Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / system / keymaster / 13fbe3e93247943c26e7ca2ed27b6d650282b8bf / . / unencrypted_key_blob.cpp
blob: 43a7c251b857a8661e579e8415ad23ff6ea5a352 [file] [log] [blame]
Shawn Willden13fbe3e2015-05-23 03:36:30 +0000[diff] [blame^]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <assert.h>
18
19#include <openssl/aes.h>
20#include <openssl/sha.h>
21
22#include <keymaster/android_keymaster_utils.h>
23
24#include "ae.h"
25#include "unencrypted_key_blob.h"
26#include "ocb_utils.h"
27#include "openssl_err.h"
28
29namespace keymaster {
30
31UnencryptedKeyBlob::UnencryptedKeyBlob(const AuthorizationSet& enforced,
32 const AuthorizationSet& unenforced,
33 const AuthorizationSet& hidden,
34 const uint8_t* unencrypted_key,
35 size_t unencrypted_key_length, const uint8_t* master_key,
36 size_t master_key_length, const uint8_t nonce[NONCE_LENGTH])
37 : KeyBlob(enforced, unenforced), hidden_(hidden) {
38 // Check that KeyBlob ctor succeeded.
39 if (error_ != KM_ERROR_OK)
40 return;
41
42 if (hidden_.is_valid() == AuthorizationSet::ALLOCATION_FAILURE) {
43 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
44 return;
45 }
46
47 if (hidden_.is_valid() != AuthorizationSet::OK) {
48 error_ = KM_ERROR_UNKNOWN_ERROR;
49 return;
50 }
51
52 unencrypted_key_material_.reset(new uint8_t[unencrypted_key_length]);
53 if (!unencrypted_key_material_.get()) {
54 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
55 return;
56 }
57
58 unencrypted_key_material_length_ = unencrypted_key_length;
59 memcpy(unencrypted_key_material_.get(), unencrypted_key, unencrypted_key_length);
60 EncryptKey(master_key, master_key_length, nonce);
61}
62
63UnencryptedKeyBlob::UnencryptedKeyBlob(const keymaster_key_blob_t& key,
64 const AuthorizationSet& hidden, const uint8_t* master_key,
65 size_t master_key_length)
66 : KeyBlob(key), hidden_(hidden) {
67 // Check that KeyBlob ctor succeeded.
68 if (error_ != KM_ERROR_OK)
69 return;
70 DecryptKey(master_key, master_key_length);
71}
72
73void UnencryptedKeyBlob::EncryptKey(const uint8_t* master_key, size_t master_key_length,
74 const uint8_t* nonce) {
75 UniquePtr<AeCtx> ctx(InitializeKeyWrappingContext(master_key, master_key_length));
76 if (error_ != KM_ERROR_OK)
77 return;
78
79 UniquePtr<uint8_t[]> encrypted_key_material(new uint8_t[unencrypted_key_material_length()]);
80 UniquePtr<uint8_t[]> tag(new uint8_t[TAG_LENGTH]);
81 UniquePtr<uint8_t[]> nonce_copy(new uint8_t[NONCE_LENGTH]);
82 if (!encrypted_key_material.get() || !tag.get() || !nonce_copy.get()) {
83 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
84 return;
85 }
86 memcpy(nonce_copy.get(), nonce, NONCE_LENGTH);
87
88 int ae_err =
89 ae_encrypt(ctx->get(), nonce, unencrypted_key_material(), unencrypted_key_material_length(),
90 NULL /* additional data */, 0 /* additional data length */,
91 encrypted_key_material.get(), tag.get(), 1 /* final */);
92 if (ae_err < 0) {
93 LOG_E("Error %d while encrypting key", ae_err);
94 error_ = KM_ERROR_UNKNOWN_ERROR;
95 return;
96 }
97 assert(ae_err == static_cast<int>(unencrypted_key_material_length()));
98
99 SetEncryptedKey(encrypted_key_material.release(), unencrypted_key_material_length(),
100 nonce_copy.release(), tag.release());
101}
102
103void UnencryptedKeyBlob::DecryptKey(const uint8_t* master_key, size_t master_key_length) {
104 UniquePtr<AeCtx> ctx(InitializeKeyWrappingContext(master_key, master_key_length));
105 if (error_ != KM_ERROR_OK)
106 return;
107
108 unencrypted_key_material_length_ = key_material_length();
109 unencrypted_key_material_.reset(new uint8_t[unencrypted_key_material_length_]);
110 int ae_err = ae_decrypt(ctx->get(), nonce(), encrypted_key_material(), key_material_length(),
111 NULL /* additional data */, 0 /* additional data length */,
112 unencrypted_key_material_.get(), tag(), 1 /* final */);
113 if (ae_err == AE_INVALID) {
114 // Authentication failed! Decryption probably succeeded(ish), but we don't want to return
115 // any data when the authentication fails, so clear it.
116 memset_s(unencrypted_key_material_.get(), 0, unencrypted_key_material_length());
117 LOG_E("Failed to validate authentication tag during key decryption", 0);
118 error_ = KM_ERROR_INVALID_KEY_BLOB;
119 return;
120 } else if (ae_err < 0) {
121 LOG_E("Failed to decrypt key, error: %d", ae_err);
122 error_ = KM_ERROR_UNKNOWN_ERROR;
123 return;
124 }
125 assert(ae_err == static_cast<int>(unencrypted_key_material_length()));
126 error_ = KM_ERROR_OK;
127}
128
129AeCtx* UnencryptedKeyBlob::InitializeKeyWrappingContext(const uint8_t* master_key,
130 size_t master_key_length) {
131 size_t derivation_data_length;
132 UniquePtr<const uint8_t[]> derivation_data(BuildDerivationData(&derivation_data_length));
133 if (derivation_data.get() == NULL) {
134 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
135 return NULL;
136 }
137
138 UniquePtr<AeCtx> ctx(new AeCtx);
139
140 SHA256_CTX sha256_ctx;
141 UniquePtr<uint8_t[]> hash_buf(new uint8_t[SHA256_DIGEST_LENGTH]);
142 Eraser hash_eraser(hash_buf.get(), SHA256_DIGEST_LENGTH);
143 UniquePtr<uint8_t[]> derived_key(new uint8_t[AES_BLOCK_SIZE]);
144 Eraser derived_key_eraser(derived_key.get(), AES_BLOCK_SIZE);
145
146 if (ctx.get() == NULL || hash_buf.get() == NULL || derived_key.get() == NULL) {
147 error_ = KM_ERROR_MEMORY_ALLOCATION_FAILED;
148 return NULL;
149 }
150
151 Eraser sha256_ctx_eraser(sha256_ctx);
152
153 // Hash derivation data.
154 SHA256_Init(&sha256_ctx);
155 SHA256_Update(&sha256_ctx, derivation_data.get(), derivation_data_length);
156 SHA256_Final(hash_buf.get(), &sha256_ctx);
157
158 // Encrypt hash with master key to build derived key.
159 AES_KEY aes_key;
160 Eraser aes_key_eraser(AES_KEY);
161 if (AES_set_encrypt_key(master_key, master_key_length * 8, &aes_key) != 0) {
162 error_ = TranslateLastOpenSslError();
163 return NULL;
164 }
165 AES_encrypt(hash_buf.get(), derived_key.get(), &aes_key);
166
167 // Set up AES OCB context using derived key.
168 if (ae_init(ctx->get(), derived_key.get(), AES_BLOCK_SIZE /* key length */, NONCE_LENGTH,
169 TAG_LENGTH) == AE_SUCCESS)
170 return ctx.release();
171 else {
172 memset_s(ctx->get(), 0, ae_ctx_sizeof());
173 return NULL;
174 }
175}
176
177const uint8_t* UnencryptedKeyBlob::BuildDerivationData(size_t* derivation_data_length) const {
178 *derivation_data_length =
179 hidden_.SerializedSize() + enforced().SerializedSize() + unenforced().SerializedSize();
180 uint8_t* derivation_data = new uint8_t[*derivation_data_length];
181 if (derivation_data != NULL) {
182 uint8_t* buf = derivation_data;
183 uint8_t* end = derivation_data + *derivation_data_length;
184 buf = hidden_.Serialize(buf, end);
185 buf = enforced().Serialize(buf, end);
186 buf = unenforced().Serialize(buf, end);
187 }
188 return derivation_data;
189}
190
191} // namespace keymaster