author | TreeHugger Robot <treehugger-gerrit@google.com> | 2017-09-12 20:13:45 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2017-09-12 20:13:45 +0000 |
commit | f08fb3449b68b31fa9b60a7c3c9018b318bf4e59 (patch) | |
tree | 23942d4d915bf9b4c76ba5a2b5685a8b44dd0e15 | |
parent | 827243a97217ed8c64542efd3a72e430e9b84b22 (diff) | |
parent | d714a676de8bf2bf87ea9b7efc04bc5a743eef45 (diff) | |
download | security-f08fb3449b68b31fa9b60a7c3c9018b318bf4e59.tar.gz |
Merge "Fix use of auth-bound keys after screen lock removal" into oc-mr1-dev
-rw-r--r-- | keystore/blob.cpp | 5 | ||||
-rw-r--r-- | keystore/key_store_service.cpp | 21 | ||||
-rw-r--r-- | keystore/keystore.cpp | 2 |
3 files changed, 24 insertions, 4 deletions
diff --git a/keystore/blob.cpp b/keystore/blob.cpp index a33334ee..625d0576 100644 --- a/keystore/blob.cpp +++ b/keystore/blob.cpp @@ -272,8 +272,9 @@ ResponseCode Blob::readBlob(const std::string& filename, const uint8_t* aes_key, return ResponseCode::VALUE_CORRUPTED; } - if ((isEncrypted() || isSuperEncrypted()) && (state != STATE_NO_ERROR)) { - return ResponseCode::LOCKED; + if ((isEncrypted() || isSuperEncrypted())) { + if (state == STATE_LOCKED) return ResponseCode::LOCKED; + if (state == STATE_UNINITIALIZED) return ResponseCode::UNINITIALIZED; } if (fileLength < offsetof(blobv3, value)) return ResponseCode::VALUE_CORRUPTED; diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp index 3a57e07e..621c5058 100644 --- a/keystore/key_store_service.cpp +++ b/keystore/key_store_service.cpp @@ -800,7 +800,26 @@ KeyStoreService::getKeyCharacteristics(const String16& name, const hidl_vec<uint KeyStoreServiceReturnCode rc = mKeyStore->getKeyForName(&keyBlob, name8, targetUid, TYPE_KEYMASTER_10); - if (!rc.isOk()) { + if (rc == ResponseCode::UNINITIALIZED) { + /* + * If we fail reading the blob because the master key is missing we try to retrieve the + * key characteristics from the characteristics file. This happens when auth-bound + * keys are used after a screen lock has been removed by the user. + */ + rc = mKeyStore->getKeyForName(&keyBlob, name8, targetUid, TYPE_KEY_CHARACTERISTICS); + if (!rc.isOk()) { + return rc; + } + AuthorizationSet keyCharacteristics; + // TODO write one shot stream buffer to avoid copying (twice here) + std::string charBuffer(reinterpret_cast<const char*>(keyBlob.getValue()), + keyBlob.getLength()); + std::stringstream charStream(charBuffer); + keyCharacteristics.Deserialize(&charStream); + + outCharacteristics->softwareEnforced = keyCharacteristics.hidl_data(); + return rc; + } else if (!rc.isOk()) { return rc; } diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp index ab386ad8..1564a641 100644 
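Review bot: The state check in `Blob::readBlob` is no longer fail-closed. The old condition returned `LOCKED` for any state other than `STATE_NO_ERROR`, while the new block returns only for `STATE_LOCKED` and `STATE_UNINITIALIZED` and lets every other value continue to the length check and whatever follows it. The `State` enum is not visible in this hunk, so the two cases may be exhaustive today, but a state added later would pass through silently for encrypted blobs. A catch-all after the two specific returns, `if (state != STATE_NO_ERROR) return ResponseCode::LOCKED;`, keeps the old guarantee; the doubled parentheses around the outer condition can also go. `readBlob` starts and ends outside the hunk.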
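Review bot: The new fallback branch in `getKeyCharacteristics` returns success without confirming that the characteristics blob parsed. Nothing examines the outcome of `keyCharacteristics.Deserialize(&charStream)`, so as far as the hunk shows, a truncated or damaged characteristics file would produce an empty or partial `softwareEnforced` list together with an OK code. How `Deserialize` signals failure is not visible here; if it leaves the stream in a failed state, a guard such as `if (charStream.fail()) return ResponseCode::VALUE_CORRUPTED;` before the assignment would cover it. The block comment could also say that this path makes no keymaster call, so every entry is reported as software-enforced and is taken directly from the file. The function starts and ends outside the hunk.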
--- a/keystore/keystore.cpp +++ b/keystore/keystore.cpp @@ -502,7 +502,7 @@ ResponseCode KeyStore::getKeyForName(Blob* keyBlob, const android::String8& keyN uid_t userId = get_user_id(uid); ResponseCode responseCode = get(filepath8.string(), keyBlob, type, userId); - if (responseCode == ResponseCode::NO_ERROR) { + if (responseCode != ResponseCode::KEY_NOT_FOUND) { return responseCode; } |
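Review bot: The inverted condition in `KeyStore::getKeyForName` changes behaviour for every caller, and the line has no comment saying so. Previously only `NO_ERROR` returned early; now every result except `KEY_NOT_FOUND` does, so errors such as `LOCKED` or `VALUE_CORRUPTED` from the first lookup no longer reach the rest of the function (which lies outside the hunk). Returning the error instead of trying further lookups looks like the safer direction, but it deserves to be stated in the code. A comment above the check would do, for example `// Only KEY_NOT_FOUND continues to the remaining lookups; any other result, including UNINITIALIZED and other errors, is returned to the caller unchanged.`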