EL2密钥增强

Signed-off-by: l30052632 <liutenglong2@huawei.com>
2024-11-27 09:10:33 +00:00 · 2023-11-20 21:48:21 +08:00 · 2023-11-20 21:48:21 +08:00 · 6034c3d194
commit 6034c3d194
parent b7433bb8cf
4 changed files with 37 additions and 20 deletions
--- a/services/storage_daemon/crypto/src/base_key.cpp
+++ b/services/storage_daemon/crypto/src/base_key.cpp
@ -420,7 +420,8 @@ bool BaseKey::Decrypt(const UserAuth &auth)
        ret = HuksMaster::GetInstance().DecryptKey(keyContext_, auth, keyInfo_);
    } else if (keyEncryptType_ == OpensslCrypto::KEY_CRYPT_OPENSSL) {
        LOGI("Enhanced decrypt key start");
-        ret = OpensslCrypto::GetInstance().DecryptWithoutHuks(auth.secret, keyContext_.encrypted, keyInfo_.key, keyContext_.shield, keyContext_.secDiscard);
+        ret = OpensslCrypto::GetInstance().DecryptWithoutHuks(auth.secret, keyContext_.encrypted,
+                                                              keyInfo_.key, keyContext_.shield, keyContext_.secDiscard);
    }
    keyContext_.encrypted.Clear();
    keyContext_.shield.Clear();
--- a/services/storage_daemon/crypto/src/openssl_crypto.cpp
+++ b/services/storage_daemon/crypto/src/openssl_crypto.cpp
@ -1,3 +1,17 @@
+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 #include "base_key.h"
 #include "err.h"
 #include "huks_master.h"
@ -11,7 +25,8 @@

 namespace OHOS {
 namespace StorageDaemon {
-bool OpensslCrypto::DecryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &cipherText, KeyBlob &plainText, KeyBlob &shield, KeyBlob &secDiscard)
+bool OpensslCrypto::DecryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &cipherText,
+                                       KeyBlob &plainText, KeyBlob &shield, KeyBlob &secDiscard)
 {
    shield = HashAndClip(preKey, secDiscard, RANDOM_NUMBER_SIZE);
    if (cipherText.size < GCM_NONCE_BYTES + GCM_MAC_BYTES) {
@ -25,16 +40,16 @@ bool OpensslCrypto::DecryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &cip
        return false;
    }
    if (EVP_DecryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL,
-                                reinterpret_cast<const uint8_t*>(shield.data.get()),
-                                reinterpret_cast<const uint8_t*>(cipherText.data.get())) != OPENSSL_SUCCESS_FLAG) {
+                           reinterpret_cast<const uint8_t*>(shield.data.get()),
+                           reinterpret_cast<const uint8_t*>(cipherText.data.get())) != OPENSSL_SUCCESS_FLAG) {
        LOGE("Openssl error: %{public}lu ", ERR_get_error());
        return false;
    }
    plainText = KeyBlob(cipherText.size - GCM_NONCE_BYTES - GCM_MAC_BYTES);
    int outlen;
    if (EVP_DecryptUpdate(ctx.get(), reinterpret_cast<uint8_t*>(plainText.data.get()), &outlen,
-                            reinterpret_cast<const uint8_t*>(cipherText.data.get() + GCM_NONCE_BYTES),
-                            plainText.size) != OPENSSL_SUCCESS_FLAG) {
+                          reinterpret_cast<const uint8_t*>(cipherText.data.get() + GCM_NONCE_BYTES),
+                          plainText.size) != OPENSSL_SUCCESS_FLAG) {
        LOGE("Openssl error: %{public}lu ", ERR_get_error());
        return false;
    }
@ -62,7 +77,9 @@ bool OpensslCrypto::DecryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &cip
    return true;
 }

-bool OpensslCrypto::EncryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &plainText, KeyBlob &cipherText, KeyBlob &shield, KeyBlob &secDiscard) {
+bool OpensslCrypto::EncryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &plainText,
+                                       KeyBlob &cipherText, KeyBlob &shield, KeyBlob &secDiscard)
+{
    shield = HashAndClip(preKey, secDiscard, RANDOM_NUMBER_SIZE);
    auto ctx = std::unique_ptr<EVP_CIPHER_CTX, decltype(&::EVP_CIPHER_CTX_free)>(
        EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free);
@ -72,16 +89,15 @@ bool OpensslCrypto::EncryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &pla
    }
    cipherText = KeyBlob(GCM_NONCE_BYTES + plainText.size + GCM_MAC_BYTES);
    if (EVP_EncryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL,
-                                reinterpret_cast<const uint8_t*>(shield.data.get()),
-                                reinterpret_cast<const uint8_t*>(cipherText.data.get())) != OPENSSL_SUCCESS_FLAG) {
+                           reinterpret_cast<const uint8_t*>(shield.data.get()),
+                           reinterpret_cast<const uint8_t*>(cipherText.data.get())) != OPENSSL_SUCCESS_FLAG) {
        LOGE("Openssl error: %{public}lu ", ERR_get_error());
        return false;
    }
    int outlen;
-    if (EVP_EncryptUpdate(
-                ctx.get(), reinterpret_cast<uint8_t*>(cipherText.data.get() + GCM_NONCE_BYTES),
-                &outlen, reinterpret_cast<const uint8_t*>(plainText.data.get()), plainText.size)
-                != OPENSSL_SUCCESS_FLAG) {
+    if (EVP_EncryptUpdate(ctx.get(), reinterpret_cast<uint8_t*>(cipherText.data.get() + GCM_NONCE_BYTES),
+                          &outlen, reinterpret_cast<const uint8_t*>(plainText.data.get()), plainText.size) !=
+                          OPENSSL_SUCCESS_FLAG) {
        LOGE("Openssl error: %{public}lu ", ERR_get_error());
        return false;
    }
@ -100,8 +116,8 @@ bool OpensslCrypto::EncryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &pla
        return false;
    }
    if (EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, GCM_MAC_BYTES,
-                                reinterpret_cast<uint8_t*> (cipherText.data.get() +
-                                GCM_NONCE_BYTES + plainText.size)) != OPENSSL_SUCCESS_FLAG) {
+                            reinterpret_cast<uint8_t*> (cipherText.data.get() +
+                            GCM_NONCE_BYTES + plainText.size)) != OPENSSL_SUCCESS_FLAG) {
        LOGE("Openssl error: %{public}lu ", ERR_get_error());
        return false;
    }
--- a/services/storage_daemon/include/crypto/base_key.h
+++ b/services/storage_daemon/include/crypto/base_key.h
@ -85,7 +85,6 @@ private:

    KeyContext keyContext_ {};
    uint8_t keyLen_ {};
-
 };
 } // namespace StorageDaemon
 } // namespace OHOS
--- a/services/storage_daemon/include/crypto/openssl_crypto.h
+++ b/services/storage_daemon/include/crypto/openssl_crypto.h
@ -1,6 +1,5 @@
-
 /*
- * Copyright (c) 2021 Huawei Device Co., Ltd.
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
@ -27,8 +26,10 @@ public:
        static OpensslCrypto instance;
        return instance;
    }
-    bool DecryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &cipherText, KeyBlob &plainText, KeyBlob &shield, KeyBlob &secDiscard);
-    bool EncryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &plainText, KeyBlob &cipherText, KeyBlob &shield, KeyBlob &secDiscard);
+    bool DecryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &cipherText,
+                            KeyBlob &plainText, KeyBlob &shield, KeyBlob &secDiscard);
+    bool EncryptWithoutHuks(const KeyBlob &preKey, const KeyBlob &plainText,
+                            KeyBlob &cipherText, KeyBlob &shield, KeyBlob &secDiscard);
    KeyBlob HashAndClip(const KeyBlob &prefix, const KeyBlob &payload, uint32_t length);
    void MkdirVersionCheck(const std::string &pathtemp);
    enum KeyEncryptType {