From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Iulian Mocanu Date: Fri, 22 Feb 2019 15:44:55 +0100 Subject: [PATCH] keystore: add iv_size restriction for dal-keystore Dal-keystore support only 12-byte IV for AES-GCM algorithms to promote interoperability, efficiency, and simplicity of design. Restriction is related to GCM recommandation for situations in which efficiency is critical. Change-Id: I3829684ee322eefeffc6b3620061f2a8ac97b205 Signed-off-by: Iulian Mocanu Tracked-On: PKT-1776 Signed-off-by: Zhou Furong --- security/keystore/api_dal.c | 11 +++-------- security/keystore/dal_client.h | 6 ++++++ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/security/keystore/api_dal.c b/security/keystore/api_dal.c index 3a6b1c24de26..8dbba4da7223 100644 --- a/security/keystore/api_dal.c +++ b/security/keystore/api_dal.c @@ -798,15 +798,12 @@ int dal_keystore_encrypt(const uint8_t *client_ticket, int slot_id, ": keystore_encrypt slot_id=%d algo_spec=%d iv_size=%u isize=%u\n", slot_id, (int)algo_spec, iv_size, input_size); - if (!iv || iv_size < DAL_KEYSTORE_GCM_IV_SIZE || - iv_size > KEYSTORE_MAX_IV_SIZE) { - ks_err(KBUILD_MODNAME ": Incorrect input values to %s\n", + if (!iv || iv_size != DAL_KEYSTORE_GCM_IV_SIZE) { + ks_err(KBUILD_MODNAME ": Incorrect input values to %s\n", __func__); return -EINVAL; } - iv_size = DAL_KEYSTORE_GCM_IV_SIZE; - res = dal_calc_clientid(client_id, sizeof(client_id)); if (res) { @@ -952,14 +949,12 @@ int dal_keystore_decrypt(const uint8_t *client_ticket, int slot_id, ": keystore_decrypt slot_id=%d algo_spec=%d iv_size=%u isize=%u\n", slot_id, (int)algo_spec, iv_size, input_size); - if (!iv || iv_size < DAL_KEYSTORE_GCM_IV_SIZE || iv_size > KEYSTORE_MAX_IV_SIZE) { + if (!iv || iv_size != DAL_KEYSTORE_GCM_IV_SIZE) { ks_err(KBUILD_MODNAME ": Incorrect input values to %s\n", __func__); return -EINVAL; } - iv_size = DAL_KEYSTORE_GCM_IV_SIZE; - res = dal_calc_clientid(client_id, sizeof(client_id)); if (res) { diff --git a/security/keystore/dal_client.h b/security/keystore/dal_client.h index 059c919cfabe..cce8ab560231 100644 --- a/security/keystore/dal_client.h +++ b/security/keystore/dal_client.h @@ -22,6 +22,12 @@ #include #include +/** + * DAL_KEYSTORE_GCM_IV_SIZE - size of the Initialization Vector + * + * Dal-keystore supports only 12-byte IV for AES-GCM algorithms + * to promote interoperability, efficiency, and simplicity of design. + */ #define DAL_KEYSTORE_GCM_IV_SIZE 12 #define DAL_KEYSTORE_GCM_AUTH_SIZE 16 #define DAL_KEYSTORE_MAX_WRAP_KEY_LEN 49 -- https://clearlinux.org