diff options
author | AnilKumar Chimata <anilc@codeaurora.org> | 2017-05-18 12:35:20 -0700 |
---|---|---|
committer | dianlujitao <dianlujitao@lineageos.org> | 2019-11-01 04:13:31 +0100 |
commit | d725454570d05ab2491ebbf25de4539259ef2d53 (patch) | |
tree | d8a89ec6e78b1e81ce168f748cb38e7d247c401e | |
parent | 5ce00a98a5e4f051432e2095230caf73359da8b9 (diff) | |
download | android_frameworks_base-d725454570d05ab2491ebbf25de4539259ef2d53.tar.gz android_frameworks_base-d725454570d05ab2491ebbf25de4539259ef2d53.tar.bz2 android_frameworks_base-d725454570d05ab2491ebbf25de4539259ef2d53.zip |
frameworks: base: Port password retention feature
Port password retention feature for HW FDE.
This patch also include these changes:
- Fix clearing of retained password
- keyguard: Fix password doesnot sanitize after verification
- LockSettings: fix the get password issue during boot up
- frameworks/base: Fix pattern update issue
CRs-Fixed: 2210986
Change-Id: I2def56b14c10229b72feccd1c97b281cad65f282
6 files changed, 79 insertions, 2 deletions
diff --git a/core/java/com/android/internal/widget/ILockSettings.aidl b/core/java/com/android/internal/widget/ILockSettings.aidl index 6897f641287..8a4b0489ec7 100644 --- a/core/java/com/android/internal/widget/ILockSettings.aidl +++ b/core/java/com/android/internal/widget/ILockSettings.aidl @@ -91,4 +91,6 @@ interface ILockSettings { in byte[] recoveryKeyBlob, in List<WrappedApplicationKey> applicationKeys); void closeSession(in String sessionId); + void sanitizePassword(); + String getPassword(); } diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java index 550daf250d2..1f49cab9897 100644 --- a/core/java/com/android/internal/widget/LockPatternUtils.java +++ b/core/java/com/android/internal/widget/LockPatternUtils.java @@ -810,6 +810,17 @@ public class LockPatternUtils { return true; } + /** + * clears stored password. + */ + public void sanitizePassword() { + try { + getLockSettings().sanitizePassword(); + } catch (RemoteException re) { + Log.e(TAG, "Couldn't sanitize password" + re); + } + } + private void updateCryptoUserInfo(int userId) { if (userId != UserHandle.USER_SYSTEM) { return; diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java index 2ff7266baec..9d75e43bd40 100644 --- a/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java +++ b/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java @@ -200,6 +200,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout boolean isValidPassword) { boolean dismissKeyguard = KeyguardUpdateMonitor.getCurrentUser() == userId; if (matched) { + mLockPatternUtils.sanitizePassword(); mCallback.reportUnlockAttempt(userId, true, 0); if (dismissKeyguard) { mDismissing = true; diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java index 83195301ff8..c4e617a4ac0 100644 --- a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java +++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java @@ -351,6 +351,7 @@ public class KeyguardPatternView extends LinearLayout implements KeyguardSecurit boolean isValidPattern) { boolean dismissKeyguard = KeyguardUpdateMonitor.getCurrentUser() == userId; if (matched) { + mLockPatternUtils.sanitizePassword(); mCallback.reportUnlockAttempt(userId, true, 0); if (dismissKeyguard) { mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Correct); diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java index 72f40cc0351..40c97f4cbe6 100644 --- a/services/core/java/com/android/server/StorageManagerService.java +++ b/services/core/java/com/android/server/StorageManagerService.java @@ -138,6 +138,7 @@ import com.android.internal.util.FastXmlSerializer; import com.android.internal.util.HexDump; import com.android.internal.util.IndentingPrintWriter; import com.android.internal.util.Preconditions; +import com.android.internal.widget.ILockSettings; import com.android.internal.widget.LockPatternUtils; import com.android.server.storage.AppFuseBridge; import com.android.server.wm.ActivityTaskManagerInternal; @@ -2512,8 +2513,22 @@ class StorageManagerService extends IStorageManager.Stub Slog.i(TAG, "changing encryption password..."); } + ILockSettings lockSettings = ILockSettings.Stub.asInterface( + ServiceManager.getService("lock_settings")); + String currentPassword="default_password"; try { - mVold.fdeChangePassword(type, password); + currentPassword = lockSettings.getPassword(); + } catch (Exception e) { + Slog.wtf(TAG, "Couldn't get password" + e); + } + + try { + mVold.fdeChangePassword(type, currentPassword, password); + try { + lockSettings.sanitizePassword(); + } catch (Exception e) { + Slog.wtf(TAG, "Couldn't sanitize password" + e); + } return 0; } catch (Exception e) { Slog.wtf(TAG, e); diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java index d87154bf14a..0d98994ec82 100644 --- a/services/core/java/com/android/server/locksettings/LockSettingsService.java +++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java @@ -174,6 +174,7 @@ public class LockSettingsService extends ILockSettings.Stub { // Order of holding lock: mSeparateChallengeLock -> mSpManager -> this // Do not call into ActivityManager while holding mSpManager lock. private final Object mSeparateChallengeLock = new Object(); + private static final String DEFAULT_PASSWORD = "default_password"; private final DeviceProvisionedObserver mDeviceProvisionedObserver = new DeviceProvisionedObserver(); @@ -195,6 +196,7 @@ public class LockSettingsService extends ILockSettings.Stub { private final SyntheticPasswordManager mSpManager; private final KeyStore mKeyStore; + private static String mSavePassword = DEFAULT_PASSWORD; private final RecoverableKeyStoreManager mRecoverableKeyStoreManager; @@ -1119,6 +1121,45 @@ public class LockSettingsService extends ILockSettings.Stub { return mStorage.hasCredential(userId); } + public void retainPassword(String password) { + if (LockPatternUtils.isDeviceEncryptionEnabled()) { + if (password != null) + mSavePassword = password; + else + mSavePassword = DEFAULT_PASSWORD; + } + } + + public void sanitizePassword() { + if (LockPatternUtils.isDeviceEncryptionEnabled()) { + mSavePassword = DEFAULT_PASSWORD; + } + } + + private boolean checkCryptKeeperPermissions() { + boolean permission_err = false; + try { + mContext.enforceCallingOrSelfPermission( + android.Manifest.permission.CRYPT_KEEPER, + "no permission to get the password"); + } catch (SecurityException e) { + permission_err = true; + } + return permission_err; + } + + public String getPassword() { + /** if calling process does't have crypt keeper or admin permissions, + * throw the exception. + */ + if (checkCryptKeeperPermissions()) + mContext.enforceCallingOrSelfPermission( + android.Manifest.permission.MANAGE_DEVICE_ADMINS, + "no crypt_keeper or admin permission to get the password"); + + return mSavePassword; + } + private void setKeystorePassword(byte[] password, int userHandle) { final KeyStore ks = KeyStore.getInstance(); // TODO(b/120484642): Update keystore to accept byte[] passwords @@ -1749,7 +1790,13 @@ public class LockSettingsService extends ILockSettings.Stub { public VerifyCredentialResponse checkCredential(byte[] credential, int type, int userId, ICheckCredentialProgressCallback progressCallback) throws RemoteException { checkPasswordReadPermission(userId); - return doVerifyCredential(credential, type, false, 0, userId, progressCallback); + VerifyCredentialResponse response = doVerifyCredential(credential, type, + false, 0, userId, progressCallback); + if ((response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) && + (userId == UserHandle.USER_OWNER)) { + retainPassword(credential); + } + return response; } @Override |