Fix handling of user password changes.

A bug introduced in a patch intended to upgrade keystore master keys
to use AES-256 and SHA-256 instead of AES-128 and SHA1 causes the
newly-updated master key to fail to be retrievable ever again.  Making
this worse, after five successive failures, keystore decided that all
the data is bad and wipes the user's keystore.  This problem happens
on every password change if the master key is 128 bits.  Luckily,
since the introduction of synthetic passwords to support escrow
tokens, the password presented to keystore is the synthetic password,
which never changes.  So this problem only crops up in devices that
did not have synthetic passwords (launched with Android N or earlier),
were not upgraded to O DR1 (when synthetic passwords were enabled by
default), were never factory reset or had their password removed and
re-added during all of that time and were then upgraded to P or Q,
when the master key upgrade code was present.

This CL fixes the upgrade process so that updated master keys can be
used.  It doesn't change the key size, the keys stay 128 bits, but now
they're readable and usable.  Factory resetting allows an entirely
new master key to be generated, which will be AES-256.

Note that the keystore master key is not really essential to the
security of Keystore keys.  They're also encrypted by the secure
world (TEE or SE), which is their primary protection.  The master key
just provides a cryptographic dependency on the user's password, so
that in the event of a secure world break the attacker still has to
brute force the user's password to recover the key material, or use of
the protected keys.

Bug: 129970023
Test: Manual
Change-Id: I8ce2bb2359cf822039c137bb6bb1fc225da47c29
(cherry picked from commit 3c04bca28a68b9a0148b9ec7fcd4f53d27b151a5)
diff --git a/keystore/blob.h b/keystore/blob.h
index ce488ec..e0bd146 100644
--- a/keystore/blob.h
+++ b/keystore/blob.h
@@ -37,6 +37,7 @@
 constexpr size_t kGcmTagLength = 128 / 8;
 constexpr size_t kGcmIvLength = 96 / 8;
 constexpr size_t kAes128KeySizeBytes = 128 / 8;
+constexpr size_t kAes256KeySizeBytes = 256 / 8;
 
 /* Here is the file format. There are two parts in blob.value, the secret and
  * the description. The secret is stored in ciphertext, and its original size
diff --git a/keystore/user_state.cpp b/keystore/user_state.cpp
index bc3f6d9..8d993e2 100644
--- a/keystore/user_state.cpp
+++ b/keystore/user_state.cpp
@@ -140,10 +140,13 @@
 }
 
 ResponseCode UserState::writeMasterKey(const android::String8& pw) {
-    std::vector<uint8_t> passwordKey(MASTER_KEY_SIZE_BYTES);
+    std::vector<uint8_t> passwordKey(mMasterKey.size());
     generateKeyFromPassword(passwordKey, pw, mSalt);
-    Blob masterKeyBlob(mMasterKey.data(), mMasterKey.size(), mSalt, sizeof(mSalt),
-                       TYPE_MASTER_KEY_AES256);
+    auto blobType = TYPE_MASTER_KEY_AES256;
+    if (mMasterKey.size() == kAes128KeySizeBytes) {
+        blobType = TYPE_MASTER_KEY;
+    }
+    Blob masterKeyBlob(mMasterKey.data(), mMasterKey.size(), mSalt, sizeof(mSalt), blobType);
     auto lockedEntry = LockedKeyBlobEntry::get(mMasterKeyEntry);
     return lockedEntry.writeBlobs(masterKeyBlob, {}, passwordKey, STATE_NO_ERROR);
 }
@@ -174,7 +177,7 @@
 
     size_t masterKeySize = MASTER_KEY_SIZE_BYTES;
     if (rawBlob.type == TYPE_MASTER_KEY) {
-        masterKeySize = SHA1_DIGEST_SIZE_BYTES;
+        masterKeySize = kAes128KeySizeBytes;
     }
 
     std::vector<uint8_t> passwordKey(masterKeySize);
@@ -263,7 +266,7 @@
     const EVP_MD* digest = EVP_sha256();
 
     // SHA1 was used prior to increasing the key size
-    if (key.size() == SHA1_DIGEST_SIZE_BYTES) {
+    if (key.size() == kAes128KeySizeBytes) {
         digest = EVP_sha1();
     }
 
diff --git a/keystore/user_state.h b/keystore/user_state.h
index b0671e3..620aaa5 100644
--- a/keystore/user_state.h
+++ b/keystore/user_state.h
@@ -75,14 +75,14 @@
     bool operator<(uid_t userId) const;
 
   private:
-    static const int SHA1_DIGEST_SIZE_BYTES = 16;
-    static const int SHA256_DIGEST_SIZE_BYTES = 32;
+    static constexpr int SHA1_DIGEST_SIZE_BYTES = 16;
+    static constexpr int SHA256_DIGEST_SIZE_BYTES = 32;
 
-    static const int MASTER_KEY_SIZE_BYTES = SHA256_DIGEST_SIZE_BYTES;
-    static const int MASTER_KEY_SIZE_BITS = MASTER_KEY_SIZE_BYTES * 8;
+    static constexpr int MASTER_KEY_SIZE_BYTES = kAes256KeySizeBytes;
+    static constexpr int MASTER_KEY_SIZE_BITS = MASTER_KEY_SIZE_BYTES * 8;
 
-    static const int MAX_RETRY = 4;
-    static const size_t SALT_SIZE = 16;
+    static constexpr int MAX_RETRY = 4;
+    static constexpr size_t SALT_SIZE = 16;
 
     void generateKeyFromPassword(std::vector<uint8_t>& key, const android::String8& pw,
                                  uint8_t* salt);