From ea1764c9fa8e3f64302ee2098dd2ae18ddc5088c Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Thu, 23 May 2019 21:44:35 +0800 Subject: ext4crypt: support synthetic keys v3 on May update Re-implemented SP800Derive in C++, which is added as the new key derivation function in Android 9.0 May update. From file services/core/java/com/android/server/locksettings/SP800Derive.java in frameworks/base. This is required to get TWRP working on any Android device that has a screen lock set up after the May update. Change-Id: I5c1a51b110033f2b0b75d5e36fd8098c05e95179 --- crypto/ext4crypt/Decrypt.cpp | 27 ++++++++++++++------------- crypto/ext4crypt/HashPassword.cpp | 33 +++++++++++++++++++++++++++++++++ crypto/ext4crypt/HashPassword.h | 8 ++++++++ 3 files changed, 55 insertions(+), 13 deletions(-) diff --git a/crypto/ext4crypt/Decrypt.cpp b/crypto/ext4crypt/Decrypt.cpp index e69b64793..d8542dca7 100644 --- a/crypto/ext4crypt/Decrypt.cpp +++ b/crypto/ext4crypt/Decrypt.cpp @@ -244,13 +244,6 @@ bool Find_Handle(const std::string& spblob_path, std::string& handle_str) { return false; } -// The password data is stored in big endian and has to be swapped on little endian ARM -template -void endianswap(T *objp) { - unsigned char *memp = reinterpret_cast(objp); - std::reverse(memp, memp + sizeof(T)); -} - /* This is the structure of the data in the password data (*.pwd) file which the structure can be found * https://android.googlesource.com/platform/frameworks/base/+/android-8.0.0_r23/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java#187 */ struct password_data_struct { @@ -442,7 +435,8 @@ sp getKeystoreBinderRetry() { namespace keystore { #define SYNTHETIC_PASSWORD_VERSION_V1 1 -#define SYNTHETIC_PASSWORD_VERSION 2 +#define SYNTHETIC_PASSWORD_VERSION_V2 2 +#define SYNTHETIC_PASSWORD_VERSION_V3 3 #define SYNTHETIC_PASSWORD_PASSWORD_BASED 0 #define SYNTHETIC_PASSWORD_KEY_PREFIX "USRSKEY_synthetic_password_" #define USR_PRIVATE_KEY_PREFIX "USRPKEY_synthetic_password_" @@ -579,7 +573,8 @@ std::string unwrapSyntheticPasswordBlob(const std::string& spblob_path, const st return disk_decryption_secret_key; } unsigned char* byteptr = (unsigned char*)spblob_data.data(); - if (*byteptr != SYNTHETIC_PASSWORD_VERSION && *byteptr != SYNTHETIC_PASSWORD_VERSION_V1) { + if (*byteptr != SYNTHETIC_PASSWORD_VERSION_V2 && *byteptr != SYNTHETIC_PASSWORD_VERSION_V1 + && *byteptr != SYNTHETIC_PASSWORD_VERSION_V3) { printf("Unsupported synthetic password version %i\n", *byteptr); return disk_decryption_secret_key; } @@ -772,9 +767,10 @@ std::string unwrapSyntheticPasswordBlob(const std::string& spblob_path, const st } stop_keystore(); return disk_decryption_secret_key; - } else if (*synthetic_password_version == SYNTHETIC_PASSWORD_VERSION) { - printf("spblob v2\n"); - /* Version 2 of the spblob is basically the same as version 1, but the order of getting the intermediate key and disk decryption key have been flip-flopped + } else if (*synthetic_password_version == SYNTHETIC_PASSWORD_VERSION_V2 + || *synthetic_password_version == SYNTHETIC_PASSWORD_VERSION_V3) { + printf("spblob v2 / v3\n"); + /* Version 2 / 3 of the spblob is basically the same as version 1, but the order of getting the intermediate key and disk decryption key have been flip-flopped * as seen in https://android.googlesource.com/platform/frameworks/base/+/5025791ac6d1538224e19189397de8d71dcb1a12 */ /* First decrypt call found in @@ -926,7 +922,12 @@ std::string unwrapSyntheticPasswordBlob(const std::string& spblob_path, const st //printf("secret key: "); output_hex((const unsigned char*)secret_key, secret_key_real_size); printf("\n"); // The payload data from the keystore update is further personalized at https://android.googlesource.com/platform/frameworks/base/+/android-8.0.0_r23/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java#153 // We now have the disk decryption key! - disk_decryption_secret_key = PersonalizedHash(PERSONALIZATION_FBE_KEY, (const char*)secret_key, secret_key_real_size); + if (*synthetic_password_version == SYNTHETIC_PASSWORD_VERSION_V3) { + // V3 uses SP800 instead of SHA512 + disk_decryption_secret_key = PersonalizedHashSP800(PERSONALIZATION_FBE_KEY, PERSONALISATION_CONTEXT, (const char*)secret_key, secret_key_real_size); + } else { + disk_decryption_secret_key = PersonalizedHash(PERSONALIZATION_FBE_KEY, (const char*)secret_key, secret_key_real_size); + } //printf("disk_decryption_secret_key: '%s'\n", disk_decryption_secret_key.c_str()); free(secret_key); return disk_decryption_secret_key; diff --git a/crypto/ext4crypt/HashPassword.cpp b/crypto/ext4crypt/HashPassword.cpp index 817c984bd..07ecb1f7d 100644 --- a/crypto/ext4crypt/HashPassword.cpp +++ b/crypto/ext4crypt/HashPassword.cpp @@ -27,11 +27,13 @@ #include #include #include +#include #include "HashPassword.h" #define PASS_PADDING_SIZE 128 #define SHA512_HEX_SIZE SHA512_DIGEST_LENGTH * 2 +#define SHA256_HEX_SIZE SHA256_DIGEST_LENGTH * 2 void* PersonalizedHashBinary(const char* prefix, const char* key, const size_t key_size) { size_t size = PASS_PADDING_SIZE + key_size; @@ -78,6 +80,37 @@ std::string PersonalizedHash(const char* prefix, const std::string& Password) { return PersonalizedHash(prefix, Password.c_str(), Password.size()); } +std::string PersonalizedHashSP800(const char* label, const char* context, const char* key, const size_t key_size) { + HMAC_CTX ctx; + HMAC_CTX_init(&ctx); + HMAC_Init_ex(&ctx, key, key_size, EVP_sha256(), NULL); + unsigned int counter = 1; + endianswap(&counter); + HMAC_Update(&ctx, (const unsigned char*)&counter, 4); + HMAC_Update(&ctx, (const unsigned char*)label, strlen(label)); + const unsigned char divider = 0; + HMAC_Update(&ctx, ÷r, 1); + HMAC_Update(&ctx, (const unsigned char*)context, strlen(context)); + unsigned int contextDisambiguation = strlen(context) * 8; + endianswap(&contextDisambiguation); + HMAC_Update(&ctx, (const unsigned char*)&contextDisambiguation, 4); + unsigned int finalValue = 256; + endianswap(&finalValue); + HMAC_Update(&ctx, (const unsigned char*)&finalValue, 4); + + unsigned char output[SHA256_DIGEST_LENGTH]; + unsigned int out_size = 0; + HMAC_Final(&ctx, output, &out_size); + + int index = 0; + char hex_hash[SHA256_HEX_SIZE + 1]; + for(index = 0; index < SHA256_DIGEST_LENGTH; index++) + sprintf(hex_hash + (index * 2), "%02x", output[index]); + hex_hash[SHA256_HEX_SIZE] = 0; + std::string ret = hex_hash; + return ret; +} + std::string HashPassword(const std::string& Password) { const char* prefix = FBE_PERSONALIZATION; return PersonalizedHash(prefix, Password); diff --git a/crypto/ext4crypt/HashPassword.h b/crypto/ext4crypt/HashPassword.h index 4be107b51..73880b1ba 100644 --- a/crypto/ext4crypt/HashPassword.h +++ b/crypto/ext4crypt/HashPassword.h @@ -26,11 +26,19 @@ #define PERSONALIZATION_FBE_KEY "fbe-key" #define PERSONALIZATION_USER_GK_AUTH "user-gk-authentication" #define PERSONALISATION_SECDISCARDABLE "secdiscardable-transform" +#define PERSONALISATION_CONTEXT "android-synthetic-password-personalization-context" void* PersonalizedHashBinary(const char* prefix, const char* key, const size_t key_size); std::string PersonalizedHash(const char* prefix, const char* key, const size_t key_size); std::string PersonalizedHash(const char* prefix, const std::string& Password); +std::string PersonalizedHashSP800(const char* label, const char* context, const char* key, const size_t key_size); std::string HashPassword(const std::string& Password); +template +void endianswap(T *objp) { + unsigned char *memp = reinterpret_cast(objp); + std::reverse(memp, memp + sizeof(T)); +} + #endif -- cgit v1.2.3