Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2016 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #define LOG_TAG "keystore" |
| 18 | |
| 19 | #include "user_state.h" |
| 20 | |
| 21 | #include <dirent.h> |
| 22 | #include <fcntl.h> |
| 23 | #include <stdio.h> |
| 24 | #include <stdlib.h> |
| 25 | #include <sys/stat.h> |
| 26 | |
Branden Archer | cefbcbc | 2018-12-28 12:24:53 -0800 | [diff] [blame] | 27 | #include <openssl/digest.h> |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 28 | #include <openssl/evp.h> |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 29 | #include <openssl/rand.h> |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 30 | |
Logan Chien | cdc813f | 2018-04-23 13:52:28 +0800 | [diff] [blame] | 31 | #include <log/log.h> |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 32 | |
| 33 | #include "blob.h" |
| 34 | #include "keystore_utils.h" |
| 35 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 36 | namespace keystore { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 37 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 38 | UserState::UserState(uid_t userId) |
| 39 | : mMasterKeyEntry(".masterkey", "user_" + std::to_string(userId), userId, /* masterkey */ true), |
Shawn Willden | 688d3ab | 2019-10-02 11:55:27 -0600 | [diff] [blame] | 40 | mUserId(userId), mState(STATE_UNINITIALIZED) {} |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 41 | |
| 42 | bool UserState::operator<(const UserState& rhs) const { |
| 43 | return getUserId() < rhs.getUserId(); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 44 | } |
| 45 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 46 | bool UserState::operator<(uid_t userId) const { |
| 47 | return getUserId() < userId; |
| 48 | } |
| 49 | |
| 50 | bool operator<(uid_t userId, const UserState& rhs) { |
| 51 | return userId < rhs.getUserId(); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 52 | } |
| 53 | |
| 54 | bool UserState::initialize() { |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 55 | if ((mkdir(mMasterKeyEntry.user_dir().c_str(), S_IRUSR | S_IWUSR | S_IXUSR) < 0) && |
| 56 | (errno != EEXIST)) { |
| 57 | ALOGE("Could not create directory '%s'", mMasterKeyEntry.user_dir().c_str()); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 58 | return false; |
| 59 | } |
| 60 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 61 | if (mMasterKeyEntry.hasKeyBlob()) { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 62 | setState(STATE_LOCKED); |
| 63 | } else { |
| 64 | setState(STATE_UNINITIALIZED); |
| 65 | } |
| 66 | |
| 67 | return true; |
| 68 | } |
| 69 | |
| 70 | void UserState::setState(State state) { |
| 71 | mState = state; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 72 | } |
| 73 | |
| 74 | void UserState::zeroizeMasterKeysInMemory() { |
Branden Archer | f5953d7 | 2019-01-10 09:08:18 -0800 | [diff] [blame] | 75 | memset(mMasterKey.data(), 0, mMasterKey.size()); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 76 | memset(mSalt, 0, sizeof(mSalt)); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 77 | } |
| 78 | |
| 79 | bool UserState::deleteMasterKey() { |
| 80 | setState(STATE_UNINITIALIZED); |
| 81 | zeroizeMasterKeysInMemory(); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 82 | return unlink(mMasterKeyEntry.getKeyBlobPath().c_str()) == 0 || errno == ENOENT; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 83 | } |
| 84 | |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 85 | ResponseCode UserState::initialize(const android::String8& pw) { |
| 86 | if (!generateMasterKey()) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 87 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 88 | } |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 89 | ResponseCode response = writeMasterKey(pw); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 90 | if (response != ResponseCode::NO_ERROR) { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 91 | return response; |
| 92 | } |
| 93 | setupMasterKeys(); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 94 | return ResponseCode::NO_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 95 | } |
| 96 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 97 | ResponseCode UserState::copyMasterKey(LockedUserState<UserState>* src) { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 98 | if (mState != STATE_UNINITIALIZED) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 99 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 100 | } |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 101 | if ((*src)->getState() != STATE_NO_ERROR) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 102 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 103 | } |
Branden Archer | f5953d7 | 2019-01-10 09:08:18 -0800 | [diff] [blame] | 104 | mMasterKey = (*src)->mMasterKey; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 105 | setupMasterKeys(); |
| 106 | return copyMasterKeyFile(src); |
| 107 | } |
| 108 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 109 | ResponseCode UserState::copyMasterKeyFile(LockedUserState<UserState>* src) { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 110 | /* Copy the master key file to the new user. Unfortunately we don't have the src user's |
| 111 | * password so we cannot generate a new file with a new salt. |
| 112 | */ |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 113 | int in = TEMP_FAILURE_RETRY(open((*src)->getMasterKeyFileName().c_str(), O_RDONLY)); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 114 | if (in < 0) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 115 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 116 | } |
Shawn Willden | e983058 | 2017-04-18 10:47:57 -0600 | [diff] [blame] | 117 | blobv3 rawBlob; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 118 | size_t length = readFully(in, (uint8_t*)&rawBlob, sizeof(rawBlob)); |
| 119 | if (close(in) != 0) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 120 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 121 | } |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 122 | int out = TEMP_FAILURE_RETRY(open(mMasterKeyEntry.getKeyBlobPath().c_str(), |
| 123 | O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR)); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 124 | if (out < 0) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 125 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 126 | } |
| 127 | size_t outLength = writeFully(out, (uint8_t*)&rawBlob, length); |
| 128 | if (close(out) != 0) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 129 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 130 | } |
| 131 | if (outLength != length) { |
| 132 | ALOGW("blob not fully written %zu != %zu", outLength, length); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 133 | unlink(mMasterKeyEntry.getKeyBlobPath().c_str()); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 134 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 135 | } |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 136 | return ResponseCode::NO_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 137 | } |
| 138 | |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 139 | ResponseCode UserState::writeMasterKey(const android::String8& pw) { |
Shawn Willden | 17b8709 | 2019-10-01 17:43:43 -0600 | [diff] [blame] | 140 | std::vector<uint8_t> passwordKey(mMasterKey.size()); |
Branden Archer | f5953d7 | 2019-01-10 09:08:18 -0800 | [diff] [blame] | 141 | generateKeyFromPassword(passwordKey, pw, mSalt); |
Shawn Willden | 17b8709 | 2019-10-01 17:43:43 -0600 | [diff] [blame] | 142 | auto blobType = TYPE_MASTER_KEY_AES256; |
| 143 | if (mMasterKey.size() == kAes128KeySizeBytes) { |
| 144 | blobType = TYPE_MASTER_KEY; |
| 145 | } |
| 146 | Blob masterKeyBlob(mMasterKey.data(), mMasterKey.size(), mSalt, sizeof(mSalt), blobType); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 147 | auto lockedEntry = LockedKeyBlobEntry::get(mMasterKeyEntry); |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 148 | return lockedEntry.writeBlobs(masterKeyBlob, {}, passwordKey, STATE_NO_ERROR); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 149 | } |
| 150 | |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 151 | ResponseCode UserState::readMasterKey(const android::String8& pw) { |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 152 | |
| 153 | auto lockedEntry = LockedKeyBlobEntry::get(mMasterKeyEntry); |
| 154 | |
| 155 | int in = TEMP_FAILURE_RETRY(open(mMasterKeyEntry.getKeyBlobPath().c_str(), O_RDONLY)); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 156 | if (in < 0) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 157 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 158 | } |
| 159 | |
| 160 | // We read the raw blob to just to get the salt to generate the AES key, then we create the Blob |
| 161 | // to use with decryptBlob |
Shawn Willden | e983058 | 2017-04-18 10:47:57 -0600 | [diff] [blame] | 162 | blobv3 rawBlob; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 163 | size_t length = readFully(in, (uint8_t*)&rawBlob, sizeof(rawBlob)); |
| 164 | if (close(in) != 0) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 165 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 166 | } |
| 167 | // find salt at EOF if present, otherwise we have an old file |
| 168 | uint8_t* salt; |
| 169 | if (length > SALT_SIZE && rawBlob.info == SALT_SIZE) { |
| 170 | salt = (uint8_t*)&rawBlob + length - SALT_SIZE; |
| 171 | } else { |
Yi Kong | d291675 | 2018-07-26 17:44:27 -0700 | [diff] [blame] | 172 | salt = nullptr; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 173 | } |
Branden Archer | f5953d7 | 2019-01-10 09:08:18 -0800 | [diff] [blame] | 174 | |
Branden Archer | d031573 | 2019-01-10 14:56:05 -0800 | [diff] [blame] | 175 | size_t masterKeySize = MASTER_KEY_SIZE_BYTES; |
| 176 | if (rawBlob.type == TYPE_MASTER_KEY) { |
Shawn Willden | 17b8709 | 2019-10-01 17:43:43 -0600 | [diff] [blame] | 177 | masterKeySize = kAes128KeySizeBytes; |
Branden Archer | d031573 | 2019-01-10 14:56:05 -0800 | [diff] [blame] | 178 | } |
| 179 | |
| 180 | std::vector<uint8_t> passwordKey(masterKeySize); |
Branden Archer | f5953d7 | 2019-01-10 09:08:18 -0800 | [diff] [blame] | 181 | generateKeyFromPassword(passwordKey, pw, salt); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 182 | Blob masterKeyBlob, dummyBlob; |
| 183 | ResponseCode response; |
| 184 | std::tie(response, masterKeyBlob, dummyBlob) = |
| 185 | lockedEntry.readBlobs(passwordKey, STATE_NO_ERROR); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 186 | if (response == ResponseCode::SYSTEM_ERROR) { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 187 | return response; |
| 188 | } |
Branden Archer | d031573 | 2019-01-10 14:56:05 -0800 | [diff] [blame] | 189 | |
| 190 | size_t masterKeyBlobLength = static_cast<size_t>(masterKeyBlob.getLength()); |
| 191 | |
| 192 | if (response == ResponseCode::NO_ERROR && masterKeyBlobLength == masterKeySize) { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 193 | // If salt was missing, generate one and write a new master key file with the salt. |
Yi Kong | d291675 | 2018-07-26 17:44:27 -0700 | [diff] [blame] | 194 | if (salt == nullptr) { |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 195 | if (!generateSalt()) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 196 | return ResponseCode::SYSTEM_ERROR; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 197 | } |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 198 | response = writeMasterKey(pw); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 199 | } |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 200 | if (response == ResponseCode::NO_ERROR) { |
Branden Archer | f5953d7 | 2019-01-10 09:08:18 -0800 | [diff] [blame] | 201 | mMasterKey = std::vector<uint8_t>(masterKeyBlob.getValue(), |
| 202 | masterKeyBlob.getValue() + masterKeyBlob.getLength()); |
| 203 | |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 204 | setupMasterKeys(); |
| 205 | } |
| 206 | return response; |
| 207 | } |
Shawn Willden | 688d3ab | 2019-10-02 11:55:27 -0600 | [diff] [blame] | 208 | |
| 209 | LOG(ERROR) << "Invalid password presented"; |
| 210 | return ResponseCode::WRONG_PASSWORD_0; |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 211 | } |
| 212 | |
| 213 | bool UserState::reset() { |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 214 | DIR* dir = opendir(mMasterKeyEntry.user_dir().c_str()); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 215 | if (!dir) { |
| 216 | // If the directory doesn't exist then nothing to do. |
| 217 | if (errno == ENOENT) { |
| 218 | return true; |
| 219 | } |
| 220 | ALOGW("couldn't open user directory: %s", strerror(errno)); |
| 221 | return false; |
| 222 | } |
| 223 | |
| 224 | struct dirent* file; |
Yi Kong | d291675 | 2018-07-26 17:44:27 -0700 | [diff] [blame] | 225 | while ((file = readdir(dir)) != nullptr) { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 226 | // skip . and .. |
| 227 | if (!strcmp(".", file->d_name) || !strcmp("..", file->d_name)) { |
| 228 | continue; |
| 229 | } |
| 230 | |
| 231 | unlinkat(dirfd(dir), file->d_name, 0); |
| 232 | } |
| 233 | closedir(dir); |
| 234 | return true; |
| 235 | } |
| 236 | |
Branden Archer | f5953d7 | 2019-01-10 09:08:18 -0800 | [diff] [blame] | 237 | void UserState::generateKeyFromPassword(std::vector<uint8_t>& key, const android::String8& pw, |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 238 | uint8_t* salt) { |
| 239 | size_t saltSize; |
Yi Kong | d291675 | 2018-07-26 17:44:27 -0700 | [diff] [blame] | 240 | if (salt != nullptr) { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 241 | saltSize = SALT_SIZE; |
| 242 | } else { |
| 243 | // Pre-gingerbread used this hardwired salt, readMasterKey will rewrite these when found |
| 244 | salt = (uint8_t*)"keystore"; |
| 245 | // sizeof = 9, not strlen = 8 |
| 246 | saltSize = sizeof("keystore"); |
| 247 | } |
| 248 | |
Branden Archer | cefbcbc | 2018-12-28 12:24:53 -0800 | [diff] [blame] | 249 | const EVP_MD* digest = EVP_sha256(); |
| 250 | |
| 251 | // SHA1 was used prior to increasing the key size |
Shawn Willden | 17b8709 | 2019-10-01 17:43:43 -0600 | [diff] [blame] | 252 | if (key.size() == kAes128KeySizeBytes) { |
Branden Archer | cefbcbc | 2018-12-28 12:24:53 -0800 | [diff] [blame] | 253 | digest = EVP_sha1(); |
| 254 | } |
| 255 | |
| 256 | PKCS5_PBKDF2_HMAC(reinterpret_cast<const char*>(pw.string()), pw.length(), salt, saltSize, 8192, |
Branden Archer | f5953d7 | 2019-01-10 09:08:18 -0800 | [diff] [blame] | 257 | digest, key.size(), key.data()); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 258 | } |
| 259 | |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 260 | bool UserState::generateSalt() { |
| 261 | return RAND_bytes(mSalt, sizeof(mSalt)); |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 262 | } |
| 263 | |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 264 | bool UserState::generateMasterKey() { |
Branden Archer | f5953d7 | 2019-01-10 09:08:18 -0800 | [diff] [blame] | 265 | mMasterKey.resize(MASTER_KEY_SIZE_BYTES); |
| 266 | if (!RAND_bytes(mMasterKey.data(), mMasterKey.size())) { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 267 | return false; |
| 268 | } |
Branden Archer | 44d1afa | 2018-12-28 09:10:49 -0800 | [diff] [blame] | 269 | if (!generateSalt()) { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 270 | return false; |
| 271 | } |
| 272 | return true; |
| 273 | } |
| 274 | |
| 275 | void UserState::setupMasterKeys() { |
Shawn Willden | c1d1fee | 2016-01-26 22:44:56 -0700 | [diff] [blame] | 276 | setState(STATE_NO_ERROR); |
| 277 | } |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 278 | |
| 279 | LockedUserState<UserState> UserStateDB::getUserState(uid_t userId) { |
| 280 | std::unique_lock<std::mutex> lock(locked_state_mutex_); |
| 281 | decltype(mMasterKeys.begin()) it; |
| 282 | bool inserted; |
| 283 | std::tie(it, inserted) = mMasterKeys.emplace(userId, userId); |
| 284 | if (inserted) { |
| 285 | if (!it->second.initialize()) { |
| 286 | /* There's not much we can do if initialization fails. Trying to |
| 287 | * unlock the keystore for that user will fail as well, so any |
| 288 | * subsequent request for this user will just return SYSTEM_ERROR. |
| 289 | */ |
| 290 | ALOGE("User initialization failed for %u; subsequent operations will fail", userId); |
| 291 | } |
| 292 | } |
| 293 | return get(std::move(lock), &it->second); |
| 294 | } |
| 295 | |
| 296 | LockedUserState<UserState> UserStateDB::getUserStateByUid(uid_t uid) { |
| 297 | return getUserState(get_user_id(uid)); |
| 298 | } |
| 299 | |
| 300 | LockedUserState<const UserState> UserStateDB::getUserState(uid_t userId) const { |
| 301 | std::unique_lock<std::mutex> lock(locked_state_mutex_); |
| 302 | auto it = mMasterKeys.find(userId); |
| 303 | if (it == mMasterKeys.end()) return {}; |
| 304 | return get(std::move(lock), &it->second); |
| 305 | } |
| 306 | |
| 307 | LockedUserState<const UserState> UserStateDB::getUserStateByUid(uid_t uid) const { |
| 308 | return getUserState(get_user_id(uid)); |
| 309 | } |
| 310 | |
| 311 | } // namespace keystore |