cryptohome: Deprecate EncryptScryptBlob and DecryptScryptBlob.
This marks EncryptScryptBlob and DecryptScryptBlob as deprecated. They
will be deleted once the final auth blocks land.
BUG=chromium:1069904
TEST=FEATURES=test emerge-${BOARD} cryptohome
Change-Id: I35166eb149f54625c8ebf88c963bebeac1a58a1e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2485907
Tested-by: Greg Kerr <kerrnel@chromium.org>
Auto-Submit: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Daniil Lunev <dlunev@chromium.org>
Commit-Queue: Daniil Lunev <dlunev@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
diff --git a/cryptohome/crypto.cc b/cryptohome/crypto.cc
index 1cde763..b44c3cf 100644
--- a/cryptohome/crypto.cc
+++ b/cryptohome/crypto.cc
@@ -379,7 +379,7 @@
VaultKeyset* keyset) const {
SecureBlob blob = SecureBlob(serialized.wrapped_keyset());
SecureBlob decrypted(blob.size());
- if (!CryptoLib::DecryptScryptBlob(blob, key, &decrypted, error)) {
+ if (!CryptoLib::DeprecatedDecryptScryptBlob(blob, key, &decrypted, error)) {
LOG(ERROR) << "Wrapped keyset Scrypt decrypt failed.";
return false;
}
@@ -390,8 +390,8 @@
SecureBlob wrapped_chaps_key = SecureBlob(serialized.wrapped_chaps_key());
chaps_key.resize(wrapped_chaps_key.size());
// Perform a Scrypt operation on wrapped chaps key.
- if (!CryptoLib::DecryptScryptBlob(wrapped_chaps_key, key, &chaps_key,
- error)) {
+ if (!CryptoLib::DeprecatedDecryptScryptBlob(wrapped_chaps_key, key,
+ &chaps_key, error)) {
LOG(ERROR) << "Chaps key scrypt decrypt failed.";
return false;
}
@@ -403,8 +403,8 @@
SecureBlob wrapped_reset_seed = SecureBlob(serialized.wrapped_reset_seed());
reset_seed.resize(wrapped_reset_seed.size());
// Perform a Scrypt operation on wrapped reset seed.
- if (!CryptoLib::DecryptScryptBlob(wrapped_reset_seed, key, &reset_seed,
- error)) {
+ if (!CryptoLib::DeprecatedDecryptScryptBlob(wrapped_reset_seed, key,
+ &reset_seed, error)) {
LOG(ERROR) << "Reset seed scrypt decrypt failed.";
return false;
}
@@ -743,14 +743,14 @@
SecureBlob local_blob = SecureBlob::Combine(blob, hash);
SecureBlob cipher_text;
- if (!CryptoLib::EncryptScryptBlob(local_blob, key, &cipher_text)) {
+ if (!CryptoLib::DeprecatedEncryptScryptBlob(local_blob, key, &cipher_text)) {
LOG(ERROR) << "Scrypt encrypt of keyset blob failed.";
return false;
}
SecureBlob wrapped_chaps_key;
- if (!CryptoLib::EncryptScryptBlob(vault_keyset.chaps_key(), key,
- &wrapped_chaps_key)) {
+ if (!CryptoLib::DeprecatedEncryptScryptBlob(vault_keyset.chaps_key(), key,
+ &wrapped_chaps_key)) {
LOG(ERROR) << "Scrypt encrypt of chaps key failed.";
return false;
}
@@ -768,8 +768,8 @@
// If there is a reset seed, encrypt and store it.
if (vault_keyset.reset_seed().size() != 0) {
SecureBlob wrapped_reset_seed;
- if (!CryptoLib::EncryptScryptBlob(vault_keyset.reset_seed(), key,
- &wrapped_reset_seed)) {
+ if (!CryptoLib::DeprecatedEncryptScryptBlob(vault_keyset.reset_seed(), key,
+ &wrapped_reset_seed)) {
LOG(ERROR) << "Scrypt encrypt of reset seed failed.";
return false;
}
diff --git a/cryptohome/cryptolib.cc b/cryptohome/cryptolib.cc
index 7f28dd7..0ceb1d9 100644
--- a/cryptohome/cryptolib.cc
+++ b/cryptohome/cryptolib.cc
@@ -1100,9 +1100,10 @@
}
// static
-bool CryptoLib::EncryptScryptBlob(const brillo::SecureBlob& blob,
- const brillo::SecureBlob& key_source,
- brillo::SecureBlob* wrapped_blob) {
+bool CryptoLib::DeprecatedEncryptScryptBlob(
+ const brillo::SecureBlob& blob,
+ const brillo::SecureBlob& key_source,
+ brillo::SecureBlob* wrapped_blob) {
wrapped_blob->resize(blob.size() + kScryptMetadataSize);
brillo::SecureBlob salt =
@@ -1124,10 +1125,11 @@
}
// static
-bool CryptoLib::DecryptScryptBlob(const brillo::SecureBlob& wrapped_blob,
- const brillo::SecureBlob& key,
- brillo::SecureBlob* blob,
- CryptoError* error) {
+bool CryptoLib::DeprecatedDecryptScryptBlob(
+ const brillo::SecureBlob& wrapped_blob,
+ const brillo::SecureBlob& key,
+ brillo::SecureBlob* blob,
+ CryptoError* error) {
DCHECK(blob->size() >= wrapped_blob.size());
ScryptParameters params;
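Review bot: The only guard on the output buffer size in DeprecatedDecryptScryptBlob is `DCHECK(blob->size() >= wrapped_blob.size());`, and DCHECKs are normally compiled out of release builds, so production code relies entirely on callers to size `blob` correctly. The callers visible in crypto.cc do size it from the wrapped input, but that input is read from a serialized keyset, so a runtime check here would be cheap defense in depth while the function stays in use. Consider adding `if (blob->size() < wrapped_blob.size()) { LOG(ERROR) << "Output blob too small for scrypt decrypt."; return false; }` before any data is written, setting |error| as the header comment promises on failure. The rest of the function body is outside this hunk, so how the buffer is written afterwards could not be checked from here.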
diff --git a/cryptohome/cryptolib.h b/cryptohome/cryptolib.h
index 61767c5..213ad9b 100644
--- a/cryptohome/cryptolib.h
+++ b/cryptohome/cryptolib.h
@@ -300,20 +300,21 @@
// - wrapped_blob: Pointer to blob where encrypted data is stored.
//
// Returns true on success, and false on failure.
- static bool EncryptScryptBlob(const brillo::SecureBlob& blob,
- const brillo::SecureBlob& key_source,
- brillo::SecureBlob* wrapped_blob);
+ static bool DeprecatedEncryptScryptBlob(const brillo::SecureBlob& blob,
+ const brillo::SecureBlob& key_source,
+ brillo::SecureBlob* wrapped_blob);
- // Companion decryption function for EncryptScryptBlob().
+ // Companion decryption function for DeprecatedEncryptScryptBlob().
// This decrypts the data blobs which were encrypted using
- // EncryptScryptBlob().
+ // DeprecatedEncryptScryptBlob().
//
// Returns true on success. On failure, false is returned, and
// |error| is set with the appropriate error code.
- static bool DecryptScryptBlob(const brillo::SecureBlob& wrapped_blob,
- const brillo::SecureBlob& key,
- brillo::SecureBlob* blob,
- CryptoError* error);
+ static bool DeprecatedDecryptScryptBlob(
+ const brillo::SecureBlob& wrapped_blob,
+ const brillo::SecureBlob& key,
+ brillo::SecureBlob* blob,
+ CryptoError* error);
// This verifies that the default scrypt params are used in production.
static void AssertProductionScryptParams();
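Review bot: The new names say "Deprecated", but the header comments above DeprecatedEncryptScryptBlob and DeprecatedDecryptScryptBlob still read as ordinary API documentation. Nothing tells a reader why these are deprecated, what to call instead, or when they go away. Since this wraps key material, it is worth stating in the header so new callers are not added by accident, for example `// Deprecated: do not add new callers. Will be removed once the final auth blocks land (crbug.com/1069904).` above each declaration. If the replacement API already exists, naming it in that comment would help; the page does not show what it is.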
diff --git a/cryptohome/cryptolib_unittest.cc b/cryptohome/cryptolib_unittest.cc
index a8b3e4b..30c710d 100644
--- a/cryptohome/cryptolib_unittest.cc
+++ b/cryptohome/cryptolib_unittest.cc
@@ -23,8 +23,8 @@
const std::string& original_str) {
brillo::SecureBlob decrypted_blob(wrapped_blob.size());
CryptoError error;
- EXPECT_TRUE(
- CryptoLib::DecryptScryptBlob(wrapped_blob, key, &decrypted_blob, &error));
+ EXPECT_TRUE(CryptoLib::DeprecatedDecryptScryptBlob(wrapped_blob, key,
+ &decrypted_blob, &error));
const std::string decrypted_str(decrypted_blob.begin(), decrypted_blob.end());
EXPECT_EQ(original_str, decrypted_str);
@@ -268,10 +268,11 @@
EXPECT_NE(iv, iv3);
}
-// These tests check that EncryptScryptBlob and DecryptScryptBlob continue to
-// perform the same function, and interoperate correctly, as they are re-written
-// and re-factored. These do not prove cryptographic properties of the
-// functions, or formal verification. They are sanity checks for compatibility.
+// These tests check that DeprecatedEncryptScryptBlob and
+// DeprecatedDecryptScryptBlob continue to perform the same function, and
+// interoperate correctly, as they are re-written and re-factored. These do not
+// prove cryptographic properties of the functions, or formal verification. They
+// are sanity checks for compatibility.
TEST(CryptoLibTest, EncryptScryptTest1) {
const std::string blob_str = "nOaVD3qRNqWhqQTDgyGb";
brillo::SecureBlob blob(blob_str.begin(), blob_str.end());
@@ -279,7 +280,8 @@
brillo::SecureBlob key_source(key_source_str.begin(), key_source_str.end());
brillo::SecureBlob wrapped_blob;
- EXPECT_TRUE(CryptoLib::EncryptScryptBlob(blob, key_source, &wrapped_blob));
+ EXPECT_TRUE(
+ CryptoLib::DeprecatedEncryptScryptBlob(blob, key_source, &wrapped_blob));
CheckBlob(blob, key_source, wrapped_blob, blob_str);