Android无法解锁debug
16lz
2021-12-04
Android密码验证这条流程几乎没什么log,遇到无法解锁或者解锁慢的问题需要手动添加log
(1)frameworks层log
/frameworks/base/services/core/java/com/android/server/locksettings/LockSettingsService.java
private static final boolean DEBUG = false; //改为trueprivate VerifyCredentialResponse doVerifyCredential(String credential, int credentialType,1542 boolean hasChallenge, long challenge, int userId,1543 ICheckCredentialProgressCallback progressCallback) throws RemoteException {1544 if (TextUtils.isEmpty(credential)) {1545 throw new IllegalArgumentException("Credential can't be null or empty");1546 }1547 if (userId == USER_FRP && Settings.Global.getInt(mContext.getContentResolver(),1548 Settings.Global.DEVICE_PROVISIONED, 0) != 0) {1549 Slog.e(TAG, "FRP credential can only be verified prior to provisioning.");1550 return VerifyCredentialResponse.ERROR;1551 }1552 VerifyCredentialResponse response = null;+Slog.d(TAG, "debug_unlock call spBasedDoVerifyCredential begin");1553 response = spBasedDoVerifyCredential(credential, credentialType, hasChallenge, challenge,1554 userId, progressCallback);+Slog.d(TAG, "debug_unlock call spBasedDoVerifyCredential end, (response==null)="+(response==null)+" userId="+userId);1555 // The user employs synthetic password based credential.1556 if (response != null) {1557 return response;1558 }15591560 if (userId == USER_FRP) {1561 Slog.wtf(TAG, "Unexpected FRP credential type, should be SP based.");1562 return VerifyCredentialResponse.ERROR;1563 }15641565 final CredentialHash storedHash = mStorage.readCredentialHash(userId);1566 if (storedHash.type != credentialType) {1567 Slog.wtf(TAG, "doVerifyCredential type mismatch with stored credential??"1568 + " stored: " + storedHash.type + " passed in: " + credentialType);1569 return VerifyCredentialResponse.ERROR;1570 }15711572 boolean shouldReEnrollBaseZero = storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN1573 && storedHash.isBaseZeroPattern;15741575 String credentialToVerify;1576 if (shouldReEnrollBaseZero) {1577 credentialToVerify = LockPatternUtils.patternStringToBaseZero(credential);1578 } else {1579 credentialToVerify = credential;1580 }1581+Slog.d(TAG, "call verifyCredential begin");1582 response = verifyCredential(userId, storedHash, credentialToVerify,1583 hasChallenge, challenge, progressCallback);+Slog.d(TAG, "debug_unlock call verifyCredential end, response.getResponseCode()="+response.getResponseCode());15841585 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {1586 mStrongAuth.reportSuccessfulStrongAuthUnlock(userId);1587 if (shouldReEnrollBaseZero) {1588 setLockCredentialInternal(credential, storedHash.type, credentialToVerify,1589 DevicePolicyManager.PASSWORD_QUALITY_SOMETHING, userId);1590 }1591 }15921593 return response;1594 }1638 private VerifyCredentialResponse verifyCredential(int userId, CredentialHash storedHash,1639 String credential, boolean hasChallenge, long challenge,1640 ICheckCredentialProgressCallback progressCallback) throws RemoteException {+Slog.d(TAG, "debug_unlock call verifyCredential enter");1641 if ((storedHash == null || storedHash.hash.length == 0) && TextUtils.isEmpty(credential)) {1642 // don't need to pass empty credentials to GateKeeper1643 return VerifyCredentialResponse.OK;1644 }16451646 if (storedHash == null || TextUtils.isEmpty(credential)) {1647 return VerifyCredentialResponse.ERROR;1648 }16491650 // We're potentially going to be doing a bunch of disk I/O below as part1651 // of unlocking the user, so yell if calling from the main thread.1652 StrictMode.noteDiskRead();16531654 if (storedHash.version == CredentialHash.VERSION_LEGACY) {1655 final byte[] hash;1656 if (storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {1657 hash = LockPatternUtils.patternToHash(LockPatternUtils.stringToPattern(credential));1658 } else {1659 hash = mLockPatternUtils.passwordToHash(credential, userId);1660 }1661 if (Arrays.equals(hash, storedHash.hash)) {1662 if (storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN) {1663 unlockKeystore(LockPatternUtils.patternStringToBaseZero(credential), userId);1664 } else {1665 unlockKeystore(credential, userId);1666 }1667 // Users with legacy credentials don't have credential-backed1668 // FBE keys, so just pass through a fake token/secret1669 Slog.i(TAG, "Unlocking user with fake token: " + userId);1670 final byte[] fakeToken = String.valueOf(userId).getBytes();1671 unlockUser(userId, fakeToken, fakeToken);16721673 // migrate credential to GateKeeper+Slog.d(TAG, "debug_unlock call setLockCredentialInternal begin");1674 setLockCredentialInternal(credential, storedHash.type, null,1675 storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN1676 ? DevicePolicyManager.PASSWORD_QUALITY_SOMETHING1677 : DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC1678 /* TODO(roosa): keep the same password quality */, userId);1679 if (!hasChallenge) {1680 notifyActivePasswordMetricsAvailable(credential, userId);1681 return VerifyCredentialResponse.OK;1682 }1683 // Fall through to get the auth token. Technically this should never happen,1684 // as a user that had a legacy credential would have to unlock their device1685 // before getting to a flow with a challenge, but supporting for consistency.1686 } else {1687 return VerifyCredentialResponse.ERROR;1688 }1689 }+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge begin");1690 GateKeeperResponse gateKeeperResponse = getGateKeeperService()1691 .verifyChallenge(userId, challenge, storedHash.hash, credential.getBytes());1692 VerifyCredentialResponse response = convertResponse(gateKeeperResponse);1693 boolean shouldReEnroll = gateKeeperResponse.getShouldReEnroll();1694+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge end, response.getResponseCode()="+response.getResponseCode()+" shouldReEnroll="+shouldReEnroll);1695 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {16961697 // credential has matched16981699 if (progressCallback != null) {1700 progressCallback.onCredentialVerified();1701 }1702 notifyActivePasswordMetricsAvailable(credential, userId);1703 unlockKeystore(credential, userId);17041705 Slog.i(TAG, "Unlocking user " + userId + " with token length "1706 + response.getPayload().length);1707 unlockUser(userId, response.getPayload(), secretFromCredential(credential));17081709 if (isManagedProfileWithSeparatedLock(userId)) {1710 TrustManager trustManager =1711 (TrustManager) mContext.getSystemService(Context.TRUST_SERVICE);1712 trustManager.setDeviceLockedForUser(userId, false);1713 }1714 int reEnrollQuality = storedHash.type == LockPatternUtils.CREDENTIAL_TYPE_PATTERN1715 ? DevicePolicyManager.PASSWORD_QUALITY_SOMETHING1716 : DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC1717 /* TODO(roosa): keep the same password quality */;1718 if (shouldReEnroll) {+Slog.d(TAG, "debug_unlock should reenroll, call setLockCredentialInternal once more begin");1719 setLockCredentialInternal(credential, storedHash.type, credential,1720 reEnrollQuality, userId);1721 } else {1722 // Now that we've cleared of all required GK migration, let's do the final1723 // migration to synthetic password.1724 synchronized (mSpManager) {1725 if (shouldMigrateToSyntheticPasswordLocked(userId)) {1726 AuthenticationToken auth = initializeSyntheticPasswordLocked(1727 storedHash.hash, credential, storedHash.type, reEnrollQuality,1728 userId);1729 activateEscrowTokens(auth, userId);1730 }1731 }1732 }1733 } else if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_RETRY) {1734 if (response.getTimeout() > 0) {1735 requireStrongAuth(STRONG_AUTH_REQUIRED_AFTER_LOCKOUT, userId);1736 }1737 }1738+Slog.d(TAG, "debug_unlock verifyCredential start to return, response="+response);1739 return response;1740 }2085 private VerifyCredentialResponse spBasedDoVerifyCredential(String userCredential, int2086 credentialType, boolean hasChallenge, long challenge, int userId,2087 ICheckCredentialProgressCallback progressCallback) throws RemoteException {2088 if (DEBUG) Slog.d(TAG, "spBasedDoVerifyCredential: user=" + userId);2089 if (credentialType == LockPatternUtils.CREDENTIAL_TYPE_NONE) {2090 userCredential = null;2091 }20922093 final AuthenticationResult authResult;2094 VerifyCredentialResponse response;2095 synchronized (mSpManager) {2096 if (!isSyntheticPasswordBasedCredentialLocked(userId)) {2097 return null;2098 }2099 if (userId == USER_FRP) {+Slog.d(TAG, "debug_unlock call mSpManager.verifyFrpCredential()");2100 return mSpManager.verifyFrpCredential(getGateKeeperService(),2101 userCredential, credentialType, progressCallback);2102 }21032104 long handle = getSyntheticPasswordHandleLocked(userId);+Slog.d(TAG, "debug_unlock call mSpManager.unwrapPasswordBasedSyntheticPassword() begin");2105 authResult = mSpManager.unwrapPasswordBasedSyntheticPassword(2106 getGateKeeperService(), handle, userCredential, userId);21072108 if (authResult.credentialType != credentialType) {2109 Slog.e(TAG, "Credential type mismatch.");2110 return VerifyCredentialResponse.ERROR;2111 }2112 response = authResult.gkResponse;2113 // credential has matched+Slog.d(TAG, "debug_unlock call mSpManager.unwrapPasswordBasedSyntheticPassword() end, response.getResponseCode()="+response.getResponseCode());2114 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {2115 // perform verifyChallenge with synthetic password which generates the real GK auth2116 // token and response for the current user+Slog.d(TAG, "debug_unlock call mSpManager.verifyChallenge() begin");2117 response = mSpManager.verifyChallenge(getGateKeeperService(), authResult.authToken,2118 challenge, userId);+Slog.d(TAG, "debug_unlock call mSpManager.verifyChallenge() end, response.getResponseCode()="+response.getResponseCode());2119 if (response.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {2120 // This shouldn't really happen: the unwrapping of SP succeeds, but SP doesn't2121 // match the recorded GK password handle.2122 Slog.wtf(TAG, "verifyChallenge with SP failed.");2123 return VerifyCredentialResponse.ERROR;2124 }2125 }2126 }21272128 if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) {2129 if (progressCallback != null) {2130 progressCallback.onCredentialVerified();2131 }2132 notifyActivePasswordMetricsAvailable(userCredential, userId);2133 unlockKeystore(authResult.authToken.deriveKeyStorePassword(), userId);21342135 final byte[] secret = authResult.authToken.deriveDiskEncryptionKey();2136 Slog.i(TAG, "Unlocking user " + userId + " with secret only, length " + secret.length);2137 unlockUser(userId, null, secret);21382139 activateEscrowTokens(authResult.authToken, userId);21402141 if (isManagedProfileWithSeparatedLock(userId)) {2142 TrustManager trustManager =2143 (TrustManager) mContext.getSystemService(Context.TRUST_SERVICE);2144 trustManager.setDeviceLockedForUser(userId, false);2145 }2146 mStrongAuth.reportSuccessfulStrongAuthUnlock(userId);2147 } else if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_RETRY) {2148 if (response.getTimeout() > 0) {2149 requireStrongAuth(STRONG_AUTH_REQUIRED_AFTER_LOCKOUT, userId);2150 }2151 }21522153 return response;2154 }
/frameworks/base/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
public VerifyCredentialResponse verifyFrpCredential(IGateKeeperService gatekeeper,627 String userCredential, int credentialType,628 ICheckCredentialProgressCallback progressCallback) throws RemoteException {629 PersistentData persistentData = mStorage.readPersistentDataBlock();+Slog.d(TAG, "debug_unlock persistentData.type="+persistentData.type);630 if (persistentData.type == PersistentData.TYPE_SP) {631 PasswordData pwd = PasswordData.fromBytes(persistentData.payload);632 byte[] pwdToken = computePasswordToken(userCredential, pwd);633634 GateKeeperResponse response = gatekeeper.verifyChallenge(fakeUid(persistentData.userId),635 0 /* challenge */, pwd.passwordHandle, passwordTokenToGkInput(pwdToken));636 return VerifyCredentialResponse.fromGateKeeperResponse(response);637 } else if (persistentData.type == PersistentData.TYPE_SP_WEAVER) {638 PasswordData pwd = PasswordData.fromBytes(persistentData.payload);639 byte[] pwdToken = computePasswordToken(userCredential, pwd);640 int weaverSlot = persistentData.userId;641642 return weaverVerify(weaverSlot, passwordTokenToWeaverKey(pwdToken)).stripPayload();643 } else {644 Log.e(TAG, "persistentData.type must be TYPE_SP or TYPE_SP_WEAVER, but is "645 + persistentData.type);646 return VerifyCredentialResponse.ERROR;647 }648 } 785 public AuthenticationResult unwrapPasswordBasedSyntheticPassword(IGateKeeperService gatekeeper,786 long handle, String credential, int userId) throws RemoteException {787 if (credential == null) {788 credential = DEFAULT_PASSWORD;789 }790 AuthenticationResult result = new AuthenticationResult();791 PasswordData pwd = PasswordData.fromBytes(loadState(PASSWORD_DATA_NAME, handle, userId));792 result.credentialType = pwd.passwordType;793 byte[] pwdToken = computePasswordToken(credential, pwd);794795 final byte[] applicationId;796 final long sid;797 int weaverSlot = loadWeaverSlot(handle, userId);+Slog.d(TAG, "debug_unlock weaverSlot="+weaverSlot);798 if (weaverSlot != INVALID_WEAVER_SLOT) {799 // Weaver based user password800 if (!isWeaverAvailable()) {801 Log.e(TAG, "No weaver service to unwrap password based SP");802 result.gkResponse = VerifyCredentialResponse.ERROR;803 return result;804 }805 result.gkResponse = weaverVerify(weaverSlot, passwordTokenToWeaverKey(pwdToken));806 if (result.gkResponse.getResponseCode() != VerifyCredentialResponse.RESPONSE_OK) {807 return result;808 }809 sid = GateKeeper.INVALID_SECURE_USER_ID;810 applicationId = transformUnderWeaverSecret(pwdToken, result.gkResponse.getPayload());811 } else {812 byte[] gkPwdToken = passwordTokenToGkInput(pwdToken);+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge begin");813 GateKeeperResponse response = gatekeeper.verifyChallenge(fakeUid(userId), 0L,814 pwd.passwordHandle, gkPwdToken);815 int responseCode = response.getResponseCode();+Slog.d(TAG, "debug_unlock call gatekeeper.verifyChallenge end responseCode="+responseCode);816 if (responseCode == GateKeeperResponse.RESPONSE_OK) {817 result.gkResponse = VerifyCredentialResponse.OK;818 if (response.getShouldReEnroll()) {819 GateKeeperResponse reenrollResponse = gatekeeper.enroll(fakeUid(userId),820 pwd.passwordHandle, gkPwdToken, gkPwdToken);821 if (reenrollResponse.getResponseCode() == GateKeeperResponse.RESPONSE_OK) {822 pwd.passwordHandle = reenrollResponse.getPayload();823 saveState(PASSWORD_DATA_NAME, pwd.toBytes(), handle, userId);824 synchronizeFrpPassword(pwd,825 pwd.passwordType == LockPatternUtils.CREDENTIAL_TYPE_PATTERN826 ? DevicePolicyManager.PASSWORD_QUALITY_SOMETHING827 : DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC828 /* TODO(roosa): keep the same password quality */,829 userId);830 } else {831 Log.w(TAG, "Fail to re-enroll user password for user " + userId);832 // continue the flow anyway833 }834 }835 } else if (responseCode == GateKeeperResponse.RESPONSE_RETRY) {836 result.gkResponse = new VerifyCredentialResponse(response.getTimeout());837 return result;838 } else {839 result.gkResponse = VerifyCredentialResponse.ERROR;840 return result;841 }842 sid = sidFromPasswordHandle(pwd.passwordHandle);843 applicationId = transformUnderSecdiscardable(pwdToken,844 loadSecdiscardable(handle, userId));845 }846847 result.authToken = unwrapSyntheticPasswordBlob(handle, SYNTHETIC_PASSWORD_PASSWORD_BASED,848 applicationId, sid, userId);849850 // Perform verifyChallenge to refresh auth tokens for GK if user password exists.851 result.gkResponse = verifyChallenge(gatekeeper, result.authToken, 0L, userId);852 return result;853 }
(2)native层
/system/core/gatekeeperd/gatekeeperd.cpp
140 virtual int enroll(uint32_t uid,141 const uint8_t *current_password_handle, uint32_t current_password_handle_length,142 const uint8_t *current_password, uint32_t current_password_length,143 const uint8_t *desired_password, uint32_t desired_password_length,144 uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {145 IPCThreadState* ipc = IPCThreadState::self();146 const int calling_pid = ipc->getCallingPid();147 const int calling_uid = ipc->getCallingUid();+ALOGD("debug_unlock, gatekeeper enroll enter\n");148 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {149 return PERMISSION_DENIED;150 }151152 // Make sure to clear any state from before factory reset as soon as a credential is153 // enrolled (which may happen during device setup).154 clear_state_if_needed();155156 // need a desired password to enroll157 if (desired_password_length == 0) return -EINVAL;158159 int ret;160 if (hw_device != nullptr) {161 const gatekeeper::password_handle_t *handle =162 reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle);163164 if (handle != NULL && handle->version != 0 && !handle->hardware_backed) {165 // handle is being re-enrolled from a software version. HAL probably won't accept166 // the handle as valid, so we nullify it and enroll from scratch167 current_password_handle = NULL;168 current_password_handle_length = 0;169 current_password = NULL;170 current_password_length = 0;171 }172173 android::hardware::hidl_vec<uint8_t> curPwdHandle;174 curPwdHandle.setToExternal(const_cast<uint8_t*>(current_password_handle),175 current_password_handle_length);176 android::hardware::hidl_vec<uint8_t> curPwd;177 curPwd.setToExternal(const_cast<uint8_t*>(current_password),178 current_password_length);179 android::hardware::hidl_vec<uint8_t> newPwd;180 newPwd.setToExternal(const_cast<uint8_t*>(desired_password),181 desired_password_length);182+ALOGI("debug_unlock hardware gatekeeper enroll begin.");183 Return<void> hwRes = hw_device->enroll(uid, curPwdHandle, curPwd, newPwd,184 [&ret, enrolled_password_handle, enrolled_password_handle_length]185 (const GatekeeperResponse &rsp) {+ALOGI("debug_unlock hardware gatekeeper enroll end. rsp.code=%d, rsp.timeout=%d", rsp.code, rsp.timeout);186 ret = static_cast<int>(rsp.code); // propagate errors187 if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {188 if (enrolled_password_handle != nullptr &&189 enrolled_password_handle_length != nullptr) {190 *enrolled_password_handle = new uint8_t[rsp.data.size()];191 *enrolled_password_handle_length = rsp.data.size();192 memcpy(*enrolled_password_handle, rsp.data.data(),193 *enrolled_password_handle_length);194 }195 ret = 0; // all success states are reported as 0196 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT && rsp.timeout > 0) {197 ret = rsp.timeout;198 }199 });200 if (!hwRes.isOk()) {201 ALOGE("enroll transaction failed\n");202 ret = -1;203 }204 } else {+ALOGI("debug_unlock software enroll begin.");205 ret = soft_device->enroll(uid,206 current_password_handle, current_password_handle_length,207 current_password, current_password_length,208 desired_password, desired_password_length,209 enrolled_password_handle, enrolled_password_handle_length);210 }+ALOGI("debug_unlock gatekeeper ret=%d\n", ret);211212 if (ret == GATEKEEPER_RESPONSE_OK && (*enrolled_password_handle == nullptr ||213 *enrolled_password_handle_length != sizeof(password_handle_t))) {214 ret = GATEKEEPER_RESPONSE_ERROR;215 ALOGE("HAL: password_handle=%p size_of_handle=%" PRIu32 "\n",216 *enrolled_password_handle, *enrolled_password_handle_length);217 }218219 if (ret == GATEKEEPER_RESPONSE_OK) {220 gatekeeper::password_handle_t *handle =221 reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);222 store_sid(uid, handle->user_id);223 bool rr;224225 // immediately verify this password so we don't ask the user to enter it again226 // if they just created it.227 verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password,228 desired_password_length, &rr);229 }230231 return ret;232 }244 virtual int verifyChallenge(uint32_t uid, uint64_t challenge,245 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,246 const uint8_t *provided_password, uint32_t provided_password_length,247 uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {248 IPCThreadState* ipc = IPCThreadState::self();249 const int calling_pid = ipc->getCallingPid();250 const int calling_uid = ipc->getCallingUid();+ALOGD("debug_unlock, gatekeeper verifyChallenge enter\n");251 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {252 return PERMISSION_DENIED;253 }254255 // can't verify if we're missing either param256 if ((enrolled_password_handle_length | provided_password_length) == 0)257 return -EINVAL;258259 int ret;260 if (hw_device != nullptr) {261 const gatekeeper::password_handle_t *handle =262 reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle);263 // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to264 // a HAL if there was none before265 if (handle->version == 0 || handle->hardware_backed) {266 android::hardware::hidl_vec<uint8_t> curPwdHandle;267 curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolled_password_handle),268 enrolled_password_handle_length);269 android::hardware::hidl_vec<uint8_t> enteredPwd;270 enteredPwd.setToExternal(const_cast<uint8_t*>(provided_password),271 provided_password_length);+ALOGD("debug_unlock, hardware gatekeeper verify begin\n");272 Return<void> hwRes = hw_device->verify(uid, challenge, curPwdHandle, enteredPwd,273 [&ret, request_reenroll, auth_token, auth_token_length]274 (const GatekeeperResponse &rsp) {275 ret = static_cast<int>(rsp.code); // propagate errors276 if (auth_token != nullptr && auth_token_length != nullptr &&277 rsp.code >= GatekeeperStatusCode::STATUS_OK) {278 *auth_token = new uint8_t[rsp.data.size()];279 *auth_token_length = rsp.data.size();280 memcpy(*auth_token, rsp.data.data(), *auth_token_length);281 if (request_reenroll != nullptr) {282 *request_reenroll = (rsp.code == GatekeeperStatusCode::STATUS_REENROLL);283 }284 ret = 0; // all success states are reported as 0285 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&286 rsp.timeout > 0) {287 ret = rsp.timeout;288 }289 });290 if (!hwRes.isOk()) {291 ALOGE("verify transaction failed\n");292 ret = -1;293 }294 } else {295 // upgrade scenario, a HAL has been added to this device where there was none before296 SoftGateKeeperDevice soft_dev;+ALOGD("debug_unlock, software verify begin\n");297 ret = soft_dev.verify(uid, challenge,298 enrolled_password_handle, enrolled_password_handle_length,299 provided_password, provided_password_length, auth_token, auth_token_length,300 request_reenroll);301302 if (ret == 0) {303 // success! re-enroll with HAL304 *request_reenroll = true;305 }306 }307 } else {+ALOGD("debug_unlock, software verify begin\n");308 ret = soft_device->verify(uid, challenge,309 enrolled_password_handle, enrolled_password_handle_length,310 provided_password, provided_password_length, auth_token, auth_token_length,311 request_reenroll);312 }313+ALOGD("debug_unlock, verifyChallenge ret=%d\n", ret);314 if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) {315 // TODO: cache service?316 sp<IServiceManager> sm = defaultServiceManager();317 sp<IBinder> binder = sm->getService(String16("android.security.keystore"));318 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);319 if (service != NULL) {320 auto ret = service->addAuthToken(*auth_token, *auth_token_length);321 if (!ret.isOk()) {322 ALOGE("Failure sending auth token to KeyStore: %" PRId32, int32_t(ret));323 }324 } else {325 ALOGE("Unable to communicate with KeyStore");326 }327 }328329 if (ret == 0) {330 maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(331 enrolled_password_handle)->user_id);332 }333+ALOGD("debug_unlock, verifyChallenge return ret=%d\n", ret);334 return ret;335 }
项目上在take MTK 提供的某个漏洞patch 导致在设置特定次数锁会出现一个问题“一个setting下清空锁屏密码后会无法进入锁屏密码设置的情况”
log输出:
03-13 13:35:22.602 473 473 I GateKeeperService: BnGateKeeperService::onTransact....code = :303-13 13:35:22.602 473 473 I gatekeeperd: verifyChallenge start.03-13 13:35:22.602 473 473 I gatekeeperd: hardware gatekeeper verify begin.03-13 13:35:22.602 473 473 I gatekeeperd: gatekeeper hw_device->verify before: �,6403-13 13:35:22.621 473 473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): 003-13 13:35:22.621 473 473 I gatekeeperd: gatekeeper verify end. ret: 003-13 13:35:22.640 792 1020 D LockSettingsService: setLockCredentialWithAuthTokenLocked: user=003-13 13:35:22.684 473 473 I GateKeeperService: BnGateKeeperService::onTransact....code = :503-13 13:35:22.685 473 473 I GateKeeperService: BnGateKeeperService::onTransact....code = :103-13 13:35:22.685 473 473 I gatekeeperd: enroll03-13 13:35:22.695 473 473 I gatekeeperd: hardware gatekeeper enroll begin.03-13 13:35:22.695 473 473 I gatekeeperd: enroll end. ret: 003-13 13:35:22.696 473 473 I gatekeeperd: internal verify begin.03-13 13:35:22.696 473 473 I gatekeeperd: verify.......03-13 13:35:22.696 473 473 I gatekeeperd: verifyChallenge start.03-13 13:35:22.696 473 473 I gatekeeperd: hardware gatekeeper verify begin.03-13 13:35:22.696 473 473 I gatekeeperd: gatekeeper hw_device->verify before: m,6403-13 13:35:22.707 473 473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): -103-13 13:35:22.707 473 473 I gatekeeperd: gatekeeper verify end. ret: -103-13 13:35:22.707 473 473 I gatekeeperd: internal verify end.03-13 13:35:22.779 473 473 I GateKeeperService: BnGateKeeperService::onTransact....code = :103-13 13:35:22.779 473 473 I gatekeeperd: enroll03-13 13:35:22.789 473 473 I gatekeeperd: hardware gatekeeper enroll begin.03-13 13:35:22.789 473 473 I gatekeeperd: enroll end. ret: 003-13 13:35:22.789 473 473 I gatekeeperd: internal verify begin.03-13 13:35:22.789 473 473 I gatekeeperd: verify.......03-13 13:35:22.789 473 473 I gatekeeperd: verifyChallenge start.03-13 13:35:22.789 473 473 I gatekeeperd: hardware gatekeeper verify begin.03-13 13:35:22.789 473 473 I gatekeeperd: gatekeeper hw_device->verify before: �,6403-13 13:35:22.800 473 473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): -103-13 13:35:22.800 473 473 I gatekeeperd: gatekeeper verify end. ret: -103-13 13:35:22.800 473 473 I gatekeeperd: internal verify end.03-13 13:35:22.804 473 473 I GateKeeperService: BnGateKeeperService::onTransact....code = :303-13 13:35:22.804 473 473 I gatekeeperd: verifyChallenge start.03-13 13:35:22.805 473 473 I gatekeeperd: hardware gatekeeper verify begin.03-13 13:35:22.805 473 473 I gatekeeperd: gatekeeper hw_device->verify before: �,6403-13 13:35:22.815 473 473 I gatekeeperd: gatekeeper static_cast<int>(rsp.code): -103-13 13:35:22.815 473 473 I gatekeeperd: gatekeeper verify end. ret: -103-13 13:35:22.815 792 1020 D LockSettingsService: setAuthlessUserKeyProtectiond: user=003-13 13:35:22.820 792 1020 D LockSettingsService: fixateNewestUserKeyAuth: user=003-13 13:35:22.969 792 1020 V LockSettingsService: Remove keystore profile key for user: 0
在tee中验证密码:
/hardware/interfaces/gatekeeper/1.0/default/Gatekeeper.cpp
85 Return<void> Gatekeeper::verify(uint32_t uid,86 uint64_t challenge,87 const hidl_vec<uint8_t>& enrolledPasswordHandle,88 const hidl_vec<uint8_t>& providedPassword,89 verify_cb cb)90 {91 GatekeeperResponse rsp;92 uint8_t *auth_token = nullptr;93 uint32_t auth_token_length = 0;94 bool request_reenroll = false;95 96 int ret = device->verify(device, uid, challenge,97 enrolledPasswordHandle.data(), enrolledPasswordHandle.size(),98 providedPassword.data(), providedPassword.size(),99 &auth_token, &auth_token_length,100 &request_reenroll);101 if (!ret) {102 rsp.data.setToExternal(auth_token, auth_token_length, true);103 if (request_reenroll) {104 rsp.code = GatekeeperStatusCode::STATUS_REENROLL;105 } else {106 rsp.code = GatekeeperStatusCode::STATUS_OK;107 }108 } else if (ret > 0) {109 rsp.timeout = ret;110 rsp.code = GatekeeperStatusCode::ERROR_RETRY_TIMEOUT;111 } else {112 rsp.code = GatekeeperStatusCode::ERROR_GENERAL_FAILURE;113 }114 cb(rsp);115 return Void();116 }
更多相关文章
- Android(安卓)屏幕设置
- [APP] Android(安卓)开发笔记 006-使用短信验证SDK进行短信验证
- scrollview 滚动条
- android实践项目一实现简单的验证码和spinner下拉选项效果
- Android(安卓)属性动画(Property Animation) 完全解析 (下)
- Android(安卓)设置EditText光标Curso颜色及粗细
- Android修改字体样式
- Android中的常用的对话框
- android EditText使用指南