diff options
| -rw-r--r-- | android_keymaster/keymaster_enforcement.cpp | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/android_keymaster/keymaster_enforcement.cpp b/android_keymaster/keymaster_enforcement.cpp index bc42511..dc533a0 100644 --- a/android_keymaster/keymaster_enforcement.cpp +++ b/android_keymaster/keymaster_enforcement.cpp @@ -148,6 +148,7 @@ KeymasterEnforcement::AuthorizeUpdateOrFinish(const AuthProxy& auth_set, keymaster_operation_handle_t op_handle) { int auth_type_index = -1; int trusted_confirmation_index = -1; + bool no_auth_required = false; for (size_t pos = 0; pos < auth_set.size(); ++pos) { switch (auth_set[pos].tag) { case KM_TAG_USER_AUTH_TYPE: @@ -159,7 +160,9 @@ KeymasterEnforcement::AuthorizeUpdateOrFinish(const AuthProxy& auth_set, break; case KM_TAG_NO_AUTH_REQUIRED: case KM_TAG_AUTH_TIMEOUT: - // If no auth is required or if auth is timeout-based, we have nothing to check. + // If no auth is required or if auth is timeout-based, we have nothing to check. + no_auth_required = true; + break; default: break; } @@ -171,6 +174,11 @@ KeymasterEnforcement::AuthorizeUpdateOrFinish(const AuthProxy& auth_set, return KM_ERROR_NO_USER_CONFIRMATION; } + // If NO_AUTH_REQUIRED or AUTH_TIMEOUT was set, we need not check an auth token. + if (no_auth_required) { + return KM_ERROR_OK; + } + // Note that at this point we should be able to assume that authentication is required, because // authentication is required if KM_TAG_NO_AUTH_REQUIRED is absent. However, there are legacy // keys which have no authentication-related tags, so we assume that absence is equivalent to |