ext4crypt: support synthetic keys v3 on May update
Re-implemented SP800Derive in C++, which is added as the new key derivation function in Android 9.0 May update. From file services/core/java/com/android/server/locksettings/SP800Derive.java in frameworks/base. This is required to get TWRP working on any Android device that has a screen lock set up after the May update. Change-Id: I5c1a51b110033f2b0b75d5e36fd8098c05e95179
This commit is contained in:
Peter Cai
@@ -244,13 +244,6 @@ bool Find_Handle(const std::string& spblob_path, std::string& handle_str) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// The password data is stored in big endian and has to be swapped on little endian ARM
|
||||
template <class T>
|
||||
void endianswap(T *objp) {
|
||||
unsigned char *memp = reinterpret_cast<unsigned char*>(objp);
|
||||
std::reverse(memp, memp + sizeof(T));
|
||||
}
|
||||
|
||||
/* This is the structure of the data in the password data (*.pwd) file which the structure can be found
|
||||
* https://android.googlesource.com/platform/frameworks/base/+/android-8.0.0_r23/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java#187 */
|
||||
struct password_data_struct {
|
||||
@@ -442,7 +435,8 @@ sp<IBinder> getKeystoreBinderRetry() {
|
||||
namespace keystore {
|
||||
|
||||
#define SYNTHETIC_PASSWORD_VERSION_V1 1
|
||||
#define SYNTHETIC_PASSWORD_VERSION 2
|
||||
#define SYNTHETIC_PASSWORD_VERSION_V2 2
|
||||
#define SYNTHETIC_PASSWORD_VERSION_V3 3
|
||||
#define SYNTHETIC_PASSWORD_PASSWORD_BASED 0
|
||||
#define SYNTHETIC_PASSWORD_KEY_PREFIX "USRSKEY_synthetic_password_"
|
||||
#define USR_PRIVATE_KEY_PREFIX "USRPKEY_synthetic_password_"
|
||||
@@ -579,7 +573,8 @@ std::string unwrapSyntheticPasswordBlob(const std::string& spblob_path, const st
|
||||
return disk_decryption_secret_key;
|
||||
}
|
||||
unsigned char* byteptr = (unsigned char*)spblob_data.data();
|
||||
if (*byteptr != SYNTHETIC_PASSWORD_VERSION && *byteptr != SYNTHETIC_PASSWORD_VERSION_V1) {
|
||||
if (*byteptr != SYNTHETIC_PASSWORD_VERSION_V2 && *byteptr != SYNTHETIC_PASSWORD_VERSION_V1
|
||||
&& *byteptr != SYNTHETIC_PASSWORD_VERSION_V3) {
|
||||
printf("Unsupported synthetic password version %i\n", *byteptr);
|
||||
return disk_decryption_secret_key;
|
||||
}
|
||||
@@ -772,9 +767,10 @@ std::string unwrapSyntheticPasswordBlob(const std::string& spblob_path, const st
|
||||
}
|
||||
stop_keystore();
|
||||
return disk_decryption_secret_key;
|
||||
} else if (*synthetic_password_version == SYNTHETIC_PASSWORD_VERSION) {
|
||||
printf("spblob v2\n");
|
||||
/* Version 2 of the spblob is basically the same as version 1, but the order of getting the intermediate key and disk decryption key have been flip-flopped
|
||||
} else if (*synthetic_password_version == SYNTHETIC_PASSWORD_VERSION_V2
|
||||
|| *synthetic_password_version == SYNTHETIC_PASSWORD_VERSION_V3) {
|
||||
printf("spblob v2 / v3\n");
|
||||
/* Version 2 / 3 of the spblob is basically the same as version 1, but the order of getting the intermediate key and disk decryption key have been flip-flopped
|
||||
* as seen in https://android.googlesource.com/platform/frameworks/base/+/5025791ac6d1538224e19189397de8d71dcb1a12
|
||||
*/
|
||||
/* First decrypt call found in
|
||||
@@ -926,7 +922,12 @@ std::string unwrapSyntheticPasswordBlob(const std::string& spblob_path, const st
|
||||
//printf("secret key: "); output_hex((const unsigned char*)secret_key, secret_key_real_size); printf("\n");
|
||||
// The payload data from the keystore update is further personalized at https://android.googlesource.com/platform/frameworks/base/+/android-8.0.0_r23/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java#153
|
||||
// We now have the disk decryption key!
|
||||
disk_decryption_secret_key = PersonalizedHash(PERSONALIZATION_FBE_KEY, (const char*)secret_key, secret_key_real_size);
|
||||
if (*synthetic_password_version == SYNTHETIC_PASSWORD_VERSION_V3) {
|
||||
// V3 uses SP800 instead of SHA512
|
||||
disk_decryption_secret_key = PersonalizedHashSP800(PERSONALIZATION_FBE_KEY, PERSONALISATION_CONTEXT, (const char*)secret_key, secret_key_real_size);
|
||||
} else {
|
||||
disk_decryption_secret_key = PersonalizedHash(PERSONALIZATION_FBE_KEY, (const char*)secret_key, secret_key_real_size);
|
||||
}
|
||||
//printf("disk_decryption_secret_key: '%s'\n", disk_decryption_secret_key.c_str());
|
||||
free(secret_key);
|
||||
return disk_decryption_secret_key;
|
||||
|
||||
@@ -27,11 +27,13 @@
|
||||
#include <string>
|
||||
#include <stdlib.h>
|
||||
#include <openssl/sha.h>
|
||||
#include <openssl/hmac.h>
|
||||
|
||||
#include "HashPassword.h"
|
||||
|
||||
#define PASS_PADDING_SIZE 128
|
||||
#define SHA512_HEX_SIZE SHA512_DIGEST_LENGTH * 2
|
||||
#define SHA256_HEX_SIZE SHA256_DIGEST_LENGTH * 2
|
||||
|
||||
void* PersonalizedHashBinary(const char* prefix, const char* key, const size_t key_size) {
|
||||
size_t size = PASS_PADDING_SIZE + key_size;
|
||||
@@ -78,6 +80,37 @@ std::string PersonalizedHash(const char* prefix, const std::string& Password) {
|
||||
return PersonalizedHash(prefix, Password.c_str(), Password.size());
|
||||
}
|
||||
|
||||
std::string PersonalizedHashSP800(const char* label, const char* context, const char* key, const size_t key_size) {
|
||||
HMAC_CTX ctx;
|
||||
HMAC_CTX_init(&ctx);
|
||||
HMAC_Init_ex(&ctx, key, key_size, EVP_sha256(), NULL);
|
||||
unsigned int counter = 1;
|
||||
endianswap(&counter);
|
||||
HMAC_Update(&ctx, (const unsigned char*)&counter, 4);
|
||||
HMAC_Update(&ctx, (const unsigned char*)label, strlen(label));
|
||||
const unsigned char divider = 0;
|
||||
HMAC_Update(&ctx, ÷r, 1);
|
||||
HMAC_Update(&ctx, (const unsigned char*)context, strlen(context));
|
||||
unsigned int contextDisambiguation = strlen(context) * 8;
|
||||
endianswap(&contextDisambiguation);
|
||||
HMAC_Update(&ctx, (const unsigned char*)&contextDisambiguation, 4);
|
||||
unsigned int finalValue = 256;
|
||||
endianswap(&finalValue);
|
||||
HMAC_Update(&ctx, (const unsigned char*)&finalValue, 4);
|
||||
|
||||
unsigned char output[SHA256_DIGEST_LENGTH];
|
||||
unsigned int out_size = 0;
|
||||
HMAC_Final(&ctx, output, &out_size);
|
||||
|
||||
int index = 0;
|
||||
char hex_hash[SHA256_HEX_SIZE + 1];
|
||||
for(index = 0; index < SHA256_DIGEST_LENGTH; index++)
|
||||
sprintf(hex_hash + (index * 2), "%02x", output[index]);
|
||||
hex_hash[SHA256_HEX_SIZE] = 0;
|
||||
std::string ret = hex_hash;
|
||||
return ret;
|
||||
}
|
||||
|
||||
std::string HashPassword(const std::string& Password) {
|
||||
const char* prefix = FBE_PERSONALIZATION;
|
||||
return PersonalizedHash(prefix, Password);
|
||||
|
||||
@@ -26,11 +26,19 @@
|
||||
#define PERSONALIZATION_FBE_KEY "fbe-key"
|
||||
#define PERSONALIZATION_USER_GK_AUTH "user-gk-authentication"
|
||||
#define PERSONALISATION_SECDISCARDABLE "secdiscardable-transform"
|
||||
#define PERSONALISATION_CONTEXT "android-synthetic-password-personalization-context"
|
||||
|
||||
void* PersonalizedHashBinary(const char* prefix, const char* key, const size_t key_size);
|
||||
|
||||
std::string PersonalizedHash(const char* prefix, const char* key, const size_t key_size);
|
||||
std::string PersonalizedHash(const char* prefix, const std::string& Password);
|
||||
std::string PersonalizedHashSP800(const char* label, const char* context, const char* key, const size_t key_size);
|
||||
std::string HashPassword(const std::string& Password);
|
||||
|
||||
template <class T>
|
||||
void endianswap(T *objp) {
|
||||
unsigned char *memp = reinterpret_cast<unsigned char*>(objp);
|
||||
std::reverse(memp, memp + sizeof(T));
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user