Commit e9d7d483 authored by Eric Biggers

LockSettingsService: remove redundant calls to verifyChallenge()

Both unlockLskfBasedProtector() and unlockTokenBasedProtector() do a
Gatekeeper verification immediately after decrypting the SP.  Therefore,
it's redundant for doVerifyCredential() to do it again.

Similarly, the same thing is redundant in
setLockCredentialWithSpLocked() too, since either
unlockLskfBasedProtector() or unlockTokenBasedProtector() was just
called to get the SP in the first place.

Remove these redundant calls to verifyChallenge() to simplify the code
and improve performance.

Bug: 269394345
Test: atest AuthBoundKeyTest
Test: atest com.android.server.locksettings
Change-Id: Ib73b4a082793458cedb7d06d3f81b77abb427426
parent 1a12606c
+2 −15
@@ -2157,17 +2157,6 @@ public class LockSettingsService extends ILockSettings.Stub {
                // credential has matched
                mBiometricDeferredQueue.addPendingLockoutResetForUser(userId,
                        authResult.syntheticPassword.deriveGkPassword());

                // perform verifyChallenge with synthetic password which generates the real GK auth
                // token and response for the current user
                response = mSpManager.verifyChallenge(getGateKeeperService(),
                        authResult.syntheticPassword, 0L /* challenge */, userId);
                if (response.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {
                    // This shouldn't really happen: the unwrapping of SP succeeds, but SP doesn't
                    // match the recorded GK password handle.
                    Slog.wtf(TAG, "verifyChallenge with SP failed.");
                    return VerifyCredentialResponse.ERROR;
                }
            }
        }
        if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {
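
Review bot: The trailing `if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK)` now tests whatever `response` held before this block, because the removed lines were the only place in this hunk that reassigned it from `verifyChallenge()`. Please confirm that the earlier response carries everything callers read from it, given that the removed comment says the call "generates the real GK auth token and response for the current user". The `Slog.wtf` for an SP that does not match the recorded GK password handle is also gone from this path, so a one-line comment here stating that the protector unlock already performed the Gatekeeper verification would keep the invariant visible at the call site.
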
@@ -2774,7 +2763,7 @@ public class LockSettingsService extends ILockSettings.Stub {
     *
     * Also maintains the invariants described in {@link SyntheticPasswordManager} by
     * setting/clearing the protection (by the SP) on the user's auth-bound Keystore keys when the
     * LSKF is added/removed, respectively.  If the new LSKF is nonempty, then the Gatekeeper auth
     * LSKF is added/removed, respectively.  If an LSKF is being added, then the Gatekeeper auth
     * token is also refreshed.
     */
    @GuardedBy("mSpManager")
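
Review bot: The Javadoc wording moves from "If the new LSKF is nonempty" to "If an LSKF is being added", which leaves the case of changing one nonempty LSKF to another undocumented. Suggest adding a sentence that in that case the method relies on the Gatekeeper verification done by the preceding unlockLskfBasedProtector() or unlockTokenBasedProtector() call, so the invariant can be read from this comment alone.
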
@@ -2790,9 +2779,7 @@ public class LockSettingsService extends ILockSettings.Stub {
            // not needed by synchronizeUnifiedWorkChallengeForProfiles()
            profilePasswords = null;

            if (mSpManager.hasSidForUser(userId)) {
                mSpManager.verifyChallenge(getGateKeeperService(), sp, 0L, userId);
            } else {
            if (!mSpManager.hasSidForUser(userId)) {
                mSpManager.newSidForUser(getGateKeeperService(), sp, userId);
                mSpManager.verifyChallenge(getGateKeeperService(), sp, 0L, userId);
                setKeystorePassword(sp.deriveKeyStorePassword(), userId);
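
Review bot: In the remaining `if (!mSpManager.hasSidForUser(userId))` branch, the result of `mSpManager.verifyChallenge(getGateKeeperService(), sp, 0L, userId)` is still discarded, so a failed verification right after `newSidForUser()` goes unnoticed before `setKeystorePassword()` runs. Suggest checking the response code, or at least logging on failure the way the block removed from the first hunk did with `Slog.wtf`.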