author | android-build-team Robot <android-build-team-robot@google.com> | 2017-09-21 21:53:38 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-09-21 21:53:38 +0000 |
commit | 2541243b9f984fb7f9473cd32e23f5fae2b48034 (patch) | |
tree | b1dd8ee97fdcc83b25c45784e7df302b3296fcf5 | |
parent | 0ff784916bc1ad40287e71d3ca711e85f9c69eb9 (diff) | |
parent | 163b073e3163785d343a0cb3dc0a07f3943601d2 (diff) | |
download | security-2541243b9f984fb7f9473cd32e23f5fae2b48034.tar.gz |
release-request-a84b3435-75fa-41e8-bd3c-ca0f4cbd5cc5-for-git_oc-m2-release-4352002 snap-temp-L88700000105039240
Change-Id: I9ab06b8dc00daea830f87d5a98cb4ac26e6d1cc2
-rw-r--r-- | keystore/blob.cpp | 5 | ||||
-rw-r--r-- | keystore/grant_store.cpp | 21 | ||||
-rw-r--r-- | keystore/grant_store.h | 11 | ||||
-rw-r--r-- | keystore/key_store_service.cpp | 32 | ||||
-rw-r--r-- | keystore/keystore.cpp | 16 | ||||
-rw-r--r-- | keystore/keystore.h | 4 |
6 files changed, 62 insertions, 27 deletions
diff --git a/keystore/blob.cpp b/keystore/blob.cpp
index a33334ee..625d0576 100644
--- a/keystore/blob.cpp
+++ b/keystore/blob.cpp
@@ -272,8 +272,9 @@ ResponseCode Blob::readBlob(const std::string& filename, const uint8_t* aes_key,
         return ResponseCode::VALUE_CORRUPTED;
     }
-    if ((isEncrypted() || isSuperEncrypted()) && (state != STATE_NO_ERROR)) {
-        return ResponseCode::LOCKED;
+    if ((isEncrypted() || isSuperEncrypted())) {
+        if (state == STATE_LOCKED) return ResponseCode::LOCKED;
+        if (state == STATE_UNINITIALIZED) return ResponseCode::UNINITIALIZED;
     }
     if (fileLength < offsetof(blobv3, value)) return ResponseCode::VALUE_CORRUPTED;
diff --git a/keystore/grant_store.cpp b/keystore/grant_store.cpp
index 9c2e591e..2fb09c17 100644
--- a/keystore/grant_store.cpp
+++ b/keystore/grant_store.cpp
@@ -25,8 +25,10 @@ static constexpr uint64_t kInvalidGrantNo = std::numeric_limits<uint64_t>::max()
 static const char* kKeystoreGrantInfix = "_KEYSTOREGRANT_";
 static constexpr size_t kKeystoreGrantInfixLength = 15;
-Grant::Grant(const std::string& alias, const std::string& key_file, const uint64_t grant_no)
-    : alias_(alias), key_file_(key_file), grant_no_(grant_no) {}
+Grant::Grant(const std::string& alias, const std::string& owner_dir_name, const uid_t owner_uid,
+             const uint64_t grant_no)
+    : alias_(alias), owner_dir_name_(owner_dir_name), owner_uid_(owner_uid),
+      grant_no_(grant_no) {}
 static std::pair<uint64_t, std::string> parseGrantAlias(const std::string& grantAlias) {
     auto pos = grantAlias.rfind(kKeystoreGrantInfix);
@@ -39,7 +41,8 @@ static std::pair<uint64_t, std::string> parseGrantAlias(const std::string& grant
     return {grant_no, wrapped_alias};
 }
-std::string GrantStore::put(const uid_t uid, const std::string& alias, const std::string& key_file) {
+std::string GrantStore::put(const uid_t uid, const std::string& alias,
+                            const std::string& owner_dir_name, const uid_t owner_uid) {
     std::stringstream s;
     s << alias << kKeystoreGrantInfix;
     auto& uid_grant_list = grants_[uid];
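Review bot: The rewritten guard in readBlob fails open for any `state` other than STATE_LOCKED and STATE_UNINITIALIZED, whereas the old condition refused every state except STATE_NO_ERROR; if the state enum has, or later gains, another value, an encrypted or super-encrypted blob would now proceed to decryption instead of being rejected. Keep the default-deny by closing the block with `if (state != STATE_NO_ERROR) return ResponseCode::LOCKED;` after the two specific checks, and drop the doubled parentheses in `if ((isEncrypted() || isSuperEncrypted()))`. The enum definition is not in this hunk, so whether a third value exists today is unconfirmed. readBlob's body begins and ends outside the hunk.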
@@ -47,10 +50,12 @@ std::string GrantStore::put(const uid_t uid, const std::string& alias, const std
     bool success = false;
     auto iterator = std::find_if(uid_grant_list.begin(), uid_grant_list.end(), [&](auto& entry) {
-        return success = entry.alias_ == alias && entry.key_file_ == key_file;
+        return success = entry.alias_ == alias && entry.owner_dir_name_ == owner_dir_name
+                && entry.owner_uid_ == owner_uid;
     });
     while (!success) {
-        std::tie(iterator, success) = uid_grant_list.emplace(alias, key_file, std::rand());
+        std::tie(iterator, success) = uid_grant_list.emplace(alias, owner_dir_name, owner_uid,
+                                                               std::rand());
     }
     s << iterator->grant_no_;
     return s.str();
@@ -70,10 +75,10 @@ const Grant* GrantStore::get(const uid_t uid, const std::string& alias) const {
     return &(*grant);
 }
-bool GrantStore::removeByFileName(const uid_t uid, const std::string& fileName) {
-    auto& uid_grant_list = grants_.operator[](uid);
+bool GrantStore::removeByFileAlias(const uid_t uid, const std::string& alias) {
+    auto& uid_grant_list = grants_[uid];
     for (auto i = uid_grant_list.begin(); i != uid_grant_list.end(); ++i) {
-        if (i->key_file_ == fileName) {
+        if (i->alias_ == alias) {
             uid_grant_list.erase(i);
             return true;
         }
diff --git a/keystore/grant_store.h b/keystore/grant_store.h
index 43e814ed..ab03630e 100644
--- a/keystore/grant_store.h
+++ b/keystore/grant_store.h
@@ -32,9 +32,11 @@ namespace keystore {
  */
 class Grant {
 public:
-    Grant(const std::string& alias, const std::string& key_file, const uint64_t grant_no);
+    Grant(const std::string& alias, const std::string& owner_dir_name, const uid_t owner_uid,
+          const uint64_t grant_no);
     std::string alias_;
-    std::string key_file_;
+    std::string owner_dir_name_;
+    uid_t owner_uid_;
     uint64_t grant_no_;
     operator const uint64_t&() const { return grant_no_; }
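Review bot: removeByFileAlias erases the first entry whose `alias_` matches and ignores `owner_dir_name_` and `owner_uid_`, while put() in the hunk above deliberately keys entries on all three; a grantee can therefore hold two grants with the same alias from different owners, and a revoke by one owner may delete the other owner's grant. Match the full identity in the loop, e.g. `if (i->alias_ == alias && i->owner_uid_ == owner_uid)` with the owner uid passed in from KeyStore::removeGrant, or remove by the grant number parsed from the grant alias. Either way the function deserves a comment stating which of several same-alias grants it removes. The tail of the for-loop and the function's final return are outside the hunk.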
@@ -52,9 +54,10 @@ public:
 class GrantStore {
 public:
     GrantStore() : grants_() {}
-    std::string put(const uid_t uid, const std::string& alias, const std::string& key_file);
+    std::string put(const uid_t uid, const std::string& alias, const std::string& owner_dir_name,
+                    const uid_t owner_uid);
     const Grant* get(const uid_t uid, const std::string& alias) const;
-    bool removeByFileName(const uid_t uid, const std::string& filename);
+    bool removeByFileAlias(const uid_t uid, const std::string& alias);
     // GrantStore is neither copyable nor movable.
     GrantStore(const GrantStore&) = delete;
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index c33a1d06..310d8e2d 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -526,7 +526,7 @@ String16 KeyStoreService::grant(const String16& name, int32_t granteeUid) {
         return String16();
     }
-    return String16(mKeyStore->addGrant(filename.string(), String8(name).string(), granteeUid).c_str());
+    return String16(mKeyStore->addGrant(String8(name).string(), granteeUid, callingUid).c_str());
 }
 KeyStoreServiceReturnCode KeyStoreService::ungrant(const String16& name, int32_t granteeUid) {
@@ -543,8 +543,8 @@ KeyStoreServiceReturnCode KeyStoreService::ungrant(const String16& name, int32_t
         return (errno != ENOENT) ? ResponseCode::SYSTEM_ERROR : ResponseCode::KEY_NOT_FOUND;
     }
-    return mKeyStore->removeGrant(filename.string(), granteeUid) ? ResponseCode::NO_ERROR
-                                                                : ResponseCode::KEY_NOT_FOUND;
+    return mKeyStore->removeGrant(name8, granteeUid) ? ResponseCode::NO_ERROR
+                                                    : ResponseCode::KEY_NOT_FOUND;
 }
 int64_t KeyStoreService::getmtime(const String16& name, int32_t uid) {
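Review bot: ungrant now hands only `name8` and granteeUid to removeGrant, so the revocation is not tied to the calling owner; the grant store in this same commit matches on alias alone, which lets two owners that each granted a key named name8 to the same grantee revoke each other's grant. Pass the caller through, `mKeyStore->removeGrant(name8, granteeUid, callingUid)`, and have the store match `owner_uid_` as well, mirroring the grant() hunk above, which already passes `callingUid` into addGrant. ungrant's body starts outside the hunk, so where name8 and the preceding existence check come from is not visible here.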
@@ -800,7 +800,26 @@ KeyStoreService::getKeyCharacteristics(const String16& name, const hidl_vec<uint
     KeyStoreServiceReturnCode rc = mKeyStore->getKeyForName(&keyBlob, name8, targetUid, TYPE_KEYMASTER_10);
-    if (!rc.isOk()) {
+    if (rc == ResponseCode::UNINITIALIZED) {
+        /*
+         * If we fail reading the blob because the master key is missing we try to retrieve the
+         * key characteristics from the characteristics file. This happens when auth-bound
+         * keys are used after a screen lock has been removed by the user.
+         */
+        rc = mKeyStore->getKeyForName(&keyBlob, name8, targetUid, TYPE_KEY_CHARACTERISTICS);
+        if (!rc.isOk()) {
+            return rc;
+        }
+        AuthorizationSet keyCharacteristics;
+        // TODO write one shot stream buffer to avoid copying (twice here)
+        std::string charBuffer(reinterpret_cast<const char*>(keyBlob.getValue()),
+                               keyBlob.getLength());
+        std::stringstream charStream(charBuffer);
+        keyCharacteristics.Deserialize(&charStream);
+
+        outCharacteristics->softwareEnforced = keyCharacteristics.hidl_data();
+        return rc;
+    } else if (!rc.isOk()) {
         return rc;
     }
@@ -1078,7 +1097,10 @@ void KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name, K
     // If per-operation auth is needed we need to begin the operation and
     // the client will need to authorize that operation before calling
     // update. Any other auth issues stop here.
-    if (!authResult.isOk() && authResult != ResponseCode::OP_AUTH_NEEDED) return;
+    if (!authResult.isOk() && authResult != ResponseCode::OP_AUTH_NEEDED) {
+        result->resultCode = authResult;
+        return;
+    }
     addAuthTokenToParams(&opParams, authToken);
diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index ab386ad8..8037335f 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -24,6 +24,7 @@
 #include <openssl/bio.h>
 #include <utils/String16.h>
+#include <utils/String8.h>
 #include <keystore/IKeystoreService.h>
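Review bot: The UNINITIALIZED fallback in getKeyCharacteristics ignores the result of `keyCharacteristics.Deserialize(&charStream)` and then returns `rc`, which at that point is the successful characteristics-file read, so a truncated or corrupt characteristics file produces a success response carrying empty or partial softwareEnforced data. If Deserialize reports failure (its signature is not visible here), reject that path, e.g. `if (!keyCharacteristics.Deserialize(&charStream)) return ResponseCode::VALUE_CORRUPTED;`, and also reset the other field of `*outCharacteristics` so stale caller-supplied contents cannot be mistaken for keymaster-derived data. A short comment on the return, `// characteristics were read from the characteristics file, not obtained from keymaster`, would tell the next reader why only softwareEnforced is filled. The function body continues outside the hunk.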
@@ -39,6 +40,7 @@ const char* KeyStore::sMetaDataFile = ".metadata";
 const android::String16 KeyStore::sRSAKeyType("RSA");
 using namespace keystore;
+using android::String8;
 KeyStore::KeyStore(Entropy* entropy, const km_device_t& device, const km_device_t& fallback, bool allowNewFallback)
@@ -414,12 +416,13 @@ ResponseCode KeyStore::list(const android::String8& prefix,
     return ResponseCode::NO_ERROR;
 }
-std::string KeyStore::addGrant(const char* filename, const char* alias, uid_t granteeUid) {
-    return mGrants.put(granteeUid, alias, filename);
+std::string KeyStore::addGrant(const char* alias, uid_t granterUid, uid_t granteeUid) {
+    return mGrants.put(granteeUid, alias, getUserStateByUid(granterUid)->getUserDirName(),
+                       granterUid);
 }
-bool KeyStore::removeGrant(const char* filename, uid_t granteeUid) {
-    return mGrants.removeByFileName(granteeUid, filename);
+bool KeyStore::removeGrant(const char* alias, uid_t granteeUid) {
+    return mGrants.removeByFileAlias(granteeUid, alias);
 }
 ResponseCode KeyStore::importKey(const uint8_t* key, size_t keyLen, const char* filename,
@@ -502,7 +505,7 @@ ResponseCode KeyStore::getKeyForName(Blob* keyBlob, const android::String8& keyN
     uid_t userId = get_user_id(uid);
     ResponseCode responseCode = get(filepath8.string(), keyBlob, type, userId);
-    if (responseCode == ResponseCode::NO_ERROR) {
+    if (responseCode != ResponseCode::KEY_NOT_FOUND) {
         return responseCode;
     }
@@ -519,7 +522,8 @@ ResponseCode KeyStore::getKeyForName(Blob* keyBlob, const android::String8& keyN
     // They might be using a granted key.
     auto grant = mGrants.get(uid, keyName.string());
     if (!grant) return ResponseCode::KEY_NOT_FOUND;
-    filepath8 = grant->key_file_.c_str();
+    filepath8.format("%s/%s", grant->owner_dir_name_.c_str(),
+        getKeyNameForUid(String8(grant->alias_.c_str()), grant->owner_uid_, type).c_str());
     // It is a granted key. Try to load it.
     return get(filepath8.string(), keyBlob, type, userId);
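Review bot: In the last hunk of getKeyForName the granted key's path is now built from the owner's directory and `grant->owner_uid_`, but the blob is still loaded with `userId`, which the earlier hunk derives from the grantee (`uid_t userId = get_user_id(uid);`). If a grant can cross Android users, `get()` is handed the grantee's user id for a file that lives under the owner's directory; deriving it from the grant, `return get(filepath8.string(), keyBlob, type, get_user_id(grant->owner_uid_));`, keeps the two consistent. Whether cross-user grants are reachable is not visible in this diff, so treat this as a consistency check. In the addGrant hunk, `getUserStateByUid(granterUid)->getUserDirName()` dereferences without a null check, which is fine only if that helper can never return null, something this diff does not show. getKeyForName's body starts outside the hunk.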
diff --git a/keystore/keystore.h b/keystore/keystore.h
index a08508ff..39761bbc 100644
--- a/keystore/keystore.h
+++ b/keystore/keystore.h
@@ -87,8 +87,8 @@ class KeyStore {
     ResponseCode list(const android::String8& prefix, android::Vector<android::String16>* matches, uid_t userId);
-    std::string addGrant(const char* filename, const char* alias, uid_t granteeUid);
-    bool removeGrant(const char* filename, uid_t granteeUid);
+    std::string addGrant(const char* alias, uid_t granterUid, uid_t granteeUid);
+    bool removeGrant(const char* alias, uid_t granteeUid);
     ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId, int32_t flags);
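Review bot: The new addGrant/removeGrant declarations carry no comment on what the returned string is or how a grant is matched, and the two adjacent `uid_t` parameters of addGrant (granterUid, granteeUid) are easy to transpose at call sites. Add above addGrant `// Returns the grant alias the grantee must use; granterUid is the key's owner.` and above removeGrant `// Removes the grantee's grant for alias; matching is by alias only (GrantStore::removeByFileAlias).`. The class body starts and ends outside the hunk.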