Merge changes from topic "vold-keystore2-fixes"

* changes:
  Remove unused constants and cleanup KeyStorage.cpp
  Remove unused parameter "salt" from stretchSecret()
  Use AServiceManager_waitForService() to connect to keystore2
This commit is contained in:
Satya Tangirala 2021-05-12 22:32:32 +00:00 committed by Gerrit Code Review
commit 98692ab9bb
3 changed files with 7 additions and 22 deletions

View file

@ -45,8 +45,6 @@
#include <cutils/properties.h>
#include <hardware/hw_auth_token.h>
extern "C" {
#include "crypto_scrypt.h"
@ -60,24 +58,18 @@ const KeyAuthentication kEmptyAuthentication{""};
static constexpr size_t AES_KEY_BYTES = 32;
static constexpr size_t GCM_NONCE_BYTES = 12;
static constexpr size_t GCM_MAC_BYTES = 16;
static constexpr size_t SALT_BYTES = 1 << 4;
static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
static constexpr size_t STRETCHED_BYTES = 1 << 6;
static constexpr uint32_t AUTH_TIMEOUT = 30; // Seconds
static const char* kCurrentVersion = "1";
static const char* kRmPath = "/system/bin/rm";
static const char* kSecdiscardPath = "/system/bin/secdiscard";
static const char* kStretch_none = "none";
static const char* kStretch_nopassword = "nopassword";
static const std::string kStretchPrefix_scrypt = "scrypt ";
static const char* kHashPrefix_secdiscardable = "Android secdiscardable SHA512";
static const char* kHashPrefix_keygen = "Android key wrapping key generation SHA512";
static const char* kFn_encrypted_key = "encrypted_key";
static const char* kFn_keymaster_key_blob = "keymaster_key_blob";
static const char* kFn_keymaster_key_blob_upgraded = "keymaster_key_blob_upgraded";
static const char* kFn_salt = "salt";
static const char* kFn_secdiscardable = "secdiscardable";
static const char* kFn_stretching = "stretching";
static const char* kFn_version = "version";
@ -154,7 +146,7 @@ static bool generateKeyStorageKey(Keymaster& keymaster, const std::string& appId
.GcmModeMinMacLen(GCM_MAC_BYTES * 8)
.Authorization(km::TAG_APPLICATION_ID, appId)
.Authorization(km::TAG_NO_AUTH_REQUIRED);
LOG(DEBUG) << "Generating \"key storage\" key that doesn't need auth token";
LOG(DEBUG) << "Generating \"key storage\" key";
return generateKeymasterKey(keymaster, paramBuilder, key);
}
@ -415,7 +407,7 @@ static std::string getStretching(const KeyAuthentication& auth) {
}
static bool stretchSecret(const std::string& stretching, const std::string& secret,
const std::string& salt, std::string* stretched) {
std::string* stretched) {
if (stretching == kStretch_nopassword) {
if (!secret.empty()) {
LOG(WARNING) << "Password present but stretching is nopassword";
@ -432,10 +424,9 @@ static bool stretchSecret(const std::string& stretching, const std::string& secr
}
static bool generateAppId(const KeyAuthentication& auth, const std::string& stretching,
const std::string& salt, const std::string& secdiscardable_hash,
std::string* appId) {
const std::string& secdiscardable_hash, std::string* appId) {
std::string stretched;
if (!stretchSecret(stretching, auth.secret, salt, &stretched)) return false;
if (!stretchSecret(stretching, auth.secret, &stretched)) return false;
*appId = secdiscardable_hash + stretched;
const std::lock_guard<std::mutex> scope_lock(storage_binding_info.guard);
@ -570,9 +561,8 @@ bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBu
if (!createSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
std::string stretching = getStretching(auth);
if (!writeStringToFile(stretching, dir + "/" + kFn_stretching)) return false;
std::string salt;
std::string appId;
if (!generateAppId(auth, stretching, salt, secdiscardable_hash, &appId)) return false;
if (!generateAppId(auth, stretching, secdiscardable_hash, &appId)) return false;
std::string encryptedKey;
if (auth.usesKeymaster()) {
Keymaster keymaster;
@ -621,9 +611,8 @@ bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffe
if (!readSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
std::string stretching;
if (!readFileToString(dir + "/" + kFn_stretching, &stretching)) return false;
std::string salt;
std::string appId;
if (!generateAppId(auth, stretching, salt, secdiscardable_hash, &appId)) return false;
if (!generateAppId(auth, stretching, secdiscardable_hash, &appId)) return false;
std::string encryptedMessage;
if (!readFileToString(dir + "/" + kFn_encrypted_key, &encryptedMessage)) return false;
if (auth.usesKeymaster()) {

View file

@ -27,10 +27,6 @@ namespace android {
namespace vold {
// Represents the information needed to decrypt a disk encryption key.
// If "token" is nonempty, it is passed in as a required Gatekeeper auth token.
// If "token" and "secret" are nonempty, "secret" is appended to the application-specific
// binary needed to unlock.
// If only "secret" is nonempty, it is used to decrypt in a non-Keymaster process.
class KeyAuthentication {
public:
KeyAuthentication(const std::string& s) : secret{s} {};

View file

@ -104,7 +104,7 @@ bool KeymasterOperation::finish(std::string* output) {
}
Keymaster::Keymaster() {
::ndk::SpAIBinder binder(AServiceManager_getService(keystore2_service_name));
::ndk::SpAIBinder binder(AServiceManager_waitForService(keystore2_service_name));
auto keystore2Service = ks2::IKeystoreService::fromBinder(binder);
if (!keystore2Service) {