Use vector to pass around keys
In the future the key size for new master keys will increase.
To maintain backwards compatibility the size of the key
can no longer be assumed. To help communicate the actual
size of the key, it will be passed around in a vector.
Bug: 121272336
Test: Ran Keystore CTS tests against Walleye,
no new test failures observed
Change-Id: Ie74eaf5226398e2300eb266ddda269473593e9d4
Merged-In: I4c05acb15b77959f2bf89abbdc325904fffb497a
diff --git a/keystore/blob.cpp b/keystore/blob.cpp
index ca5cb74..c8a9cbf 100644
--- a/keystore/blob.cpp
+++ b/keystore/blob.cpp
@@ -64,12 +64,12 @@
* Encrypt 'len' data at 'in' with AES-GCM, using 128-bit key at 'key', 96-bit IV at 'iv' and write
* output to 'out' (which may be the same location as 'in') and 128-bit tag to 'tag'.
*/
-ResponseCode AES_gcm_encrypt(const uint8_t* in, uint8_t* out, size_t len, const uint8_t* key,
- const uint8_t* iv, uint8_t* tag) {
+ResponseCode AES_gcm_encrypt(const uint8_t* in, uint8_t* out, size_t len,
+ const std::vector<uint8_t>& key, const uint8_t* iv, uint8_t* tag) {
const EVP_CIPHER* cipher = EVP_aes_128_gcm();
EVP_CIPHER_CTX_Ptr ctx(EVP_CIPHER_CTX_new());
- EVP_EncryptInit_ex(ctx.get(), cipher, nullptr /* engine */, key, iv);
+ EVP_EncryptInit_ex(ctx.get(), cipher, nullptr /* engine */, key.data(), iv);
EVP_CIPHER_CTX_set_padding(ctx.get(), 0 /* no padding needed with GCM */);
std::unique_ptr<uint8_t[]> out_tmp(new uint8_t[len]);
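Review bot: The new `key` vector is handed to `EVP_EncryptInit_ex` as `key.data()` without checking that it actually holds the 16 bytes `EVP_aes_128_gcm()` will read, so a shorter vector — exactly the variable-size case the commit description introduces — becomes an out-of-bounds read of key material, and a longer one is silently truncated. A guard after the cipher is chosen closes this: `if (key.size() != static_cast<size_t>(EVP_CIPHER_key_length(cipher))) return ResponseCode::SYSTEM_ERROR;`. The header comment above still says "128-bit key at 'key'"; it should state that `key` must contain exactly 16 bytes now that the parameter no longer implies a size. The same missing length check applies to `AES_gcm_decrypt` in the hunk at L29 and to `AES_set_decrypt_key(aes_key.data(), kAesKeySize * 8, &key)` in the hunk at L61, which still derives the bit length from the constant rather than from `aes_key.size()`. The body of `AES_gcm_encrypt` continues past this hunk.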
@@ -96,12 +96,13 @@
* Decrypt 'len' data at 'in' with AES-GCM, using 128-bit key at 'key', 96-bit IV at 'iv', checking
* 128-bit tag at 'tag' and writing plaintext to 'out' (which may be the same location as 'in').
*/
-ResponseCode AES_gcm_decrypt(const uint8_t* in, uint8_t* out, size_t len, const uint8_t* key,
- const uint8_t* iv, const uint8_t* tag) {
+ResponseCode AES_gcm_decrypt(const uint8_t* in, uint8_t* out, size_t len,
+ const std::vector<uint8_t> key, const uint8_t* iv,
+ const uint8_t* tag) {
const EVP_CIPHER* cipher = EVP_aes_128_gcm();
EVP_CIPHER_CTX_Ptr ctx(EVP_CIPHER_CTX_new());
- EVP_DecryptInit_ex(ctx.get(), cipher, nullptr /* engine */, key, iv);
+ EVP_DecryptInit_ex(ctx.get(), cipher, nullptr /* engine */, key.data(), iv);
EVP_CIPHER_CTX_set_padding(ctx.get(), 0 /* no padding needed with GCM */);
EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, kGcmTagLength, const_cast<uint8_t*>(tag));
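Review bot: `AES_gcm_decrypt` takes `const std::vector<uint8_t> key` by value while `AES_gcm_encrypt`, `writeBlob` and `readBlob` in this same patch take `const std::vector<uint8_t>&`; the inconsistency looks accidental, and it also copies the key bytes into a fresh heap buffer that is freed at return without being cleared, leaving a second copy of key material in memory. The signature should read `const std::vector<uint8_t>& key, const uint8_t* iv,` to match the other three. The function body continues outside this hunk.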
@@ -205,7 +206,8 @@
}
}
-ResponseCode Blob::writeBlob(const std::string& filename, const uint8_t* aes_key, State state) {
+ResponseCode Blob::writeBlob(const std::string& filename, const std::vector<uint8_t>& aes_key,
+ State state) {
ALOGV("writing blob %s", filename.c_str());
const size_t dataLength = mBlob.length;
@@ -254,7 +256,8 @@
return ResponseCode::NO_ERROR;
}
-ResponseCode Blob::readBlob(const std::string& filename, const uint8_t* aes_key, State state) {
+ResponseCode Blob::readBlob(const std::string& filename, const std::vector<uint8_t>& aes_key,
+ State state) {
ALOGV("reading blob %s", filename.c_str());
const int in = TEMP_FAILURE_RETRY(open(filename.c_str(), O_RDONLY));
if (in < 0) {
@@ -298,7 +301,7 @@
}
AES_KEY key;
- AES_set_decrypt_key(aes_key, kAesKeySize * 8, &key);
+ AES_set_decrypt_key(aes_key.data(), kAesKeySize * 8, &key);
AES_cbc_encrypt(blob.encrypted, blob.encrypted, encryptedLength, &key, blob.vector,
AES_DECRYPT);
key = {}; // clear key