cryptohome: Mount to operate on VaultKeyset
Stop passing around raw SerializedVaultKeyset and operate with the
VaultKeyset wrapper only. We still need to call to
VaultKeyset::serialized in multiple places, but at least we don't have
SerializedVaultKeyset as a part of any interfaces.
BUG=chromium:1124561
TEST=unittest
Change-Id: I6edf66ea51d910fe8f6f23a0f6109e2f2f1839be
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2465548
Tested-by: Daniil Lunev <dlunev@chromium.org>
Commit-Queue: Daniil Lunev <dlunev@chromium.org>
Reviewed-by: Leo Lai <cylai@google.com>
diff --git a/cryptohome/mount.cc b/cryptohome/mount.cc
index 857d720..0e45a66 100644
--- a/cryptohome/mount.cc
+++ b/cryptohome/mount.cc
@@ -355,10 +355,9 @@
// Attempt to decrypt the vault keyset with the specified credentials.
VaultKeyset vault_keyset;
vault_keyset.Initialize(platform_, crypto_);
- SerializedVaultKeyset serialized;
MountError local_mount_error = MOUNT_ERROR_NONE;
int index = -1;
- if (!DecryptVaultKeyset(credentials, &vault_keyset, &serialized, &index,
+ if (!DecryptVaultKeyset(credentials, &vault_keyset, &index,
&local_mount_error)) {
*mount_error = local_mount_error;
if (recreate_on_decrypt_fatal && local_mount_error == MOUNT_ERROR_FATAL) {
@@ -386,9 +385,9 @@
return false;
}
- if (!serialized.has_wrapped_chaps_key()) {
+ if (!vault_keyset.serialized().has_wrapped_chaps_key()) {
vault_keyset.CreateRandomChapsKey();
- ReEncryptVaultKeyset(credentials, index, &vault_keyset, &serialized);
+ ReEncryptVaultKeyset(credentials, index, &vault_keyset);
}
SecureBlob local_chaps_key(vault_keyset.chaps_key().begin(),
@@ -677,8 +676,7 @@
VaultKeyset vault_keyset;
vault_keyset.Initialize(platform_, crypto_);
vault_keyset.CreateRandom();
- SerializedVaultKeyset serialized;
- if (!AddVaultKeyset(credentials, &vault_keyset, &serialized)) {
+ if (!AddVaultKeyset(credentials, &vault_keyset)) {
LOG(ERROR) << "Failed to add vault keyset to new user";
return false;
}
@@ -686,17 +684,18 @@
// the existence test. (All new-format calls must populate the
// label on creation.)
if (!credentials.key_data().label().empty()) {
- *serialized.mutable_key_data() = credentials.key_data();
+ *vault_keyset.mutable_serialized()->mutable_key_data() =
+ credentials.key_data();
}
if (credentials.key_data().type() == KeyData::KEY_TYPE_CHALLENGE_RESPONSE) {
- *serialized.mutable_signature_challenge_info() =
+ *vault_keyset.mutable_serialized()->mutable_signature_challenge_info() =
credentials.challenge_credentials_keyset_info();
}
// TODO(wad) move to storage by label-derivative and not number.
if (!StoreVaultKeysetForUser(obfuscated_username,
0, // first key
- &serialized)) {
+ &vault_keyset)) {
LOG(ERROR) << "Failed to store vault keyset for new user";
return false;
}
@@ -736,7 +735,7 @@
keyset.mutable_serialized()->set_last_activity_timestamp(
timestamp.ToInternalValue());
if (!StoreTimestampForUser(obfuscated_username, active_key_index,
- keyset.mutable_serialized())) {
+ &keyset)) {
return false;
}
if (user_timestamp_cache_->initialized()) {
@@ -749,7 +748,7 @@
bool Mount::StoreVaultKeysetForUser(const std::string& obfuscated_username,
int index,
- SerializedVaultKeyset* serialized) const {
+ VaultKeyset* vault_keyset) const {
if (index < 0 || index > kKeyFileMax) {
LOG(ERROR) << "Attempted to store an invalid key index: " << index;
return false;
@@ -759,22 +758,23 @@
VaultKeyset keyset;
keyset.Initialize(platform_, crypto_);
homedirs_->LoadVaultKeysetForUser(obfuscated_username, index, &keyset);
- if (serialized->has_last_activity_timestamp()) {
+ if (vault_keyset->serialized().has_last_activity_timestamp()) {
keyset.mutable_serialized()->set_last_activity_timestamp(
- serialized->last_activity_timestamp());
- if (MessageDifferencer::Equals(*serialized, keyset.serialized())) {
+ vault_keyset->serialized().last_activity_timestamp());
+ if (MessageDifferencer::Equals(vault_keyset->serialized(),
+ keyset.serialized())) {
LOG(INFO) << "Only the timestamp has changed, should not store keyset.";
- return StoreTimestampForUser(obfuscated_username, index, serialized);
+ return StoreTimestampForUser(obfuscated_username, index, vault_keyset);
}
}
}
- if (serialized->has_last_activity_timestamp()) {
- if (!StoreTimestampForUser(obfuscated_username, index, serialized)) {
+ if (vault_keyset->serialized().has_last_activity_timestamp()) {
+ if (!StoreTimestampForUser(obfuscated_username, index, vault_keyset)) {
return false;
}
}
- brillo::Blob final_blob(serialized->ByteSizeLong());
- serialized->SerializeWithCachedSizesToArray(
+ brillo::Blob final_blob(vault_keyset->serialized().ByteSizeLong());
+ vault_keyset->serialized().SerializeWithCachedSizesToArray(
static_cast<google::protobuf::uint8*>(final_blob.data()));
return platform_->WriteFileAtomicDurable(
GetUserLegacyKeyFileForUser(obfuscated_username, index), final_blob,
@@ -783,9 +783,9 @@
bool Mount::StoreTimestampForUser(const std::string& obfuscated_username,
int index,
- SerializedVaultKeyset* serialized) const {
+ VaultKeyset* vault_keyset) const {
Timestamp timestamp;
- timestamp.set_timestamp(serialized->last_activity_timestamp());
+ timestamp.set_timestamp(vault_keyset->serialized().last_activity_timestamp());
std::string timestamp_str;
if (!timestamp.SerializeToString(×tamp_str)) {
return false;
@@ -796,14 +796,14 @@
LOG(ERROR) << "Failed writing to timestamp file";
return false;
}
- if (!serialized->timestamp_file_exists()) {
+ if (!vault_keyset->serialized().timestamp_file_exists()) {
// The first time we write to a timestamp file we need to update the
// vault_keyset to indicate that the timestamp is stored separately.
// The initial 0 timestamp is also written to the vault_keyset which
// means a timestamp will exist and can be read in case of a rollback.
- serialized->set_timestamp_file_exists(true);
- brillo::Blob blob(serialized->ByteSizeLong());
- serialized->SerializeWithCachedSizesToArray(
+ vault_keyset->mutable_serialized()->set_timestamp_file_exists(true);
+ brillo::Blob blob(vault_keyset->serialized().ByteSizeLong());
+ vault_keyset->serialized().SerializeWithCachedSizesToArray(
static_cast<google::protobuf::uint8*>(blob.data()));
return platform_->WriteFileAtomicDurable(
GetUserLegacyKeyFileForUser(obfuscated_username, index), blob,
@@ -888,14 +888,12 @@
bool Mount::DecryptVaultKeyset(const Credentials& credentials,
VaultKeyset* vault_keyset,
- SerializedVaultKeyset* serialized,
int* index,
MountError* error) const {
*error = MOUNT_ERROR_NONE;
if (!homedirs_->GetValidKeyset(credentials, vault_keyset, index, error))
return false;
- *serialized = vault_keyset->serialized();
// Calling EnsureTpm here handles the case where a user logged in while
// cryptohome was taking TPM ownership. In that case, their vault keyset
@@ -912,21 +910,15 @@
return true;
}
- SerializedVaultKeyset new_serialized;
- new_serialized.CopyFrom(*serialized);
// This is not considered a fatal error. Re-saving with the desired
// protection is ideal, but not required.
- if (ReEncryptVaultKeyset(credentials, *index, vault_keyset,
- &new_serialized)) {
- serialized->CopyFrom(new_serialized);
- }
+ ReEncryptVaultKeyset(credentials, *index, vault_keyset);
return true;
}
bool Mount::AddVaultKeyset(const Credentials& credentials,
- VaultKeyset* vault_keyset,
- SerializedVaultKeyset* serialized) const {
+ VaultKeyset* vault_keyset) const {
// We don't do passkey to wrapper conversion because it is salted during save
const SecureBlob passkey = credentials.passkey();
@@ -943,7 +935,8 @@
const auto salt =
CryptoLib::CreateSecureRandomBlob(CRYPTOHOME_DEFAULT_KEY_SALT_SIZE);
if (!crypto_->EncryptVaultKeyset(*vault_keyset, passkey, salt,
- obfuscated_username, serialized)) {
+ obfuscated_username,
+ vault_keyset->mutable_serialized())) {
LOG(ERROR) << "Encrypting vault keyset failed";
return false;
}
@@ -953,17 +946,23 @@
bool Mount::ReEncryptVaultKeyset(const Credentials& credentials,
int key_index,
- VaultKeyset* vault_keyset,
- SerializedVaultKeyset* serialized) const {
+ VaultKeyset* vault_keyset) const {
+ // Save the initial serialized proto so we can roll-back any changes if we
+ // failed to re-save.
+ SerializedVaultKeyset old_serialized;
+ old_serialized.CopyFrom(vault_keyset->serialized());
+
std::string obfuscated_username =
credentials.GetObfuscatedUsername(system_salt_);
- uint64_t label = serialized->le_label();
- if (!AddVaultKeyset(credentials, vault_keyset, serialized)) {
+ uint64_t label = vault_keyset->serialized().le_label();
+ if (!AddVaultKeyset(credentials, vault_keyset)) {
LOG(ERROR) << "Couldn't add keyset.";
+ vault_keyset->mutable_serialized()->CopyFrom(old_serialized);
return false;
}
- if ((serialized->flags() & SerializedVaultKeyset::LE_CREDENTIAL) != 0) {
+ if ((vault_keyset->serialized().flags() &
+ SerializedVaultKeyset::LE_CREDENTIAL) != 0) {
if (!crypto_->RemoveLECredential(label)) {
// This is non-fatal error.
LOG(ERROR) << "Failed to remove label = " << label;
@@ -976,8 +975,9 @@
// label uniqueness. This means that we will still be able to use the
// lack of KeyData in the future as input to migration.
if (!StoreVaultKeysetForUser(credentials.GetObfuscatedUsername(system_salt_),
- key_index, serialized)) {
+ key_index, vault_keyset)) {
LOG(ERROR) << "Write to master key failed";
+ vault_keyset->mutable_serialized()->CopyFrom(old_serialized);
return false;
}
diff --git a/cryptohome/mount.h b/cryptohome/mount.h
index 01bb4a6..a9bdda9 100644
--- a/cryptohome/mount.h
+++ b/cryptohome/mount.h
@@ -301,25 +301,21 @@
std::string* key_signature,
std::string* filename_key_signature) const;
- virtual bool StoreVaultKeysetForUser(
- const std::string& obfuscated_username,
- int index,
- SerializedVaultKeyset* encrypted_keyset) const;
+ virtual bool StoreVaultKeysetForUser(const std::string& obfuscated_username,
+ int index,
+ VaultKeyset* vault_keyset) const;
virtual bool StoreTimestampForUser(const std::string& obfuscated_username,
int index,
- SerializedVaultKeyset* serialized) const;
+ VaultKeyset* vault_keyset) const;
// Encrypts and adds the VaultKeyset to the serialized store
//
// Parameters
// credentials - The Credentials for the user
// vault_keyset (IN/OUT) - The VaultKeyset to save
- // serialized (IN/OUT) - The SerializedVaultKeyset to add the encrypted
- // VaultKeyset to
bool AddVaultKeyset(const Credentials& credentials,
- VaultKeyset* vault_keyset,
- SerializedVaultKeyset* serialized) const;
+ VaultKeyset* vault_keyset) const;
// Resaves the vault keyset, restoring on failure. The vault_keyset supplied
// is encrypted and stored in the wrapped_keyset parameter of serialized,
@@ -328,11 +324,9 @@
// Parameters
// credentials - The Credentials for the user
// vault_keyset (IN/OUT) - The VaultKeyset to save
- // serialized (IN/OUT) - The serialized container to be saved
bool ReEncryptVaultKeyset(const Credentials& credentials,
int index,
- VaultKeyset* vault_keyset,
- SerializedVaultKeyset* serialized) const;
+ VaultKeyset* vault_keyset) const;
// Check if the vault keyset needs re-encryption.
//
@@ -347,12 +341,10 @@
// Parameters
// credentials - The user credentials to use
// vault_keyset (OUT) - The unencrypted vault keyset on success
- // serialized (OUT) - The keyset container as deserialized from disk
// index (OUT) - The keyset index from disk
// error (OUT) - The specific error when decrypting
bool DecryptVaultKeyset(const Credentials& credentials,
VaultKeyset* vault_keyset,
- SerializedVaultKeyset* serialized,
int* index,
MountError* error) const;
diff --git a/cryptohome/mount_unittest.cc b/cryptohome/mount_unittest.cc
index 67b5fd1..b27b181 100644
--- a/cryptohome/mount_unittest.cc
+++ b/cryptohome/mount_unittest.cc
@@ -1238,8 +1238,9 @@
// Successful DecryptValutKeyset for tpm-backed keyset should
// lead to a call to DeclareTpmFirmwareStable().
EXPECT_CALL(tpm_, DeclareTpmFirmwareStable());
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ vault_keyset.mutable_serialized()->CopyFrom(serialized);
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
@@ -1251,7 +1252,8 @@
(serialized_tpm.flags() & SerializedVaultKeyset::PCR_BOUND));
EXPECT_EQ(SerializedVaultKeyset::TPM_WRAPPED,
(serialized_tpm.flags() & SerializedVaultKeyset::TPM_WRAPPED));
- EXPECT_EQ(0, (serialized.flags() & SerializedVaultKeyset::SCRYPT_WRAPPED));
+ EXPECT_EQ(0,
+ (serialized_tpm.flags() & SerializedVaultKeyset::SCRYPT_WRAPPED));
// Does it use scrypt for key derivation?
EXPECT_EQ(SerializedVaultKeyset::SCRYPT_DERIVED,
(serialized_tpm.flags() & SerializedVaultKeyset::SCRYPT_DERIVED));
@@ -1337,8 +1339,9 @@
user->InjectKeyset(&platform_, true);
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ vault_keyset.mutable_serialized()->CopyFrom(serialized);
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
@@ -1399,15 +1402,14 @@
user->InjectKeyset(&platform_, true);
VaultKeyset vault_keyset;
vault_keyset.Initialize(&platform_, mount_->crypto());
- SerializedVaultKeyset serialized;
MountError error;
int key_index = -1;
// First we decrypt the vault to load the chaps key.
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
EXPECT_EQ(key_index, 0);
- EXPECT_EQ(serialized.has_wrapped_chaps_key(), true);
+ EXPECT_EQ(vault_keyset.serialized().has_wrapped_chaps_key(), true);
SecureBlob local_chaps(vault_keyset.chaps_key().begin(),
vault_keyset.chaps_key().end());
@@ -1422,8 +1424,8 @@
user->InjectKeyset(&platform_, true);
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
// Compare the pre mount chaps key to the post mount key.
ASSERT_EQ(local_chaps.size(), vault_keyset.chaps_key().size());
@@ -1448,27 +1450,26 @@
user->InjectKeyset(&platform_, true);
VaultKeyset vault_keyset;
vault_keyset.Initialize(&platform_, mount_->crypto());
- SerializedVaultKeyset serialized;
MountError error;
int key_index = -1;
EXPECT_CALL(platform_, ReadFile(user->keyset_path, _))
.Times(2)
.WillRepeatedly(DoAll(SetArgPointee<1>(user->credentials), Return(true)));
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
vault_keyset.clear_chaps_key();
EXPECT_CALL(platform_, WriteFileAtomicDurable(user->keyset_path, _, _))
.WillRepeatedly(DoAll(SaveArg<1>(&(user->credentials)), Return(true)));
- ASSERT_TRUE(mount_->ReEncryptVaultKeyset(credentials, key_index,
- &vault_keyset, &serialized));
+ ASSERT_TRUE(
+ mount_->ReEncryptVaultKeyset(credentials, key_index, &vault_keyset));
user->InjectKeyset(&platform_, true);
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
EXPECT_EQ(key_index, 0);
- EXPECT_EQ(serialized.has_wrapped_chaps_key(), false);
+ EXPECT_EQ(vault_keyset.serialized().has_wrapped_chaps_key(), false);
user->InjectUserPaths(&platform_, chronos_uid_, chronos_gid_, shared_gid_,
kDaemonGid, ShouldTestEcryptfs());
@@ -1481,9 +1482,9 @@
EXPECT_CALL(platform_, ReadFile(user->keyset_path, _))
.WillRepeatedly(DoAll(SetArgPointee<1>(user->credentials), Return(true)));
user->InjectKeyset(&platform_, true);
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
- EXPECT_EQ(serialized.has_wrapped_chaps_key(), true);
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
+ EXPECT_EQ(vault_keyset.serialized().has_wrapped_chaps_key(), true);
EXPECT_EQ(vault_keyset.chaps_key().size(), CRYPTOHOME_CHAPS_KEY_LENGTH);
}
@@ -1498,11 +1499,10 @@
VaultKeyset pin_vault_keyset;
pin_vault_keyset.Initialize(&platform_, mount_->crypto());
- SerializedVaultKeyset serialized;
MountError error;
int key_index = -1;
ASSERT_TRUE(mount_->DecryptVaultKeyset(*pin_credentials_, &pin_vault_keyset,
- &serialized, &key_index, &error));
+ &key_index, &error));
}
TEST_P(MountTest, MountCryptohomeLECredentialsMigrate) {
@@ -1534,7 +1534,7 @@
MountError error;
int key_index = -1;
ASSERT_TRUE(mount_->DecryptVaultKeyset(*pin_credentials_, &pin_vault_keyset,
- &serialized, &key_index, &error));
+ &key_index, &error));
// Check the inserted data from migration.
ASSERT_TRUE(LoadSerializedKeyset(creds, &serialized));
@@ -1563,14 +1563,14 @@
VaultKeyset pin_vault_keyset;
pin_vault_keyset.Initialize(&platform_, mount_->crypto());
- SerializedVaultKeyset serialized;
MountError error;
int key_index = -1;
ASSERT_TRUE(mount_->DecryptVaultKeyset(*pin_credentials_, &pin_vault_keyset,
- &serialized, &key_index, &error));
+ &key_index, &error));
// Check the returned data.
- ASSERT_TRUE(serialized.flags() & SerializedVaultKeyset::LE_CREDENTIAL);
+ ASSERT_TRUE(pin_vault_keyset.serialized().flags() &
+ SerializedVaultKeyset::LE_CREDENTIAL);
}
TEST_P(MountTest, MountCryptohomeNoChange) {
@@ -1592,9 +1592,10 @@
MountError error;
int key_index = -1;
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
EXPECT_EQ(key_index, 0);
+ serialized.CopyFrom(vault_keyset.serialized());
user->InjectUserPaths(&platform_, chronos_uid_, chronos_gid_, shared_gid_,
kDaemonGid, ShouldTestEcryptfs());
@@ -1608,8 +1609,9 @@
user->InjectKeyset(&platform_, true);
SerializedVaultKeyset new_serialized;
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &new_serialized, &key_index, &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
+ new_serialized.CopyFrom(vault_keyset.serialized());
SecureBlob lhs;
GetKeysetBlob(serialized, &lhs);
@@ -1819,12 +1821,11 @@
vault_keyset.Initialize(&platform_, mount_->crypto());
MountError error;
- cryptohome::SerializedVaultKeyset serialized;
// Migrate to TPM-wrapped from the original Scrypt-wrapped
error = MOUNT_ERROR_NONE;
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
@@ -1836,10 +1837,10 @@
error = MOUNT_ERROR_NONE;
user->InjectKeyset(&platform_, true);
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
- unsigned int flags = serialized.flags();
+ unsigned int flags = vault_keyset.serialized().flags();
EXPECT_EQ((flags & SerializedVaultKeyset::TPM_WRAPPED),
SerializedVaultKeyset::TPM_WRAPPED);
EXPECT_EQ((flags & SerializedVaultKeyset::SCRYPT_WRAPPED), 0);
@@ -1847,9 +1848,9 @@
if (flags & SerializedVaultKeyset::SCRYPT_WRAPPED) {
EXPECT_CALL(platform_, ReadFile(user->keyset_path, _))
.WillOnce(DoAll(SetArgPointee<1>(migrated_keyset), Return(true)));
- serialized.set_flags(flags & ~SerializedVaultKeyset::SCRYPT_WRAPPED);
- EXPECT_TRUE(mount_->ReEncryptVaultKeyset(credentials, 0, &vault_keyset,
- &serialized));
+ vault_keyset.mutable_serialized()->set_flags(
+ flags & ~SerializedVaultKeyset::SCRYPT_WRAPPED);
+ EXPECT_TRUE(mount_->ReEncryptVaultKeyset(credentials, 0, &vault_keyset));
}
// Now we have the TPM-wrapped keyset with correct flags
@@ -1860,8 +1861,8 @@
error = MOUNT_ERROR_NONE;
user->InjectKeyset(&platform_, true);
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
@@ -1874,8 +1875,8 @@
error = MOUNT_ERROR_NONE;
user->InjectKeyset(&platform_, true);
- ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ ASSERT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
}
@@ -1932,36 +1933,36 @@
vault_keyset.Initialize(&platform_, mount_->crypto());
MountError error;
- cryptohome::SerializedVaultKeyset serialized;
error = MOUNT_ERROR_NONE;
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
// Now set both flags and write it
- unsigned int flags = serialized.flags();
+ unsigned int flags = vault_keyset.serialized().flags();
EXPECT_EQ((flags & SerializedVaultKeyset::TPM_WRAPPED),
SerializedVaultKeyset::TPM_WRAPPED);
EXPECT_EQ((flags & SerializedVaultKeyset::SCRYPT_WRAPPED), 0);
- serialized.set_flags(flags | SerializedVaultKeyset::TPM_WRAPPED |
- SerializedVaultKeyset::SCRYPT_WRAPPED);
+ vault_keyset.mutable_serialized()->set_flags(
+ flags | SerializedVaultKeyset::TPM_WRAPPED |
+ SerializedVaultKeyset::SCRYPT_WRAPPED);
EXPECT_TRUE(mount_->StoreVaultKeysetForUser(user->obfuscated_username, 0,
- &serialized));
+ &vault_keyset));
// When we call DecryptVaultKeyset, it should re-encrypt
// the keys and write with only one flag set
error = MOUNT_ERROR_NONE;
user->InjectKeyset(&platform_, true);
- EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset,
- &serialized, &key_index, &error));
+ EXPECT_TRUE(mount_->DecryptVaultKeyset(credentials, &vault_keyset, &key_index,
+ &error));
ASSERT_EQ(error, MOUNT_ERROR_NONE);
ASSERT_NE(migrated_keyset.size(), 0);
- flags = serialized.flags();
+ flags = vault_keyset.serialized().flags();
ASSERT_EQ(SerializedVaultKeyset::TPM_WRAPPED,
(flags & SerializedVaultKeyset::TPM_WRAPPED));
ASSERT_EQ(0, (flags & SerializedVaultKeyset::SCRYPT_WRAPPED));