CryptfsScryptHidlizationEquivalence_test.cpp revision 2ad849b607e35670a9dcf8f0f6b0dfca02a776dd
1/* 2** 3** Copyright 2017, The Android Open Source Project 4** 5** Licensed under the Apache License, Version 2.0 (the "License"); 6** you may not use this file except in compliance with the License. 7** You may obtain a copy of the License at 8** 9** http://www.apache.org/licenses/LICENSE-2.0 10** 11** Unless required by applicable law or agreed to in writing, software 12** distributed under the License is distributed on an "AS IS" BASIS, 13** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14** See the License for the specific language governing permissions and 15** limitations under the License. 16*/ 17 18#define LOG_TAG "scrypt_test" 19#include <log/log.h> 20 21#include <hardware/keymaster0.h> 22#include <hardware/keymaster1.h> 23#include <cstring> 24#include <gtest/gtest.h> 25 26#include "../cryptfs.h" 27#include "../Keymaster.h" 28 29#ifdef CONFIG_HW_DISK_ENCRYPTION 30#include "cryptfs_hw.h" 31#endif 32 33#define min(a, b) ((a) < (b) ? (a) : (b)) 34 35/* Maximum allowed keymaster blob size. */ 36#define KEYMASTER_BLOB_SIZE 2048 37 38/* Key Derivation Function algorithms */ 39#define KDF_PBKDF2 1 40#define KDF_SCRYPT 2 41/* Algorithms 3 & 4 deprecated before shipping outside of google, so removed */ 42#define KDF_SCRYPT_KEYMASTER 5 43 44#define KEY_LEN_BYTES 16 45 46#define DEFAULT_PASSWORD "default_password" 47 48#define RSA_KEY_SIZE 2048 49#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 50#define RSA_EXPONENT 0x10001 51#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second 52 53static int keymaster_init(keymaster0_device_t **keymaster0_dev, 54 keymaster1_device_t **keymaster1_dev) 55{ 56 int rc; 57 58 const hw_module_t* mod; 59 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 60 if (rc) { 61 ALOGE("could not find any keystore module"); 62 goto err; 63 } 64 65 SLOGI("keymaster module name is %s", mod->name); 66 SLOGI("keymaster version is %d", mod->module_api_version); 67 68 *keymaster0_dev = NULL; 69 *keymaster1_dev = NULL; 70 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) { 71 SLOGI("Found keymaster1 module, using keymaster1 API."); 72 rc = keymaster1_open(mod, keymaster1_dev); 73 } else { 74 SLOGI("Found keymaster0 module, using keymaster0 API."); 75 rc = keymaster0_open(mod, keymaster0_dev); 76 } 77 78 if (rc) { 79 ALOGE("could not open keymaster device in %s (%s)", 80 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 81 goto err; 82 } 83 84 return 0; 85 86err: 87 *keymaster0_dev = NULL; 88 *keymaster1_dev = NULL; 89 return rc; 90} 91 92/* Should we use keymaster? */ 93static int keymaster_check_compatibility_old() 94{ 95 keymaster0_device_t *keymaster0_dev = 0; 96 keymaster1_device_t *keymaster1_dev = 0; 97 int rc = 0; 98 99 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 100 SLOGE("Failed to init keymaster"); 101 rc = -1; 102 goto out; 103 } 104 105 if (keymaster1_dev) { 106 rc = 1; 107 goto out; 108 } 109 110 if (!keymaster0_dev || !keymaster0_dev->common.module) { 111 rc = -1; 112 goto out; 113 } 114 115 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2 116 // should work. 117 if (keymaster0_dev->common.module->module_api_version 118 < KEYMASTER_MODULE_API_VERSION_0_3) { 119 rc = 0; 120 goto out; 121 } 122 123 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) && 124 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { 125 rc = 1; 126 } 127 128out: 129 if (keymaster1_dev) { 130 keymaster1_close(keymaster1_dev); 131 } 132 if (keymaster0_dev) { 133 keymaster0_close(keymaster0_dev); 134 } 135 return rc; 136} 137 138/* Create a new keymaster key and store it in this footer */ 139static int keymaster_create_key_old(struct crypt_mnt_ftr *ftr) 140{ 141 uint8_t* key = 0; 142 keymaster0_device_t *keymaster0_dev = 0; 143 keymaster1_device_t *keymaster1_dev = 0; 144 145 if (ftr->keymaster_blob_size) { 146 SLOGI("Already have key"); 147 return 0; 148 } 149 150 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 151 SLOGE("Failed to init keymaster"); 152 return -1; 153 } 154 155 int rc = 0; 156 size_t key_size = 0; 157 if (keymaster1_dev) { 158 keymaster_key_param_t params[] = { 159 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */ 160 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA), 161 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE), 162 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT), 163 164 /* The only allowed purpose for this key is signing. */ 165 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN), 166 167 /* Padding & digest specifications. */ 168 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), 169 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), 170 171 /* Require that the key be usable in standalone mode. File system isn't available. */ 172 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE), 173 174 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */ 175 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED), 176 177 /* Rate-limit key usage attempts, to rate-limit brute force */ 178 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT), 179 }; 180 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) }; 181 keymaster_key_blob_t key_blob; 182 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, ¶m_set, 183 &key_blob, 184 NULL /* characteristics */); 185 if (error != KM_ERROR_OK) { 186 SLOGE("Failed to generate keymaster1 key, error %d", error); 187 rc = -1; 188 goto out; 189 } 190 191 key = (uint8_t*)key_blob.key_material; 192 key_size = key_blob.key_material_size; 193 } 194 else if (keymaster0_dev) { 195 keymaster_rsa_keygen_params_t params; 196 memset(¶ms, '\0', sizeof(params)); 197 params.public_exponent = RSA_EXPONENT; 198 params.modulus_size = RSA_KEY_SIZE; 199 200 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms, 201 &key, &key_size)) { 202 SLOGE("Failed to generate keypair"); 203 rc = -1; 204 goto out; 205 } 206 } else { 207 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device"); 208 rc = -1; 209 goto out; 210 } 211 212 if (key_size > KEYMASTER_BLOB_SIZE) { 213 SLOGE("Keymaster key too large for crypto footer"); 214 rc = -1; 215 goto out; 216 } 217 218 memcpy(ftr->keymaster_blob, key, key_size); 219 ftr->keymaster_blob_size = key_size; 220 221out: 222 if (keymaster0_dev) 223 keymaster0_close(keymaster0_dev); 224 if (keymaster1_dev) 225 keymaster1_close(keymaster1_dev); 226 free(key); 227 return rc; 228} 229 230/* This signs the given object using the keymaster key. */ 231static int keymaster_sign_object_old(struct crypt_mnt_ftr *ftr, 232 const unsigned char *object, 233 const size_t object_size, 234 unsigned char **signature, 235 size_t *signature_size) 236{ 237 int rc = 0; 238 keymaster0_device_t *keymaster0_dev = 0; 239 keymaster1_device_t *keymaster1_dev = 0; 240 241 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 242 size_t to_sign_size = sizeof(to_sign); 243 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 244 245 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 246 SLOGE("Failed to init keymaster"); 247 rc = -1; 248 goto out; 249 } 250 251 // To sign a message with RSA, the message must satisfy two 252 // constraints: 253 // 254 // 1. The message, when interpreted as a big-endian numeric value, must 255 // be strictly less than the public modulus of the RSA key. Note 256 // that because the most significant bit of the public modulus is 257 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 258 // key), an n-bit message with most significant bit 0 always 259 // satisfies this requirement. 260 // 261 // 2. The message must have the same length in bits as the public 262 // modulus of the RSA key. This requirement isn't mathematically 263 // necessary, but is necessary to ensure consistency in 264 // implementations. 265 switch (ftr->kdf_type) { 266 case KDF_SCRYPT_KEYMASTER: 267 // This ensures the most significant byte of the signed message 268 // is zero. We could have zero-padded to the left instead, but 269 // this approach is slightly more robust against changes in 270 // object size. However, it's still broken (but not unusably 271 // so) because we really should be using a proper deterministic 272 // RSA padding function, such as PKCS1. 273 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 274 SLOGI("Signing safely-padded object"); 275 break; 276 default: 277 SLOGE("Unknown KDF type %d", ftr->kdf_type); 278 rc = -1; 279 goto out; 280 } 281 282 if (keymaster0_dev) { 283 keymaster_rsa_sign_params_t params; 284 params.digest_type = DIGEST_NONE; 285 params.padding_type = PADDING_NONE; 286 287 rc = keymaster0_dev->sign_data(keymaster0_dev, 288 ¶ms, 289 ftr->keymaster_blob, 290 ftr->keymaster_blob_size, 291 to_sign, 292 to_sign_size, 293 signature, 294 signature_size); 295 goto out; 296 } else if (keymaster1_dev) { 297 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size }; 298 keymaster_key_param_t params[] = { 299 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), 300 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), 301 }; 302 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) }; 303 keymaster_operation_handle_t op_handle; 304 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, 305 ¶m_set, NULL /* out_params */, 306 &op_handle); 307 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) { 308 // Key usage has been rate-limited. Wait a bit and try again. 309 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT); 310 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, 311 ¶m_set, NULL /* out_params */, 312 &op_handle); 313 } 314 if (error != KM_ERROR_OK) { 315 SLOGE("Error starting keymaster signature transaction: %d", error); 316 rc = -1; 317 goto out; 318 } 319 320 keymaster_blob_t input = { to_sign, to_sign_size }; 321 size_t input_consumed; 322 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */, 323 &input, &input_consumed, NULL /* out_params */, 324 NULL /* output */); 325 if (error != KM_ERROR_OK) { 326 SLOGE("Error sending data to keymaster signature transaction: %d", error); 327 rc = -1; 328 goto out; 329 } 330 if (input_consumed != to_sign_size) { 331 // This should never happen. If it does, it's a bug in the keymaster implementation. 332 SLOGE("Keymaster update() did not consume all data."); 333 keymaster1_dev->abort(keymaster1_dev, op_handle); 334 rc = -1; 335 goto out; 336 } 337 338 keymaster_blob_t tmp_sig; 339 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */, 340 NULL /* verify signature */, NULL /* out_params */, 341 &tmp_sig); 342 if (error != KM_ERROR_OK) { 343 SLOGE("Error finishing keymaster signature transaction: %d", error); 344 rc = -1; 345 goto out; 346 } 347 348 *signature = (uint8_t*)tmp_sig.data; 349 *signature_size = tmp_sig.data_length; 350 } else { 351 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device."); 352 rc = -1; 353 goto out; 354 } 355 356 out: 357 if (keymaster1_dev) 358 keymaster1_close(keymaster1_dev); 359 if (keymaster0_dev) 360 keymaster0_close(keymaster0_dev); 361 362 return rc; 363} 364 365 366/* Should we use keymaster? */ 367static int keymaster_check_compatibility_new() 368{ 369 return keymaster_compatibility_cryptfs_scrypt(); 370} 371 372/* Create a new keymaster key and store it in this footer */ 373static int keymaster_create_key_new(struct crypt_mnt_ftr *ftr) 374{ 375 if (ftr->keymaster_blob_size) { 376 SLOGI("Already have key"); 377 return 0; 378 } 379 380 int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT, 381 KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE, 382 &ftr->keymaster_blob_size); 383 if (rc) { 384 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) { 385 SLOGE("Keymaster key blob to large)"); 386 ftr->keymaster_blob_size = 0; 387 } 388 SLOGE("Failed to generate keypair"); 389 return -1; 390 } 391 return 0; 392} 393 394/* This signs the given object using the keymaster key. */ 395static int keymaster_sign_object_new(struct crypt_mnt_ftr *ftr, 396 const unsigned char *object, 397 const size_t object_size, 398 unsigned char **signature, 399 size_t *signature_size) 400{ 401 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 402 size_t to_sign_size = sizeof(to_sign); 403 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 404 405 // To sign a message with RSA, the message must satisfy two 406 // constraints: 407 // 408 // 1. The message, when interpreted as a big-endian numeric value, must 409 // be strictly less than the public modulus of the RSA key. Note 410 // that because the most significant bit of the public modulus is 411 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 412 // key), an n-bit message with most significant bit 0 always 413 // satisfies this requirement. 414 // 415 // 2. The message must have the same length in bits as the public 416 // modulus of the RSA key. This requirement isn't mathematically 417 // necessary, but is necessary to ensure consistency in 418 // implementations. 419 switch (ftr->kdf_type) { 420 case KDF_SCRYPT_KEYMASTER: 421 // This ensures the most significant byte of the signed message 422 // is zero. We could have zero-padded to the left instead, but 423 // this approach is slightly more robust against changes in 424 // object size. However, it's still broken (but not unusably 425 // so) because we really should be using a proper deterministic 426 // RSA padding function, such as PKCS1. 427 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 428 SLOGI("Signing safely-padded object"); 429 break; 430 default: 431 SLOGE("Unknown KDF type %d", ftr->kdf_type); 432 return -1; 433 } 434 return keymaster_sign_object_for_cryptfs_scrypt(ftr->keymaster_blob, ftr->keymaster_blob_size, 435 KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign, to_sign_size, signature, signature_size); 436} 437 438namespace android { 439 440class CryptFsTest : public testing::Test { 441protected: 442 virtual void SetUp() { 443 } 444 445 virtual void TearDown() { 446 } 447}; 448 449TEST_F(CryptFsTest, ScryptHidlizationEquivalenceTest) { 450 crypt_mnt_ftr ftr; 451 ftr.kdf_type = KDF_SCRYPT_KEYMASTER; 452 ftr.keymaster_blob_size = 0; 453 454 ASSERT_EQ(0, keymaster_create_key_old(&ftr)); 455 456 uint8_t *sig1 = nullptr; 457 uint8_t *sig2 = nullptr; 458 size_t sig_size1 = 123456789; 459 size_t sig_size2 = 123456789; 460 uint8_t object[] = "the object"; 461 462 ASSERT_EQ(1, keymaster_check_compatibility_old()); 463 ASSERT_EQ(1, keymaster_check_compatibility_new()); 464 ASSERT_EQ(0, keymaster_sign_object_old(&ftr, object, 10, &sig1, &sig_size1)); 465 ASSERT_EQ(0, keymaster_sign_object_new(&ftr, object, 10, &sig2, &sig_size2)); 466 467 ASSERT_EQ(sig_size1, sig_size2); 468 ASSERT_NE(nullptr, sig1); 469 ASSERT_NE(nullptr, sig2); 470 EXPECT_EQ(0, memcmp(sig1, sig2, sig_size1)); 471 free(sig1); 472 free(sig2); 473} 474 475} 476