1 /*
2  * Copyright (C) 2016 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "keystore"
18 
19 #include "user_state.h"
20 
21 #include <dirent.h>
22 #include <fcntl.h>
23 #include <stdio.h>
24 #include <stdlib.h>
25 #include <sys/stat.h>
26 
27 #include <openssl/digest.h>
28 #include <openssl/evp.h>
29 #include <openssl/rand.h>
30 
31 #include <log/log.h>
32 
33 #include "blob.h"
34 #include "keystore_utils.h"
35 
36 namespace keystore {
37 
UserState(uid_t userId)38 UserState::UserState(uid_t userId)
39     : mMasterKeyEntry(".masterkey", "user_" + std::to_string(userId), userId, /* masterkey */ true),
40       mUserId(userId), mState(STATE_UNINITIALIZED) {}
41 
operator <(const UserState & rhs) const42 bool UserState::operator<(const UserState& rhs) const {
43     return getUserId() < rhs.getUserId();
44 }
45 
operator <(uid_t userId) const46 bool UserState::operator<(uid_t userId) const {
47     return getUserId() < userId;
48 }
49 
operator <(uid_t userId,const UserState & rhs)50 bool operator<(uid_t userId, const UserState& rhs) {
51     return userId < rhs.getUserId();
52 }
53 
initialize()54 bool UserState::initialize() {
55     if ((mkdir(mMasterKeyEntry.user_dir().c_str(), S_IRUSR | S_IWUSR | S_IXUSR) < 0) &&
56         (errno != EEXIST)) {
57         ALOGE("Could not create directory '%s'", mMasterKeyEntry.user_dir().c_str());
58         return false;
59     }
60 
61     if (mMasterKeyEntry.hasKeyBlob()) {
62         setState(STATE_LOCKED);
63     } else {
64         setState(STATE_UNINITIALIZED);
65     }
66 
67     return true;
68 }
69 
setState(State state)70 void UserState::setState(State state) {
71     mState = state;
72 }
73 
zeroizeMasterKeysInMemory()74 void UserState::zeroizeMasterKeysInMemory() {
75     memset(mMasterKey.data(), 0, mMasterKey.size());
76     memset(mSalt, 0, sizeof(mSalt));
77 }
78 
deleteMasterKey()79 bool UserState::deleteMasterKey() {
80     setState(STATE_UNINITIALIZED);
81     zeroizeMasterKeysInMemory();
82     return unlink(mMasterKeyEntry.getKeyBlobPath().c_str()) == 0 || errno == ENOENT;
83 }
84 
initialize(const android::String8 & pw)85 ResponseCode UserState::initialize(const android::String8& pw) {
86     if (!generateMasterKey()) {
87         return ResponseCode::SYSTEM_ERROR;
88     }
89     ResponseCode response = writeMasterKey(pw);
90     if (response != ResponseCode::NO_ERROR) {
91         return response;
92     }
93     setupMasterKeys();
94     return ResponseCode::NO_ERROR;
95 }
96 
copyMasterKey(LockedUserState<UserState> * src)97 ResponseCode UserState::copyMasterKey(LockedUserState<UserState>* src) {
98     if (mState != STATE_UNINITIALIZED) {
99         return ResponseCode::SYSTEM_ERROR;
100     }
101     if ((*src)->getState() != STATE_NO_ERROR) {
102         return ResponseCode::SYSTEM_ERROR;
103     }
104     mMasterKey = (*src)->mMasterKey;
105     setupMasterKeys();
106     return copyMasterKeyFile(src);
107 }
108 
copyMasterKeyFile(LockedUserState<UserState> * src)109 ResponseCode UserState::copyMasterKeyFile(LockedUserState<UserState>* src) {
110     /* Copy the master key file to the new user.  Unfortunately we don't have the src user's
111      * password so we cannot generate a new file with a new salt.
112      */
113     int in = TEMP_FAILURE_RETRY(open((*src)->getMasterKeyFileName().c_str(), O_RDONLY));
114     if (in < 0) {
115         return ResponseCode::SYSTEM_ERROR;
116     }
117     blobv3 rawBlob;
118     size_t length = readFully(in, (uint8_t*)&rawBlob, sizeof(rawBlob));
119     if (close(in) != 0) {
120         return ResponseCode::SYSTEM_ERROR;
121     }
122     int out = TEMP_FAILURE_RETRY(open(mMasterKeyEntry.getKeyBlobPath().c_str(),
123                                       O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR));
124     if (out < 0) {
125         return ResponseCode::SYSTEM_ERROR;
126     }
127     size_t outLength = writeFully(out, (uint8_t*)&rawBlob, length);
128     if (close(out) != 0) {
129         return ResponseCode::SYSTEM_ERROR;
130     }
131     if (outLength != length) {
132         ALOGW("blob not fully written %zu != %zu", outLength, length);
133         unlink(mMasterKeyEntry.getKeyBlobPath().c_str());
134         return ResponseCode::SYSTEM_ERROR;
135     }
136     return ResponseCode::NO_ERROR;
137 }
138 
writeMasterKey(const android::String8 & pw)139 ResponseCode UserState::writeMasterKey(const android::String8& pw) {
140     std::vector<uint8_t> passwordKey(mMasterKey.size());
141     generateKeyFromPassword(passwordKey, pw, mSalt);
142     auto blobType = TYPE_MASTER_KEY_AES256;
143     if (mMasterKey.size() == kAes128KeySizeBytes) {
144         blobType = TYPE_MASTER_KEY;
145     }
146     Blob masterKeyBlob(mMasterKey.data(), mMasterKey.size(), mSalt, sizeof(mSalt), blobType);
147     auto lockedEntry = LockedKeyBlobEntry::get(mMasterKeyEntry);
148     return lockedEntry.writeBlobs(masterKeyBlob, {}, passwordKey, STATE_NO_ERROR);
149 }
150 
readMasterKey(const android::String8 & pw)151 ResponseCode UserState::readMasterKey(const android::String8& pw) {
152 
153     auto lockedEntry = LockedKeyBlobEntry::get(mMasterKeyEntry);
154 
155     int in = TEMP_FAILURE_RETRY(open(mMasterKeyEntry.getKeyBlobPath().c_str(), O_RDONLY));
156     if (in < 0) {
157         return ResponseCode::SYSTEM_ERROR;
158     }
159 
160     // We read the raw blob to just to get the salt to generate the AES key, then we create the Blob
161     // to use with decryptBlob
162     blobv3 rawBlob;
163     size_t length = readFully(in, (uint8_t*)&rawBlob, sizeof(rawBlob));
164     if (close(in) != 0) {
165         return ResponseCode::SYSTEM_ERROR;
166     }
167     // find salt at EOF if present, otherwise we have an old file
168     uint8_t* salt;
169     if (length > SALT_SIZE && rawBlob.info == SALT_SIZE) {
170         salt = (uint8_t*)&rawBlob + length - SALT_SIZE;
171     } else {
172         salt = nullptr;
173     }
174 
175     size_t masterKeySize = MASTER_KEY_SIZE_BYTES;
176     if (rawBlob.type == TYPE_MASTER_KEY) {
177         masterKeySize = kAes128KeySizeBytes;
178     }
179 
180     std::vector<uint8_t> passwordKey(masterKeySize);
181     generateKeyFromPassword(passwordKey, pw, salt);
182     Blob masterKeyBlob, dummyBlob;
183     ResponseCode response;
184     std::tie(response, masterKeyBlob, dummyBlob) =
185         lockedEntry.readBlobs(passwordKey, STATE_NO_ERROR);
186     if (response == ResponseCode::SYSTEM_ERROR) {
187         return response;
188     }
189 
190     size_t masterKeyBlobLength = static_cast<size_t>(masterKeyBlob.getLength());
191 
192     if (response == ResponseCode::NO_ERROR && masterKeyBlobLength == masterKeySize) {
193         // If salt was missing, generate one and write a new master key file with the salt.
194         if (salt == nullptr) {
195             if (!generateSalt()) {
196                 return ResponseCode::SYSTEM_ERROR;
197             }
198             response = writeMasterKey(pw);
199         }
200         if (response == ResponseCode::NO_ERROR) {
201             mMasterKey = std::vector<uint8_t>(masterKeyBlob.getValue(),
202                                               masterKeyBlob.getValue() + masterKeyBlob.getLength());
203 
204             setupMasterKeys();
205         }
206         return response;
207     }
208 
209     LOG(ERROR) << "Invalid password presented";
210     return ResponseCode::WRONG_PASSWORD_0;
211 }
212 
reset()213 bool UserState::reset() {
214     DIR* dir = opendir(mMasterKeyEntry.user_dir().c_str());
215     if (!dir) {
216         // If the directory doesn't exist then nothing to do.
217         if (errno == ENOENT) {
218             return true;
219         }
220         ALOGW("couldn't open user directory: %s", strerror(errno));
221         return false;
222     }
223 
224     struct dirent* file;
225     while ((file = readdir(dir)) != nullptr) {
226         // skip . and ..
227         if (!strcmp(".", file->d_name) || !strcmp("..", file->d_name)) {
228             continue;
229         }
230 
231         unlinkat(dirfd(dir), file->d_name, 0);
232     }
233     closedir(dir);
234     return true;
235 }
236 
generateKeyFromPassword(std::vector<uint8_t> & key,const android::String8 & pw,uint8_t * salt)237 void UserState::generateKeyFromPassword(std::vector<uint8_t>& key, const android::String8& pw,
238                                         uint8_t* salt) {
239     size_t saltSize;
240     if (salt != nullptr) {
241         saltSize = SALT_SIZE;
242     } else {
243         // Pre-gingerbread used this hardwired salt, readMasterKey will rewrite these when found
244         salt = (uint8_t*)"keystore";
245         // sizeof = 9, not strlen = 8
246         saltSize = sizeof("keystore");
247     }
248 
249     const EVP_MD* digest = EVP_sha256();
250 
251     // SHA1 was used prior to increasing the key size
252     if (key.size() == kAes128KeySizeBytes) {
253         digest = EVP_sha1();
254     }
255 
256     PKCS5_PBKDF2_HMAC(reinterpret_cast<const char*>(pw.string()), pw.length(), salt, saltSize, 8192,
257                       digest, key.size(), key.data());
258 }
259 
generateSalt()260 bool UserState::generateSalt() {
261     return RAND_bytes(mSalt, sizeof(mSalt));
262 }
263 
generateMasterKey()264 bool UserState::generateMasterKey() {
265     mMasterKey.resize(MASTER_KEY_SIZE_BYTES);
266     if (!RAND_bytes(mMasterKey.data(), mMasterKey.size())) {
267         return false;
268     }
269     if (!generateSalt()) {
270         return false;
271     }
272     return true;
273 }
274 
setupMasterKeys()275 void UserState::setupMasterKeys() {
276     setState(STATE_NO_ERROR);
277 }
278 
getUserState(uid_t userId)279 LockedUserState<UserState> UserStateDB::getUserState(uid_t userId) {
280     std::unique_lock<std::mutex> lock(locked_state_mutex_);
281     decltype(mMasterKeys.begin()) it;
282     bool inserted;
283     std::tie(it, inserted) = mMasterKeys.emplace(userId, userId);
284     if (inserted) {
285         if (!it->second.initialize()) {
286             /* There's not much we can do if initialization fails. Trying to
287              * unlock the keystore for that user will fail as well, so any
288              * subsequent request for this user will just return SYSTEM_ERROR.
289              */
290             ALOGE("User initialization failed for %u; subsequent operations will fail", userId);
291         }
292     }
293     return get(std::move(lock), &it->second);
294 }
295 
getUserStateByUid(uid_t uid)296 LockedUserState<UserState> UserStateDB::getUserStateByUid(uid_t uid) {
297     return getUserState(get_user_id(uid));
298 }
299 
getUserState(uid_t userId) const300 LockedUserState<const UserState> UserStateDB::getUserState(uid_t userId) const {
301     std::unique_lock<std::mutex> lock(locked_state_mutex_);
302     auto it = mMasterKeys.find(userId);
303     if (it == mMasterKeys.end()) return {};
304     return get(std::move(lock), &it->second);
305 }
306 
getUserStateByUid(uid_t uid) const307 LockedUserState<const UserState> UserStateDB::getUserStateByUid(uid_t uid) const {
308     return getUserState(get_user_id(uid));
309 }
310 
311 }  // namespace keystore
312