Merge "Revert "keystore: Allow network_stack uid to use AID_WIFI""
diff --git a/keystore-engine/keystore_backend_binder.cpp b/keystore-engine/keystore_backend_binder.cpp
index 9a7c63e..8b5a584 100644
--- a/keystore-engine/keystore_backend_binder.cpp
+++ b/keystore-engine/keystore_backend_binder.cpp
@@ -211,9 +211,9 @@
     promise = new OperationResultPromise();
     future = promise->get_future();
 
-    binder_result = service->finish(promise, handle, KeymasterArguments(params),
-                                    std::vector<uint8_t>() /* signature */,
-                                    std::vector<uint8_t>() /* entropy */, &error_code);
+    binder_result = service->finish(
+        promise, handle, KeymasterArguments(params), std::vector<uint8_t>() /* input */,
+        std::vector<uint8_t>() /* signature */, std::vector<uint8_t>() /* entropy */, &error_code);
 
     if (!binder_result.isOk()) {
         LOG(ERROR) << AT << "communication error while calling keystore";
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 93c537e..f3a7531 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -55,7 +55,6 @@
         "android.hardware.confirmationui@1.0",
         "android.hardware.keymaster@3.0",
         "android.hardware.keymaster@4.0",
-        "android.system.wifi.keystore@1.0",
         "libbase",
         "libbinder",
         "libcrypto",
@@ -74,7 +73,6 @@
         "libservices",
         "libsoftkeymasterdevice",
         "libutils",
-        "libwifikeystorehal",
     ],
     init_rc: ["keystore.rc"],
     aidl: {
diff --git a/keystore/binder/android/security/keystore/IKeystoreService.aidl b/keystore/binder/android/security/keystore/IKeystoreService.aidl
index 348964f..f230043 100644
--- a/keystore/binder/android/security/keystore/IKeystoreService.aidl
+++ b/keystore/binder/android/security/keystore/IKeystoreService.aidl
@@ -29,21 +29,29 @@
  * @hide
  */
 interface IKeystoreService {
+    @UnsupportedAppUsage
     int getState(int userId);
+    @UnsupportedAppUsage
     byte[] get(String name, int uid);
+    @UnsupportedAppUsage
     int insert(String name, in byte[] item, int uid, int flags);
+    @UnsupportedAppUsage
     int del(String name, int uid);
+    @UnsupportedAppUsage
     int exist(String name, int uid);
+    @UnsupportedAppUsage
     String[] list(String namePrefix, int uid);
-    int reset();
     int onUserPasswordChanged(int userId, String newPassword);
     int lock(int userId);
     int unlock(int userId, String userPassword);
     int isEmpty(int userId);
     String grant(String name, int granteeUid);
+    @UnsupportedAppUsage
     int ungrant(String name, int granteeUid);
     long getmtime(String name, int uid);
+    @UnsupportedAppUsage
     int is_hardware_backed(String string);
+    @UnsupportedAppUsage
     int clear_uid(long uid);
 
     int addRngEntropy(IKeystoreResponseCallback cb, in byte[] data, int flags);
@@ -58,7 +66,7 @@
     int begin(in IKeystoreOperationResultCallback cb, IBinder appToken, String alias, int purpose, boolean pruneable,
         in KeymasterArguments params, in byte[] entropy, int uid);
     int update(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] input);
-    int finish(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] signature,
+    int finish(in IKeystoreOperationResultCallback cb, IBinder token, in KeymasterArguments params, in byte[] input, in byte[] signature,
         in byte[] entropy);
     int abort(in IKeystoreResponseCallback cb, IBinder token);
     int addAuthToken(in byte[] authToken);
diff --git a/keystore/include/keystore/keystore_client.h b/keystore/include/keystore/keystore_client.h
index d8e63c4..cb27268 100644
--- a/keystore/include/keystore/keystore_client.h
+++ b/keystore/include/keystore/keystore_client.h
@@ -160,7 +160,7 @@
     // keymaster_error_t on failure.
     virtual KeyStoreNativeReturnCode
     finishOperation(uint64_t handle, const keystore::AuthorizationSet& input_parameters,
-                    const std::string& signature_to_verify,
+                    const std::string& input_data, const std::string& signature_to_verify,
                     keystore::AuthorizationSet* output_parameters, std::string* output_data) = 0;
 
     // Aborts the operation associated with |handle|. Returns KM_ERROR_OK on
diff --git a/keystore/include/keystore/keystore_client_impl.h b/keystore/include/keystore/keystore_client_impl.h
index 6726fe5..ed8ac44 100644
--- a/keystore/include/keystore/keystore_client_impl.h
+++ b/keystore/include/keystore/keystore_client_impl.h
@@ -76,6 +76,7 @@
                                              std::string* output_data) override;
     KeyStoreNativeReturnCode finishOperation(uint64_t handle,
                                              const keystore::AuthorizationSet& input_parameters,
+                                             const std::string& input_data,
                                              const std::string& signature_to_verify,
                                              keystore::AuthorizationSet* output_parameters,
                                              std::string* output_data) override;
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index a28fd5f..5adc199 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -77,7 +77,6 @@
 }
 
 #define AIDL_RETURN(rc) (*_aidl_return = KeyStoreServiceReturnCode(rc).getErrorCode(), Status::ok())
-#define KEYSTORE_SERVICE_LOCK std::lock_guard<std::mutex> keystore_lock(keystoreServiceMutex_)
 
 std::pair<KeyStoreServiceReturnCode, bool> hadFactoryResetSinceIdRotation() {
     struct stat sbuf;
@@ -142,7 +141,6 @@
 }  // anonymous namespace
 
 Status KeyStoreService::getState(int32_t userId, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     if (!checkBinderPermission(P_GET_STATE)) {
         *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
         return Status::ok();
@@ -152,7 +150,6 @@
 }
 
 Status KeyStoreService::get(const String16& name, int32_t uid, ::std::vector<uint8_t>* item) {
-    KEYSTORE_SERVICE_LOCK;
     uid_t targetUid = getEffectiveUid(uid);
     if (!checkBinderPermission(P_GET, targetUid)) {
         // see keystore/keystore.h
@@ -182,7 +179,6 @@
 
 Status KeyStoreService::insert(const String16& name, const ::std::vector<uint8_t>& item,
                                int targetUid, int32_t flags, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     targetUid = getEffectiveUid(targetUid);
     KeyStoreServiceReturnCode result =
         checkBinderPermissionAndKeystoreState(P_INSERT, targetUid, flags & KEYSTORE_FLAG_ENCRYPTED);
@@ -208,7 +204,6 @@
 }
 
 Status KeyStoreService::del(const String16& name, int targetUid, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     targetUid = getEffectiveUid(targetUid);
     if (!checkBinderPermission(P_DELETE, targetUid)) {
         *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
@@ -229,7 +224,6 @@
 }
 
 Status KeyStoreService::exist(const String16& name, int targetUid, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     targetUid = getEffectiveUid(targetUid);
     if (!checkBinderPermission(P_EXIST, targetUid)) {
         *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
@@ -245,7 +239,6 @@
 
 Status KeyStoreService::list(const String16& prefix, int32_t targetUid,
                              ::std::vector<::android::String16>* matches) {
-    KEYSTORE_SERVICE_LOCK;
     targetUid = getEffectiveUid(targetUid);
     if (!checkBinderPermission(P_LIST, targetUid)) {
         return Status::fromServiceSpecificError(
@@ -284,7 +277,6 @@
  */
 Status KeyStoreService::listUidsOfAuthBoundKeys(std::vector<std::string>* uidsOut,
                                                 int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     const int32_t callingUid = IPCThreadState::self()->getCallingUid();
     const int32_t userId = get_user_id(callingUid);
     const int32_t appId = get_app_id(callingUid);
@@ -347,22 +339,8 @@
     return Status::ok();
 }
 
-Status KeyStoreService::reset(int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
-    if (!checkBinderPermission(P_RESET)) {
-        *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
-        return Status::ok();
-    }
-
-    uid_t callingUid = IPCThreadState::self()->getCallingUid();
-    mKeyStore->resetUser(get_user_id(callingUid), false);
-    *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
-    return Status::ok();
-}
-
 Status KeyStoreService::onUserPasswordChanged(int32_t userId, const String16& password,
                                               int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     if (!checkBinderPermission(P_PASSWORD)) {
         *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
         return Status::ok();
@@ -400,7 +378,6 @@
 }
 
 Status KeyStoreService::onUserAdded(int32_t userId, int32_t parentId, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     if (!checkBinderPermission(P_USER_CHANGED)) {
         *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
         return Status::ok();
@@ -426,7 +403,6 @@
 }
 
 Status KeyStoreService::onUserRemoved(int32_t userId, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     if (!checkBinderPermission(P_USER_CHANGED)) {
         *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
         return Status::ok();
@@ -438,7 +414,6 @@
 }
 
 Status KeyStoreService::lock(int32_t userId, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     if (!checkBinderPermission(P_LOCK)) {
         *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
         return Status::ok();
@@ -458,7 +433,6 @@
 }
 
 Status KeyStoreService::unlock(int32_t userId, const String16& pw, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     if (!checkBinderPermission(P_UNLOCK)) {
         *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED);
         return Status::ok();
@@ -489,7 +463,6 @@
 }
 
 Status KeyStoreService::isEmpty(int32_t userId, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     if (!checkBinderPermission(P_IS_EMPTY)) {
         *aidl_return = static_cast<int32_t>(false);
         return Status::ok();
@@ -501,7 +474,6 @@
 
 Status KeyStoreService::grant(const String16& name, int32_t granteeUid,
                               ::android::String16* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
     auto result =
         checkBinderPermissionAndKeystoreState(P_GRANT, /*targetUid=*/-1, /*checkUnlocked=*/false);
@@ -522,7 +494,6 @@
 }
 
 Status KeyStoreService::ungrant(const String16& name, int32_t granteeUid, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
     KeyStoreServiceReturnCode result =
         checkBinderPermissionAndKeystoreState(P_GRANT, /*targetUid=*/-1, /*checkUnlocked=*/false);
@@ -543,7 +514,6 @@
 }
 
 Status KeyStoreService::getmtime(const String16& name, int32_t uid, int64_t* time) {
-    KEYSTORE_SERVICE_LOCK;
     uid_t targetUid = getEffectiveUid(uid);
     if (!checkBinderPermission(P_GET, targetUid)) {
         ALOGW("permission denied for %d: getmtime", targetUid);
@@ -582,13 +552,11 @@
 }
 
 Status KeyStoreService::is_hardware_backed(const String16& keyType, int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     *aidl_return = static_cast<int32_t>(mKeyStore->isHardwareBacked(keyType) ? 1 : 0);
     return Status::ok();
 }
 
 Status KeyStoreService::clear_uid(int64_t targetUid64, int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     uid_t targetUid = getEffectiveUid(targetUid64);
     if (!checkBinderPermissionSelfOrSystem(P_CLEAR_UID, targetUid)) {
         return AIDL_RETURN(ResponseCode::PERMISSION_DENIED);
@@ -628,7 +596,6 @@
 Status KeyStoreService::addRngEntropy(
     const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb,
     const ::std::vector<uint8_t>& entropy, int32_t flags, int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     auto device = mKeyStore->getDevice(flagsToSecurityLevel(flags));
     if (!device) {
         return AIDL_RETURN(ErrorCode::HARDWARE_TYPE_UNAVAILABLE);
@@ -645,7 +612,6 @@
     const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb,
     const String16& name, const KeymasterArguments& params, const ::std::vector<uint8_t>& entropy,
     int uid, int flags, int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     // TODO(jbires): remove this getCallingUid call upon implementation of b/25646100
     uid_t originalUid = IPCThreadState::self()->getCallingUid();
     uid = getEffectiveUid(uid);
@@ -707,7 +673,6 @@
     const String16& name, const ::android::security::keymaster::KeymasterBlob& clientId,
     const ::android::security::keymaster::KeymasterBlob& appData, int32_t uid,
     int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
 
     uid_t targetUid = getEffectiveUid(uid);
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
@@ -754,7 +719,6 @@
     const ::android::sp<::android::security::keystore::IKeystoreKeyCharacteristicsCallback>& cb,
     const String16& name, const KeymasterArguments& params, int32_t format,
     const ::std::vector<uint8_t>& keyData, int uid, int flags, int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     uid = getEffectiveUid(uid);
     auto logOnScopeExit = android::base::make_scope_guard([&] {
         if (__android_log_security()) {
@@ -811,7 +775,6 @@
     const ::android::security::keymaster::KeymasterBlob& clientId,
     const ::android::security::keymaster::KeymasterBlob& appData, int32_t uid,
     int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
 
     uid_t targetUid = getEffectiveUid(uid);
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
@@ -847,7 +810,6 @@
                               bool pruneable, const KeymasterArguments& params,
                               const ::std::vector<uint8_t>& entropy, int32_t uid,
                               int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
     uid_t targetUid = getEffectiveUid(uid);
     if (!is_granted_to(callingUid, targetUid)) {
@@ -896,7 +858,6 @@
                                const ::android::sp<::android::IBinder>& token,
                                const ::android::security::keymaster::KeymasterArguments& params,
                                const ::std::vector<uint8_t>& input, int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     if (!checkAllowedOperationParams(params.getParameters())) {
         return AIDL_RETURN(ErrorCode::INVALID_ARGUMENT);
     }
@@ -919,9 +880,9 @@
 Status KeyStoreService::finish(const ::android::sp<IKeystoreOperationResultCallback>& cb,
                                const ::android::sp<::android::IBinder>& token,
                                const ::android::security::keymaster::KeymasterArguments& params,
+                               const ::std::vector<uint8_t>& input,
                                const ::std::vector<uint8_t>& signature,
                                const ::std::vector<uint8_t>& entropy, int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     if (!checkAllowedOperationParams(params.getParameters())) {
         return AIDL_RETURN(ErrorCode::INVALID_ARGUMENT);
     }
@@ -931,7 +892,7 @@
         return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE);
     }
 
-    dev->finish(token, params.getParameters(), {}, signature, entropy,
+    dev->finish(token, params.getParameters(), input, signature, entropy,
                 [this, cb, token](OperationResult result_) {
                     mKeyStore->removeOperationDevice(token);
                     cb->onFinished(result_);
@@ -943,7 +904,6 @@
 Status KeyStoreService::abort(const ::android::sp<IKeystoreResponseCallback>& cb,
                               const ::android::sp<::android::IBinder>& token,
                               int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     auto dev = mKeyStore->getOperationDevice(token);
     if (!dev) {
         return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE);
@@ -959,7 +919,6 @@
 
 Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector,
                                      int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
 
     // TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to
     // receive a HardwareAuthToken, rather than an opaque byte array.
@@ -1010,7 +969,6 @@
 Status KeyStoreService::attestKey(
     const ::android::sp<::android::security::keystore::IKeystoreCertificateChainCallback>& cb,
     const String16& name, const KeymasterArguments& params, int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     // check null output if method signature is updated and return ErrorCode::OUTPUT_PARAMETER_NULL
     if (!checkAllowedOperationParams(params.getParameters())) {
         return AIDL_RETURN(ErrorCode::INVALID_ARGUMENT);
@@ -1070,7 +1028,6 @@
 Status KeyStoreService::attestDeviceIds(
     const ::android::sp<::android::security::keystore::IKeystoreCertificateChainCallback>& cb,
     const KeymasterArguments& params, int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     // check null output if method signature is updated and return ErrorCode::OUTPUT_PARAMETER_NULL
 
     if (!checkAllowedOperationParams(params.getParameters())) {
@@ -1163,7 +1120,6 @@
 }
 
 Status KeyStoreService::onDeviceOffBody(int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     // TODO(tuckeris): add permission check.  This should be callable from ClockworkHome only.
     mKeyStore->getAuthTokenTable().onDeviceOffBody();
     *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
@@ -1176,7 +1132,6 @@
     const ::android::String16& wrappingKeyAlias, const ::std::vector<uint8_t>& maskingKey,
     const KeymasterArguments& params, int64_t rootSid, int64_t fingerprintSid,
     int32_t* _aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
 
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
 
@@ -1226,19 +1181,16 @@
                                                   const ::std::vector<uint8_t>& extraData,
                                                   const String16& locale, int32_t uiOptionsAsFlags,
                                                   int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     return mKeyStore->getConfirmationManager().presentConfirmationPrompt(
         listener, promptText, extraData, locale, uiOptionsAsFlags, aidl_return);
 }
 
 Status KeyStoreService::cancelConfirmationPrompt(const sp<IBinder>& listener,
                                                  int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     return mKeyStore->getConfirmationManager().cancelConfirmationPrompt(listener, aidl_return);
 }
 
 Status KeyStoreService::isConfirmationPromptSupported(bool* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     return mKeyStore->getConfirmationManager().isConfirmationPromptSupported(aidl_return);
 }
 
@@ -1356,7 +1308,6 @@
 
 Status KeyStoreService::onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
                                                     int32_t* aidl_return) {
-    KEYSTORE_SERVICE_LOCK;
     mKeyStore->getEnforcementPolicy().set_device_locked(isShowing, userId);
     *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
 
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 96d0c07..a395e6c 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -66,7 +66,6 @@
     ::android::binder::Status listUidsOfAuthBoundKeys(std::vector<::std::string>* uids,
                                                       int32_t* _aidl_return) override;
 
-    ::android::binder::Status reset(int32_t* _aidl_return) override;
     ::android::binder::Status onUserPasswordChanged(int32_t userId,
                                                     const ::android::String16& newPassword,
                                                     int32_t* _aidl_return) override;
@@ -126,8 +125,8 @@
     finish(const ::android::sp<::android::security::keystore::IKeystoreOperationResultCallback>& cb,
            const ::android::sp<::android::IBinder>& token,
            const ::android::security::keymaster::KeymasterArguments& params,
-           const ::std::vector<uint8_t>& signature, const ::std::vector<uint8_t>& entropy,
-           int32_t* _aidl_return) override;
+           const ::std::vector<uint8_t>& input, const ::std::vector<uint8_t>& signature,
+           const ::std::vector<uint8_t>& entropy, int32_t* _aidl_return) override;
     ::android::binder::Status
     abort(const ::android::sp<::android::security::keystore::IKeystoreResponseCallback>& cb,
           const ::android::sp<::android::IBinder>& token, int32_t* _aidl_return) override;
@@ -231,18 +230,6 @@
                                          std::vector<KeyParameter>* params);
 
     sp<KeyStore> mKeyStore;
-
-    /**
-     * This mutex locks keystore operations from concurrent execution.
-     * The keystore service has always been conceptually single threaded. Even with the introduction
-     * of keymaster workers, it was assumed that the dispatcher thread executes exclusively on
-     * certain code paths. With the introduction of wifi Keystore service in the keystore process
-     * this assumption no longer holds as the hwbinder thread servicing this interface makes
-     * functions (rather than IPC) calls into keystore. This mutex protects the keystore logic
-     * from concurrent execution.
-     */
-    std::mutex keystoreServiceMutex_;
-
 };
 
 };  // namespace keystore
diff --git a/keystore/keystore_cli.cpp b/keystore/keystore_cli.cpp
index 2705a19..428a9bc 100644
--- a/keystore/keystore_cli.cpp
+++ b/keystore/keystore_cli.cpp
@@ -47,21 +47,6 @@
     /* [WRONG_PASSWORD + 3] = */ "Wrong password (4 tries left)",
 };
 
-#define NO_ARG_INT_RETURN(cmd) \
-    do { \
-        if (strcmp(argv[1], #cmd) == 0) { \
-            int32_t ret = -1; \
-            service->cmd(&ret); \
-            if (ret < 0) { \
-                fprintf(stderr, "%s: could not connect: %d\n", argv[0], ret); \
-                return 1; \
-            } else { \
-                printf(#cmd ": %s (%d)\n", responses[ret], ret); \
-                return 0; \
-            } \
-        } \
-    } while (0)
-
 #define SINGLE_ARG_INT_RETURN(cmd) \
     do { \
         if (strcmp(argv[1], #cmd) == 0) { \
@@ -242,8 +227,6 @@
                 argc < 4 ? -1 : atoi(argv[3]));
     }
 
-    NO_ARG_INT_RETURN(reset);
-
     // TODO: notifyUserPasswordChanged
 
     SINGLE_INT_ARG_INT_RETURN(lock);
diff --git a/keystore/keystore_cli_v2.cpp b/keystore/keystore_cli_v2.cpp
index b46b221..4f69eb0 100644
--- a/keystore/keystore_cli_v2.cpp
+++ b/keystore/keystore_cli_v2.cpp
@@ -416,16 +416,10 @@
         return result.getErrorCode();
     }
     AuthorizationSet empty_params;
-    size_t num_input_bytes_consumed;
     std::string output_data;
-    result = keystore->updateOperation(handle, empty_params, "data_to_sign",
-                                       &num_input_bytes_consumed, &output_params, &output_data);
-    if (!result.isOk()) {
-        printf("Sign: UpdateOperation failed: %d\n", result.getErrorCode());
-        return result.getErrorCode();
-    }
-    result = keystore->finishOperation(handle, empty_params, std::string() /*signature_to_verify*/,
-                                       &output_params, &output_data);
+    result = keystore->finishOperation(handle, empty_params, "data_to_sign",
+                                       std::string() /*signature_to_verify*/, &output_params,
+                                       &output_data);
     if (!result.isOk()) {
         printf("Sign: FinishOperation failed: %d\n", result.getErrorCode());
         return result.getErrorCode();
@@ -436,18 +430,8 @@
     output_data.clear();
     result =
         keystore->beginOperation(KeyPurpose::VERIFY, name, sign_params, &output_params, &handle);
-    if (!result.isOk()) {
-        printf("Verify: BeginOperation failed: %d\n", result.getErrorCode());
-        return result.getErrorCode();
-    }
-    result = keystore->updateOperation(handle, empty_params, "data_to_sign",
-                                       &num_input_bytes_consumed, &output_params, &output_data);
-    if (!result.isOk()) {
-        printf("Verify: UpdateOperation failed: %d\n", result.getErrorCode());
-        return result.getErrorCode();
-    }
-    result = keystore->finishOperation(handle, empty_params, signature_to_verify, &output_params,
-                                       &output_data);
+    result = keystore->finishOperation(handle, empty_params, "data_to_sign", signature_to_verify,
+                                       &output_params, &output_data);
     if (result == ErrorCode::VERIFICATION_FAILED) {
         printf("Verify: Failed to verify signature.\n");
         return result.getErrorCode();
diff --git a/keystore/keystore_client_impl.cpp b/keystore/keystore_client_impl.cpp
index 3fca4c9..f888683 100644
--- a/keystore/keystore_client_impl.cpp
+++ b/keystore/keystore_client_impl.cpp
@@ -166,16 +166,9 @@
         return false;
     }
     AuthorizationSet empty_params;
-    size_t num_input_bytes_consumed;
     AuthorizationSet ignored_params;
-    result = updateOperation(handle, empty_params, input_data, &num_input_bytes_consumed,
-                             &ignored_params, output_data);
-    if (!result.isOk()) {
-        ALOGE("UpdateOperation failed: %d", result.getErrorCode());
-        return false;
-    }
-    result =
-        finishOperation(handle, empty_params, signature_to_verify, &ignored_params, output_data);
+    result = finishOperation(handle, empty_params, input_data, signature_to_verify, &ignored_params,
+                             output_data);
     if (!result.isOk()) {
         ALOGE("FinishOperation failed: %d", result.getErrorCode());
         return false;
@@ -384,6 +377,7 @@
 
 KeyStoreNativeReturnCode
 KeystoreClientImpl::finishOperation(uint64_t handle, const AuthorizationSet& input_parameters,
+                                    const std::string& input_data,
                                     const std::string& signature_to_verify,
                                     AuthorizationSet* output_parameters, std::string* output_data) {
     if (active_operations_.count(handle) == 0) {
@@ -391,12 +385,14 @@
     }
     int32_t error_code;
     auto hidlSignature = blob2hidlVec(signature_to_verify);
+    auto hidlInput = blob2hidlVec(input_data);
     android::sp<OperationResultPromise> promise(new OperationResultPromise{});
     auto future = promise->get_future();
     auto binder_result = keystore_->finish(
         promise, active_operations_[handle],
         android::security::keymaster::KeymasterArguments(input_parameters.hidl_data()),
-        (std::vector<uint8_t>)hidlSignature, hidl_vec<uint8_t>(), &error_code);
+        (std::vector<uint8_t>)hidlInput, (std::vector<uint8_t>)hidlSignature, hidl_vec<uint8_t>(),
+        &error_code);
     if (!binder_result.isOk()) return ResponseCode::SYSTEM_ERROR;
     KeyStoreNativeReturnCode rc(error_code);
     if (!rc.isOk()) return rc;
diff --git a/keystore/keystore_main.cpp b/keystore/keystore_main.cpp
index ef68d92..91ebd12 100644
--- a/keystore/keystore_main.cpp
+++ b/keystore/keystore_main.cpp
@@ -19,14 +19,11 @@
 #include <android-base/logging.h>
 #include <android/hidl/manager/1.2/IServiceManager.h>
 #include <android/security/keystore/IKeystoreService.h>
-#include <android/system/wifi/keystore/1.0/IKeystore.h>
 #include <binder/IPCThreadState.h>
 #include <binder/IServiceManager.h>
-#include <hidl/HidlTransportSupport.h>
 #include <keymasterV4_0/Keymaster3.h>
 #include <keymasterV4_0/Keymaster4.h>
 #include <utils/StrongPointer.h>
-#include <wifikeystorehal/keystore.h>
 
 #include <keystore/keystore_hidl_support.h>
 #include <keystore/keystore_return_types.h>
@@ -43,15 +40,12 @@
  * the maximum space we needed, so boundary checks on buffers are omitted. */
 
 using ::android::sp;
-using ::android::hardware::configureRpcThreadpool;
 using ::android::hardware::hidl_string;
 using ::android::hardware::hidl_vec;
 using ::android::hardware::keymaster::V4_0::ErrorCode;
 using ::android::hardware::keymaster::V4_0::HmacSharingParameters;
 using ::android::hardware::keymaster::V4_0::SecurityLevel;
 using ::android::hidl::manager::V1_2::IServiceManager;
-using ::android::system::wifi::keystore::V1_0::IKeystore;
-using ::android::system::wifi::keystore::V1_0::implementation::Keystore;
 
 using ::keystore::keymaster::support::Keymaster;
 using ::keystore::keymaster::support::Keymaster3;
@@ -160,16 +154,6 @@
     android::status_t ret = sm->addService(android::String16("android.security.keystore"), service);
     CHECK(ret == android::OK) << "Couldn't register binder service!";
 
-    /**
-     * Register the wifi keystore HAL service to run in passthrough mode.
-     * This will spawn off a new thread which will service the HIDL
-     * transactions.
-     */
-    configureRpcThreadpool(1, false /* callerWillJoin */);
-    android::sp<IKeystore> wifiKeystoreHalService = new Keystore();
-    android::status_t err = wifiKeystoreHalService->registerAsService();
-    CHECK(err == android::OK) << "Cannot register wifi keystore HAL service: " << err;
-
     /*
      * This thread is just going to process Binder transactions.
      */
diff --git a/keystore/permissions.cpp b/keystore/permissions.cpp
index d17fcdd..8b9e28d 100644
--- a/keystore/permissions.cpp
+++ b/keystore/permissions.cpp
@@ -57,8 +57,6 @@
 user_euid user_euids[] = {{AID_VPN, AID_SYSTEM},
                           {AID_WIFI, AID_SYSTEM},
                           {AID_ROOT, AID_SYSTEM},
-                          {AID_WIFI, AID_KEYSTORE},
-                          {AID_KEYSTORE, AID_WIFI},
                           {AID_FSVERITY_CERT, AID_ROOT},
                           {AID_FSVERITY_CERT, AID_SYSTEM},
 
diff --git a/keystore/user_state.cpp b/keystore/user_state.cpp
index 8d993e2..30dfe3c 100644
--- a/keystore/user_state.cpp
+++ b/keystore/user_state.cpp
@@ -37,7 +37,7 @@
 
 UserState::UserState(uid_t userId)
     : mMasterKeyEntry(".masterkey", "user_" + std::to_string(userId), userId, /* masterkey */ true),
-      mUserId(userId), mState(STATE_UNINITIALIZED), mRetry(MAX_RETRY) {}
+      mUserId(userId), mState(STATE_UNINITIALIZED) {}
 
 bool UserState::operator<(const UserState& rhs) const {
     return getUserId() < rhs.getUserId();
@@ -69,9 +69,6 @@
 
 void UserState::setState(State state) {
     mState = state;
-    if (mState == STATE_NO_ERROR || mState == STATE_UNINITIALIZED) {
-        mRetry = MAX_RETRY;
-    }
 }
 
 void UserState::zeroizeMasterKeysInMemory() {
@@ -208,23 +205,9 @@
         }
         return response;
     }
-    if (mRetry <= 0) {
-        reset();
-        return ResponseCode::UNINITIALIZED;
-    }
-    --mRetry;
-    switch (mRetry) {
-    case 0:
-        return ResponseCode::WRONG_PASSWORD_0;
-    case 1:
-        return ResponseCode::WRONG_PASSWORD_1;
-    case 2:
-        return ResponseCode::WRONG_PASSWORD_2;
-    case 3:
-        return ResponseCode::WRONG_PASSWORD_3;
-    default:
-        return ResponseCode::WRONG_PASSWORD_3;
-    }
+
+    LOG(ERROR) << "Invalid password presented";
+    return ResponseCode::WRONG_PASSWORD_0;
 }
 
 bool UserState::reset() {
diff --git a/keystore/user_state.h b/keystore/user_state.h
index 620aaa5..75d99d9 100644
--- a/keystore/user_state.h
+++ b/keystore/user_state.h
@@ -55,8 +55,6 @@
     void setState(State state);
     State getState() const { return mState; }
 
-    int8_t getRetry() const { return mRetry; }
-
     void zeroizeMasterKeysInMemory();
     bool deleteMasterKey();
 
@@ -81,7 +79,6 @@
     static constexpr int MASTER_KEY_SIZE_BYTES = kAes256KeySizeBytes;
     static constexpr int MASTER_KEY_SIZE_BITS = MASTER_KEY_SIZE_BYTES * 8;
 
-    static constexpr int MAX_RETRY = 4;
     static constexpr size_t SALT_SIZE = 16;
 
     void generateKeyFromPassword(std::vector<uint8_t>& key, const android::String8& pw,
@@ -94,7 +91,6 @@
 
     uid_t mUserId;
     State mState;
-    int8_t mRetry;
 
     std::vector<uint8_t> mMasterKey;
     uint8_t mSalt[SALT_SIZE];