1 /* 2 * Copyright 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <keymaster/km_openssl/aes_key.h> 18 19 #include <assert.h> 20 21 #include <keymaster/new> 22 23 #include <openssl/err.h> 24 #include <openssl/rand.h> 25 26 #include "aes_operation.h" 27 28 namespace keymaster { 29 30 static AesOperationFactory encrypt_factory(KM_PURPOSE_ENCRYPT); 31 static AesOperationFactory decrypt_factory(KM_PURPOSE_DECRYPT); 32 GetOperationFactory(keymaster_purpose_t purpose) const33 OperationFactory* AesKeyFactory::GetOperationFactory(keymaster_purpose_t purpose) const { 34 switch (purpose) { 35 case KM_PURPOSE_ENCRYPT: 36 return &encrypt_factory; 37 case KM_PURPOSE_DECRYPT: 38 return &decrypt_factory; 39 default: 40 return nullptr; 41 } 42 } 43 LoadKey(KeymasterKeyBlob && key_material,const AuthorizationSet &,AuthorizationSet && hw_enforced,AuthorizationSet && sw_enforced,UniquePtr<Key> * key) const44 keymaster_error_t AesKeyFactory::LoadKey(KeymasterKeyBlob&& key_material, 45 const AuthorizationSet& /* additional_params */, 46 AuthorizationSet&& hw_enforced, 47 AuthorizationSet&& sw_enforced, 48 UniquePtr<Key>* key) const { 49 if (!key) 50 return KM_ERROR_OUTPUT_PARAMETER_NULL; 51 52 uint32_t min_mac_length = 0; 53 if (hw_enforced.Contains(TAG_BLOCK_MODE, KM_MODE_GCM) || 54 sw_enforced.Contains(TAG_BLOCK_MODE, KM_MODE_GCM)) { 55 56 if (!hw_enforced.GetTagValue(TAG_MIN_MAC_LENGTH, &min_mac_length) && 57 !sw_enforced.GetTagValue(TAG_MIN_MAC_LENGTH, &min_mac_length)) { 58 59 LOG_E("AES-GCM key must have KM_TAG_MIN_MAC_LENGTH", 0); 60 return KM_ERROR_INVALID_KEY_BLOB; 61 } 62 } 63 64 keymaster_error_t error = KM_ERROR_OK; 65 key->reset(new (std::nothrow) AesKey(move(key_material), move(hw_enforced), move(sw_enforced), 66 this)); 67 if (!key->get()) 68 error = KM_ERROR_MEMORY_ALLOCATION_FAILED; 69 return error; 70 } 71 validate_algorithm_specific_new_key_params(const AuthorizationSet & key_description) const72 keymaster_error_t AesKeyFactory::validate_algorithm_specific_new_key_params( 73 const AuthorizationSet& key_description) const { 74 if (key_description.Contains(TAG_BLOCK_MODE, KM_MODE_GCM)) { 75 uint32_t min_tag_length; 76 if (!key_description.GetTagValue(TAG_MIN_MAC_LENGTH, &min_tag_length)) 77 return KM_ERROR_MISSING_MIN_MAC_LENGTH; 78 79 if (min_tag_length % 8 != 0) 80 return KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH; 81 82 if (min_tag_length < kMinGcmTagLength || min_tag_length > kMaxGcmTagLength) 83 return KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH; 84 } else { 85 // Not GCM 86 if (key_description.find(TAG_MIN_MAC_LENGTH) != -1) { 87 LOG_W("KM_TAG_MIN_MAC_LENGTH found for non AES-GCM key", 0); 88 return KM_ERROR_INVALID_TAG; 89 } 90 } 91 92 return KM_ERROR_OK; 93 } 94 95 } // namespace keymaster 96