5 files changed, 75 insertions, 17 deletions
diff --git a/crypto/ext4crypt/Android.mk b/crypto/ext4crypt/Android.mk
index 8e77cdf30..0c6ef5b56 100644
--- a/crypto/ext4crypt/Android.mk
+++ b/crypto/ext4crypt/Android.mk
@@ -45,7 +45,11 @@ ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 26; echo $$?),0)
             LOCAL_SHARED_LIBRARIES += libkeyutils
         endif
     endif
-    LOCAL_REQUIRED_MODULES := keystore_auth
+    ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 28; echo $$?),0)
+        LOCAL_REQUIRED_MODULES := keystore_auth
+    else
+        LOCAL_ADDITIONAL_DEPENDENCIES := keystore_auth
+    endif
 else
     #7.x rules
     LOCAL_SRC_FILES += Ext4Crypt.cpp Keymaster.cpp KeyStorage.cpp
diff --git a/crypto/ext4crypt/Decrypt.cpp b/crypto/ext4crypt/Decrypt.cpp
index 3eeaaf877..d8542dca7 100644
--- a/crypto/ext4crypt/Decrypt.cpp
+++ b/crypto/ext4crypt/Decrypt.cpp
@@ -244,13 +244,6 @@ bool Find_Handle(const std::string& spblob_path, std::string& handle_str) {
 	return false;
 }
 
-// The password data is stored in big endian and has to be swapped on little endian ARM
-template <class T>
-void endianswap(T *objp) {
-	unsigned char *memp = reinterpret_cast<unsigned char*>(objp);
-	std::reverse(memp, memp + sizeof(T));
-}
-
 /* This is the structure of the data in the password data (*.pwd) file which the structure can be found
  * https://android.googlesource.com/platform/frameworks/base/+/android-8.0.0_r23/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java#187 */
 struct password_data_struct {
@@ -442,7 +435,8 @@ sp<IBinder> getKeystoreBinderRetry() {
 namespace keystore {
 
 #define SYNTHETIC_PASSWORD_VERSION_V1 1
-#define SYNTHETIC_PASSWORD_VERSION 2
+#define SYNTHETIC_PASSWORD_VERSION_V2 2
+#define SYNTHETIC_PASSWORD_VERSION_V3 3
 #define SYNTHETIC_PASSWORD_PASSWORD_BASED 0
 #define SYNTHETIC_PASSWORD_KEY_PREFIX "USRSKEY_synthetic_password_"
 #define USR_PRIVATE_KEY_PREFIX "USRPKEY_synthetic_password_"
@@ -579,7 +573,8 @@ std::string unwrapSyntheticPasswordBlob(const std::string& spblob_path, const st
 		return disk_decryption_secret_key;
 	}
 	unsigned char* byteptr = (unsigned char*)spblob_data.data();
-	if (*byteptr != SYNTHETIC_PASSWORD_VERSION && *byteptr != SYNTHETIC_PASSWORD_VERSION_V1) {
+	if (*byteptr != SYNTHETIC_PASSWORD_VERSION_V2 && *byteptr != SYNTHETIC_PASSWORD_VERSION_V1
+			&& *byteptr != SYNTHETIC_PASSWORD_VERSION_V3) {
 		printf("Unsupported synthetic password version %i\n", *byteptr);
 		return disk_decryption_secret_key;
 	}
@@ -772,9 +767,10 @@ std::string unwrapSyntheticPasswordBlob(const std::string& spblob_path, const st
 		}
 		stop_keystore();
 		return disk_decryption_secret_key;
-	} else if (*synthetic_password_version == SYNTHETIC_PASSWORD_VERSION) {
-		printf("spblob v2\n");
-		/* Version 2 of the spblob is basically the same as version 1, but the order of getting the intermediate key and disk decryption key have been flip-flopped
+	} else if (*synthetic_password_version == SYNTHETIC_PASSWORD_VERSION_V2
+			|| *synthetic_password_version == SYNTHETIC_PASSWORD_VERSION_V3) {
+		printf("spblob v2 / v3\n");
+		/* Version 2 / 3 of the spblob is basically the same as version 1, but the order of getting the intermediate key and disk decryption key have been flip-flopped
 		 * as seen in https://android.googlesource.com/platform/frameworks/base/+/5025791ac6d1538224e19189397de8d71dcb1a12
 		 */
 		/* First decrypt call found in
@@ -926,7 +922,12 @@ std::string unwrapSyntheticPasswordBlob(const std::string& spblob_path, const st
 		//printf("secret key:  "); output_hex((const unsigned char*)secret_key, secret_key_real_size); printf("\n");
 		// The payload data from the keystore update is further personalized at https://android.googlesource.com/platform/frameworks/base/+/android-8.0.0_r23/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java#153
 		// We now have the disk decryption key!
-		disk_decryption_secret_key = PersonalizedHash(PERSONALIZATION_FBE_KEY, (const char*)secret_key, secret_key_real_size);
+		if (*synthetic_password_version == SYNTHETIC_PASSWORD_VERSION_V3) {
+			// V3 uses SP800 instead of SHA512
+			disk_decryption_secret_key = PersonalizedHashSP800(PERSONALIZATION_FBE_KEY, PERSONALISATION_CONTEXT, (const char*)secret_key, secret_key_real_size);
+		} else {
+			disk_decryption_secret_key = PersonalizedHash(PERSONALIZATION_FBE_KEY, (const char*)secret_key, secret_key_real_size);
+		}
 		//printf("disk_decryption_secret_key: '%s'\n", disk_decryption_secret_key.c_str());
 		free(secret_key);
 		return disk_decryption_secret_key;
@@ -1336,7 +1337,11 @@ bool Decrypt_User(const userid_t user_id, const std::string& Password) {
 		printf("e4crypt_unlock_user_key returned fail\n");
 		return false;
 	}
-	if (!e4crypt_prepare_user_storage(nullptr, user_id, 0, flags)) {
+#ifdef USE_KEYSTORAGE_4
+		if (!e4crypt_prepare_user_storage("", user_id, 0, flags)) {
+#else
+		if (!e4crypt_prepare_user_storage(nullptr, user_id, 0, flags)) {
+#endif
 		printf("failed to e4crypt_prepare_user_storage\n");
 		return false;
 	}
diff --git a/crypto/ext4crypt/HashPassword.cpp b/crypto/ext4crypt/HashPassword.cpp
index 817c984bd..07ecb1f7d 100644
--- a/crypto/ext4crypt/HashPassword.cpp
+++ b/crypto/ext4crypt/HashPassword.cpp
@@ -27,11 +27,13 @@
 #include <string>
 #include <stdlib.h>
 #include <openssl/sha.h>
+#include <openssl/hmac.h>
 
 #include "HashPassword.h"
 
 #define PASS_PADDING_SIZE 128
 #define SHA512_HEX_SIZE SHA512_DIGEST_LENGTH * 2
+#define SHA256_HEX_SIZE SHA256_DIGEST_LENGTH * 2
 
 void* PersonalizedHashBinary(const char* prefix, const char* key, const size_t key_size) {
 	size_t size = PASS_PADDING_SIZE + key_size;
@@ -78,6 +80,37 @@ std::string PersonalizedHash(const char* prefix, const std::string& Password) {
 	return PersonalizedHash(prefix, Password.c_str(), Password.size());
 }
 
+std::string PersonalizedHashSP800(const char* label, const char* context, const char* key, const size_t key_size) {
+	HMAC_CTX ctx;
+	HMAC_CTX_init(&ctx);
+	HMAC_Init_ex(&ctx, key, key_size, EVP_sha256(), NULL);
+	unsigned int counter = 1;
+	endianswap(&counter);
+	HMAC_Update(&ctx, (const unsigned char*)&counter, 4);
+	HMAC_Update(&ctx, (const unsigned char*)label, strlen(label));
+	const unsigned char divider = 0;
+	HMAC_Update(&ctx, &divider, 1);
+	HMAC_Update(&ctx, (const unsigned char*)context, strlen(context));
+	unsigned int contextDisambiguation = strlen(context) * 8;
+	endianswap(&contextDisambiguation);
+	HMAC_Update(&ctx, (const unsigned char*)&contextDisambiguation, 4);
+	unsigned int finalValue = 256;
+	endianswap(&finalValue);
+	HMAC_Update(&ctx, (const unsigned char*)&finalValue, 4);
+
+	unsigned char output[SHA256_DIGEST_LENGTH];
+	unsigned int out_size = 0;
+	HMAC_Final(&ctx, output, &out_size);
+
+	int index = 0;
+	char hex_hash[SHA256_HEX_SIZE + 1];
+	for(index = 0; index < SHA256_DIGEST_LENGTH; index++)
+		sprintf(hex_hash + (index * 2), "%02x", output[index]);
+	hex_hash[SHA256_HEX_SIZE] = 0;
+	std::string ret = hex_hash;
+	return ret;
+}
+
 std::string HashPassword(const std::string& Password) {
 	const char* prefix = FBE_PERSONALIZATION;
 	return PersonalizedHash(prefix, Password);
diff --git a/crypto/ext4crypt/HashPassword.h b/crypto/ext4crypt/HashPassword.h
index 4be107b51..73880b1ba 100644
--- a/crypto/ext4crypt/HashPassword.h
+++ b/crypto/ext4crypt/HashPassword.h
@@ -26,11 +26,19 @@
 #define PERSONALIZATION_FBE_KEY "fbe-key"
 #define PERSONALIZATION_USER_GK_AUTH "user-gk-authentication"
 #define PERSONALISATION_SECDISCARDABLE "secdiscardable-transform"
+#define PERSONALISATION_CONTEXT "android-synthetic-password-personalization-context"
 
 void* PersonalizedHashBinary(const char* prefix, const char* key, const size_t key_size);
 
 std::string PersonalizedHash(const char* prefix, const char* key, const size_t key_size);
 std::string PersonalizedHash(const char* prefix, const std::string& Password);
+std::string PersonalizedHashSP800(const char* label, const char* context, const char* key, const size_t key_size);
 std::string HashPassword(const std::string& Password);
 
+template <class T>
+void endianswap(T *objp) {
+	unsigned char *memp = reinterpret_cast<unsigned char*>(objp);
+	std::reverse(memp, memp + sizeof(T));
+}
+
 #endif
diff --git a/crypto/scrypt/Scrypt.mk b/crypto/scrypt/Scrypt.mk
index baa41eca6..67e73c80f 100644
--- a/crypto/scrypt/Scrypt.mk
+++ b/crypto/scrypt/Scrypt.mk
@@ -27,7 +27,11 @@ LOCAL_CFLAGS += $(target_c_flags)
 LOCAL_C_INCLUDES += $(target_c_includes) $(commands_recovery_local_path)/crypto/scrypt/lib/util
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE:= libscrypttwrp_static
-LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
+ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 28; echo $$?),0)
+    LOCAL_REQUIRED_MODULES := $(local_additional_dependencies)
+else
+    LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
+endif
 include $(BUILD_STATIC_LIBRARY)
 
 ########################################
@@ -42,5 +46,9 @@ LOCAL_C_INCLUDES += $(host_c_includes) $(commands_recovery_local_path)/crypto/sc
 LOCAL_LDLIBS += -ldl
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE:= libscrypttwrp_static
-LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
+ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 28; echo $$?),0)
+    LOCAL_REQUIRED_MODULES := $(local_additional_dependencies)
+else
+    LOCAL_ADDITIONAL_DEPENDENCIES := $(local_additional_dependencies)
+endif
 include $(BUILD_HOST_STATIC_LIBRARY)