Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 71db85fd authored by Kevin Chyn's avatar Kevin Chyn
Browse files

Generate challenge and reset lockout only if user has enrolled biometrics 

Fixes: 132723654

Test: Lockout reset still works
Change-Id: I28fcbd22cd0b89082d5183382649d9c3095dd595
parent bb081124

services/core/java/com/android/server/biometrics/BiometricService.java

+2 −3
Original line number Diff line number Diff line
@@ -760,7 +760,6 @@ public class BiometricService extends SystemService { 
        @Override // Binder call

        public int canAuthenticate(String opPackageName) {

            checkPermission();

            checkAppOp(opPackageName, Binder.getCallingUid());



            final int userId = UserHandle.getCallingUserId();

            final long ident = Binder.clearCallingIdentity();
@@ -833,9 +832,9 @@ public class BiometricService extends SystemService { 
    }



    private void checkPermission() {

        if (getContext().checkCallingPermission(USE_FINGERPRINT)

        if (getContext().checkCallingOrSelfPermission(USE_FINGERPRINT)

                != PackageManager.PERMISSION_GRANTED) {

            getContext().enforceCallingPermission(USE_BIOMETRIC,

            getContext().enforceCallingOrSelfPermission(USE_BIOMETRIC,

                    "Must have USE_BIOMETRIC permission");

        }

    }

services/core/java/com/android/server/locksettings/LockSettingsService.java

+7 −5
Original line number Diff line number Diff line
@@ -421,8 +421,9 @@ public class LockSettingsService extends ILockSettings.Stub { 
                    new PasswordSlotManager());

        }



        public boolean hasBiometrics() {

            return BiometricManager.hasBiometrics(mContext);

        public boolean hasEnrolledBiometrics() {

            BiometricManager bm = mContext.getSystemService(BiometricManager.class);

            return bm.canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS;

        }



        public int binderGetCallingUid() {
@@ -2502,7 +2503,8 @@ public class LockSettingsService extends ILockSettings.Stub { 
        // TODO: When lockout is handled under the HAL for all biometrics (fingerprint),

        // we need to generate challenge for each one, have it signed by GK and reset lockout

        // for each modality.

        if (!hasChallenge && pm.hasSystemFeature(PackageManager.FEATURE_FACE)) {

        if (!hasChallenge && pm.hasSystemFeature(PackageManager.FEATURE_FACE)

                && mInjector.hasEnrolledBiometrics()) {

            challenge = mContext.getSystemService(FaceManager.class).generateChallenge();

        }
@@ -2544,8 +2546,8 @@ public class LockSettingsService extends ILockSettings.Stub { 
        if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {

            notifyActivePasswordMetricsAvailable(credentialType, userCredential, userId);

            unlockKeystore(authResult.authToken.deriveKeyStorePassword(), userId);

            // Reset lockout

            if (mInjector.hasBiometrics()) {

            // Reset lockout only if user has enrolled templates

            if (mInjector.hasEnrolledBiometrics()) {

                BiometricManager bm = mContext.getSystemService(BiometricManager.class);

                Slog.i(TAG, "Resetting lockout, length: "

                        + authResult.gkResponse.getPayload().length);

services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTestable.java

+1 −1
Original line number Diff line number Diff line
@@ -110,7 +110,7 @@ public class LockSettingsServiceTestable extends LockSettingsService { 
        }



        @Override

        public boolean hasBiometrics() {

        public boolean hasEnrolledBiometrics() {

            return false;

        }