Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 6e5ccd7f4a73a54d4c3f4a7441780fab0d5238dc
commit6e5ccd7f4a73a54d4c3f4a7441780fab0d5238dc[log] [tgz]
authorEric Biggers <ebiggers@google.com>Wed Jan 17 03:54:11 2024 +0000
committerEric Biggers <ebiggers@google.com>Wed Jan 17 18:36:57 2024 +0000
treed3cc06d93bd5bde7431ed053fe7e8e71f2aa260f
parentd68e691d0a2d65385f08e7e98b1865e72457fdc1 [diff]
keystore: eliminate redundant key stretching

Since the Keystore password is a high-entropy synthetic password, key
stretching is not required.  Therefore, improve the performance of
encrypting and decrypting Keystore user super keys by using HKDF instead
of 8192-iteration PBKDF2.  PBKDF2 continues to be used for decrypting
old keys, when AES-GCM decryption using the HKDF-derived key fails.

Bug: 296464083
Bug: 314391626
Test: atest -p --include-subdirs system/security/keystore2
Test: Upgraded a device and verified the old super keys can still be
      decrypted.
Test: Verified via logcat that super key creation got faster.
Change-Id: Ib7976671ecf886e6308b66e6b1fdfb4b21346afb
2 files changed
tree: d3cc06d93bd5bde7431ed053fe7e8e71f2aa260f
  1. fsverity/
  2. fsverity_init/
  3. identity/
  4. keystore/
  5. keystore-engine/
  6. keystore2/
  7. ondevice-signing/
  8. prng_seeder/
  9. provisioner/
  10. rustfmt.toml ⇨ ../../build/soong/scripts/rustfmt.toml
  11. .clang-format
  12. .gitignore
  13. Android.bp
  14. METADATA
  15. MODULE_LICENSE_APACHE2
  16. NOTICE
  17. OWNERS
  18. PREUPLOAD.cfg