cryptfs: Make decrypted key buffers large enough
Looking at the EVP_DecryptUpdate() documentation, we need a buffer which isn't just the keysize, but also provides the cipher block length minus one byte extra. For EVP_aes_128_cbc(), that block length is 16, but we use the maximum block length to be safe for any future cipher change. For two of our decrypted_master_key usages, the buffer was already sufficiently sized. But for one of our instances, in cryptfs_enable_internal(), the buffer was previously smaller than this. So this CL represents a possible behavior change if we were ever overrunning that buffer. Bug: 73079191, 73176599 Test: Flashed an encrypted sailfish and it booted. Change-Id: Ic5043340910dc7d625e6e5baedbca5bd4b2bfb03
This commit is contained in:
Greg Kaiser
parent
1452b27d4e
commit
4a35ef0a53
1 changed files with 8 additions and 5 deletions
13
cryptfs.cpp
13
cryptfs.cpp
|
|
@ -98,6 +98,11 @@ extern "C" {
|
|||
|
||||
#define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
|
||||
|
||||
// EVP_DecryptUpdate() requires not just our key length, but up to
|
||||
// block length - 1 additional bytes for its work. We provide a buffer
|
||||
// size that will work for all possible ciphers.
|
||||
#define DECRYPTED_MASTER_KEY_BUF_SIZE (KEY_LEN_BYTES + EVP_MAX_BLOCK_LENGTH - 1)
|
||||
|
||||
static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
|
||||
|
||||
static unsigned char saved_master_key[KEY_LEN_BYTES];
|
||||
|
|
@ -1595,8 +1600,7 @@ static int do_crypto_complete(const char *mount_point)
|
|||
static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
|
||||
const char *passwd, const char *mount_point, const char *label)
|
||||
{
|
||||
/* Allocate enough space for a 256 bit key, but we may use less */
|
||||
unsigned char decrypted_master_key[32];
|
||||
unsigned char decrypted_master_key[DECRYPTED_MASTER_KEY_BUF_SIZE];
|
||||
char crypto_blkdev[MAXPATHLEN];
|
||||
char real_blkdev[MAXPATHLEN];
|
||||
char tmp_mount_point[64];
|
||||
|
|
@ -1853,8 +1857,7 @@ int cryptfs_check_passwd(const char *passwd)
|
|||
int cryptfs_verify_passwd(const char *passwd)
|
||||
{
|
||||
struct crypt_mnt_ftr crypt_ftr;
|
||||
/* Allocate enough space for a 256 bit key, but we may use less */
|
||||
unsigned char decrypted_master_key[32];
|
||||
unsigned char decrypted_master_key[DECRYPTED_MASTER_KEY_BUF_SIZE];
|
||||
char encrypted_state[PROPERTY_VALUE_MAX];
|
||||
int rc;
|
||||
|
||||
|
|
@ -2004,7 +2007,7 @@ static int vold_unmountAll(void) {
|
|||
|
||||
int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
|
||||
char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
|
||||
unsigned char decrypted_master_key[KEY_LEN_BYTES];
|
||||
unsigned char decrypted_master_key[DECRYPTED_MASTER_KEY_BUF_SIZE];
|
||||
int rc=-1, i;
|
||||
struct crypt_mnt_ftr crypt_ftr;
|
||||
struct crypt_persist_data *pdata;
|
||||
|
|
|
|||
Loading…
Reference in a new issue