From a405d0efb5aaeaa778d34823d903b060d07392cf Mon Sep 17 00:00:00 2001 From: Nathan Huckleberry Date: Tue, 28 Mar 2023 18:01:43 +0000 Subject: [PATCH] Make super_encrypt_on_key_init inline Keystore2 super key handling is being refactored in preparation for Unlocked-Only Storage. There's no reason to separate this function. It doesn't handle any complicated logic and makes control flow more difficult to understand. Bug: 280502317 Bug: 277798192 Test: Wiped device. Setup user with PIN. Ensured unlock works. Remove PIN. Ensured unlock works. Added pin and biometric. Ensured unlock works. Rebooted device. Ensured unlock works. Change-Id: Iafd31ae79a722910effaba98ac216d5b912dd348 --- keystore2/src/super_key.rs | 49 +++++++++++++++----------------------- 1 file changed, 19 insertions(+), 30 deletions(-) diff --git a/keystore2/src/super_key.rs b/keystore2/src/super_key.rs index cb9960f1..728be24d 100644 --- a/keystore2/src/super_key.rs +++ b/keystore2/src/super_key.rs @@ -683,33 +683,6 @@ impl SuperKeyManager { Ok((encrypted_key, metadata)) } - // Encrypt the given key blob with the user's super key, if the super key exists and the device - // is unlocked. If the super key exists and the device is locked, or LSKF is not setup, - // return error. Note that it is out of the scope of this function to check if super encryption - // is required. Such check should be performed before calling this function. - fn super_encrypt_on_key_init( - &self, - db: &mut KeystoreDB, - legacy_importer: &LegacyImporter, - user_id: UserId, - key_blob: &[u8], - ) -> Result<(Vec, BlobMetaData)> { - match self - .get_user_state(db, legacy_importer, user_id) - .context(ks_err!("Failed to get user state."))? - { - UserState::LskfUnlocked(super_key) => { - Self::encrypt_with_aes_super_key(key_blob, &super_key) - .context(ks_err!("Failed to encrypt the key.")) - } - UserState::LskfLocked => { - Err(Error::Rc(ResponseCode::LOCKED)).context(ks_err!("Device is locked.")) - } - UserState::Uninitialized => Err(Error::Rc(ResponseCode::UNINITIALIZED)) - .context(ks_err!("LSKF is not setup for the user.")), - } - } - // Helper function to encrypt a key with the given super key. Callers should select which super // key to be used. This is called when a key is super encrypted at its creation as well as at // its upgrade. @@ -744,9 +717,25 @@ impl SuperKeyManager { ) -> Result<(Vec, BlobMetaData)> { match Enforcements::super_encryption_required(domain, key_parameters, flags) { SuperEncryptionType::None => Ok((key_blob.to_vec(), BlobMetaData::new())), - SuperEncryptionType::LskfBound => self - .super_encrypt_on_key_init(db, legacy_importer, user_id, key_blob) - .context(ks_err!("Failed to super encrypt with LskfBound key.")), + SuperEncryptionType::LskfBound => { + // Encrypt the given key blob with the user's per-boot super key, if the per-boot + // super key is available. If the device is boot-locked or the LSKF is not setup, + // an error is returned. + match self + .get_user_state(db, legacy_importer, user_id) + .context(ks_err!("Failed to get user state."))? + { + UserState::LskfUnlocked(super_key) => { + Self::encrypt_with_aes_super_key(key_blob, &super_key) + .context(ks_err!("Failed to encrypt with LskfBound key.")) + } + UserState::LskfLocked => { + Err(Error::Rc(ResponseCode::LOCKED)).context(ks_err!("Device is locked.")) + } + UserState::Uninitialized => Err(Error::Rc(ResponseCode::UNINITIALIZED)) + .context(ks_err!("LSKF is not setup for the user.")), + } + } SuperEncryptionType::ScreenLockBound => { let entry = self.data.user_keys.get(&user_id).and_then(|e| e.screen_lock_bound.as_ref());