Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / c5e8f36d92b74db04106eb368dd113493f739149^! / . / keystore / key_store_service.cpp
commitc5e8f36d92b74db04106eb368dd113493f739149[log] [tgz]
authorShawn Willden <swillden@google.com>Thu Aug 31 09:23:06 2017 -0600
committerShawn Willden <swillden@google.com>Fri Sep 01 14:20:40 2017 +0000
tree6e2da381a9e6f1250ca7f335719db634e94ff5fc
parent30ab32703c5dfec13dc65fa47218c1252fd488c4 [diff] [blame]
Return OP_AUTH_NEEDED when necessary.

During the keystore refactor that was part of the Treble work, this
return code was lost.  As a result, some usage flows of
fingerprint-bound keys are broken in O.  This CL fixes them.

Bug: 63085740
Test: Manually verified with https://github.com/googlesamples/android-FingerprintDialog
Change-Id: I3d3a3122474d2c4084cd7d0257a1df00b0316159
(cherry picked from commit ad8c55f3591c835ff20b954f47ebcfeccde8cb83)

diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 24a096c..8a95257 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp

@@ -1073,12 +1073,12 @@
     persistedCharacteristics.Subtract(teeEnforced);
     characteristics.softwareEnforced = persistedCharacteristics.hidl_data();
 
-    result->resultCode = getAuthToken(characteristics, 0, purpose, &authToken,
-                                      /*failOnTokenMissing*/ false);
+    auto authResult = getAuthToken(characteristics, 0, purpose, &authToken,
+                                   /*failOnTokenMissing*/ false);
     // If per-operation auth is needed we need to begin the operation and
     // the client will need to authorize that operation before calling
     // update. Any other auth issues stop here.
-    if (!result->resultCode.isOk() && result->resultCode != ResponseCode::OP_AUTH_NEEDED) return;
+    if (!authResult.isOk() && authResult != ResponseCode::OP_AUTH_NEEDED) return;
 
     addAuthTokenToParams(&opParams, authToken);
 
@@ -1153,6 +1153,7 @@
         result->handle, keyid, purpose, dev, appToken, std::move(characteristics), pruneable);
     assert(characteristics.teeEnforced.size() == 0);
     assert(characteristics.softwareEnforced.size() == 0);
+    result->token = operationToken;
 
     if (authToken) {
         mOperationMap.setOperationAuthToken(operationToken, authToken);
@@ -1162,8 +1163,9 @@
     // application should get an auth token using the handle before the
     // first call to update, which will fail if keystore hasn't received the
     // auth token.
-    // All fields but "token" were set in the begin operation's callback.
-    result->token = operationToken;
+    result->resultCode = authResult;
+
+    // Other result fields were set in the begin operation's callback.
 }
 
 void KeyStoreService::update(const sp<IBinder>& token, const hidl_vec<KeyParameter>& params,