Increase the master key size to 256 bits
NIAP certification finds that the 128 bit key size is insufficient
and requires a 256 bit key size. This change increases the
size of new master keys to 256 bits. Any existing master keys are
not changed and continue to be supported.
A new BlobType, TYPE_MASTER_KEY_AES256, is used to signal when a
key is the new larger size.
Bug: 121272336
Test: (1) Ran Keystore CTS tests against Walleye,
no new test failures observed.
(2) Created keys in build without change, moved to build
with change and verified old key could be loaded and
used. Also, a new key could be created with the
increased size and could be reloaded after a reboot.
Change-Id: Ie120f514bc1db7a8a9eeaaf842178bafe128ee19
Merged-In: If00331c303e6cc7bc95a2ab624d0e19bec4e587e
diff --git a/keystore/blob.cpp b/keystore/blob.cpp
index c8a9cbf..c3956f0 100644
--- a/keystore/blob.cpp
+++ b/keystore/blob.cpp
@@ -60,13 +60,28 @@
size_t mSize;
};
+/**
+ * Returns a EVP_CIPHER appropriate for the given key, based on the key's size.
+ */
+const EVP_CIPHER* getAesCipherForKey(const std::vector<uint8_t>& key) {
+ const EVP_CIPHER* cipher = EVP_aes_256_gcm();
+ if (key.size() == kAes128KeySizeBytes) {
+ cipher = EVP_aes_128_gcm();
+ }
+ return cipher;
+}
+
/*
- * Encrypt 'len' data at 'in' with AES-GCM, using 128-bit key at 'key', 96-bit IV at 'iv' and write
- * output to 'out' (which may be the same location as 'in') and 128-bit tag to 'tag'.
+ * Encrypt 'len' data at 'in' with AES-GCM, using 128-bit or 256-bit key at 'key', 96-bit IV at
+ * 'iv' and write output to 'out' (which may be the same location as 'in') and 128-bit tag to
+ * 'tag'.
*/
ResponseCode AES_gcm_encrypt(const uint8_t* in, uint8_t* out, size_t len,
const std::vector<uint8_t>& key, const uint8_t* iv, uint8_t* tag) {
- const EVP_CIPHER* cipher = EVP_aes_128_gcm();
+
+ // There can be 128-bit and 256-bit keys
+ const EVP_CIPHER* cipher = getAesCipherForKey(key);
+
EVP_CIPHER_CTX_Ptr ctx(EVP_CIPHER_CTX_new());
EVP_EncryptInit_ex(ctx.get(), cipher, nullptr /* engine */, key.data(), iv);
@@ -93,13 +108,17 @@
}
/*
- * Decrypt 'len' data at 'in' with AES-GCM, using 128-bit key at 'key', 96-bit IV at 'iv', checking
- * 128-bit tag at 'tag' and writing plaintext to 'out' (which may be the same location as 'in').
+ * Decrypt 'len' data at 'in' with AES-GCM, using 128-bit or 256-bit key at 'key', 96-bit IV at
+ * 'iv', checking 128-bit tag at 'tag' and writing plaintext to 'out'(which may be the same
+ * location as 'in').
*/
ResponseCode AES_gcm_decrypt(const uint8_t* in, uint8_t* out, size_t len,
const std::vector<uint8_t> key, const uint8_t* iv,
const uint8_t* tag) {
- const EVP_CIPHER* cipher = EVP_aes_128_gcm();
+
+ // There can be 128-bit and 256-bit keys
+ const EVP_CIPHER* cipher = getAesCipherForKey(key);
+
EVP_CIPHER_CTX_Ptr ctx(EVP_CIPHER_CTX_new());
EVP_DecryptInit_ex(ctx.get(), cipher, nullptr /* engine */, key.data(), iv);
diff --git a/keystore/blob.h b/keystore/blob.h
index 4a35842..dc70709 100644
--- a/keystore/blob.h
+++ b/keystore/blob.h
@@ -30,6 +30,7 @@
constexpr size_t kAesKeySize = 128 / 8;
constexpr size_t kGcmTagLength = 128 / 8;
constexpr size_t kGcmIvLength = 96 / 8;
+constexpr size_t kAes128KeySizeBytes = 128 / 8;
/* Here is the file format. There are two parts in blob.value, the secret and
* the description. The secret is stored in ciphertext, and its original size
@@ -81,9 +82,9 @@
TYPE_KEY_PAIR = 3,
TYPE_KEYMASTER_10 = 4,
TYPE_KEY_CHARACTERISTICS = 5,
+ TYPE_MASTER_KEY_AES256 = 7,
} BlobType;
-
class Blob {
public:
Blob(const uint8_t* value, size_t valueLength, const uint8_t* info, uint8_t infoLength,
diff --git a/keystore/user_state.cpp b/keystore/user_state.cpp
index b482efd..aab6175 100644
--- a/keystore/user_state.cpp
+++ b/keystore/user_state.cpp
@@ -135,7 +135,8 @@
ResponseCode UserState::writeMasterKey(const android::String8& pw) {
std::vector<uint8_t> passwordKey(MASTER_KEY_SIZE_BYTES);
generateKeyFromPassword(passwordKey, pw, mSalt);
- Blob masterKeyBlob(mMasterKey.data(), mMasterKey.size(), mSalt, sizeof(mSalt), TYPE_MASTER_KEY);
+ Blob masterKeyBlob(mMasterKey.data(), mMasterKey.size(), mSalt, sizeof(mSalt),
+ TYPE_MASTER_KEY_AES256);
return masterKeyBlob.writeBlob(mMasterKeyFile, passwordKey, STATE_NO_ERROR);
}
@@ -159,14 +160,23 @@
} else {
salt = NULL;
}
- std::vector<uint8_t> passwordKey(MASTER_KEY_SIZE_BYTES);
+
+ size_t masterKeySize = MASTER_KEY_SIZE_BYTES;
+ if (rawBlob.type == TYPE_MASTER_KEY) {
+ masterKeySize = SHA1_DIGEST_SIZE_BYTES;
+ }
+
+ std::vector<uint8_t> passwordKey(masterKeySize);
generateKeyFromPassword(passwordKey, pw, salt);
Blob masterKeyBlob(rawBlob);
ResponseCode response = masterKeyBlob.readBlob(mMasterKeyFile, passwordKey, STATE_NO_ERROR);
if (response == ResponseCode::SYSTEM_ERROR) {
return response;
}
- if (response == ResponseCode::NO_ERROR && masterKeyBlob.getLength() == MASTER_KEY_SIZE_BYTES) {
+
+ size_t masterKeyBlobLength = static_cast<size_t>(masterKeyBlob.getLength());
+
+ if (response == ResponseCode::NO_ERROR && masterKeyBlobLength == masterKeySize) {
// If salt was missing, generate one and write a new master key file with the salt.
if (salt == NULL) {
if (!generateSalt()) {
diff --git a/keystore/user_state.h b/keystore/user_state.h
index 424dbf2..c4f3cd4 100644
--- a/keystore/user_state.h
+++ b/keystore/user_state.h
@@ -61,7 +61,7 @@
static const int SHA1_DIGEST_SIZE_BYTES = 16;
static const int SHA256_DIGEST_SIZE_BYTES = 32;
- static const int MASTER_KEY_SIZE_BYTES = SHA1_DIGEST_SIZE_BYTES;
+ static const int MASTER_KEY_SIZE_BYTES = SHA256_DIGEST_SIZE_BYTES;
static const int MASTER_KEY_SIZE_BITS = MASTER_KEY_SIZE_BYTES * 8;
static const int MAX_RETRY = 4;
