Android密码验证这条流程几乎没什么log,遇到无法解锁或者解锁慢的问题需要手动添加log
(1)frameworks层log
/frameworks/base/services/core/java/com/android/server/locksettings/LockSettingsService.java
private static final boolean DEBUG = false; //改为true
private VerifyCredentialResponse doVerifyCredential(String credential, int credentialType,
1542 boolean hasChallenge, long challenge, int userId,
1543 ICheckCredentialProgressCallback progressCallback) throws RemoteException {
1544 if (TextUtils.isEmpty(credential)) {
1545 throw new IllegalArgumentException("Credential can't be null or empty");
1546 }
1547 if (userId == USER_FRP && Settings.Global.getInt(mContext.getContentResolver(),
1548 Settings.Global.DEVICE_PROVISIONED, 0) != 0) {
1549 Slog.e(TAG, "FRP credential can only be verified prior to provisioning.");
1550 return VerifyCredentialResponse.ERROR;
1551 }
1552 VerifyCredentialResponse response = null;
+Slog.d(TAG, "debug_unlock call spBasedDoVerifyCredential begin");
1553 response = spBasedDoVerifyCredential(credential, credentialType, hasChallenge, challenge,
1554 userId, progressCallback);
+Slog.d(TAG, "debug_unlock call spBasedDoVerifyCredential end, (response==null)="+(response==null)+" userId="+userId);
1555 // The user employs synthetic password based credential.
1556 if (response != null) {
1557 return response;
1558 }
1559
1560 if (userId == USER_FRP) {
1561 Slog.wtf(TAG, "Unexpected FRP credential type, should be SP based.");
1562 return VerifyCredentialResponse.ERROR;
1563 }
1564
1565 final CredentialHash storedHash = mStorage.readCredentialHash(userId);
1566 if (storedHash.type != credentialType) {
1567 Slog.wtf(TAG, "doVerifyCredential type mismatch with stored credential??"
1568 + " stored: " + storedHash.type + " passed in: " + credentialType);
1569 return VerifyCredentialResponse.ERROR;
1570 }
1571
1572 boolean shouldReEnrollBaseZero = storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN
1573 && storedHash.isBaseZeroPattern;
1574
1575 String credentialToVerify;
1576 if (shouldReEnrollBaseZero) {
1577 credentialToVerify = LockPatternUtils.patternStringToBaseZero(credential);
1578 } else {
1579 credentialToVerify = credential;
1580 }
1581
+Slog.d(TAG, "call verifyCredential begin");
1582 response = verifyCredential(userId, storedHash, credentialToVerify,
1583 hasChallenge, challenge, progressCallback);
+Slog.d(TAG, "debug_unlock call verifyCredential end, response.getResponseCode()="+response.getResponseCode());
1584
1585 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {
1586 mStrongAuth.reportSuccessfulStrongAuthUnlock(userId);
1587 if (shouldReEnrollBaseZero) {
1588 setLockCredentialInternal(credential, storedHash.type, credentialToVerify,
1589 DevicePolicyManager.PASSWORD_QUALITY_SOMETHING, userId);
1590 }
1591 }
1592
1593 return response;
1594 }
1638 private VerifyCredentialResponse verifyCredential(int userId, CredentialHash storedHash,
1639 String credential, boolean hasChallenge, long challenge,
1640 ICheckCredentialProgressCallback progressCallback) throws RemoteException {
+Slog.d(TAG, "debug_unlock call verifyCredential enter");
1641 if ((storedHash == null || storedHash.hash.length == 0) && TextUtils.isEmpty(credential)) {
1642 // don't need to pass empty credentials to GateKeeper
1643 return VerifyCredentialResponse.OK;
1644 }
1645
1646 if (storedHash == null || TextUtils.isEmpty(credential)) {
1647 return VerifyCredentialResponse.ERROR;
1648 }
1649
1650 // We're potentially going to be doing a bunch of disk I/O below as part
1651 // of unlocking the user, so yell if calling from the main thread.
1652 StrictMode.noteDiskRead();
1653
1654 if (storedHash.version == CredentialHash.VERSION_LEGACY) {
1655 final byte[] hash;
1656 if (storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {
1657 hash = LockPatternUtils.patternToHash(LockPatternUtils.stringToPattern(credential));
1658 } else {
1659 hash = mLockPatternUtils.passwordToHash(credential, userId);
1660 }
1661 if (Arrays.equals(hash, storedHash.hash)) {
1662 if (storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {
1663 unlockKeystore(LockPatternUtils.patternStringToBaseZero(credential), userId);
1664 } else {
1665 unlockKeystore(credential, userId);
1666 }
1667 // Users with legacy credentials don't have credential-backed
1668 // FBE keys, so just pass through a fake token/secret
1669 Slog.i(TAG, "Unlocking user with fake token: " + userId);
1670 final byte[] fakeToken = String.valueOf(userId).getBytes();
1671 unlockUser(userId, fakeToken, fakeToken);
1672
1673 // migrate credential to GateKeeper
+Slog.d(TAG, "debug_unlock call setLockCredentialInternal begin");
1674 setLockCredentialInternal(credential, storedHash.type, null,
1675 storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN
1676 ? DevicePolicyManager.PASSWORD_QUALITY_SOMETHING
1677 : DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC
1678 /* TODO(roosa): keep the same password quality */, userId);
1679 if (!hasChallenge) {
1680 notifyActivePasswordMetricsAvailable(credential, userId);
1681 return VerifyCredentialResponse.OK;
1682 }
1683 // Fall through to get the auth token. Technically this should never happen,
1684 // as a user that had a legacy credential would have to unlock their device
1685 // before getting to a flow with a challenge, but supporting for consistency.
1686 } else {
1687 return VerifyCredentialResponse.ERROR;
1688 }
1689 }
+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge begin");
1690 GateKeeperResponse gateKeeperResponse = getGateKeeperService()
1691 .verifyChallenge(userId, challenge, storedHash.hash, credential.getBytes());
1692 VerifyCredentialResponse response = convertResponse(gateKeeperResponse);
1693 boolean shouldReEnroll = gateKeeperResponse.getShouldReEnroll();
1694
+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge end, response.getResponseCode()="+response.getResponseCode()+" shouldReEnroll="+shouldReEnroll);
1695 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {
1696
1697 // credential has matched
1698
1699 if (progressCallback != null) {
1700 progressCallback.onCredentialVerified();
1701 }
1702 notifyActivePasswordMetricsAvailable(credential, userId);
1703 unlockKeystore(credential, userId);
1704
1705 Slog.i(TAG, "Unlocking user " + userId + " with token length "
1706 + response.getPayload().length);
1707 unlockUser(userId, response.getPayload(), secretFromCredential(credential));
1708
1709 if (isManagedProfileWithSeparatedLock(userId)) {
1710 TrustManager trustManager =
1711 (TrustManager) mContext.getSystemService(Context.TRUST_SERVICE);
1712 trustManager.setDeviceLockedForUser(userId, false);
1713 }
1714 int reEnrollQuality = storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN
1715 ? DevicePolicyManager.PASSWORD_QUALITY_SOMETHING
1716 : DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC
1717 /* TODO(roosa): keep the same password quality */;
1718 if (shouldReEnroll) {
+Slog.d(TAG, "debug_unlock should reenroll, call setLockCredentialInternal once more begin");
1719 setLockCredentialInternal(credential, storedHash.type, credential,
1720 reEnrollQuality, userId);
1721 } else {
1722 // Now that we've cleared of all required GK migration, let's do the final
1723 // migration to synthetic password.
1724 synchronized (mSpManager) {
1725 if (shouldMigrateToSyntheticPasswordLocked(userId)) {
1726 AuthenticationToken auth = initializeSyntheticPasswordLocked(
1727 storedHash.hash, credential, storedHash.type, reEnrollQuality,
1728 userId);
1729 activateEscrowTokens(auth, userId);
1730 }
1731 }
1732 }
1733 } else if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_RETRY) {
1734 if (response.getTimeout() > 0) {
1735 requireStrongAuth(STRONG_AUTH_REQUIRED_AFTER_LOCKOUT, userId);
1736 }
1737 }
1738
+Slog.d(TAG, "debug_unlock verifyCredential start to return, response="+response);
1739 return response;
1740 }
2085 private VerifyCredentialResponse spBasedDoVerifyCredential(String userCredential, int
2086 credentialType, boolean hasChallenge, long challenge, int userId,
2087 ICheckCredentialProgressCallback progressCallback) throws RemoteException {
2088 if (DEBUG) Slog.d(TAG, "spBasedDoVerifyCredential: user=" + userId);
2089 if (credentialType == LockPatternUtils.CREDENTIAL_TYPE_NONE) {
2090 userCredential = null;
2091 }
2092
2093 final AuthenticationResult authResult;
2094 VerifyCredentialResponse response;
2095 synchronized (mSpManager) {
2096 if (!isSyntheticPasswordBasedCredentialLocked(userId)) {
2097 return null;
2098 }
2099 if (userId == USER_FRP) {
+Slog.d(TAG, "debug_unlock call mSpManager.verifyFrpCredential()");
2100 return mSpManager.verifyFrpCredential(getGateKeeperService(),
2101 userCredential, credentialType, progressCallback);
2102 }
2103
2104 long handle = getSyntheticPasswordHandleLocked(userId);
+Slog.d(TAG, "debug_unlock call mSpManager.unwrapPasswordBasedSyntheticPassword() begin");
2105 authResult = mSpManager.unwrapPasswordBasedSyntheticPassword(
2106 getGateKeeperService(), handle, userCredential, userId);
2107
2108 if (authResult.credentialType != credentialType) {
2109 Slog.e(TAG, "Credential type mismatch.");
2110 return VerifyCredentialResponse.ERROR;
2111 }
2112 response = authResult.gkResponse;
2113 // credential has matched
+Slog.d(TAG, "debug_unlock call mSpManager.unwrapPasswordBasedSyntheticPassword() end, response.getResponseCode()="+response.getResponseCode());
2114 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {
2115 // perform verifyChallenge with synthetic password which generates the real GK auth
2116 // token and response for the current user
+Slog.d(TAG, "debug_unlock call mSpManager.verifyChallenge() begin");
2117 response = mSpManager.verifyChallenge(getGateKeeperService(), authResult.authToken,
2118 challenge, userId);
+Slog.d(TAG, "debug_unlock call mSpManager.verifyChallenge() end, response.getResponseCode()="+response.getResponseCode());
2119 if (response.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {
2120 // This shouldn't really happen: the unwrapping of SP succeeds, but SP doesn't
2121 // match the recorded GK password handle.
2122 Slog.wtf(TAG, "verifyChallenge with SP failed.");
2123 return VerifyCredentialResponse.ERROR;
2124 }
2125 }
2126 }
2127
2128 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {
2129 if (progressCallback != null) {
2130 progressCallback.onCredentialVerified();
2131 }
2132 notifyActivePasswordMetricsAvailable(userCredential, userId);
2133 unlockKeystore(authResult.authToken.deriveKeyStorePassword(), userId);
2134
2135 final byte[] secret = authResult.authToken.deriveDiskEncryptionKey();
2136 Slog.i(TAG, "Unlocking user " + userId + " with secret only, length " + secret.length);
2137 unlockUser(userId, null, secret);
2138
2139 activateEscrowTokens(authResult.authToken, userId);
2140
2141 if (isManagedProfileWithSeparatedLock(userId)) {
2142 TrustManager trustManager =
2143 (TrustManager) mContext.getSystemService(Context.TRUST_SERVICE);
2144 trustManager.setDeviceLockedForUser(userId, false);
2145 }
2146 mStrongAuth.reportSuccessfulStrongAuthUnlock(userId);
2147 } else if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_RETRY) {
2148 if (response.getTimeout() > 0) {
2149 requireStrongAuth(STRONG_AUTH_REQUIRED_AFTER_LOCKOUT, userId);
2150 }
2151 }
2152
2153 return response;
2154 }
/frameworks/base/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
public VerifyCredentialResponse verifyFrpCredential(IGateKeeperService gatekeeper,
627 String userCredential, int credentialType,
628 ICheckCredentialProgressCallback progressCallback) throws RemoteException {
629 PersistentData persistentData = mStorage.readPersistentDataBlock();
+Slog.d(TAG, "debug_unlock persistentData.type="+persistentData.type);
630 if (persistentData.type == PersistentData.TYPE_SP) {
631 PasswordData pwd = PasswordData.fromBytes(persistentData.payload);
632 byte[] pwdToken = computePasswordToken(userCredential, pwd);
633
634 GateKeeperResponse response = gatekeeper.verifyChallenge(fakeUid(persistentData.userId),
635 0 /* challenge */, pwd.passwordHandle, passwordTokenToGkInput(pwdToken));
636 return VerifyCredentialResponse.fromGateKeeperResponse(response);
637 } else if (persistentData.type == PersistentData.TYPE_SP_WEAVER) {
638 PasswordData pwd = PasswordData.fromBytes(persistentData.payload);
639 byte[] pwdToken = computePasswordToken(userCredential, pwd);
640 int weaverSlot = persistentData.userId;
641
642 return weaverVerify(weaverSlot, passwordTokenToWeaverKey(pwdToken)).stripPayload();
643 } else {
644 Log.e(TAG, "persistentData.type must be TYPE_SP or TYPE_SP_WEAVER, but is "
645 + persistentData.type);
646 return VerifyCredentialResponse.ERROR;
647 }
648 }
785 public AuthenticationResult unwrapPasswordBasedSyntheticPassword(IGateKeeperService gatekeeper,
786 long handle, String credential, int userId) throws RemoteException {
787 if (credential == null) {
788 credential = DEFAULT_PASSWORD;
789 }
790 AuthenticationResult result = new AuthenticationResult();
791 PasswordData pwd = PasswordData.fromBytes(loadState(PASSWORD_DATA_NAME, handle, userId));
792 result.credentialType = pwd.passwordType;
793 byte[] pwdToken = computePasswordToken(credential, pwd);
794
795 final byte[] applicationId;
796 final long sid;
797 int weaverSlot = loadWeaverSlot(handle, userId);
+Slog.d(TAG, "debug_unlock weaverSlot="+weaverSlot);
798 if (weaverSlot != INVALID_WEAVER_SLOT) {
799 // Weaver based user password
800 if (!isWeaverAvailable()) {
801 Log.e(TAG, "No weaver service to unwrap password based SP");
802 result.gkResponse = VerifyCredentialResponse.ERROR;
803 return result;
804 }
805 result.gkResponse = weaverVerify(weaverSlot, passwordTokenToWeaverKey(pwdToken));
806 if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {
807 return result;
808 }
809 sid = GateKeeper.INVALID_SECURE_USER_ID;
810 applicationId = transformUnderWeaverSecret(pwdToken, result.gkResponse.getPayload());
811 } else {
812 byte[] gkPwdToken = passwordTokenToGkInput(pwdToken);
+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge begin");
813 GateKeeperResponse response = gatekeeper.verifyChallenge(fakeUid(userId), 0L,
814 pwd.passwordHandle, gkPwdToken);
815 int responseCode = response.getResponseCode();
+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge end responseCode="+responseCode);
816 if (responseCode == GateKeeperResponse.RESPONSE_OK) {
817 result.gkResponse = VerifyCredentialResponse.OK;
818 if (response.getShouldReEnroll()) {
819 GateKeeperResponse reenrollResponse = gatekeeper.enroll(fakeUid(userId),
820 pwd.passwordHandle, gkPwdToken, gkPwdToken);
821 if (reenrollResponse.getResponseCode() == GateKeeperResponse.RESPONSE_OK) {
822 pwd.passwordHandle = reenrollResponse.getPayload();
823 saveState(PASSWORD_DATA_NAME, pwd.toBytes(), handle, userId);
824 synchronizeFrpPassword(pwd,
825 pwd.passwordType == LockPatternUtils.CREDENTIAL_TYPE_PATTERN
826 ? DevicePolicyManager.PASSWORD_QUALITY_SOMETHING
827 : DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC
828 /* TODO(roosa): keep the same password quality */,
829 userId);
830 } else {
831 Log.w(TAG, "Fail to re-enroll user password for user " + userId);
832 // continue the flow anyway
833 }
834 }
835 } else if (responseCode == GateKeeperResponse.RESPONSE_RETRY) {
836 result.gkResponse = new VerifyCredentialResponse(response.getTimeout());
837 return result;
838 } else {
839 result.gkResponse = VerifyCredentialResponse.ERROR;
840 return result;
841 }
842 sid = sidFromPasswordHandle(pwd.passwordHandle);
843 applicationId = transformUnderSecdiscardable(pwdToken,
844 loadSecdiscardable(handle, userId));
845 }
846
847 result.authToken = unwrapSyntheticPasswordBlob(handle, SYNTHETIC_PASSWORD_PASSWORD_BASED,
848 applicationId, sid, userId);
849
850 // Perform verifyChallenge to refresh auth tokens for GK if user password exists.
851 result.gkResponse = verifyChallenge(gatekeeper, result.authToken, 0L, userId);
852 return result;
853 }
(2)native层
/system/core/gatekeeperd/gatekeeperd.cpp
140 virtual int enroll(uint32_t uid,
141 const uint8_t *current_password_handle, uint32_t current_password_handle_length,
142 const uint8_t *current_password, uint32_t current_password_length,
143 const uint8_t *desired_password, uint32_t desired_password_length,
144 uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
145 IPCThreadState* ipc = IPCThreadState::self();
146 const int calling_pid = ipc->getCallingPid();
147 const int calling_uid = ipc->getCallingUid();
+ALOGD("debug_unlock, gatekeeper enroll enter\n");
148 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
149 return PERMISSION_DENIED;
150 }
151
152 // Make sure to clear any state from before factory reset as soon as a credential is
153 // enrolled (which may happen during device setup).
154 clear_state_if_needed();
155
156 // need a desired password to enroll
157 if (desired_password_length == 0) return -EINVAL;
158
159 int ret;
160 if (hw_device != nullptr) {
161 const gatekeeper::password_handle_t *handle =
162 reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle);
163
164 if (handle != NULL && handle->version != 0 && !handle->hardware_backed) {
165 // handle is being re-enrolled from a software version. HAL probably won't accept
166 // the handle as valid, so we nullify it and enroll from scratch
167 current_password_handle = NULL;
168 current_password_handle_length = 0;
169 current_password = NULL;
170 current_password_length = 0;
171 }
172
173 android::hardware::hidl_vec<uint8_t> curPwdHandle;
174 curPwdHandle.setToExternal(const_cast<uint8_t*>(current_password_handle),
175 current_password_handle_length);
176 android::hardware::hidl_vec<uint8_t> curPwd;
177 curPwd.setToExternal(const_cast<uint8_t*>(current_password),
178 current_password_length);
179 android::hardware::hidl_vec<uint8_t> newPwd;
180 newPwd.setToExternal(const_cast<uint8_t*>(desired_password),
181 desired_password_length);
182
+ALOGI("debug_unlock hardware gatekeeper enroll begin.");
183 Return<void> hwRes = hw_device->enroll(uid, curPwdHandle, curPwd, newPwd,
184 [&ret, enrolled_password_handle, enrolled_password_handle_length]
185 (const GatekeeperResponse &rsp) {
+ALOGI("debug_unlock hardware gatekeeper enroll end. rsp.code=%d, rsp.timeout=%d", rsp.code, rsp.timeout);
186 ret = static_cast<int>(rsp.code); // propagate errors
187 if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
188 if (enrolled_password_handle != nullptr &&
189 enrolled_password_handle_length != nullptr) {
190 *enrolled_password_handle = new uint8_t[rsp.data.size()];
191 *enrolled_password_handle_length = rsp.data.size();
192 memcpy(*enrolled_password_handle, rsp.data.data(),
193 *enrolled_password_handle_length);
194 }
195 ret = 0; // all success states are reported as 0
196 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT && rsp.timeout > 0) {
197 ret = rsp.timeout;
198 }
199 });
200 if (!hwRes.isOk()) {
201 ALOGE("enroll transaction failed\n");
202 ret = -1;
203 }
204 } else {
+ALOGI("debug_unlock software enroll begin.");
205 ret = soft_device->enroll(uid,
206 current_password_handle, current_password_handle_length,
207 current_password, current_password_length,
208 desired_password, desired_password_length,
209 enrolled_password_handle, enrolled_password_handle_length);
210 }
+ALOGI("debug_unlock gatekeeper ret=%d\n", ret);
211
212 if (ret == GATEKEEPER_RESPONSE_OK && (*enrolled_password_handle == nullptr ||
213 *enrolled_password_handle_length != sizeof(password_handle_t))) {
214 ret = GATEKEEPER_RESPONSE_ERROR;
215 ALOGE("HAL: password_handle=%p size_of_handle=%" PRIu32 "\n",
216 *enrolled_password_handle, *enrolled_password_handle_length);
217 }
218
219 if (ret == GATEKEEPER_RESPONSE_OK) {
220 gatekeeper::password_handle_t *handle =
221 reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);
222 store_sid(uid, handle->user_id);
223 bool rr;
224
225 // immediately verify this password so we don't ask the user to enter it again
226 // if they just created it.
227 verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password,
228 desired_password_length, &rr);
229 }
230
231 return ret;
232 }
244 virtual int verifyChallenge(uint32_t uid, uint64_t challenge,
245 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
246 const uint8_t *provided_password, uint32_t provided_password_length,
247 uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
248 IPCThreadState* ipc = IPCThreadState::self();
249 const int calling_pid = ipc->getCallingPid();
250 const int calling_uid = ipc->getCallingUid();
+ALOGD("debug_unlock, gatekeeper verifyChallenge enter\n");
251 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
252 return PERMISSION_DENIED;
253 }
254
255 // can't verify if we're missing either param
256 if ((enrolled_password_handle_length | provided_password_length) == 0)
257 return -EINVAL;
258
259 int ret;
260 if (hw_device != nullptr) {
261 const gatekeeper::password_handle_t *handle =
262 reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle);
263 // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to
264 // a HAL if there was none before
265 if (handle->version == 0 || handle->hardware_backed) {
266 android::hardware::hidl_vec<uint8_t> curPwdHandle;
267 curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolled_password_handle),
268 enrolled_password_handle_length);
269 android::hardware::hidl_vec<uint8_t> enteredPwd;
270 enteredPwd.setToExternal(const_cast<uint8_t*>(provided_password),
271 provided_password_length);
+ALOGD("debug_unlock, hardware gatekeeper verify begin\n");
272 Return<void> hwRes = hw_device->verify(uid, challenge, curPwdHandle, enteredPwd,
273 [&ret, request_reenroll, auth_token, auth_token_length]
274 (const GatekeeperResponse &rsp) {
275 ret = static_cast<int>(rsp.code); // propagate errors
276 if (auth_token != nullptr && auth_token_length != nullptr &&
277 rsp.code >= GatekeeperStatusCode::STATUS_OK) {
278 *auth_token = new uint8_t[rsp.data.size()];
279 *auth_token_length = rsp.data.size();
280 memcpy(*auth_token, rsp.data.data(), *auth_token_length);
281 if (request_reenroll != nullptr) {
282 *request_reenroll = (rsp.code == GatekeeperStatusCode::STATUS_REENROLL);
283 }
284 ret = 0; // all success states are reported as 0
285 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&
286 rsp.timeout > 0) {
287 ret = rsp.timeout;
288 }
289 });
290 if (!hwRes.isOk()) {
291 ALOGE("verify transaction failed\n");
292 ret = -1;
293 }
294 } else {
295 // upgrade scenario, a HAL has been added to this device where there was none before
296 SoftGateKeeperDevice soft_dev;
+ALOGD("debug_unlock, software verify begin\n");
297 ret = soft_dev.verify(uid, challenge,
298 enrolled_password_handle, enrolled_password_handle_length,
299 provided_password, provided_password_length, auth_token, auth_token_length,
300 request_reenroll);
301
302 if (ret == 0) {
303 // success! re-enroll with HAL
304 *request_reenroll = true;
305 }
306 }
307 } else {
+ALOGD("debug_unlock, software verify begin\n");
308 ret = soft_device->verify(uid, challenge,
309 enrolled_password_handle, enrolled_password_handle_length,
310 provided_password, provided_password_length, auth_token, auth_token_length,
311 request_reenroll);
312 }
313
+ALOGD("debug_unlock, verifyChallenge ret=%d\n", ret);
314 if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) {
315 // TODO: cache service?
316 sp<IServiceManager> sm = defaultServiceManager();
317 sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
318 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
319 if (service != NULL) {
320 auto ret = service->addAuthToken(*auth_token, *auth_token_length);
321 if (!ret.isOk()) {
322 ALOGE("Failure sending auth token to KeyStore: %" PRId32, int32_t(ret));
323 }
324 } else {
325 ALOGE("Unable to communicate with KeyStore");
326 }
327 }
328
329 if (ret == 0) {
330 maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(
331 enrolled_password_handle)->user_id);
332 }
333
+ALOGD("debug_unlock, verifyChallenge return ret=%d\n", ret);
334 return ret;
335 }
项目上在take MTK 提供的某个漏洞patch 导致在设置特定次数锁会出现一个问题“一个setting下清空锁屏密码后会无法进入锁屏密码设置的情况”
log输出:
03-13 13:35:22.602 473 473 I GateKeeperService: BnGateKeeperService::onTransact....code = :3
03-13 13:35:22.602 473 473 I gatekeeperd: verifyChallenge start.
03-13 13:35:22.602 473 473 I gatekeeperd: hardware gatekeeper verify begin.
03-13 13:35:22.602 473 473 I gatekeeperd: gatekeeper hw_device->verify before: �,64
03-13 13:35:22.621 473 473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): 0
03-13 13:35:22.621 473 473 I gatekeeperd: gatekeeper verify end. ret: 0
03-13 13:35:22.640 792 1020 D LockSettingsService: setLockCredentialWithAuthTokenLocked: user=0
03-13 13:35:22.684 473 473 I GateKeeperService: BnGateKeeperService::onTransact....code = :5
03-13 13:35:22.685 473 473 I GateKeeperService: BnGateKeeperService::onTransact....code = :1
03-13 13:35:22.685 473 473 I gatekeeperd: enroll
03-13 13:35:22.695 473 473 I gatekeeperd: hardware gatekeeper enroll begin.
03-13 13:35:22.695 473 473 I gatekeeperd: enroll end. ret: 0
03-13 13:35:22.696 473 473 I gatekeeperd: internal verify begin.
03-13 13:35:22.696 473 473 I gatekeeperd: verify.......
03-13 13:35:22.696 473 473 I gatekeeperd: verifyChallenge start.
03-13 13:35:22.696 473 473 I gatekeeperd: hardware gatekeeper verify begin.
03-13 13:35:22.696 473 473 I gatekeeperd: gatekeeper hw_device->verify before: m,64
03-13 13:35:22.707 473 473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): -1
03-13 13:35:22.707 473 473 I gatekeeperd: gatekeeper verify end. ret: -1
03-13 13:35:22.707 473 473 I gatekeeperd: internal verify end.
03-13 13:35:22.779 473 473 I GateKeeperService: BnGateKeeperService::onTransact....code = :1
03-13 13:35:22.779 473 473 I gatekeeperd: enroll
03-13 13:35:22.789 473 473 I gatekeeperd: hardware gatekeeper enroll begin.
03-13 13:35:22.789 473 473 I gatekeeperd: enroll end. ret: 0
03-13 13:35:22.789 473 473 I gatekeeperd: internal verify begin.
03-13 13:35:22.789 473 473 I gatekeeperd: verify.......
03-13 13:35:22.789 473 473 I gatekeeperd: verifyChallenge start.
03-13 13:35:22.789 473 473 I gatekeeperd: hardware gatekeeper verify begin.
03-13 13:35:22.789 473 473 I gatekeeperd: gatekeeper hw_device->verify before: �,64
03-13 13:35:22.800 473 473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): -1
03-13 13:35:22.800 473 473 I gatekeeperd: gatekeeper verify end. ret: -1
03-13 13:35:22.800 473 473 I gatekeeperd: internal verify end.
03-13 13:35:22.804 473 473 I GateKeeperService: BnGateKeeperService::onTransact....code = :3
03-13 13:35:22.804 473 473 I gatekeeperd: verifyChallenge start.
03-13 13:35:22.805 473 473 I gatekeeperd: hardware gatekeeper verify begin.
03-13 13:35:22.805 473 473 I gatekeeperd: gatekeeper hw_device->verify before: �,64
03-13 13:35:22.815 473 473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): -1
03-13 13:35:22.815 473 473 I gatekeeperd: gatekeeper verify end. ret: -1
03-13 13:35:22.815 792 1020 D LockSettingsService: setAuthlessUserKeyProtectiond: user=0
03-13 13:35:22.820 792 1020 D LockSettingsService: fixateNewestUserKeyAuth: user=0
03-13 13:35:22.969 792 1020 V LockSettingsService: Remove keystore profile key for user: 0
在tee中验证密码:
/hardware/interfaces/gatekeeper/1.0/default/Gatekeeper.cpp
85 Return<void> Gatekeeper::verify(uint32_t uid,
86 uint64_t challenge,
87 const hidl_vec<uint8_t>& enrolledPasswordHandle,
88 const hidl_vec<uint8_t>& providedPassword,
89 verify_cb cb)
90 {
91 GatekeeperResponse rsp;
92 uint8_t *auth_token = nullptr;
93 uint32_t auth_token_length = 0;
94 bool request_reenroll = false;
95
96 int ret = device->verify(device, uid, challenge,
97 enrolledPasswordHandle.data(), enrolledPasswordHandle.size(),
98 providedPassword.data(), providedPassword.size(),
99 &auth_token, &auth_token_length,
100 &request_reenroll);
101 if (!ret) {
102 rsp.data.setToExternal(auth_token, auth_token_length, true);
103 if (request_reenroll) {
104 rsp.code = GatekeeperStatusCode::STATUS_REENROLL;
105 } else {
106 rsp.code = GatekeeperStatusCode::STATUS_OK;
107 }
108 } else if (ret > 0) {
109 rsp.timeout = ret;
110 rsp.code = GatekeeperStatusCode::ERROR_RETRY_TIMEOUT;
111 } else {
112 rsp.code = GatekeeperStatusCode::ERROR_GENERAL_FAILURE;
113 }
114 cb(rsp);
115 return Void();
116 }
