Move auth token checking to begin
Auth tokens will now be checked on begin and then used for all
subsequent calls for that operation, this means that things like
auth timeouts will only be checked on begin, and operation that starts
at timeout - .00001 will now be able to be used to completion.
One exception to this is keys that use per operation authorization.
Begin for these operations must succeed so that the application gets a
handle to authorize. For those keys if the application calls update
before authorizing the operation the call will fail. For these keys
begin will return OP_AUTH_NEEDED so let the caller know more work is
needed before using the operation.
(cherry picked from commit aebbfc2ba548064e4f537154bab6ec60dfe4115e)
Change-Id: I3da4f93a076c0ed2d8630ca8cd1608e9bad2c2ff
diff --git a/keystore/operation.h b/keystore/operation.h
index a312528..fb9583f 100644
--- a/keystore/operation.h
+++ b/keystore/operation.h
@@ -17,6 +17,7 @@
#ifndef KEYSTORE_OPERATION_H_
#define KEYSTORE_OPERATION_H_
+#include <hardware/hw_auth_token.h>
#include <hardware/keymaster1.h>
#include <binder/Binder.h>
#include <binder/IBinder.h>
@@ -54,6 +55,8 @@
const keymaster_key_characteristics_t** outCharacteristics);
bool removeOperation(sp<IBinder> token);
bool hasPruneableOperation();
+ bool getOperationAuthToken(sp<IBinder> token, const hw_auth_token_t** outToken);
+ bool setOperationAuthToken(sp<IBinder> token, const hw_auth_token_t* authToken);
sp<IBinder> getOldestPruneableOperation();
std::vector<sp<IBinder>> getOperationsForToken(sp<IBinder> appToken);
@@ -68,6 +71,7 @@
const keymaster1_device_t* device;
Unique_keymaster_key_characteristics characteristics;
sp<IBinder> appToken;
+ std::unique_ptr<const hw_auth_token_t*> authToken;
};
std::map<sp<IBinder>, struct Operation> mMap;
std::vector<sp<IBinder>> mLru;