author | Shawn Willden <swillden@google.com> | 2019-10-02 08:58:22 -0600 |
---|---|---|
committer | Shawn Willden <swillden@google.com> | 2019-10-02 09:16:11 -0600 |
commit | b951bc53174bc583e7b76c40982aa82da8b01854 (patch) | |
tree | 0243ef67f904bedec75afb7f0d6d5dded3f38922 | |
parent | 48a4d0f64a0882959a0a7965131b5ccfd32e153e (diff) | |
Encrypt AES-256 keystore master keys.
ag/5984229 that added support for AES-256 master keys inadvertently
caused them not to be encrypted by the user's password. This is less
damaging to security than it might appear because these keys are also
encrypted by Keymaster, in the TEE or StrongBox.
Bug: 141955555
Test: Manually verify password is encryption on a userdebug build.
Change-Id: Ic5e82546df67346e4c348273cf4fe2bac382c9dc
-rw-r--r-- | keystore/blob.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/keystore/blob.cpp b/keystore/blob.cpp index eac8f11d..497f304c 100644 --- a/keystore/blob.cpp +++ b/keystore/blob.cpp @@ -228,7 +228,7 @@ Blob::Blob(const uint8_t* value, size_t valueLength, const uint8_t* info, uint8_ mBlob->version = CURRENT_BLOB_VERSION; mBlob->type = uint8_t(type); - if (type == TYPE_MASTER_KEY) { + if (type == TYPE_MASTER_KEY || type == TYPE_MASTER_KEY_AES256) { mBlob->flags = KEYSTORE_FLAG_ENCRYPTED; } else { mBlob->flags = KEYSTORE_FLAG_NONE; |
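Review bot: The changed condition in the Blob constructor, `type == TYPE_MASTER_KEY || type == TYPE_MASTER_KEY_AES256`, still lists master-key types by hand, and the `else` branch defaults everything else to `KEYSTORE_FLAG_NONE`, which is how the AES-256 type ended up unencrypted by the password in the first place. A further master-key type added later would fall through the same way. Consider putting the check in one helper (for example a hypothetical `isMasterKeyType(type)`) that is used wherever master keys are distinguished, so a new type only has to be added in one place. The Test: line lists only manual verification on a userdebug build; a unit test asserting that a blob constructed with each master-key type carries `KEYSTORE_FLAG_ENCRYPTED` would catch a regression here. This hunk only affects flags set at construction time, so it would also help to state in the commit message what happens to AES-256 master-key blobs that were already written with `KEYSTORE_FLAG_NONE`.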