Revert "Revert "Large refactor to move context out of AndroidKeymaster.""

This reverts commit 13fbe3e93247943c26e7ca2ed27b6d650282b8bf.

Bug: 20912868, 19799085
Change-Id: Iadd6ce5cbe94956c2a2fe277f1bf5b108e4bcf57
diff --git a/ocb_utils.cpp b/ocb_utils.cpp
new file mode 100644
index 0000000..171d07e
--- /dev/null
+++ b/ocb_utils.cpp
@@ -0,0 +1,183 @@
+/*
+ * Copyright 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "ocb_utils.h"
+
+#include <assert.h>
+
+#include <openssl/aes.h>
+#include <openssl/sha.h>
+
+#include <hardware/keymaster_defs.h>
+#include <keymaster/authorization_set.h>
+#include <keymaster/android_keymaster_utils.h>
+
+#include "openssl_err.h"
+
+namespace keymaster {
+
+class AeCtx {
+  public:
+    AeCtx() : ctx_(ae_allocate(NULL)) {}
+    ~AeCtx() {
+        ae_clear(ctx_);
+        ae_free(ctx_);
+    }
+
+    ae_ctx* get() { return ctx_; }
+
+  private:
+    ae_ctx* ctx_;
+};
+
+static keymaster_error_t BuildDerivationData(const AuthorizationSet& hw_enforced,
+                                             const AuthorizationSet& sw_enforced,
+                                             const AuthorizationSet& hidden,
+                                             UniquePtr<uint8_t[]>* derivation_data,
+                                             size_t* derivation_data_length) {
+    *derivation_data_length =
+        hidden.SerializedSize() + hw_enforced.SerializedSize() + sw_enforced.SerializedSize();
+    derivation_data->reset(new uint8_t[*derivation_data_length]);
+    if (!derivation_data->get())
+        return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+
+    uint8_t* buf = derivation_data->get();
+    uint8_t* end = derivation_data->get() + *derivation_data_length;
+    buf = hidden.Serialize(buf, end);
+    buf = hw_enforced.Serialize(buf, end);
+    buf = sw_enforced.Serialize(buf, end);
+
+    return KM_ERROR_OK;
+}
+
+static keymaster_error_t InitializeKeyWrappingContext(const AuthorizationSet& hw_enforced,
+                                                      const AuthorizationSet& sw_enforced,
+                                                      const AuthorizationSet& hidden,
+                                                      const KeymasterKeyBlob& master_key,
+                                                      AeCtx* ctx) {
+    size_t derivation_data_length;
+    UniquePtr<uint8_t[]> derivation_data;
+    keymaster_error_t error = BuildDerivationData(hw_enforced, sw_enforced, hidden,
+                                                  &derivation_data, &derivation_data_length);
+    if (error != KM_ERROR_OK)
+        return error;
+
+    SHA256_CTX sha256_ctx;
+    UniquePtr<uint8_t[]> hash_buf(new uint8_t[SHA256_DIGEST_LENGTH]);
+    Eraser hash_eraser(hash_buf.get(), SHA256_DIGEST_LENGTH);
+    UniquePtr<uint8_t[]> derived_key(new uint8_t[AES_BLOCK_SIZE]);
+    Eraser derived_key_eraser(derived_key.get(), AES_BLOCK_SIZE);
+
+    if (!ctx->get() || !hash_buf.get() || !derived_key.get())
+        return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+
+    // Hash derivation data.
+    Eraser sha256_ctx_eraser(sha256_ctx);
+    SHA256_Init(&sha256_ctx);
+    SHA256_Update(&sha256_ctx, derivation_data.get(), derivation_data_length);
+    SHA256_Final(hash_buf.get(), &sha256_ctx);
+
+    // Encrypt hash with master key to build derived key.
+    AES_KEY aes_key;
+    Eraser aes_key_eraser(AES_KEY);
+    if (0 !=
+        AES_set_encrypt_key(master_key.key_material, master_key.key_material_size * 8, &aes_key))
+        return TranslateLastOpenSslError();
+
+    AES_encrypt(hash_buf.get(), derived_key.get(), &aes_key);
+
+    // Set up AES OCB context using derived key.
+    if (ae_init(ctx->get(), derived_key.get(), AES_BLOCK_SIZE /* key length */, OCB_NONCE_LENGTH,
+                OCB_TAG_LENGTH) != AE_SUCCESS) {
+        memset_s(ctx->get(), 0, ae_ctx_sizeof());
+        return KM_ERROR_UNKNOWN_ERROR;
+    }
+
+    return KM_ERROR_OK;
+}
+
+keymaster_error_t OcbEncryptKey(const AuthorizationSet& hw_enforced,
+                                const AuthorizationSet& sw_enforced, const AuthorizationSet& hidden,
+                                const KeymasterKeyBlob& master_key,
+                                const KeymasterKeyBlob& plaintext, const Buffer& nonce,
+                                KeymasterKeyBlob* ciphertext, Buffer* tag) {
+    assert(ciphertext && tag);
+
+    if (nonce.available_read() != OCB_NONCE_LENGTH)
+        return KM_ERROR_INVALID_ARGUMENT;
+
+    AeCtx ctx;
+    keymaster_error_t error =
+        InitializeKeyWrappingContext(hw_enforced, sw_enforced, hidden, master_key, &ctx);
+    if (error != KM_ERROR_OK)
+        return error;
+
+    ciphertext->Reset(plaintext.key_material_size);
+    if (!ciphertext->key_material)
+        return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+
+    int ae_err = ae_encrypt(ctx.get(), nonce.peek_read(), plaintext.key_material,
+                            plaintext.key_material_size, NULL /* additional data */,
+                            0 /* additional data length */, ciphertext->writable_data(),
+                            tag->peek_write(), 1 /* final */);
+    if (ae_err < 0) {
+        LOG_E("Error %d while encrypting key", ae_err);
+        return KM_ERROR_UNKNOWN_ERROR;
+    }
+    tag->advance_write(OCB_TAG_LENGTH);
+    assert(ae_err == static_cast<int>(plaintext.key_material_size));
+    return KM_ERROR_OK;
+}
+
+keymaster_error_t OcbDecryptKey(const AuthorizationSet& hw_enforced,
+                                const AuthorizationSet& sw_enforced, const AuthorizationSet& hidden,
+                                const KeymasterKeyBlob& master_key,
+                                const KeymasterKeyBlob& ciphertext, const Buffer& nonce,
+                                const Buffer& tag, KeymasterKeyBlob* plaintext) {
+    assert(plaintext);
+
+    if (nonce.available_read() != OCB_NONCE_LENGTH || tag.available_read() != OCB_TAG_LENGTH)
+        return KM_ERROR_INVALID_ARGUMENT;
+
+    AeCtx ctx;
+    keymaster_error_t error =
+        InitializeKeyWrappingContext(hw_enforced, sw_enforced, hidden, master_key, &ctx);
+    if (error != KM_ERROR_OK)
+        return error;
+
+    plaintext->Reset(ciphertext.key_material_size);
+    if (!plaintext->key_material)
+        return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+
+    int ae_err = ae_decrypt(ctx.get(), nonce.peek_read(), ciphertext.key_material,
+                            ciphertext.key_material_size, NULL /* additional data */,
+                            0 /* additional data length */, plaintext->writable_data(),
+                            tag.peek_read(), 1 /* final */);
+    if (ae_err == AE_INVALID) {
+        // Authentication failed!  Decryption probably succeeded(ish), but we don't want to return
+        // any data when the authentication fails, so clear it.
+        plaintext->Clear();
+        LOG_E("Failed to validate authentication tag during key decryption", 0);
+        return KM_ERROR_INVALID_KEY_BLOB;
+    } else if (ae_err < 0) {
+        LOG_E("Failed to decrypt key, error: %d", ae_err);
+        return KM_ERROR_UNKNOWN_ERROR;
+    }
+    assert(ae_err == static_cast<int>(ciphertext.key_material_size));
+    return KM_ERROR_OK;
+}
+
+}  // namespace keymaster