Loading services/core/java/com/android/server/locksettings/LockSettingsService.java +3 −3 Original line number Diff line number Diff line Loading @@ -1957,7 +1957,7 @@ public class LockSettingsService extends ILockSettings.Stub { final long oldProtectorId = getCurrentLskfBasedProtectorId(userId); AuthenticationResult authResult = mSpManager.unlockLskfBasedProtector( getGateKeeperService(), oldProtectorId, savedCredential, userId, null); VerifyCredentialResponse response = authResult.gkResponse; VerifyCredentialResponse response = authResult.response; SyntheticPassword sp = authResult.syntheticPassword; if (sp == null) { Loading Loading @@ -2464,7 +2464,7 @@ public class LockSettingsService extends ILockSettings.Stub { } authResult = mSpManager.unlockLskfBasedProtector( getGateKeeperService(), protectorId, credential, userId, progressCallback); response = reportResultToSoftwareRateLimiter(authResult.gkResponse, lskfId, credential); response = reportResultToSoftwareRateLimiter(authResult.response, lskfId, credential); if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) { if ((flags & VERIFY_FLAG_WRITE_REPAIR_MODE_PW) != 0) { Loading Loading @@ -3456,7 +3456,7 @@ public class LockSettingsService extends ILockSettings.Stub { Slog.w(TAG, "Invalid escrow token supplied"); return false; } if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) { if (result.response.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) { // Most likely, an untrusted credential reset happened in the past which // changed the synthetic password Slog.e(TAG, "Obsolete token: synthetic password decrypted but it fails GK " Loading services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java +25 −24 Original line number Diff line number Diff line Loading @@ -198,7 +198,7 @@ class SyntheticPasswordManager { // null: user does not have a lockscreen (but password / token passes verification) // ERROR: password / token fails verification // RETRY: password / token verification is throttled at the moment. @Nullable public VerifyCredentialResponse gkResponse; @Nullable public VerifyCredentialResponse response; // For unlockLskfBasedProtector() this is set to true if the protector uses Weaver. public boolean usedWeaver; } Loading Loading @@ -1383,7 +1383,7 @@ class SyntheticPasswordManager { if (protectorId == SyntheticPasswordManager.NULL_PROTECTOR_ID) { // This should never happen, due to the migration done in LSS.onThirdPartyAppsStarted(). Slogf.wtf(TAG, "Synthetic password not found for user %d", userId); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } Loading @@ -1402,7 +1402,7 @@ class SyntheticPasswordManager { Slogf.e(TAG, "Credential type mismatch: stored type is %s but provided type is %s", LockPatternUtils.credentialTypeToString(storedType), LockPatternUtils.credentialTypeToString(credential.getType())); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } Loading @@ -1420,16 +1420,17 @@ class SyntheticPasswordManager { final IWeaver weaver = getWeaverService(); if (weaver == null) { Slog.e(TAG, "Protector uses Weaver, but Weaver is unavailable"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } weaverKey = stretchedLskfToWeaverKey(stretchedLskf); result.gkResponse = weaverVerify(weaver, weaverSlot, weaverKey); if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) { result.response = weaverVerify(weaver, weaverSlot, weaverKey); if (result.response.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) { return result; } protectorSecret = transformUnderWeaverSecret(stretchedLskf, result.gkResponse.getGatekeeperHAT()); protectorSecret = transformUnderWeaverSecret( stretchedLskf, result.response.getGatekeeperHAT()); } else { // Weaver is unavailable, so the protector uses Gatekeeper to verify the LSKF, // unless the LSKF is empty in which case Gatekeeper might not have been used at Loading @@ -1437,7 +1438,7 @@ class SyntheticPasswordManager { if (pwd == null || pwd.passwordHandle == null) { if (!credential.isNone()) { Slog.e(TAG, "Missing Gatekeeper password handle for nonempty LSKF"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } } else { Loading @@ -1448,12 +1449,12 @@ class SyntheticPasswordManager { pwd.passwordHandle, gkPassword); } catch (RemoteException e) { Slog.e(TAG, "gatekeeper verify failed", e); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } int responseCode = response.getResponseCode(); if (responseCode == GateKeeperResponse.RESPONSE_OK) { result.gkResponse = VerifyCredentialResponse.OK; result.response = VerifyCredentialResponse.OK; if (response.getShouldReEnroll()) { GateKeeperResponse reenrollResponse; try { Loading @@ -1479,11 +1480,11 @@ class SyntheticPasswordManager { } } } else if (responseCode == GateKeeperResponse.RESPONSE_RETRY) { result.gkResponse = VerifyCredentialResponse.fromTimeout( response.getTimeout()); result.response = VerifyCredentialResponse.fromTimeout(response.getTimeout()); return result; } else { result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } sid = sidFromPasswordHandle(pwd.passwordHandle); Loading @@ -1491,7 +1492,7 @@ class SyntheticPasswordManager { byte[] secdiscardable = loadSecdiscardable(protectorId, userId); if (secdiscardable == null) { Slog.e(TAG, "secdiscardable file not found"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } protectorSecret = transformUnderSecdiscardable(stretchedLskf, secdiscardable); Loading @@ -1509,7 +1510,7 @@ class SyntheticPasswordManager { PROTECTOR_TYPE_LSKF_BASED, protectorSecret, sid, userId); // Perform verifyChallenge to refresh auth tokens for GK if user password exists. result.gkResponse = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId); result.response = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId); // Upgrade case: store the metrics if the device did not have stored metrics before, // should only happen once on old protectors. Loading Loading @@ -1563,7 +1564,7 @@ class SyntheticPasswordManager { byte[] data = loadState(SP_BLOB_NAME, protectorId, userId); if (data == null) { AuthenticationResult result = new AuthenticationResult(); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; Slogf.w(TAG, "spblob not found for protector %016x, user %d", protectorId, userId); return result; } Loading Loading @@ -1599,7 +1600,7 @@ class SyntheticPasswordManager { byte[] secdiscardable = loadSecdiscardable(protectorId, userId); if (secdiscardable == null) { Slog.e(TAG, "secdiscardable file not found"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } int slotId = loadWeaverSlot(protectorId, userId); Loading @@ -1607,7 +1608,7 @@ class SyntheticPasswordManager { final IWeaver weaver = getWeaverService(); if (weaver == null) { Slog.e(TAG, "Protector uses Weaver, but Weaver is unavailable"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } VerifyCredentialResponse response = weaverVerify(weaver, slotId, null); Loading @@ -1615,7 +1616,7 @@ class SyntheticPasswordManager { response.getGatekeeperHAT() == null) { Slog.e(TAG, "Failed to retrieve Weaver secret when unlocking token-based protector"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } secdiscardable = SyntheticPasswordCrypto.decrypt(response.getGatekeeperHAT(), Loading @@ -1625,14 +1626,14 @@ class SyntheticPasswordManager { result.syntheticPassword = unwrapSyntheticPasswordBlob(protectorId, expectedProtectorType, protectorSecret, 0L, userId); if (result.syntheticPassword != null) { result.gkResponse = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId); if (result.gkResponse == null) { result.response = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId); if (result.response == null) { // The user currently has no password. return OK with null payload so null // is propagated to unlockUser() result.gkResponse = VerifyCredentialResponse.OK; result.response = VerifyCredentialResponse.OK; } } else { result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; } return result; } Loading Loading
services/core/java/com/android/server/locksettings/LockSettingsService.java +3 −3 Original line number Diff line number Diff line Loading @@ -1957,7 +1957,7 @@ public class LockSettingsService extends ILockSettings.Stub { final long oldProtectorId = getCurrentLskfBasedProtectorId(userId); AuthenticationResult authResult = mSpManager.unlockLskfBasedProtector( getGateKeeperService(), oldProtectorId, savedCredential, userId, null); VerifyCredentialResponse response = authResult.gkResponse; VerifyCredentialResponse response = authResult.response; SyntheticPassword sp = authResult.syntheticPassword; if (sp == null) { Loading Loading @@ -2464,7 +2464,7 @@ public class LockSettingsService extends ILockSettings.Stub { } authResult = mSpManager.unlockLskfBasedProtector( getGateKeeperService(), protectorId, credential, userId, progressCallback); response = reportResultToSoftwareRateLimiter(authResult.gkResponse, lskfId, credential); response = reportResultToSoftwareRateLimiter(authResult.response, lskfId, credential); if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) { if ((flags & VERIFY_FLAG_WRITE_REPAIR_MODE_PW) != 0) { Loading Loading @@ -3456,7 +3456,7 @@ public class LockSettingsService extends ILockSettings.Stub { Slog.w(TAG, "Invalid escrow token supplied"); return false; } if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) { if (result.response.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) { // Most likely, an untrusted credential reset happened in the past which // changed the synthetic password Slog.e(TAG, "Obsolete token: synthetic password decrypted but it fails GK " Loading
services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java +25 −24 Original line number Diff line number Diff line Loading @@ -198,7 +198,7 @@ class SyntheticPasswordManager { // null: user does not have a lockscreen (but password / token passes verification) // ERROR: password / token fails verification // RETRY: password / token verification is throttled at the moment. @Nullable public VerifyCredentialResponse gkResponse; @Nullable public VerifyCredentialResponse response; // For unlockLskfBasedProtector() this is set to true if the protector uses Weaver. public boolean usedWeaver; } Loading Loading @@ -1383,7 +1383,7 @@ class SyntheticPasswordManager { if (protectorId == SyntheticPasswordManager.NULL_PROTECTOR_ID) { // This should never happen, due to the migration done in LSS.onThirdPartyAppsStarted(). Slogf.wtf(TAG, "Synthetic password not found for user %d", userId); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } Loading @@ -1402,7 +1402,7 @@ class SyntheticPasswordManager { Slogf.e(TAG, "Credential type mismatch: stored type is %s but provided type is %s", LockPatternUtils.credentialTypeToString(storedType), LockPatternUtils.credentialTypeToString(credential.getType())); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } Loading @@ -1420,16 +1420,17 @@ class SyntheticPasswordManager { final IWeaver weaver = getWeaverService(); if (weaver == null) { Slog.e(TAG, "Protector uses Weaver, but Weaver is unavailable"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } weaverKey = stretchedLskfToWeaverKey(stretchedLskf); result.gkResponse = weaverVerify(weaver, weaverSlot, weaverKey); if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) { result.response = weaverVerify(weaver, weaverSlot, weaverKey); if (result.response.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) { return result; } protectorSecret = transformUnderWeaverSecret(stretchedLskf, result.gkResponse.getGatekeeperHAT()); protectorSecret = transformUnderWeaverSecret( stretchedLskf, result.response.getGatekeeperHAT()); } else { // Weaver is unavailable, so the protector uses Gatekeeper to verify the LSKF, // unless the LSKF is empty in which case Gatekeeper might not have been used at Loading @@ -1437,7 +1438,7 @@ class SyntheticPasswordManager { if (pwd == null || pwd.passwordHandle == null) { if (!credential.isNone()) { Slog.e(TAG, "Missing Gatekeeper password handle for nonempty LSKF"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } } else { Loading @@ -1448,12 +1449,12 @@ class SyntheticPasswordManager { pwd.passwordHandle, gkPassword); } catch (RemoteException e) { Slog.e(TAG, "gatekeeper verify failed", e); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } int responseCode = response.getResponseCode(); if (responseCode == GateKeeperResponse.RESPONSE_OK) { result.gkResponse = VerifyCredentialResponse.OK; result.response = VerifyCredentialResponse.OK; if (response.getShouldReEnroll()) { GateKeeperResponse reenrollResponse; try { Loading @@ -1479,11 +1480,11 @@ class SyntheticPasswordManager { } } } else if (responseCode == GateKeeperResponse.RESPONSE_RETRY) { result.gkResponse = VerifyCredentialResponse.fromTimeout( response.getTimeout()); result.response = VerifyCredentialResponse.fromTimeout(response.getTimeout()); return result; } else { result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } sid = sidFromPasswordHandle(pwd.passwordHandle); Loading @@ -1491,7 +1492,7 @@ class SyntheticPasswordManager { byte[] secdiscardable = loadSecdiscardable(protectorId, userId); if (secdiscardable == null) { Slog.e(TAG, "secdiscardable file not found"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } protectorSecret = transformUnderSecdiscardable(stretchedLskf, secdiscardable); Loading @@ -1509,7 +1510,7 @@ class SyntheticPasswordManager { PROTECTOR_TYPE_LSKF_BASED, protectorSecret, sid, userId); // Perform verifyChallenge to refresh auth tokens for GK if user password exists. result.gkResponse = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId); result.response = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId); // Upgrade case: store the metrics if the device did not have stored metrics before, // should only happen once on old protectors. Loading Loading @@ -1563,7 +1564,7 @@ class SyntheticPasswordManager { byte[] data = loadState(SP_BLOB_NAME, protectorId, userId); if (data == null) { AuthenticationResult result = new AuthenticationResult(); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; Slogf.w(TAG, "spblob not found for protector %016x, user %d", protectorId, userId); return result; } Loading Loading @@ -1599,7 +1600,7 @@ class SyntheticPasswordManager { byte[] secdiscardable = loadSecdiscardable(protectorId, userId); if (secdiscardable == null) { Slog.e(TAG, "secdiscardable file not found"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } int slotId = loadWeaverSlot(protectorId, userId); Loading @@ -1607,7 +1608,7 @@ class SyntheticPasswordManager { final IWeaver weaver = getWeaverService(); if (weaver == null) { Slog.e(TAG, "Protector uses Weaver, but Weaver is unavailable"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } VerifyCredentialResponse response = weaverVerify(weaver, slotId, null); Loading @@ -1615,7 +1616,7 @@ class SyntheticPasswordManager { response.getGatekeeperHAT() == null) { Slog.e(TAG, "Failed to retrieve Weaver secret when unlocking token-based protector"); result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; return result; } secdiscardable = SyntheticPasswordCrypto.decrypt(response.getGatekeeperHAT(), Loading @@ -1625,14 +1626,14 @@ class SyntheticPasswordManager { result.syntheticPassword = unwrapSyntheticPasswordBlob(protectorId, expectedProtectorType, protectorSecret, 0L, userId); if (result.syntheticPassword != null) { result.gkResponse = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId); if (result.gkResponse == null) { result.response = verifyChallenge(gatekeeper, result.syntheticPassword, 0L, userId); if (result.response == null) { // The user currently has no password. return OK with null payload so null // is propagated to unlockUser() result.gkResponse = VerifyCredentialResponse.OK; result.response = VerifyCredentialResponse.OK; } } else { result.gkResponse = VerifyCredentialResponse.ERROR; result.response = VerifyCredentialResponse.ERROR; } return result; } Loading
