYPT, keyParams, opParams, &outParams);
@ -250,7 +246,8 @@ static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir
return false; return false;
} }
// nonceBlob here is just a pointer into existing data, must not be freed // nonceBlob here is just a pointer into existing data, must not be freed
std::string nonce(reinterpret_cast<const char*>(&nonceBlob.value()[0]), nonceBlob.value().size()); std::string nonce(reinterpret_cast<const char*>(&nonceBlob.value()[0]),
nonceBlob.value().size());
if (!checkSize("nonce", nonce.size(), GCM_NONCE_BYTES)) return false; if (!checkSize("nonce", nonce.size(), GCM_NONCE_BYTES)) return false;
std::string body; std::string body;
if (!opHandle.updateCompletely(message, &body)) return false; if (!opHandle.updateCompletely(message, &body)) return false;
@ -267,8 +264,7 @@ static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir
const std::string& ciphertext, KeyBuffer* message) { const std::string& ciphertext, KeyBuffer* message) {
auto nonce = ciphertext.substr(0, GCM_NONCE_BYTES); auto nonce = ciphertext.substr(0, GCM_NONCE_BYTES);
auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES); auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES);
auto opParams = AuthorizationSetBuilder() auto opParams = AuthorizationSetBuilder().Authorization(TAG_NONCE, blob2hidlVec(nonce));
.Authorization(TAG_NONCE, blob2hidlVec(nonce));
auto opHandle = begin(keymaster, dir, KeyPurpose::DECRYPT, keyParams, opParams, nullptr); auto opHandle = begin(keymaster, dir, KeyPurpose::DECRYPT, keyParams, opParams, nullptr);
if (!opHandle) return false; if (!opHandle) return false;
if (!opHandle.updateCompletely(bodyAndMac, message)) return false; if (!opHandle.updateCompletely(bodyAndMac, message)) return false;
@ -313,9 +309,9 @@ static bool stretchSecret(const std::string& stretching, const std::string& secr
} }
stretched->assign(STRETCHED_BYTES, '\0'); stretched->assign(STRETCHED_BYTES, '\0');
if (crypto_scrypt(reinterpret_cast<const uint8_t*>(secret.data()), secret.size(), if (crypto_scrypt(reinterpret_cast<const uint8_t*>(secret.data()), secret.size(),
reinterpret_cast<const uint8_t*>(salt.data()), salt.size(), reinterpret_cast<const uint8_t*>(salt.data()), salt.size(), 1 << Nf,
1 << Nf, 1 << rf, 1 << pf, 1 << rf, 1 << pf, reinterpret_cast<uint8_t*>(&(*stretched)[0]),
reinterpret_cast<uint8_t*>(&(*stretched)[0]), stretched->size()) != 0) { stretched->size()) != 0) {
LOG(ERROR) << "scrypt failed with params: " << stretching; LOG(ERROR) << "scrypt failed with params: " << stretching;
return false; return false;
} }
@ -339,8 +335,8 @@ static void logOpensslError() {
LOG(ERROR) << "Openssl error: " << ERR_get_error(); LOG(ERROR) << "Openssl error: " << ERR_get_error();
} }
static bool encryptWithoutKeymaster(const std::string& preKey, static bool encryptWithoutKeymaster(const std::string& preKey, const KeyBuffer& plaintext,
const KeyBuffer& plaintext, std::string* ciphertext) { std::string* ciphertext) {
std::string key; std::string key;
hashWithPrefix(kHashPrefix_keygen, preKey, &key); hashWithPrefix(kHashPrefix_keygen, preKey, &key);
key.resize(AES_KEY_BYTES); key.resize(AES_KEY_BYTES);
@ -359,9 +355,9 @@ static bool encryptWithoutKeymaster(const std::string& preKey,
} }
ciphertext->resize(GCM_NONCE_BYTES + plaintext.size() + GCM_MAC_BYTES); ciphertext->resize(GCM_NONCE_BYTES + plaintext.size() + GCM_MAC_BYTES);
int outlen; int outlen;
if (1 != EVP_EncryptUpdate(ctx.get(), if (1 != EVP_EncryptUpdate(
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES), &outlen, ctx.get(), reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES),
reinterpret_cast<const uint8_t*>(plaintext.data()), plaintext.size())) { &outlen, reinterpret_cast<const uint8_t*>(plaintext.data()), plaintext.size())) {
logOpensslError(); logOpensslError();
return false; return false;
} }
@ -369,8 +365,10 @@ static bool encryptWithoutKeymaster(const std::string& preKey,
LOG(ERROR) << "GCM ciphertext length should be " << plaintext.size() << " was " << outlen; LOG(ERROR) << "GCM ciphertext length should be " << plaintext.size() << " was " << outlen;
return false; return false;
} }
if (1 != EVP_EncryptFinal_ex(ctx.get(), if (1 != EVP_EncryptFinal_ex(
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES + plaintext.size()), &outlen)) { ctx.get(),
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES + plaintext.size()),
&outlen)) {
logOpensslError(); logOpensslError();
return false; return false;
} }
@ -379,15 +377,16 @@ static bool encryptWithoutKeymaster(const std::string& preKey,
return false; return false;
} }
if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, GCM_MAC_BYTES, if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, GCM_MAC_BYTES,
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES + plaintext.size()))) { reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES +
plaintext.size()))) {
logOpensslError(); logOpensslError();
return false; return false;
} }
return true; return true;
} }
static bool decryptWithoutKeymaster(const std::string& preKey, static bool decryptWithoutKeymaster(const std::string& preKey, const std::string& ciphertext,
const std::string& ciphertext, KeyBuffer* plaintext) { KeyBuffer* plaintext) {
if (ciphertext.size() < GCM_NONCE_BYTES + GCM_MAC_BYTES) { if (ciphertext.size() < GCM_NONCE_BYTES + GCM_MAC_BYTES) {
LOG(ERROR) << "GCM ciphertext too small: " << ciphertext.size(); LOG(ERROR) << "GCM ciphertext too small: " << ciphertext.size();
return false; return false;
@ -409,9 +408,9 @@ static bool decryptWithoutKeymaster(const std::string& preKey,
} }
*plaintext = KeyBuffer(ciphertext.size() - GCM_NONCE_BYTES - GCM_MAC_BYTES); *plaintext = KeyBuffer(ciphertext.size() - GCM_NONCE_BYTES - GCM_MAC_BYTES);
int outlen; int outlen;
if (1 != EVP_DecryptUpdate(ctx.get(), if (1 != EVP_DecryptUpdate(ctx.get(), reinterpret_cast<uint8_t*>(&(*plaintext)[0]), &outlen,
reinterpret_cast<uint8_t*>(&(*plaintext)[0]), &outlen, reinterpret_cast<const uint8_t*>(ciphertext.data() + GCM_NONCE_BYTES),
reinterpret_cast<const uint8_t*>(ciphertext.data() + GCM_NONCE_BYTES), plaintext->size())) { plaintext->size())) {
logOpensslError(); logOpensslError();
return false; return false;
} }
@ -420,13 +419,14 @@ static bool decryptWithoutKeymaster(const std::string& preKey,
return false; return false;
} }
if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, GCM_MAC_BYTES, if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, GCM_MAC_BYTES,
const_cast<void *>( const_cast<void*>(reinterpret_cast<const void*>(
reinterpret_cast<const void*>(ciphertext.data() + GCM_NONCE_BYTES + plaintext->size())))) { ciphertext.data() + GCM_NONCE_BYTES + plaintext->size())))) {
logOpensslError(); logOpensslError();
return false; return false;
} }
if (1 != EVP_DecryptFinal_ex(ctx.get(), if (1 != EVP_DecryptFinal_ex(ctx.get(),
reinterpret_cast<uint8_t*>(&(*plaintext)[0] + plaintext->size()), &outlen)) { reinterpret_cast<uint8_t*>(&(*plaintext)[0] + plaintext->size()),
&outlen)) {
logOpensslError(); logOpensslError();
return false; return false;
} }
@ -519,7 +519,8 @@ bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffe
Keymaster keymaster; Keymaster keymaster;
if (!keymaster) return false; if (!keymaster) return false;
auto keyParams = beginParams(auth, appId); auto keyParams = beginParams(auth, appId);
if (!decryptWithKeymasterKey(keymaster, dir, keyParams, encryptedMessage, key)) return false; if (!decryptWithKeymasterKey(keymaster, dir, keyParams, encryptedMessage, key))
return false;
} else { } else {
if (!decryptWithoutKeymaster(appId, encryptedMessage, key)) return false; if (!decryptWithoutKeymaster(appId, encryptedMessage, key)) return false;
} }
@ -536,9 +537,7 @@ static bool deleteKey(const std::string& dir) {
} }
bool runSecdiscardSingle(const std::string& file) { bool runSecdiscardSingle(const std::string& file) {
if (ForkExecvp( if (ForkExecvp(std::vector<std::string>{kSecdiscardPath, "--", file}) != 0) {
std::vector<std::string>{kSecdiscardPath, "--",
file}) != 0) {
LOG(ERROR) << "secdiscard failed"; LOG(ERROR) << "secdiscard failed";
return false; return false;
} }

24
Keymaster.cpp
View file

@ -75,8 +75,7 @@ bool KeymasterOperation::finish(std::string* output) {
const hidl_vec<uint8_t>& _output) { const hidl_vec<uint8_t>& _output) {
km_error = ret; km_error = ret;
if (km_error != ErrorCode::OK) return; if (km_error != ErrorCode::OK) return;
if (output) if (output) output->assign(reinterpret_cast<const char*>(&_output[0]), _output.size());
output->assign(reinterpret_cast<const char*>(&_output[0]), _output.size());
}; };
auto error = mDevice->finish(mOpHandle, hidl_vec<KeyParameter>(), hidl_vec<uint8_t>(), auto error = mDevice->finish(mOpHandle, hidl_vec<KeyParameter>(), hidl_vec<uint8_t>(),
hidl_vec<uint8_t>(), hidlCb); hidl_vec<uint8_t>(), hidlCb);
@ -102,8 +101,7 @@ bool Keymaster::generateKey(const AuthorizationSet& inParams, std::string* key)
const KeyCharacteristics& /*ignored*/) { const KeyCharacteristics& /*ignored*/) {
km_error = ret; km_error = ret;
if (km_error != ErrorCode::OK) return; if (km_error != ErrorCode::OK) return;
if (key) if (key) key->assign(reinterpret_cast<const char*>(&keyBlob[0]), keyBlob.size());
key->assign(reinterpret_cast<const char*>(&keyBlob[0]), keyBlob.size());
}; };
auto error = mDevice->generateKey(inParams.hidl_data(), hidlCb); auto error = mDevice->generateKey(inParams.hidl_data(), hidlCb);
@ -156,8 +154,7 @@ bool Keymaster::upgradeKey(const std::string& oldKey, const AuthorizationSet& in
} }
KeymasterOperation Keymaster::begin(KeyPurpose purpose, const std::string& key, KeymasterOperation Keymaster::begin(KeyPurpose purpose, const std::string& key,
const AuthorizationSet& inParams, const AuthorizationSet& inParams, AuthorizationSet* outParams) {
AuthorizationSet* outParams) {
auto keyBlob = blob2hidlVec(key); auto keyBlob = blob2hidlVec(key);
uint64_t mOpHandle; uint64_t mOpHandle;
ErrorCode km_error; ErrorCode km_error;
@ -166,8 +163,7 @@ KeymasterOperation Keymaster::begin(KeyPurpose purpose, const std::string& key,
uint64_t operationHandle) { uint64_t operationHandle) {
km_error = ret; km_error = ret;
if (km_error != ErrorCode::OK) return; if (km_error != ErrorCode::OK) return;
if (outParams) if (outParams) *outParams = _outParams;
*outParams = _outParams;
mOpHandle = operationHandle; mOpHandle = operationHandle;
}; };
@ -184,9 +180,9 @@ KeymasterOperation Keymaster::begin(KeyPurpose purpose, const std::string& key,
} }
bool Keymaster::isSecure() { bool Keymaster::isSecure() {
bool _isSecure = false; bool _isSecure = false;
auto rc = mDevice->getHardwareFeatures( auto rc =
[&] (bool isSecure, bool, bool, bool, bool, const hidl_string&, const hidl_string&) { mDevice->getHardwareFeatures([&](bool isSecure, bool, bool, bool, bool, const hidl_string&,
_isSecure = isSecure; }); const hidl_string&) { _isSecure = isSecure; });
return rc.isOk() && _isSecure; return rc.isOk() && _isSecure;
} }
@ -298,7 +294,8 @@ KeymasterSignResult keymaster_sign_object_for_cryptfs_scrypt(
if (op.errorCode() == ErrorCode::KEY_RATE_LIMIT_EXCEEDED) { if (op.errorCode() == ErrorCode::KEY_RATE_LIMIT_EXCEEDED) {
sleep(ratelimit); sleep(ratelimit);
continue; continue;
} else break; } else
break;
} }
if (op.errorCode() == ErrorCode::KEY_REQUIRES_UPGRADE) { if (op.errorCode() == ErrorCode::KEY_REQUIRES_UPGRADE) {
@ -318,7 +315,8 @@ KeymasterSignResult keymaster_sign_object_for_cryptfs_scrypt(
} }
if (!op.finish(&output)) { if (!op.finish(&output)) {
LOG(ERROR) << "Error finalizing keymaster signature transaction: " << int32_t(op.errorCode()); LOG(ERROR) << "Error finalizing keymaster signature transaction: "
<< int32_t(op.errorCode());
return KeymasterSignResult::error; return KeymasterSignResult::error;
} }

20
Keymaster.h
View file

@ -23,8 +23,8 @@
#include <string> #include <string>
#include <utility> #include <utility>
#include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
#include <android-base/macros.h> #include <android-base/macros.h>
#include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
#include "authorization_set.h" #include "authorization_set.h"
@ -69,9 +69,7 @@ class KeymasterOperation {
mError = std::move(rhs.mError); mError = std::move(rhs.mError);
} }
// Construct an object in an error state for error returns // Construct an object in an error state for error returns
KeymasterOperation() KeymasterOperation() : mDevice{nullptr}, mOpHandle{0}, mError{ErrorCode::UNKNOWN_ERROR} {}
: mDevice{nullptr}, mOpHandle{0},
mError {ErrorCode::UNKNOWN_ERROR} {}
// Move Assignment // Move Assignment
KeymasterOperation& operator=(KeymasterOperation&& rhs) { KeymasterOperation& operator=(KeymasterOperation&& rhs) {
mDevice = std::move(rhs.mDevice); mDevice = std::move(rhs.mDevice);
@ -85,9 +83,7 @@ class KeymasterOperation {
private: private:
KeymasterOperation(const sp<IKeymasterDevice>& d, uint64_t h) KeymasterOperation(const sp<IKeymasterDevice>& d, uint64_t h)
: mDevice{d}, mOpHandle{h}, mError{ErrorCode::OK} {} : mDevice{d}, mOpHandle{h}, mError{ErrorCode::OK} {}
KeymasterOperation(ErrorCode error) KeymasterOperation(ErrorCode error) : mDevice{nullptr}, mOpHandle{0}, mError{error} {}
: mDevice{nullptr}, mOpHandle{0},
mError {error} {}
bool updateCompletely(const char* input, size_t inputLen, bool updateCompletely(const char* input, size_t inputLen,
const std::function<void(const char*, size_t)> consumer); const std::function<void(const char*, size_t)> consumer);
@ -146,12 +142,9 @@ enum class KeymasterSignResult {
}; };
int keymaster_compatibility_cryptfs_scrypt(); int keymaster_compatibility_cryptfs_scrypt();
int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
uint64_t rsa_exponent, uint32_t ratelimit, uint8_t* key_buffer,
uint32_t ratelimit, uint32_t key_buffer_size, uint32_t* key_out_size);
uint8_t* key_buffer,
uint32_t key_buffer_size,
uint32_t* key_out_size);
int keymaster_upgrade_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent, int keymaster_upgrade_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
uint32_t ratelimit, const uint8_t* key_blob, uint32_t ratelimit, const uint8_t* key_blob,
@ -162,5 +155,4 @@ KeymasterSignResult keymaster_sign_object_for_cryptfs_scrypt(
const uint8_t* key_blob, size_t key_blob_size, uint32_t ratelimit, const uint8_t* object, const uint8_t* key_blob, size_t key_blob_size, uint32_t ratelimit, const uint8_t* object,
const size_t object_size, uint8_t** signature_buffer, size_t* signature_buffer_size); const size_t object_size, uint8_t** signature_buffer, size_t* signature_buffer_size);
#endif #endif