author | Shawn Willden <swillden@google.com> | 2017-08-31 09:23:06 -0600 |
---|---|---|
committer | Shawn Willden <swillden@google.com> | 2017-09-01 14:20:40 +0000 |
commit | c5e8f36d92b74db04106eb368dd113493f739149 (patch) | |
tree | 6e2da381a9e6f1250ca7f335719db634e94ff5fc | |
parent | 30ab32703c5dfec13dc65fa47218c1252fd488c4 (diff) | |
Return OP_AUTH_NEEDED when necessary.
During the keystore refactor that was part of the Treble work, this
return code was lost. As a result, some usage flows of
fingerprint-bound keys are broken in O. This CL fixes them.
Bug: 63085740
Test: Manually verified with https://github.com/googlesamples/android-FingerprintDialog
Change-Id: I3d3a3122474d2c4084cd7d0257a1df00b0316159
(cherry picked from commit ad8c55f3591c835ff20b954f47ebcfeccde8cb83)
-rw-r--r-- | keystore/key_store_service.cpp | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 24a096c0..8a952572 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -1073,12 +1073,12 @@ void KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name, K
 persistedCharacteristics.Subtract(teeEnforced);
 characteristics.softwareEnforced = persistedCharacteristics.hidl_data();
- result->resultCode = getAuthToken(characteristics, 0, purpose, &authToken,
- /*failOnTokenMissing*/ false);
+ auto authResult = getAuthToken(characteristics, 0, purpose, &authToken,
+ /*failOnTokenMissing*/ false);
 // If per-operation auth is needed we need to begin the operation and
 // the client will need to authorize that operation before calling
 // update. Any other auth issues stop here.
- if (!result->resultCode.isOk() && result->resultCode != ResponseCode::OP_AUTH_NEEDED) return;
+ if (!authResult.isOk() && authResult != ResponseCode::OP_AUTH_NEEDED) return;
 addAuthTokenToParams(&opParams, authToken);
@@ -1153,6 +1153,7 @@ void KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name, K
 result->handle, keyid, purpose, dev, appToken, std::move(characteristics), pruneable);
 assert(characteristics.teeEnforced.size() == 0);
 assert(characteristics.softwareEnforced.size() == 0);
+ result->token = operationToken;
 if (authToken) {
 mOperationMap.setOperationAuthToken(operationToken, authToken);
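Review bot: In the first hunk, the early return after `getAuthToken` no longer reports the failure, because the code now lives in the local `authResult` and `result->resultCode` is only assigned from it at the very end of `begin()`. On an auth failure other than OP_AUTH_NEEDED the caller therefore sees whatever `result->resultCode` held before this hunk; if an earlier step left it OK (not visible here), a rejected begin would be reported as a success with no operation token. Store the code before returning: `if (!authResult.isOk() && authResult != ResponseCode::OP_AUTH_NEEDED) { result->resultCode = authResult; return; }`. The body of `begin()` starts and ends outside this hunk, so the prior value of `result->resultCode` should be confirmed there.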
@@ -1162,8 +1163,9 @@ void KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name, K
 // application should get an auth token using the handle before the
 // first call to update, which will fail if keystore hasn't received the
 // auth token.
- // All fields but "token" were set in the begin operation's callback.
- result->token = operationToken;
+ result->resultCode = authResult;
+
+ // Other result fields were set in the begin operation's callback.
 }
 void KeyStoreService::update(const sp<IBinder>& token, const hidl_vec<KeyParameter>& params, |
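Review bot: The new trailing comment says the other result fields were set in the begin operation's callback, but `result->token` is now assigned directly in this function (second hunk), so the comment is inaccurate as written. The final `result->resultCode = authResult;` also overwrites whatever code the callback stored, which is only correct if every failing path between the two points has already returned; those paths are outside the hunk. I would state the invariant next to the assignment, e.g. `// authResult is OK or OP_AUTH_NEEDED here; token was set above, the remaining fields by the begin callback.`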