Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3cdf8af0 authored by Eric Biggers's avatar Eric Biggers
Browse files

Rename AuthenticationResult#gkResponse 

Rename it to just 'response'.  It is not specific to Gatekeeper.
No functional change.

Test: atest FrameworksServicesTests:com.android.server.locksettings
Bug: 320392352
Bug: 395976735
Flag: EXEMPT refactor
Change-Id: I534608f76d4eb972a0bba03eea2e3698e2a29848
parent eb5bb034

services/core/java/com/android/server/locksettings/LockSettingsService.java

+3 −3
Original line number Diff line number Diff line
@@ -1963,7 +1963,7 @@ public class LockSettingsService extends ILockSettings.Stub { 
            final long oldProtectorId = getCurrentLskfBasedProtectorId(userId);

            AuthenticationResult authResult = mSpManager.unlockLskfBasedProtector(

                    getGateKeeperService(), oldProtectorId, savedCredential, userId, null);

            VerifyCredentialResponse response = authResult.gkResponse;

            VerifyCredentialResponse response = authResult.response;

            SyntheticPassword sp = authResult.syntheticPassword;



            if (sp == null) {
@@ -2470,7 +2470,7 @@ public class LockSettingsService extends ILockSettings.Stub { 
            }

            authResult = mSpManager.unlockLskfBasedProtector(

                    getGateKeeperService(), protectorId, credential, userId, progressCallback);

            response = reportResultToSoftwareRateLimiter(authResult.gkResponse, lskfId, credential);

            response = reportResultToSoftwareRateLimiter(authResult.response, lskfId, credential);



            if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {

                if ((flags & VERIFY_FLAG_WRITE_REPAIR_MODE_PW) != 0) {
@@ -3461,7 +3461,7 @@ public class LockSettingsService extends ILockSettings.Stub { 
            Slog.w(TAG, "Invalid escrow token supplied");

            return false;

        }

        if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {

        if (result.response.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {

            // Most likely, an untrusted credential reset happened in the past which

            // changed the synthetic password

            Slog.e(TAG, "Obsolete token: synthetic password decrypted but it fails GK "

services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java

+25 −24
Original line number Diff line number Diff line
@@ -198,7 +198,7 @@ class SyntheticPasswordManager { 
        // null:  user does not have a lockscreen (but password / token passes verification)

        // ERROR: password / token fails verification

        // RETRY: password / token verification is throttled at the moment.

        @Nullable public VerifyCredentialResponse gkResponse;

        @Nullable public VerifyCredentialResponse response;

        // For unlockLskfBasedProtector() this is set to true if the protector uses Weaver.

        public boolean usedWeaver;

    }
@@ -1383,7 +1383,7 @@ class SyntheticPasswordManager { 
        if (protectorId == SyntheticPasswordManager.NULL_PROTECTOR_ID) {

            // This should never happen, due to the migration done in LSS.onThirdPartyAppsStarted().

            Slogf.wtf(TAG, "Synthetic password not found for user %d", userId);

            result.gkResponse = VerifyCredentialResponse.ERROR;

            result.response = VerifyCredentialResponse.ERROR;

            return result;

        }
@@ -1402,7 +1402,7 @@ class SyntheticPasswordManager { 
            Slogf.e(TAG, "Credential type mismatch: stored type is %s but provided type is %s",

                    LockPatternUtils.credentialTypeToString(storedType),

                    LockPatternUtils.credentialTypeToString(credential.getType()));

            result.gkResponse = VerifyCredentialResponse.ERROR;

            result.response = VerifyCredentialResponse.ERROR;

            return result;

        }
@@ -1420,16 +1420,17 @@ class SyntheticPasswordManager { 
                final IWeaver weaver = getWeaverService();

                if (weaver == null) {

                    Slog.e(TAG, "Protector uses Weaver, but Weaver is unavailable");

                    result.gkResponse = VerifyCredentialResponse.ERROR;

                    result.response = VerifyCredentialResponse.ERROR;

                    return result;

                }

                weaverKey = stretchedLskfToWeaverKey(stretchedLskf);

                result.gkResponse = weaverVerify(weaver, weaverSlot, weaverKey);

                if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {

                result.response = weaverVerify(weaver, weaverSlot, weaverKey);

                if (result.response.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {

                    return result;

                }

                protectorSecret = transformUnderWeaverSecret(stretchedLskf,

                        result.gkResponse.getGatekeeperHAT());

                protectorSecret =

                        transformUnderWeaverSecret(

                                stretchedLskf, result.response.getGatekeeperHAT());

            } else {

                // Weaver is unavailable, so the protector uses Gatekeeper to verify the LSKF,

                // unless the LSKF is empty in which case Gatekeeper might not have been used at
@@ -1437,7 +1438,7 @@ class SyntheticPasswordManager { 
                if (pwd == null || pwd.passwordHandle == null) {

                    if (!credential.isNone()) {

                        Slog.e(TAG, "Missing Gatekeeper password handle for nonempty LSKF");

                        result.gkResponse = VerifyCredentialResponse.ERROR;

                        result.response = VerifyCredentialResponse.ERROR;

                        return result;

                    }

                } else {
@@ -1448,12 +1449,12 @@ class SyntheticPasswordManager { 
                                pwd.passwordHandle, gkPassword);

                    } catch (RemoteException e) {

                        Slog.e(TAG, "gatekeeper verify failed", e);

                        result.gkResponse = VerifyCredentialResponse.ERROR;

                        result.response = VerifyCredentialResponse.ERROR;

                        return result;

                    }

                    int responseCode = response.getResponseCode();

                    if (responseCode == GateKeeperResponse.RESPONSE_OK) {

                        result.gkResponse = VerifyCredentialResponse.OK;

                        result.response = VerifyCredentialResponse.OK;

                        if (response.getShouldReEnroll()) {

                            GateKeeperResponse reenrollResponse;

                            try {
@@ -1479,11 +1480,11 @@ class SyntheticPasswordManager { 
                            }

                        }

                    } else if (responseCode == GateKeeperResponse.RESPONSE_RETRY) {

                        result.gkResponse = VerifyCredentialResponse.fromTimeout(

                                response.getTimeout());

                        result.response =

                                VerifyCredentialResponse.fromTimeout(response.getTimeout());

                        return result;

                    } else  {

                        result.gkResponse = VerifyCredentialResponse.ERROR;

                        result.response = VerifyCredentialResponse.ERROR;

                        return result;

                    }

                    sid = sidFromPasswordHandle(pwd.passwordHandle);
@@ -1491,7 +1492,7 @@ class SyntheticPasswordManager { 
                byte[] secdiscardable = loadSecdiscardable(protectorId, userId);

                if (secdiscardable == null) {

                    Slog.e(TAG, "secdiscardable file not found");

                    result.gkResponse = VerifyCredentialResponse.ERROR;

                    result.response = VerifyCredentialResponse.ERROR;

                    return result;

                }

                protectorSecret = transformUnderSecdiscardable(stretchedLskf, secdiscardable);
@@ -1509,7 +1510,7 @@ class SyntheticPasswordManager { 
                    PROTECTOR_TYPE_LSKF_BASED, protectorSecret, sid, userId);



            // Perform verifyChallenge to refresh auth tokens for GK if user password exists.

            result.gkResponse = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId);

            result.response = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId);



            // Upgrade case: store the metrics if the device did not have stored metrics before,

            // should only happen once on old protectors.
@@ -1563,7 +1564,7 @@ class SyntheticPasswordManager { 
        byte[] data = loadState(SP_BLOB_NAME, protectorId, userId);

        if (data == null) {

            AuthenticationResult result = new AuthenticationResult();

            result.gkResponse = VerifyCredentialResponse.ERROR;

            result.response = VerifyCredentialResponse.ERROR;

            Slogf.w(TAG, "spblob not found for protector %016x, user %d", protectorId, userId);

            return result;

        }
@@ -1599,7 +1600,7 @@ class SyntheticPasswordManager { 
        byte[] secdiscardable = loadSecdiscardable(protectorId, userId);

        if (secdiscardable == null) {

            Slog.e(TAG, "secdiscardable file not found");

            result.gkResponse = VerifyCredentialResponse.ERROR;

            result.response = VerifyCredentialResponse.ERROR;

            return result;

        }

        int slotId = loadWeaverSlot(protectorId, userId);
@@ -1607,7 +1608,7 @@ class SyntheticPasswordManager { 
            final IWeaver weaver = getWeaverService();

            if (weaver == null) {

                Slog.e(TAG, "Protector uses Weaver, but Weaver is unavailable");

                result.gkResponse = VerifyCredentialResponse.ERROR;

                result.response = VerifyCredentialResponse.ERROR;

                return result;

            }

            VerifyCredentialResponse response = weaverVerify(weaver, slotId, null);
@@ -1615,7 +1616,7 @@ class SyntheticPasswordManager { 
                    response.getGatekeeperHAT() == null) {

                Slog.e(TAG,

                        "Failed to retrieve Weaver secret when unlocking token-based protector");

                result.gkResponse = VerifyCredentialResponse.ERROR;

                result.response = VerifyCredentialResponse.ERROR;

                return result;

            }

            secdiscardable = SyntheticPasswordCrypto.decrypt(response.getGatekeeperHAT(),
@@ -1625,14 +1626,14 @@ class SyntheticPasswordManager { 
        result.syntheticPassword = unwrapSyntheticPasswordBlob(protectorId, expectedProtectorType,

                protectorSecret, 0L, userId);

        if (result.syntheticPassword != null) {

            result.gkResponse = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId);

            if (result.gkResponse == null) {

            result.response = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId);

            if (result.response == null) {

                // The user currently has no password. return OK with null payload so null

                // is propagated to unlockUser()

                result.gkResponse = VerifyCredentialResponse.OK;

                result.response = VerifyCredentialResponse.OK;

            }

        } else {

            result.gkResponse = VerifyCredentialResponse.ERROR;

            result.response = VerifyCredentialResponse.ERROR;

        }

        return result;

    }