author | Nathan Huckleberry <nhuck@google.com> | 2023-03-30 17:27:47 +0000 |
---|---|---|
committer | Nathan Huckleberry <nhuck@google.com> | 2023-05-31 19:51:21 +0000 |
commit | 204a044209bdfff4822ebafe4aba2ffadc6cbf2f (patch) | |
tree | e2dabf59fc7e225a17c384c03620f89fef6929d6 /keystore2/src/maintenance.rs | |
parent | f9494d172bb56c08d6859d8d51d38c682647f083 (diff) | |
Separate logic for user reset, remove, and init
Keystore2 super key handling is being refactored in preparation for
Unlocked-Only Storage.
This does not change the behavior of keystore2. It is a readability
change.
Currently, super_key.rs exposes one function for resetting, removing,
and initializing users:
- reset_or_init_user_and_get_user_state
This change breaks this function into smaller parts:
- reset_user
- init_user
- remove_user
- get_user_state
This simplifies the code in super_key.rs and allows it to act more like
a state machine.
Bug: 280502317
Bug: 277798192
Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove
PIN. Ensured unlock works. Added pin and biometric. Ensured unlock
works. Rebooted device. Ensured unlock works.
Change-Id: I4e27b41a76a8b45ca2bae6daabe51f2a985c2efe
Diffstat (limited to 'keystore2/src/maintenance.rs')
-rw-r--r-- | keystore2/src/maintenance.rs | 35 |
1 files changed, 16 insertions, 19 deletions
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 5efb798d..73dc8815 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -83,26 +83,24 @@ impl Maintenance {
 .context(ks_err!("unlock_screen_lock_bound_key failed"))?;
 }
 
- match DB
- .with(|db| {
- skm.reset_or_init_user_and_get_user_state(
- &mut db.borrow_mut(),
- &LEGACY_IMPORTER,
- user_id as u32,
- password.as_ref(),
- )
- })
- .context(ks_err!())?
+ if let UserState::LskfLocked = DB
+ .with(|db| skm.get_user_state(&mut db.borrow_mut(), &LEGACY_IMPORTER, user_id as u32))
+ .context(ks_err!("Could not get user state while changing password!"))?
 {
- UserState::LskfLocked => {
- // Error - password can not be changed when the device is locked
- Err(Error::Rc(ResponseCode::LOCKED)).context(ks_err!("Device is locked."))
+ // Error - password can not be changed when the device is locked
+ return Err(Error::Rc(ResponseCode::LOCKED)).context(ks_err!("Device is locked."));
+ }
+
+ DB.with(|db| match password {
+ Some(pass) => {
+ skm.init_user(&mut db.borrow_mut(), &LEGACY_IMPORTER, user_id as u32, &pass)
 }
- _ => {
- // LskfLocked is the only error case for password change
- Ok(())
+ None => {
+ // User transitioned to swipe.
+ skm.reset_user(&mut db.borrow_mut(), &LEGACY_IMPORTER, user_id as u32)
 }
- }
+ })
+ .context(ks_err!("Failed to change user password!"))
 }
 
 fn add_or_remove_user(&self, user_id: i32) -> Result<()> {
@@ -111,11 +109,10 @@ impl Maintenance {
 check_keystore_permission(KeystorePerm::ChangeUser).context(ks_err!())?;
 
 DB.with(|db| {
- SUPER_KEY.write().unwrap().reset_user(
+ SUPER_KEY.write().unwrap().remove_user(
 &mut db.borrow_mut(),
 &LEGACY_IMPORTER,
 user_id as u32,
- false,
 )
 })
 .context(ks_err!("Trying to delete keys from db."))?; |
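Review bot: The locked-state check and the key mutation are now two separate `DB.with` calls (`get_user_state`, then `init_user` or `reset_user`), so the `LskfLocked` decision is only as fresh as whatever keeps `skm` exclusive between them. `skm` is bound outside this hunk; if it is a write guard on `SUPER_KEY` held for the whole function the sequence stays serialized, but nothing visible here states that, and the two database accesses are no longer made inside one call into super_key.rs. I would record the invariant above the check, e.g. `// skm stays held from get_user_state through init_user/reset_user; releasing it in between would let the LskfLocked check go stale.` The enclosing function begins above the hunk.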
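Review bot: `user_id as u32` converts the `i32` parameter of `add_or_remove_user` without a range check, so a negative id would wrap to a large unsigned value before it reaches `remove_user`, the call whose error context is "Trying to delete keys from db.". The same cast feeds `get_user_state`, `init_user` and `reset_user` in the first hunk. Callers are gated by `check_keystore_permission(KeystorePerm::ChangeUser)`, so this is presumably a robustness concern rather than an exposed one, but a checked conversion done once at the top of each function would make the assumption explicit: `let user_id = u32::try_from(user_id).context(ks_err!("Invalid user id."))?;`. The end of the function lies outside the hunk.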