Return OP_AUTH_NEEDED when necessary.

During the keystore refactor that was part of the Treble work, this return code was lost. As a result, some usage flows of fingerprint-bound keys are broken in O. This CL fixes them. Bug: 63085740 Test: Manually verified with https://github.com/googlesamples/android-FingerprintDialog Change-Id: I3d3a3122474d2c4084cd7d0257a1df00b0316159 (cherry picked from commit ad8c55f3591c835ff20b954f47ebcfeccde8cb83)
author: Shawn Willden <swillden@google.com> 2017-08-31 09:23:06 -0600
committer: Shawn Willden <swillden@google.com> 2017-09-01 14:20:40 +0000
commit: c5e8f36d92b74db04106eb368dd113493f739149 (patch)
tree: 6e2da381a9e6f1250ca7f335719db634e94ff5fc
parent: 30ab32703c5dfec13dc65fa47218c1252fd488c4 (diff)
download: security-c5e8f36d92b74db04106eb368dd113493f739149.tar.gz
1 files changed, 7 insertions, 5 deletions
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 24a096c0..8a952572 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -1073,12 +1073,12 @@ void KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name, K
     persistedCharacteristics.Subtract(teeEnforced);
     characteristics.softwareEnforced = persistedCharacteristics.hidl_data();
 
-    result->resultCode = getAuthToken(characteristics, 0, purpose, &authToken,
-                                      /*failOnTokenMissing*/ false);
+    auto authResult = getAuthToken(characteristics, 0, purpose, &authToken,
+                                   /*failOnTokenMissing*/ false);
     // If per-operation auth is needed we need to begin the operation and
     // the client will need to authorize that operation before calling
     // update. Any other auth issues stop here.
-    if (!result->resultCode.isOk() && result->resultCode != ResponseCode::OP_AUTH_NEEDED) return;
+    if (!authResult.isOk() && authResult != ResponseCode::OP_AUTH_NEEDED) return;
 
     addAuthTokenToParams(&opParams, authToken);
 
@@ -1153,6 +1153,7 @@ void KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name, K
         result->handle, keyid, purpose, dev, appToken, std::move(characteristics), pruneable);
     assert(characteristics.teeEnforced.size() == 0);
     assert(characteristics.softwareEnforced.size() == 0);
+    result->token = operationToken;
 
     if (authToken) {
         mOperationMap.setOperationAuthToken(operationToken, authToken);
@@ -1162,8 +1163,9 @@ void KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name, K
     // application should get an auth token using the handle before the
     // first call to update, which will fail if keystore hasn't received the
     // auth token.
-    // All fields but "token" were set in the begin operation's callback.
-    result->token = operationToken;
+    result->resultCode = authResult;
+
+    // Other result fields were set in the begin operation's callback.
 }
 
 void KeyStoreService::update(const sp<IBinder>& token, const hidl_vec<KeyParameter>& params,
author	Shawn Willden <swillden@google.com>	2017-08-31 09:23:06 -0600
committer	Shawn Willden <swillden@google.com>	2017-09-01 14:20:40 +0000
commit	c5e8f36d92b74db04106eb368dd113493f739149 (patch)
tree	6e2da381a9e6f1250ca7f335719db634e94ff5fc
parent	30ab32703c5dfec13dc65fa47218c1252fd488c4 (diff)
download	security-c5e8f36d92b74db04106eb368dd113493f739149.tar.gz