Deactivate fall back device for 3DES
Keystore has a software keymaster device for legacy support. It kicks in
when keymaster implementations < 3.0 fail to import or generate a key.
This provided support for symmetric key operation with KM0 which did not
support them but it also masked faulty keymaster implementations. Since
KM 3.0 we don't support fall back any more. With KM 4.0 3DES was
introduced and we decided not to support 3DES on older devices so as not to
reinstate the fall back device problem. On older devices, however, that
still have KM0, 1, or 2 the fallback device would still kick in even for
3DES keys.
This patch prevents this.
Test: Manual
Bug: 72654284
Change-Id: I26e4d15daa7cd8cc3c52765fb567fad241b83981
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 1b927b8..3e8783b 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -818,6 +818,16 @@
if (!error.isOk()) {
ALOGE("Failed to generate key -> falling back to software keymaster");
securityLevel = SecurityLevel::SOFTWARE;
+
+ // No fall back for 3DES
+ for (auto& param : params.getParameters()) {
+ auto algorithm = authorizationValue(TAG_ALGORITHM, param);
+ if (algorithm.isOk() && algorithm.value() == Algorithm::TRIPLE_DES) {
+ *aidl_return = static_cast<int32_t>(ErrorCode::UNSUPPORTED_ALGORITHM);
+ return Status::ok();
+ }
+ }
+
auto fallback = mKeyStore->getFallbackDevice();
if (!fallback) {
*aidl_return = static_cast<int32_t>(error);
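Review bot: The 3DES check runs after `ALOGE("Failed to generate key -> falling back to software keymaster")` and `securityLevel = SecurityLevel::SOFTWARE;`, so a rejected 3DES request still logs that a fall back is happening, which misleads anyone triaging key-generation failures from the log. Moving the loop above the ALOGE line, or logging a distinct message inside the branch such as `ALOGE("3DES key generation failed, software fall back not permitted (error %d)", static_cast<int32_t>(error));`, would keep the log accurate. That message also preserves the original `error`, which the branch otherwise drops when it returns `UNSUPPORTED_ALGORITHM`. The same applies to the import hunk at -1031. The enclosing function starts and ends outside the hunk.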
@@ -1031,6 +1041,16 @@
if (!error.isOk()) {
ALOGE("Failed to import key -> falling back to software keymaster");
securityLevel = SecurityLevel::SOFTWARE;
+
+ // No fall back for 3DES
+ for (auto& param : params.getParameters()) {
+ auto algorithm = authorizationValue(TAG_ALGORITHM, param);
+ if (algorithm.isOk() && algorithm.value() == Algorithm::TRIPLE_DES) {
+ *aidl_return = static_cast<int32_t>(ErrorCode::UNSUPPORTED_ALGORITHM);
+ return Status::ok();
+ }
+ }
+
auto fallback = mKeyStore->getFallbackDevice();
if (!fallback) {
*aidl_return = static_cast<int32_t>(error);
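Review bot: This loop is a verbatim copy of the one added to the generate path at -818, so the no-fall-back policy now lives in two places that can drift apart if another algorithm is excluded later. A single file-local helper that takes `params` and reports whether `TAG_ALGORITHM` is `Algorithm::TRIPLE_DES` would let both call sites read `if (isTripleDes(params)) {`, followed by the existing two lines. `param` is only read in the loop, so `for (const auto& param : params.getParameters())` would state that. The enclosing function continues outside the hunk.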