The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2007 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package com.android.internal.widget; |
| 18 | |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 19 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC; |
| 20 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC; |
| 21 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_COMPLEX; |
| 22 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_MANAGED; |
| 23 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC; |
| 24 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX; |
| 25 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; |
| 26 | import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; |
| 27 | |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 28 | import android.annotation.IntDef; |
Jorim Jaggi | e8fde5d | 2016-06-30 23:41:37 -0700 | [diff] [blame] | 29 | import android.annotation.Nullable; |
Dianne Hackborn | 87bba1e | 2010-02-26 17:25:54 -0800 | [diff] [blame] | 30 | import android.app.admin.DevicePolicyManager; |
Andrew Scull | 5f9e6f3 | 2016-08-02 14:22:17 +0100 | [diff] [blame] | 31 | import android.app.admin.PasswordMetrics; |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 32 | import android.app.trust.IStrongAuthTracker; |
Adrian Roos | 82142c2 | 2014-03-27 14:56:59 +0100 | [diff] [blame] | 33 | import android.app.trust.TrustManager; |
Adrian Roos | 82142c2 | 2014-03-27 14:56:59 +0100 | [diff] [blame] | 34 | import android.content.ComponentName; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 35 | import android.content.ContentResolver; |
Jim Miller | 31f90b6 | 2010-01-20 13:35:20 -0800 | [diff] [blame] | 36 | import android.content.Context; |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 37 | import android.content.pm.PackageManager; |
Clara Bayarri | a177111 | 2015-12-18 16:29:18 +0000 | [diff] [blame] | 38 | import android.content.pm.UserInfo; |
Paul Lawrence | 3a5a0be | 2014-09-25 09:26:34 -0700 | [diff] [blame] | 39 | import android.os.AsyncTask; |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 40 | import android.os.Handler; |
Jason parks | f7b3cd4 | 2011-01-27 09:28:25 -0600 | [diff] [blame] | 41 | import android.os.IBinder; |
Xiyuan Xia | aa26294 | 2015-05-05 15:18:45 -0700 | [diff] [blame] | 42 | import android.os.Looper; |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 43 | import android.os.Message; |
Jim Miller | 69ac988 | 2010-02-24 15:35:05 -0800 | [diff] [blame] | 44 | import android.os.RemoteException; |
| 45 | import android.os.ServiceManager; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 46 | import android.os.SystemClock; |
Dianne Hackborn | f02b60a | 2012-08-16 10:48:27 -0700 | [diff] [blame] | 47 | import android.os.UserHandle; |
Clara Bayarri | a177111 | 2015-12-18 16:29:18 +0000 | [diff] [blame] | 48 | import android.os.UserManager; |
Sudheer Shanka | 2250d56 | 2016-11-07 15:41:02 -0800 | [diff] [blame] | 49 | import android.os.storage.IStorageManager; |
Paul Lawrence | 8e39736 | 2014-01-27 15:22:30 -0800 | [diff] [blame] | 50 | import android.os.storage.StorageManager; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 51 | import android.provider.Settings; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 52 | import android.text.TextUtils; |
| 53 | import android.util.Log; |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 54 | import android.util.SparseIntArray; |
Kevin Chyn | a3e5582 | 2017-10-04 15:47:24 -0700 | [diff] [blame] | 55 | import android.util.SparseLongArray; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 56 | |
Rubin Xu | 0cbc19e | 2016-12-09 14:00:21 +0000 | [diff] [blame] | 57 | import com.android.internal.annotations.VisibleForTesting; |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 58 | import com.android.server.LocalServices; |
Kevin Chyn | b17d409 | 2018-10-01 19:07:03 -0700 | [diff] [blame] | 59 | |
Michael Jurka | 1254f2f | 2012-10-25 11:44:31 -0700 | [diff] [blame] | 60 | import com.google.android.collect.Lists; |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 61 | |
Rubin Xu | 1de89b3 | 2016-11-30 20:03:13 +0000 | [diff] [blame] | 62 | import libcore.util.HexEncoding; |
| 63 | |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 64 | import java.lang.annotation.Retention; |
| 65 | import java.lang.annotation.RetentionPolicy; |
Brian Carlstrom | 929a1c2 | 2011-02-01 21:54:09 -0800 | [diff] [blame] | 66 | import java.security.MessageDigest; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 67 | import java.security.NoSuchAlgorithmException; |
Jim Miller | 11b019d | 2010-01-20 16:34:45 -0800 | [diff] [blame] | 68 | import java.security.SecureRandom; |
Adrian Roos | 82142c2 | 2014-03-27 14:56:59 +0100 | [diff] [blame] | 69 | import java.util.ArrayList; |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 70 | import java.util.Arrays; |
Adrian Roos | 82142c2 | 2014-03-27 14:56:59 +0100 | [diff] [blame] | 71 | import java.util.Collection; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 72 | import java.util.List; |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 73 | import java.util.StringJoiner; |
Kevin Chyn | b17d409 | 2018-10-01 19:07:03 -0700 | [diff] [blame] | 74 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 75 | /** |
Brian Carlstrom | 5cfee3f | 2011-05-31 01:00:15 -0700 | [diff] [blame] | 76 | * Utilities for the lock pattern and its settings. |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 77 | */ |
| 78 | public class LockPatternUtils { |
| 79 | |
| 80 | private static final String TAG = "LockPatternUtils"; |
Brian Colonna | a0ee004 | 2014-07-16 13:50:47 -0400 | [diff] [blame] | 81 | private static final boolean DEBUG = false; |
Adrian Roos | 8370e47 | 2017-07-23 14:35:59 +0200 | [diff] [blame] | 82 | private static final boolean FRP_CREDENTIAL_ENABLED = true; |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 83 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 84 | /** |
Rubin Xu | 1de89b3 | 2016-11-30 20:03:13 +0000 | [diff] [blame] | 85 | * The key to identify when the lock pattern enabled flag is being accessed for legacy reasons. |
Bryce Lee | 4614596 | 2015-12-14 14:39:10 -0800 | [diff] [blame] | 86 | */ |
| 87 | public static final String LEGACY_LOCK_PATTERN_ENABLED = "legacy_lock_pattern_enabled"; |
| 88 | |
| 89 | /** |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 90 | * The number of incorrect attempts before which we fall back on an alternative |
| 91 | * method of verifying the user, and resetting their lock pattern. |
| 92 | */ |
| 93 | public static final int FAILED_ATTEMPTS_BEFORE_RESET = 20; |
| 94 | |
| 95 | /** |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 96 | * The interval of the countdown for showing progress of the lockout. |
| 97 | */ |
| 98 | public static final long FAILED_ATTEMPT_COUNTDOWN_INTERVAL_MS = 1000L; |
| 99 | |
Jim Miller | 4f36995 | 2011-08-19 18:29:22 -0700 | [diff] [blame] | 100 | |
| 101 | /** |
| 102 | * This dictates when we start telling the user that continued failed attempts will wipe |
| 103 | * their device. |
| 104 | */ |
| 105 | public static final int FAILED_ATTEMPTS_BEFORE_WIPE_GRACE = 5; |
| 106 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 107 | /** |
| 108 | * The minimum number of dots in a valid pattern. |
| 109 | */ |
| 110 | public static final int MIN_LOCK_PATTERN_SIZE = 4; |
| 111 | |
| 112 | /** |
Adrian Roos | f80e66ce9 | 2015-01-15 23:27:24 +0100 | [diff] [blame] | 113 | * The minimum size of a valid password. |
| 114 | */ |
| 115 | public static final int MIN_LOCK_PASSWORD_SIZE = 4; |
| 116 | |
| 117 | /** |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 118 | * The minimum number of dots the user must include in a wrong pattern |
| 119 | * attempt for it to be counted against the counts that affect |
| 120 | * {@link #FAILED_ATTEMPTS_BEFORE_TIMEOUT} and {@link #FAILED_ATTEMPTS_BEFORE_RESET} |
| 121 | */ |
Jim Miller | 4f36995 | 2011-08-19 18:29:22 -0700 | [diff] [blame] | 122 | public static final int MIN_PATTERN_REGISTER_FAIL = MIN_LOCK_PATTERN_SIZE; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 123 | |
Rubin Xu | 1de89b3 | 2016-11-30 20:03:13 +0000 | [diff] [blame] | 124 | public static final int CREDENTIAL_TYPE_NONE = -1; |
| 125 | |
| 126 | public static final int CREDENTIAL_TYPE_PATTERN = 1; |
| 127 | |
| 128 | public static final int CREDENTIAL_TYPE_PASSWORD = 2; |
| 129 | |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 130 | /** |
| 131 | * Special user id for triggering the FRP verification flow. |
| 132 | */ |
| 133 | public static final int USER_FRP = UserHandle.USER_NULL + 1; |
| 134 | |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 135 | @Deprecated |
Jeff Sharkey | 7a96c39 | 2012-11-15 14:01:46 -0800 | [diff] [blame] | 136 | public final static String LOCKOUT_PERMANENT_KEY = "lockscreen.lockedoutpermanently"; |
Jeff Sharkey | 7a96c39 | 2012-11-15 14:01:46 -0800 | [diff] [blame] | 137 | public final static String PATTERN_EVER_CHOSEN_KEY = "lockscreen.patterneverchosen"; |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 138 | public final static String PASSWORD_TYPE_KEY = "lockscreen.password_type"; |
Adrian Roos | 230635e | 2015-01-07 20:50:29 +0100 | [diff] [blame] | 139 | @Deprecated |
| 140 | public final static String PASSWORD_TYPE_ALTERNATE_KEY = "lockscreen.password_type_alternate"; |
Jeff Sharkey | 7a96c39 | 2012-11-15 14:01:46 -0800 | [diff] [blame] | 141 | public final static String LOCK_PASSWORD_SALT_KEY = "lockscreen.password_salt"; |
| 142 | public final static String DISABLE_LOCKSCREEN_KEY = "lockscreen.disabled"; |
| 143 | public final static String LOCKSCREEN_OPTIONS = "lockscreen.options"; |
Adrian Roos | 230635e | 2015-01-07 20:50:29 +0100 | [diff] [blame] | 144 | @Deprecated |
Jim Miller | 6edf263 | 2011-09-05 16:03:14 -0700 | [diff] [blame] | 145 | public final static String LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK |
| 146 | = "lockscreen.biometric_weak_fallback"; |
Adrian Roos | 230635e | 2015-01-07 20:50:29 +0100 | [diff] [blame] | 147 | @Deprecated |
Danielle Millett | 7a07219 | 2011-10-03 17:36:01 -0400 | [diff] [blame] | 148 | public final static String BIOMETRIC_WEAK_EVER_CHOSEN_KEY |
| 149 | = "lockscreen.biometricweakeverchosen"; |
Jim Miller | a4edd15 | 2012-01-06 18:24:04 -0800 | [diff] [blame] | 150 | public final static String LOCKSCREEN_POWER_BUTTON_INSTANTLY_LOCKS |
| 151 | = "lockscreen.power_button_instantly_locks"; |
Adrian Roos | 230635e | 2015-01-07 20:50:29 +0100 | [diff] [blame] | 152 | @Deprecated |
Jim Miller | f45bb40 | 2013-08-20 18:58:32 -0700 | [diff] [blame] | 153 | public final static String LOCKSCREEN_WIDGETS_ENABLED = "lockscreen.widgets_enabled"; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 154 | |
Jeff Sharkey | 7a96c39 | 2012-11-15 14:01:46 -0800 | [diff] [blame] | 155 | public final static String PASSWORD_HISTORY_KEY = "lockscreen.passwordhistory"; |
Konstantin Lopyrev | 863f22d | 2010-05-12 17:16:58 -0700 | [diff] [blame] | 156 | |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 157 | private static final String LOCK_SCREEN_OWNER_INFO = Settings.Secure.LOCK_SCREEN_OWNER_INFO; |
| 158 | private static final String LOCK_SCREEN_OWNER_INFO_ENABLED = |
| 159 | Settings.Secure.LOCK_SCREEN_OWNER_INFO_ENABLED; |
| 160 | |
Andrei Stingaceanu | 6644cd9 | 2015-11-10 13:03:31 +0000 | [diff] [blame] | 161 | private static final String LOCK_SCREEN_DEVICE_OWNER_INFO = "lockscreen.device_owner_info"; |
| 162 | |
Adrian Roos | 82142c2 | 2014-03-27 14:56:59 +0100 | [diff] [blame] | 163 | private static final String ENABLED_TRUST_AGENTS = "lockscreen.enabledtrustagents"; |
Adrian Roos | c13723f | 2016-01-12 20:29:03 +0100 | [diff] [blame] | 164 | private static final String IS_TRUST_USUALLY_MANAGED = "lockscreen.istrustusuallymanaged"; |
Adrian Roos | 82142c2 | 2014-03-27 14:56:59 +0100 | [diff] [blame] | 165 | |
Ricky Wai | d398244 | 2016-05-24 19:27:08 +0100 | [diff] [blame] | 166 | public static final String PROFILE_KEY_NAME_ENCRYPT = "profile_key_name_encrypt_"; |
| 167 | public static final String PROFILE_KEY_NAME_DECRYPT = "profile_key_name_decrypt_"; |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 168 | public static final String SYNTHETIC_PASSWORD_KEY_PREFIX = "synthetic_password_"; |
| 169 | |
| 170 | public static final String SYNTHETIC_PASSWORD_HANDLE_KEY = "sp-handle"; |
| 171 | public static final String SYNTHETIC_PASSWORD_ENABLED_KEY = "enable-sp"; |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 172 | private static final String HISTORY_DELIMITER = ","; |
Ricky Wai | d398244 | 2016-05-24 19:27:08 +0100 | [diff] [blame] | 173 | |
Dianne Hackborn | df83afa | 2010-01-20 13:37:26 -0800 | [diff] [blame] | 174 | private final Context mContext; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 175 | private final ContentResolver mContentResolver; |
Jim Miller | 31f90b6 | 2010-01-20 13:35:20 -0800 | [diff] [blame] | 176 | private DevicePolicyManager mDevicePolicyManager; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 177 | private ILockSettings mLockSettingsService; |
Clara Bayarri | a177111 | 2015-12-18 16:29:18 +0000 | [diff] [blame] | 178 | private UserManager mUserManager; |
Adrian Roos | 7a3bf7c | 2016-07-12 15:31:55 -0700 | [diff] [blame] | 179 | private final Handler mHandler; |
Kevin Chyn | a3e5582 | 2017-10-04 15:47:24 -0700 | [diff] [blame] | 180 | private final SparseLongArray mLockoutDeadlines = new SparseLongArray(); |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 181 | private Boolean mHasSecureLockScreen; |
Jim Miller | ee82f8f | 2012-10-01 16:26:18 -0700 | [diff] [blame] | 182 | |
Adrian Roos | c13723f | 2016-01-12 20:29:03 +0100 | [diff] [blame] | 183 | /** |
| 184 | * Use {@link TrustManager#isTrustUsuallyManaged(int)}. |
| 185 | * |
| 186 | * This returns the lazily-peristed value and should only be used by TrustManagerService. |
| 187 | */ |
| 188 | public boolean isTrustUsuallyManaged(int userId) { |
| 189 | if (!(mLockSettingsService instanceof ILockSettings.Stub)) { |
| 190 | throw new IllegalStateException("May only be called by TrustManagerService. " |
| 191 | + "Use TrustManager.isTrustUsuallyManaged()"); |
| 192 | } |
| 193 | try { |
| 194 | return getLockSettings().getBoolean(IS_TRUST_USUALLY_MANAGED, false, userId); |
| 195 | } catch (RemoteException e) { |
| 196 | return false; |
| 197 | } |
| 198 | } |
| 199 | |
| 200 | public void setTrustUsuallyManaged(boolean managed, int userId) { |
| 201 | try { |
| 202 | getLockSettings().setBoolean(IS_TRUST_USUALLY_MANAGED, managed, userId); |
| 203 | } catch (RemoteException e) { |
| 204 | // System dead. |
| 205 | } |
| 206 | } |
Andres Morales | 2397427 | 2015-05-14 22:42:26 -0700 | [diff] [blame] | 207 | |
Adrian Roos | 4ab7e59 | 2016-04-13 15:38:13 -0700 | [diff] [blame] | 208 | public void userPresent(int userId) { |
| 209 | try { |
| 210 | getLockSettings().userPresent(userId); |
| 211 | } catch (RemoteException e) { |
| 212 | throw e.rethrowFromSystemServer(); |
| 213 | } |
| 214 | } |
| 215 | |
Andres Morales | 2397427 | 2015-05-14 22:42:26 -0700 | [diff] [blame] | 216 | public static final class RequestThrottledException extends Exception { |
| 217 | private int mTimeoutMs; |
| 218 | public RequestThrottledException(int timeoutMs) { |
| 219 | mTimeoutMs = timeoutMs; |
| 220 | } |
| 221 | |
| 222 | /** |
| 223 | * @return The amount of time in ms before another request may |
| 224 | * be executed |
| 225 | */ |
| 226 | public int getTimeoutMs() { |
| 227 | return mTimeoutMs; |
| 228 | } |
| 229 | |
| 230 | } |
| 231 | |
Jim Miller | cd70988 | 2010-03-25 18:24:02 -0700 | [diff] [blame] | 232 | public DevicePolicyManager getDevicePolicyManager() { |
Jim Miller | 5b0fb3a | 2010-02-23 13:46:35 -0800 | [diff] [blame] | 233 | if (mDevicePolicyManager == null) { |
| 234 | mDevicePolicyManager = |
| 235 | (DevicePolicyManager)mContext.getSystemService(Context.DEVICE_POLICY_SERVICE); |
| 236 | if (mDevicePolicyManager == null) { |
| 237 | Log.e(TAG, "Can't get DevicePolicyManagerService: is it running?", |
| 238 | new IllegalStateException("Stack trace:")); |
| 239 | } |
| 240 | } |
| 241 | return mDevicePolicyManager; |
| 242 | } |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 243 | |
Clara Bayarri | a177111 | 2015-12-18 16:29:18 +0000 | [diff] [blame] | 244 | private UserManager getUserManager() { |
| 245 | if (mUserManager == null) { |
| 246 | mUserManager = UserManager.get(mContext); |
| 247 | } |
| 248 | return mUserManager; |
| 249 | } |
| 250 | |
Adrian Roos | 82142c2 | 2014-03-27 14:56:59 +0100 | [diff] [blame] | 251 | private TrustManager getTrustManager() { |
| 252 | TrustManager trust = (TrustManager) mContext.getSystemService(Context.TRUST_SERVICE); |
| 253 | if (trust == null) { |
| 254 | Log.e(TAG, "Can't get TrustManagerService: is it running?", |
| 255 | new IllegalStateException("Stack trace:")); |
| 256 | } |
| 257 | return trust; |
| 258 | } |
| 259 | |
Jim Miller | 31f90b6 | 2010-01-20 13:35:20 -0800 | [diff] [blame] | 260 | public LockPatternUtils(Context context) { |
Dianne Hackborn | df83afa | 2010-01-20 13:37:26 -0800 | [diff] [blame] | 261 | mContext = context; |
Jim Miller | 31f90b6 | 2010-01-20 13:35:20 -0800 | [diff] [blame] | 262 | mContentResolver = context.getContentResolver(); |
Adrian Roos | 7a3bf7c | 2016-07-12 15:31:55 -0700 | [diff] [blame] | 263 | |
| 264 | Looper looper = Looper.myLooper(); |
| 265 | mHandler = looper != null ? new Handler(looper) : null; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 266 | } |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 267 | |
Rubin Xu | 0cbc19e | 2016-12-09 14:00:21 +0000 | [diff] [blame] | 268 | @VisibleForTesting |
| 269 | public ILockSettings getLockSettings() { |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 270 | if (mLockSettingsService == null) { |
Adrian Roos | 450ce9f | 2014-10-29 14:30:37 +0100 | [diff] [blame] | 271 | ILockSettings service = ILockSettings.Stub.asInterface( |
| 272 | ServiceManager.getService("lock_settings")); |
Adrian Roos | 138b833 | 2014-11-11 13:51:07 +0100 | [diff] [blame] | 273 | mLockSettingsService = service; |
Brad Fitzpatrick | 9088100 | 2010-08-23 18:30:08 -0700 | [diff] [blame] | 274 | } |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 275 | return mLockSettingsService; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 276 | } |
| 277 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 278 | public int getRequestedMinimumPasswordLength(int userId) { |
| 279 | return getDevicePolicyManager().getPasswordMinimumLength(null, userId); |
Jim Miller | 31f90b6 | 2010-01-20 13:35:20 -0800 | [diff] [blame] | 280 | } |
| 281 | |
Pavel Grafov | 2e7929e | 2018-05-04 17:29:36 +0100 | [diff] [blame] | 282 | public int getMaximumPasswordLength(int quality) { |
| 283 | return getDevicePolicyManager().getPasswordMaximumLength(quality); |
| 284 | } |
| 285 | |
Jim Miller | 31f90b6 | 2010-01-20 13:35:20 -0800 | [diff] [blame] | 286 | /** |
| 287 | * Gets the device policy password mode. If the mode is non-specific, returns |
| 288 | * MODE_PATTERN which allows the user to choose anything. |
Jim Miller | 31f90b6 | 2010-01-20 13:35:20 -0800 | [diff] [blame] | 289 | */ |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 290 | public int getRequestedPasswordQuality(int userId) { |
| 291 | return getDevicePolicyManager().getPasswordQuality(null, userId); |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 292 | } |
| 293 | |
| 294 | private int getRequestedPasswordHistoryLength(int userId) { |
| 295 | return getDevicePolicyManager().getPasswordHistoryLength(null, userId); |
Konstantin Lopyrev | 3255823 | 2010-05-20 16:18:05 -0700 | [diff] [blame] | 296 | } |
| 297 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 298 | public int getRequestedPasswordMinimumLetters(int userId) { |
| 299 | return getDevicePolicyManager().getPasswordMinimumLetters(null, userId); |
Konstantin Lopyrev | a15dcfa | 2010-05-24 17:10:56 -0700 | [diff] [blame] | 300 | } |
| 301 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 302 | public int getRequestedPasswordMinimumUpperCase(int userId) { |
| 303 | return getDevicePolicyManager().getPasswordMinimumUpperCase(null, userId); |
Konstantin Lopyrev | a15dcfa | 2010-05-24 17:10:56 -0700 | [diff] [blame] | 304 | } |
| 305 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 306 | public int getRequestedPasswordMinimumLowerCase(int userId) { |
| 307 | return getDevicePolicyManager().getPasswordMinimumLowerCase(null, userId); |
Konstantin Lopyrev | a15dcfa | 2010-05-24 17:10:56 -0700 | [diff] [blame] | 308 | } |
| 309 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 310 | public int getRequestedPasswordMinimumNumeric(int userId) { |
| 311 | return getDevicePolicyManager().getPasswordMinimumNumeric(null, userId); |
Konstantin Lopyrev | a15dcfa | 2010-05-24 17:10:56 -0700 | [diff] [blame] | 312 | } |
| 313 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 314 | public int getRequestedPasswordMinimumSymbols(int userId) { |
| 315 | return getDevicePolicyManager().getPasswordMinimumSymbols(null, userId); |
Konstantin Lopyrev | a15dcfa | 2010-05-24 17:10:56 -0700 | [diff] [blame] | 316 | } |
| 317 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 318 | public int getRequestedPasswordMinimumNonLetter(int userId) { |
| 319 | return getDevicePolicyManager().getPasswordMinimumNonLetter(null, userId); |
Konstantin Lopyrev | c857740 | 2010-06-04 17:15:02 -0700 | [diff] [blame] | 320 | } |
Amith Yamasani | 599dd7c | 2012-09-14 23:20:08 -0700 | [diff] [blame] | 321 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 322 | public void reportFailedPasswordAttempt(int userId) { |
Adrian Roos | 2adc263 | 2017-09-05 17:01:42 +0200 | [diff] [blame] | 323 | if (userId == USER_FRP && frpCredentialEnabled(mContext)) { |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 324 | return; |
| 325 | } |
Adrian Roos | 4f994eb | 2014-07-23 15:45:05 +0200 | [diff] [blame] | 326 | getDevicePolicyManager().reportFailedPasswordAttempt(userId); |
| 327 | getTrustManager().reportUnlockAttempt(false /* authenticated */, userId); |
Jim Miller | 31f90b6 | 2010-01-20 13:35:20 -0800 | [diff] [blame] | 328 | } |
| 329 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 330 | public void reportSuccessfulPasswordAttempt(int userId) { |
Adrian Roos | 2adc263 | 2017-09-05 17:01:42 +0200 | [diff] [blame] | 331 | if (userId == USER_FRP && frpCredentialEnabled(mContext)) { |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 332 | return; |
| 333 | } |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 334 | getDevicePolicyManager().reportSuccessfulPasswordAttempt(userId); |
| 335 | getTrustManager().reportUnlockAttempt(true /* authenticated */, userId); |
Jim Miller | 31f90b6 | 2010-01-20 13:35:20 -0800 | [diff] [blame] | 336 | } |
| 337 | |
Zachary Iqbal | 327323d | 2017-01-12 14:41:13 -0800 | [diff] [blame] | 338 | public void reportPasswordLockout(int timeoutMs, int userId) { |
Adrian Roos | 2adc263 | 2017-09-05 17:01:42 +0200 | [diff] [blame] | 339 | if (userId == USER_FRP && frpCredentialEnabled(mContext)) { |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 340 | return; |
| 341 | } |
Zachary Iqbal | 327323d | 2017-01-12 14:41:13 -0800 | [diff] [blame] | 342 | getTrustManager().reportUnlockLockout(timeoutMs, userId); |
| 343 | } |
| 344 | |
Clara Bayarri | 51e41ad | 2016-02-11 17:48:53 +0000 | [diff] [blame] | 345 | public int getCurrentFailedPasswordAttempts(int userId) { |
Adrian Roos | 2adc263 | 2017-09-05 17:01:42 +0200 | [diff] [blame] | 346 | if (userId == USER_FRP && frpCredentialEnabled(mContext)) { |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 347 | return 0; |
| 348 | } |
Clara Bayarri | 51e41ad | 2016-02-11 17:48:53 +0000 | [diff] [blame] | 349 | return getDevicePolicyManager().getCurrentFailedPasswordAttempts(userId); |
| 350 | } |
| 351 | |
| 352 | public int getMaximumFailedPasswordsForWipe(int userId) { |
Adrian Roos | 2adc263 | 2017-09-05 17:01:42 +0200 | [diff] [blame] | 353 | if (userId == USER_FRP && frpCredentialEnabled(mContext)) { |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 354 | return 0; |
| 355 | } |
Clara Bayarri | 51e41ad | 2016-02-11 17:48:53 +0000 | [diff] [blame] | 356 | return getDevicePolicyManager().getMaximumFailedPasswordsForWipe( |
| 357 | null /* componentName */, userId); |
| 358 | } |
| 359 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 360 | private byte[] verifyCredential(byte[] credential, int type, long challenge, int userId) |
Rubin Xu | 1de89b3 | 2016-11-30 20:03:13 +0000 | [diff] [blame] | 361 | throws RequestThrottledException { |
| 362 | try { |
| 363 | VerifyCredentialResponse response = getLockSettings().verifyCredential(credential, |
| 364 | type, challenge, userId); |
| 365 | if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) { |
| 366 | return response.getPayload(); |
| 367 | } else if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_RETRY) { |
| 368 | throw new RequestThrottledException(response.getTimeout()); |
| 369 | } else { |
| 370 | return null; |
| 371 | } |
| 372 | } catch (RemoteException re) { |
| 373 | return null; |
| 374 | } |
| 375 | } |
| 376 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 377 | private boolean checkCredential(byte[] credential, int type, int userId, |
Rubin Xu | 1de89b3 | 2016-11-30 20:03:13 +0000 | [diff] [blame] | 378 | @Nullable CheckCredentialProgressCallback progressCallback) |
| 379 | throws RequestThrottledException { |
| 380 | try { |
| 381 | VerifyCredentialResponse response = getLockSettings().checkCredential(credential, type, |
| 382 | userId, wrapCallback(progressCallback)); |
| 383 | |
| 384 | if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) { |
| 385 | return true; |
| 386 | } else if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_RETRY) { |
| 387 | throw new RequestThrottledException(response.getTimeout()); |
| 388 | } else { |
| 389 | return false; |
| 390 | } |
| 391 | } catch (RemoteException re) { |
| 392 | return false; |
| 393 | } |
| 394 | } |
| 395 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 396 | /** |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 397 | * Check to see if a pattern matches the saved pattern. |
| 398 | * If pattern matches, return an opaque attestation that the challenge |
| 399 | * was verified. |
| 400 | * |
| 401 | * @param pattern The pattern to check. |
| 402 | * @param challenge The challenge to verify against the pattern |
| 403 | * @return the attestation that the challenge was verified, or null. |
| 404 | */ |
Andres Morales | 2397427 | 2015-05-14 22:42:26 -0700 | [diff] [blame] | 405 | public byte[] verifyPattern(List<LockPatternView.Cell> pattern, long challenge, int userId) |
| 406 | throws RequestThrottledException { |
Xiyuan Xia | aa26294 | 2015-05-05 15:18:45 -0700 | [diff] [blame] | 407 | throwIfCalledOnMainThread(); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 408 | return verifyCredential(patternToByteArray(pattern), CREDENTIAL_TYPE_PATTERN, challenge, |
Rubin Xu | 1de89b3 | 2016-11-30 20:03:13 +0000 | [diff] [blame] | 409 | userId); |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 410 | } |
| 411 | |
| 412 | /** |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 413 | * Check to see if a pattern matches the saved pattern. If no pattern exists, |
| 414 | * always returns true. |
| 415 | * @param pattern The pattern to check. |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 416 | * @return Whether the pattern matches the stored one. |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 417 | */ |
Andres Morales | 2397427 | 2015-05-14 22:42:26 -0700 | [diff] [blame] | 418 | public boolean checkPattern(List<LockPatternView.Cell> pattern, int userId) |
| 419 | throws RequestThrottledException { |
Jorim Jaggi | e8fde5d | 2016-06-30 23:41:37 -0700 | [diff] [blame] | 420 | return checkPattern(pattern, userId, null /* progressCallback */); |
| 421 | } |
| 422 | |
| 423 | /** |
| 424 | * Check to see if a pattern matches the saved pattern. If no pattern exists, |
| 425 | * always returns true. |
| 426 | * @param pattern The pattern to check. |
| 427 | * @return Whether the pattern matches the stored one. |
| 428 | */ |
| 429 | public boolean checkPattern(List<LockPatternView.Cell> pattern, int userId, |
| 430 | @Nullable CheckCredentialProgressCallback progressCallback) |
| 431 | throws RequestThrottledException { |
Xiyuan Xia | aa26294 | 2015-05-05 15:18:45 -0700 | [diff] [blame] | 432 | throwIfCalledOnMainThread(); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 433 | return checkCredential(patternToByteArray(pattern), CREDENTIAL_TYPE_PATTERN, userId, |
Rubin Xu | 1de89b3 | 2016-11-30 20:03:13 +0000 | [diff] [blame] | 434 | progressCallback); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 435 | } |
| 436 | |
| 437 | /** |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 438 | * Check to see if a password matches the saved password. |
| 439 | * If password matches, return an opaque attestation that the challenge |
| 440 | * was verified. |
| 441 | * |
| 442 | * @param password The password to check. |
| 443 | * @param challenge The challenge to verify against the password |
| 444 | * @return the attestation that the challenge was verified, or null. |
| 445 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 446 | public byte[] verifyPassword(byte[] password, long challenge, int userId) |
Andres Morales | 2397427 | 2015-05-14 22:42:26 -0700 | [diff] [blame] | 447 | throws RequestThrottledException { |
Xiyuan Xia | aa26294 | 2015-05-05 15:18:45 -0700 | [diff] [blame] | 448 | throwIfCalledOnMainThread(); |
Rubin Xu | 1de89b3 | 2016-11-30 20:03:13 +0000 | [diff] [blame] | 449 | return verifyCredential(password, CREDENTIAL_TYPE_PASSWORD, challenge, userId); |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 450 | } |
| 451 | |
Ricky Wai | 53940d4 | 2016-04-05 15:29:24 +0100 | [diff] [blame] | 452 | |
| 453 | /** |
| 454 | * Check to see if a password matches the saved password. |
| 455 | * If password matches, return an opaque attestation that the challenge |
| 456 | * was verified. |
| 457 | * |
| 458 | * @param password The password to check. |
| 459 | * @param challenge The challenge to verify against the password |
| 460 | * @return the attestation that the challenge was verified, or null. |
| 461 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 462 | public byte[] verifyTiedProfileChallenge(byte[] password, boolean isPattern, long challenge, |
Ricky Wai | 53940d4 | 2016-04-05 15:29:24 +0100 | [diff] [blame] | 463 | int userId) throws RequestThrottledException { |
| 464 | throwIfCalledOnMainThread(); |
| 465 | try { |
| 466 | VerifyCredentialResponse response = |
Rubin Xu | 1de89b3 | 2016-11-30 20:03:13 +0000 | [diff] [blame] | 467 | getLockSettings().verifyTiedProfileChallenge(password, |
| 468 | isPattern ? CREDENTIAL_TYPE_PATTERN : CREDENTIAL_TYPE_PASSWORD, challenge, |
Ricky Wai | 53940d4 | 2016-04-05 15:29:24 +0100 | [diff] [blame] | 469 | userId); |
| 470 | |
| 471 | if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK) { |
| 472 | return response.getPayload(); |
| 473 | } else if (response.getResponseCode() == VerifyCredentialResponse.RESPONSE_RETRY) { |
| 474 | throw new RequestThrottledException(response.getTimeout()); |
| 475 | } else { |
| 476 | return null; |
| 477 | } |
| 478 | } catch (RemoteException re) { |
| 479 | return null; |
| 480 | } |
| 481 | } |
| 482 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 483 | /** |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 484 | * |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 485 | * Check to see if a password matches the saved password. If no password exists, |
| 486 | * always returns true. |
| 487 | * @param password The password to check. |
| 488 | * @return Whether the password matches the stored one. |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 489 | */ |
Andres Morales | 2397427 | 2015-05-14 22:42:26 -0700 | [diff] [blame] | 490 | public boolean checkPassword(String password, int userId) throws RequestThrottledException { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 491 | byte[] passwordBytes = password != null ? password.getBytes() : null; |
| 492 | return checkPassword(passwordBytes, userId, null /* progressCallback */); |
| 493 | } |
| 494 | |
| 495 | |
| 496 | /** |
| 497 | * |
| 498 | * Check to see if a password matches the saved password. If no password exists, |
| 499 | * always returns true. |
| 500 | * @param password The password to check. |
| 501 | * @return Whether the password matches the stored one. |
| 502 | */ |
| 503 | public boolean checkPassword(byte[] password, int userId) throws RequestThrottledException { |
Jorim Jaggi | e8fde5d | 2016-06-30 23:41:37 -0700 | [diff] [blame] | 504 | return checkPassword(password, userId, null /* progressCallback */); |
| 505 | } |
| 506 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 507 | // TODO(b/120484642): This method is necessary for vendor/qcom code and is a hidden api |
| 508 | /* * |
| 509 | * Check to see if a password matches the saved password. If no password exists, |
| 510 | * always returns true. |
| 511 | * @param password The password to check. |
| 512 | * @return Whether the password matches the stored one. |
| 513 | */ |
| 514 | public boolean checkPassword(String password, int userId, |
| 515 | @Nullable CheckCredentialProgressCallback progressCallback) |
| 516 | throws RequestThrottledException { |
| 517 | byte[] passwordBytes = password != null ? password.getBytes() : null; |
| 518 | throwIfCalledOnMainThread(); |
| 519 | return checkCredential(passwordBytes, CREDENTIAL_TYPE_PASSWORD, userId, progressCallback); |
| 520 | |
| 521 | } |
| 522 | |
Jorim Jaggi | e8fde5d | 2016-06-30 23:41:37 -0700 | [diff] [blame] | 523 | /** |
| 524 | * Check to see if a password matches the saved password. If no password exists, |
| 525 | * always returns true. |
| 526 | * @param password The password to check. |
| 527 | * @return Whether the password matches the stored one. |
| 528 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 529 | |
| 530 | public boolean checkPassword(byte[] password, int userId, |
Jorim Jaggi | e8fde5d | 2016-06-30 23:41:37 -0700 | [diff] [blame] | 531 | @Nullable CheckCredentialProgressCallback progressCallback) |
| 532 | throws RequestThrottledException { |
Xiyuan Xia | aa26294 | 2015-05-05 15:18:45 -0700 | [diff] [blame] | 533 | throwIfCalledOnMainThread(); |
Rubin Xu | 1de89b3 | 2016-11-30 20:03:13 +0000 | [diff] [blame] | 534 | return checkCredential(password, CREDENTIAL_TYPE_PASSWORD, userId, progressCallback); |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 535 | } |
| 536 | |
| 537 | /** |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 538 | * Check to see if vold already has the password. |
| 539 | * Note that this also clears vold's copy of the password. |
| 540 | * @return Whether the vold password matches or not. |
| 541 | */ |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 542 | public boolean checkVoldPassword(int userId) { |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 543 | try { |
| 544 | return getLockSettings().checkVoldPassword(userId); |
| 545 | } catch (RemoteException re) { |
| 546 | return false; |
| 547 | } |
| 548 | } |
| 549 | |
| 550 | /** |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 551 | * Returns the password history hash factor, needed to check new password against password |
| 552 | * history with {@link #checkPasswordHistory(String, byte[], int)} |
| 553 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 554 | public byte[] getPasswordHistoryHashFactor(byte[] currentPassword, int userId) { |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 555 | try { |
| 556 | return getLockSettings().getHashFactor(currentPassword, userId); |
| 557 | } catch (RemoteException e) { |
| 558 | Log.e(TAG, "failed to get hash factor", e); |
| 559 | return null; |
| 560 | } |
| 561 | } |
| 562 | |
| 563 | /** |
Konstantin Lopyrev | 863f22d | 2010-05-12 17:16:58 -0700 | [diff] [blame] | 564 | * Check to see if a password matches any of the passwords stored in the |
| 565 | * password history. |
| 566 | * |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 567 | * @param passwordToCheck The password to check. |
| 568 | * @param hashFactor Hash factor of the current user returned from |
| 569 | * {@link ILockSettings#getHashFactor} |
Konstantin Lopyrev | 863f22d | 2010-05-12 17:16:58 -0700 | [diff] [blame] | 570 | * @return Whether the password matches any in the history. |
| 571 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 572 | public boolean checkPasswordHistory(byte[] passwordToCheck, byte[] hashFactor, int userId) { |
| 573 | if (passwordToCheck == null || passwordToCheck.length == 0) { |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 574 | Log.e(TAG, "checkPasswordHistory: empty password"); |
Konstantin Lopyrev | 3255823 | 2010-05-20 16:18:05 -0700 | [diff] [blame] | 575 | return false; |
| 576 | } |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 577 | String passwordHistory = getString(PASSWORD_HISTORY_KEY, userId); |
| 578 | if (TextUtils.isEmpty(passwordHistory)) { |
| 579 | return false; |
| 580 | } |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 581 | int passwordHistoryLength = getRequestedPasswordHistoryLength(userId); |
Konstantin Lopyrev | 3255823 | 2010-05-20 16:18:05 -0700 | [diff] [blame] | 582 | if(passwordHistoryLength == 0) { |
| 583 | return false; |
| 584 | } |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 585 | String legacyHash = legacyPasswordToHash(passwordToCheck, userId); |
| 586 | String passwordHash = passwordToHistoryHash(passwordToCheck, hashFactor, userId); |
| 587 | String[] history = passwordHistory.split(HISTORY_DELIMITER); |
| 588 | // Password History may be too long... |
| 589 | for (int i = 0; i < Math.min(passwordHistoryLength, history.length); i++) { |
| 590 | if (history[i].equals(legacyHash) || history[i].equals(passwordHash)) { |
| 591 | return true; |
| 592 | } |
Konstantin Lopyrev | 3255823 | 2010-05-20 16:18:05 -0700 | [diff] [blame] | 593 | } |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 594 | return false; |
Konstantin Lopyrev | 863f22d | 2010-05-12 17:16:58 -0700 | [diff] [blame] | 595 | } |
| 596 | |
| 597 | /** |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 598 | * Check to see if the user has stored a lock pattern. |
| 599 | * @return Whether a saved pattern exists. |
| 600 | */ |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 601 | private boolean savedPatternExists(int userId) { |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 602 | try { |
Adrian Roos | 50bfeec | 2014-11-20 16:21:11 +0100 | [diff] [blame] | 603 | return getLockSettings().havePattern(userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 604 | } catch (RemoteException re) { |
| 605 | return false; |
| 606 | } |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 607 | } |
| 608 | |
| 609 | /** |
| 610 | * Check to see if the user has stored a lock pattern. |
| 611 | * @return Whether a saved pattern exists. |
| 612 | */ |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 613 | private boolean savedPasswordExists(int userId) { |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 614 | try { |
Adrian Roos | 50bfeec | 2014-11-20 16:21:11 +0100 | [diff] [blame] | 615 | return getLockSettings().havePassword(userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 616 | } catch (RemoteException re) { |
| 617 | return false; |
| 618 | } |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 619 | } |
| 620 | |
| 621 | /** |
The Android Open Source Project | ba87e3e | 2009-03-13 13:04:22 -0700 | [diff] [blame] | 622 | * Return true if the user has ever chosen a pattern. This is true even if the pattern is |
| 623 | * currently cleared. |
| 624 | * |
| 625 | * @return True if the user has ever chosen a pattern. |
| 626 | */ |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 627 | public boolean isPatternEverChosen(int userId) { |
| 628 | return getBoolean(PATTERN_EVER_CHOSEN_KEY, false, userId); |
Adrian Roos | dce0122 | 2015-01-07 22:39:01 +0100 | [diff] [blame] | 629 | } |
| 630 | |
| 631 | /** |
Bryan Mawhinney | e483b56 | 2017-05-15 14:46:05 +0100 | [diff] [blame] | 632 | * Records that the user has chosen a pattern at some time, even if the pattern is |
| 633 | * currently cleared. |
| 634 | */ |
| 635 | public void reportPatternWasChosen(int userId) { |
| 636 | setBoolean(PATTERN_EVER_CHOSEN_KEY, true, userId); |
| 637 | } |
| 638 | |
| 639 | /** |
Adrian Roos | dce0122 | 2015-01-07 22:39:01 +0100 | [diff] [blame] | 640 | * Used by device policy manager to validate the current password |
| 641 | * information it has. |
| 642 | */ |
| 643 | public int getActivePasswordQuality(int userId) { |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 644 | int quality = getKeyguardStoredPasswordQuality(userId); |
Adrian Roos | dce0122 | 2015-01-07 22:39:01 +0100 | [diff] [blame] | 645 | |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 646 | if (isLockPasswordEnabled(quality, userId)) { |
| 647 | // Quality is a password and a password exists. Return the quality. |
| 648 | return quality; |
| 649 | } |
| 650 | |
| 651 | if (isLockPatternEnabled(quality, userId)) { |
| 652 | // Quality is a pattern and a pattern exists. Return the quality. |
| 653 | return quality; |
Dianne Hackborn | 85f2c9c | 2010-03-22 11:12:48 -0700 | [diff] [blame] | 654 | } |
Danielle Millett | c8fb532 | 2011-10-04 12:18:51 -0400 | [diff] [blame] | 655 | |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 656 | return PASSWORD_QUALITY_UNSPECIFIED; |
Dianne Hackborn | 85f2c9c | 2010-03-22 11:12:48 -0700 | [diff] [blame] | 657 | } |
Jim Miller | cd70988 | 2010-03-25 18:24:02 -0700 | [diff] [blame] | 658 | |
Dianne Hackborn | 85f2c9c | 2010-03-22 11:12:48 -0700 | [diff] [blame] | 659 | /** |
Ricky Wai | 4613fe4 | 2016-05-24 11:11:42 +0100 | [diff] [blame] | 660 | * Use it to reset keystore without wiping work profile |
| 661 | */ |
| 662 | public void resetKeyStore(int userId) { |
| 663 | try { |
| 664 | getLockSettings().resetKeyStore(userId); |
| 665 | } catch (RemoteException e) { |
| 666 | // It should not happen |
| 667 | Log.e(TAG, "Couldn't reset keystore " + e); |
| 668 | } |
| 669 | } |
| 670 | |
| 671 | /** |
Dianne Hackborn | df83afa | 2010-01-20 13:37:26 -0800 | [diff] [blame] | 672 | * Clear any lock pattern or password. |
| 673 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 674 | public void clearLock(byte[] savedCredential, int userHandle) { |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 675 | final int currentQuality = getKeyguardStoredPasswordQuality(userHandle); |
| 676 | setKeyguardStoredPasswordQuality(PASSWORD_QUALITY_UNSPECIFIED, userHandle); |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 677 | |
Rubin Xu | a55b168 | 2017-01-31 10:06:56 +0000 | [diff] [blame] | 678 | try{ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 679 | getLockSettings().setLockCredential(null, CREDENTIAL_TYPE_NONE, |
| 680 | savedCredential, PASSWORD_QUALITY_UNSPECIFIED, userHandle); |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 681 | } catch (Exception e) { |
| 682 | Log.e(TAG, "Failed to clear lock", e); |
| 683 | setKeyguardStoredPasswordQuality(currentQuality, userHandle); |
| 684 | return; |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 685 | } |
| 686 | |
Xiaohui Chen | 86c69dd | 2015-08-27 15:44:02 -0700 | [diff] [blame] | 687 | if (userHandle == UserHandle.USER_SYSTEM) { |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 688 | // Set the encryption password to default. |
| 689 | updateEncryptionPassword(StorageManager.CRYPT_TYPE_DEFAULT, null); |
Robin Lee | d39113e | 2016-01-22 15:44:49 +0000 | [diff] [blame] | 690 | setCredentialRequiredToDecrypt(false); |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 691 | } |
| 692 | |
Adrian Roos | f8f56bc | 2014-11-20 23:55:34 +0100 | [diff] [blame] | 693 | onAfterChangingPassword(userHandle); |
Dianne Hackborn | df83afa | 2010-01-20 13:37:26 -0800 | [diff] [blame] | 694 | } |
Jim Miller | 5b0fb3a | 2010-02-23 13:46:35 -0800 | [diff] [blame] | 695 | |
Dianne Hackborn | df83afa | 2010-01-20 13:37:26 -0800 | [diff] [blame] | 696 | /** |
Benjamin Franz | 51ed794 | 2015-04-07 16:34:56 +0100 | [diff] [blame] | 697 | * Disable showing lock screen at all for a given user. |
| 698 | * This is only meaningful if pattern, pin or password are not set. |
Jim Miller | 2a98a4c | 2010-11-19 18:49:26 -0800 | [diff] [blame] | 699 | * |
Benjamin Franz | 51ed794 | 2015-04-07 16:34:56 +0100 | [diff] [blame] | 700 | * @param disable Disables lock screen when true |
| 701 | * @param userId User ID of the user this has effect on |
| 702 | */ |
| 703 | public void setLockScreenDisabled(boolean disable, int userId) { |
| 704 | setBoolean(DISABLE_LOCKSCREEN_KEY, disable, userId); |
| 705 | } |
| 706 | |
| 707 | /** |
| 708 | * Determine if LockScreen is disabled for the current user. This is used to decide whether |
| 709 | * LockScreen is shown after reboot or after screen timeout / short press on power. |
| 710 | * |
| 711 | * @return true if lock screen is disabled |
Jim Miller | 2a98a4c | 2010-11-19 18:49:26 -0800 | [diff] [blame] | 712 | */ |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 713 | public boolean isLockScreenDisabled(int userId) { |
Evan Rosky | 2eff745 | 2016-06-09 12:32:33 -0700 | [diff] [blame] | 714 | if (isSecure(userId)) { |
| 715 | return false; |
| 716 | } |
| 717 | boolean disabledByDefault = mContext.getResources().getBoolean( |
| 718 | com.android.internal.R.bool.config_disableLockscreenByDefault); |
| 719 | boolean isSystemUser = UserManager.isSplitSystemUser() && userId == UserHandle.USER_SYSTEM; |
Christine Franks | 5856be8 | 2017-06-23 18:12:46 -0700 | [diff] [blame] | 720 | UserInfo userInfo = getUserManager().getUserInfo(userId); |
| 721 | boolean isDemoUser = UserManager.isDeviceInDemoMode(mContext) && userInfo != null |
| 722 | && userInfo.isDemo(); |
Evan Rosky | 2eff745 | 2016-06-09 12:32:33 -0700 | [diff] [blame] | 723 | return getBoolean(DISABLE_LOCKSCREEN_KEY, false, userId) |
Christine Franks | 5856be8 | 2017-06-23 18:12:46 -0700 | [diff] [blame] | 724 | || (disabledByDefault && !isSystemUser) |
| 725 | || isDemoUser; |
Jim Miller | 2a98a4c | 2010-11-19 18:49:26 -0800 | [diff] [blame] | 726 | } |
| 727 | |
| 728 | /** |
Jim Miller | 6edf263 | 2011-09-05 16:03:14 -0700 | [diff] [blame] | 729 | * Save a lock pattern. |
| 730 | * @param pattern The new pattern to save. |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 731 | * @param userId the user whose pattern is to be saved. |
Danielle Millett | 2364a22 | 2011-12-21 17:02:32 -0500 | [diff] [blame] | 732 | */ |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 733 | public void saveLockPattern(List<LockPatternView.Cell> pattern, int userId) { |
| 734 | this.saveLockPattern(pattern, null, userId); |
| 735 | } |
Danielle Millett | 2364a22 | 2011-12-21 17:02:32 -0500 | [diff] [blame] | 736 | /** |
| 737 | * Save a lock pattern. |
| 738 | * @param pattern The new pattern to save. |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 739 | * @param savedPattern The previously saved pattern, converted to byte[] format |
Adrian Roos | f8f56bc | 2014-11-20 23:55:34 +0100 | [diff] [blame] | 740 | * @param userId the user whose pattern is to be saved. |
| 741 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 742 | public void saveLockPattern(List<LockPatternView.Cell> pattern, byte[] savedPattern, |
| 743 | int userId) { |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 744 | if (!hasSecureLockScreen()) { |
| 745 | throw new UnsupportedOperationException( |
| 746 | "This operation requires the lock screen feature."); |
| 747 | } |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 748 | if (pattern == null || pattern.size() < MIN_LOCK_PATTERN_SIZE) { |
| 749 | throw new IllegalArgumentException("pattern must not be null and at least " |
| 750 | + MIN_LOCK_PATTERN_SIZE + " dots long."); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 751 | } |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 752 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 753 | final byte[] bytePattern = patternToByteArray(pattern); |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 754 | final int currentQuality = getKeyguardStoredPasswordQuality(userId); |
| 755 | setKeyguardStoredPasswordQuality(PASSWORD_QUALITY_SOMETHING, userId); |
| 756 | try { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 757 | getLockSettings().setLockCredential(bytePattern, CREDENTIAL_TYPE_PATTERN, savedPattern, |
| 758 | PASSWORD_QUALITY_SOMETHING, userId); |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 759 | } catch (Exception e) { |
| 760 | Log.e(TAG, "Couldn't save lock pattern", e); |
| 761 | setKeyguardStoredPasswordQuality(currentQuality, userId); |
| 762 | return; |
| 763 | } |
| 764 | // Update the device encryption password. |
| 765 | if (userId == UserHandle.USER_SYSTEM |
| 766 | && LockPatternUtils.isDeviceEncryptionEnabled()) { |
| 767 | if (!shouldEncryptWithCredentials(true)) { |
| 768 | clearEncryptionPassword(); |
| 769 | } else { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 770 | updateEncryptionPassword(StorageManager.CRYPT_TYPE_PATTERN, bytePattern); |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 771 | } |
| 772 | } |
| 773 | |
| 774 | reportPatternWasChosen(userId); |
| 775 | onAfterChangingPassword(userId); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 776 | } |
| 777 | |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 778 | private void updateCryptoUserInfo(int userId) { |
Xiaohui Chen | 86c69dd | 2015-08-27 15:44:02 -0700 | [diff] [blame] | 779 | if (userId != UserHandle.USER_SYSTEM) { |
Paul Lawrence | e51dcf9 | 2014-03-18 10:56:00 -0700 | [diff] [blame] | 780 | return; |
| 781 | } |
| 782 | |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 783 | final String ownerInfo = isOwnerInfoEnabled(userId) ? getOwnerInfo(userId) : ""; |
Paul Lawrence | e51dcf9 | 2014-03-18 10:56:00 -0700 | [diff] [blame] | 784 | |
| 785 | IBinder service = ServiceManager.getService("mount"); |
| 786 | if (service == null) { |
| 787 | Log.e(TAG, "Could not find the mount service to update the user info"); |
| 788 | return; |
| 789 | } |
| 790 | |
Sudheer Shanka | 2250d56 | 2016-11-07 15:41:02 -0800 | [diff] [blame] | 791 | IStorageManager storageManager = IStorageManager.Stub.asInterface(service); |
Paul Lawrence | e51dcf9 | 2014-03-18 10:56:00 -0700 | [diff] [blame] | 792 | try { |
| 793 | Log.d(TAG, "Setting owner info"); |
Sudheer Shanka | 2250d56 | 2016-11-07 15:41:02 -0800 | [diff] [blame] | 794 | storageManager.setField(StorageManager.OWNER_INFO_KEY, ownerInfo); |
Paul Lawrence | e51dcf9 | 2014-03-18 10:56:00 -0700 | [diff] [blame] | 795 | } catch (RemoteException e) { |
| 796 | Log.e(TAG, "Error changing user info", e); |
| 797 | } |
| 798 | } |
| 799 | |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 800 | public void setOwnerInfo(String info, int userId) { |
| 801 | setString(LOCK_SCREEN_OWNER_INFO, info, userId); |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 802 | updateCryptoUserInfo(userId); |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 803 | } |
| 804 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 805 | public void setOwnerInfoEnabled(boolean enabled, int userId) { |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 806 | setBoolean(LOCK_SCREEN_OWNER_INFO_ENABLED, enabled, userId); |
| 807 | updateCryptoUserInfo(userId); |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 808 | } |
| 809 | |
| 810 | public String getOwnerInfo(int userId) { |
Adrian Roos | dce0122 | 2015-01-07 22:39:01 +0100 | [diff] [blame] | 811 | return getString(LOCK_SCREEN_OWNER_INFO, userId); |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 812 | } |
| 813 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 814 | public boolean isOwnerInfoEnabled(int userId) { |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 815 | return getBoolean(LOCK_SCREEN_OWNER_INFO_ENABLED, false, userId); |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 816 | } |
| 817 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 818 | /** |
Andrei Stingaceanu | 6644cd9 | 2015-11-10 13:03:31 +0000 | [diff] [blame] | 819 | * Sets the device owner information. If the information is {@code null} or empty then the |
| 820 | * device owner info is cleared. |
| 821 | * |
| 822 | * @param info Device owner information which will be displayed instead of the user |
| 823 | * owner info. |
| 824 | */ |
| 825 | public void setDeviceOwnerInfo(String info) { |
| 826 | if (info != null && info.isEmpty()) { |
| 827 | info = null; |
| 828 | } |
| 829 | |
| 830 | setString(LOCK_SCREEN_DEVICE_OWNER_INFO, info, UserHandle.USER_SYSTEM); |
| 831 | } |
| 832 | |
| 833 | public String getDeviceOwnerInfo() { |
| 834 | return getString(LOCK_SCREEN_DEVICE_OWNER_INFO, UserHandle.USER_SYSTEM); |
| 835 | } |
| 836 | |
| 837 | public boolean isDeviceOwnerInfoEnabled() { |
| 838 | return getDeviceOwnerInfo() != null; |
| 839 | } |
| 840 | |
Jason parks | f7b3cd4 | 2011-01-27 09:28:25 -0600 | [diff] [blame] | 841 | /** Update the encryption password if it is enabled **/ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 842 | private void updateEncryptionPassword(final int type, final byte[] password) { |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 843 | if (!hasSecureLockScreen()) { |
| 844 | throw new UnsupportedOperationException( |
| 845 | "This operation requires the lock screen feature."); |
| 846 | } |
Amith Yamasani | cd410ba | 2014-10-17 11:16:58 -0700 | [diff] [blame] | 847 | if (!isDeviceEncryptionEnabled()) { |
Jason parks | f7b3cd4 | 2011-01-27 09:28:25 -0600 | [diff] [blame] | 848 | return; |
| 849 | } |
Paul Lawrence | 3a5a0be | 2014-09-25 09:26:34 -0700 | [diff] [blame] | 850 | final IBinder service = ServiceManager.getService("mount"); |
Jason parks | f7b3cd4 | 2011-01-27 09:28:25 -0600 | [diff] [blame] | 851 | if (service == null) { |
| 852 | Log.e(TAG, "Could not find the mount service to update the encryption password"); |
| 853 | return; |
| 854 | } |
| 855 | |
Paul Lawrence | 3a5a0be | 2014-09-25 09:26:34 -0700 | [diff] [blame] | 856 | new AsyncTask<Void, Void, Void>() { |
| 857 | @Override |
| 858 | protected Void doInBackground(Void... dummy) { |
Sudheer Shanka | 2250d56 | 2016-11-07 15:41:02 -0800 | [diff] [blame] | 859 | IStorageManager storageManager = IStorageManager.Stub.asInterface(service); |
Paul Lawrence | 3a5a0be | 2014-09-25 09:26:34 -0700 | [diff] [blame] | 860 | try { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 861 | // TODO(b/120484642): This is a location where we still use a String for vold |
| 862 | String passwordString = password != null ? new String(password) : null; |
| 863 | storageManager.changeEncryptionPassword(type, passwordString); |
Paul Lawrence | 3a5a0be | 2014-09-25 09:26:34 -0700 | [diff] [blame] | 864 | } catch (RemoteException e) { |
| 865 | Log.e(TAG, "Error changing encryption password", e); |
| 866 | } |
| 867 | return null; |
| 868 | } |
| 869 | }.execute(); |
Jason parks | f7b3cd4 | 2011-01-27 09:28:25 -0600 | [diff] [blame] | 870 | } |
| 871 | |
Dianne Hackborn | 9327f4f | 2010-01-29 10:38:29 -0800 | [diff] [blame] | 872 | /** |
Jim Miller | cd70988 | 2010-03-25 18:24:02 -0700 | [diff] [blame] | 873 | * Save a lock password. Does not ensure that the password is as good |
Dianne Hackborn | 9327f4f | 2010-01-29 10:38:29 -0800 | [diff] [blame] | 874 | * as the requested mode, but will adjust the mode to be as good as the |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 875 | * password. |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 876 | * @param password The password to save |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 877 | * @param savedPassword The previously saved lock password, or null if none |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 878 | * @param requestedQuality {@see DevicePolicyManager#getPasswordQuality(android.content.ComponentName)} |
Amith Yamasani | 599dd7c | 2012-09-14 23:20:08 -0700 | [diff] [blame] | 879 | * @param userHandle The userId of the user to change the password for |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 880 | * |
| 881 | * @deprecated Pass password as a byte array |
Amith Yamasani | 599dd7c | 2012-09-14 23:20:08 -0700 | [diff] [blame] | 882 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 883 | @Deprecated |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 884 | public void saveLockPassword(String password, String savedPassword, int requestedQuality, |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 885 | int userHandle) { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 886 | byte[] passwordBytes = password != null ? password.getBytes() : null; |
| 887 | byte[] savedPasswordBytes = savedPassword != null ? savedPassword.getBytes() : null; |
| 888 | saveLockPassword(passwordBytes, savedPasswordBytes, requestedQuality, userHandle); |
| 889 | } |
| 890 | |
| 891 | /** |
| 892 | * Save a lock password. Does not ensure that the password is as good |
| 893 | * as the requested mode, but will adjust the mode to be as good as the |
| 894 | * password. |
| 895 | * @param password The password to save |
| 896 | * @param savedPassword The previously saved lock password, or null if none |
| 897 | * @param requestedQuality {@see DevicePolicyManager#getPasswordQuality( |
| 898 | * android.content.ComponentName)} |
| 899 | * @param userHandle The userId of the user to change the password for |
| 900 | */ |
| 901 | public void saveLockPassword(byte[] password, byte[] savedPassword, int requestedQuality, |
| 902 | int userHandle) { |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 903 | if (!hasSecureLockScreen()) { |
| 904 | throw new UnsupportedOperationException( |
| 905 | "This operation requires the lock screen feature."); |
| 906 | } |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 907 | if (password == null || password.length < MIN_LOCK_PASSWORD_SIZE) { |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 908 | throw new IllegalArgumentException("password must not be null and at least " |
| 909 | + "of length " + MIN_LOCK_PASSWORD_SIZE); |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 910 | } |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 911 | |
Adrian Roos | ebf84c2 | 2018-12-06 17:50:41 +0100 | [diff] [blame] | 912 | if (requestedQuality < PASSWORD_QUALITY_NUMERIC) { |
| 913 | throw new IllegalArgumentException("quality must be at least NUMERIC, but was " |
| 914 | + requestedQuality); |
| 915 | } |
| 916 | |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 917 | final int currentQuality = getKeyguardStoredPasswordQuality(userHandle); |
| 918 | setKeyguardStoredPasswordQuality( |
| 919 | computePasswordQuality(CREDENTIAL_TYPE_PASSWORD, password, requestedQuality), |
| 920 | userHandle); |
| 921 | try { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 922 | getLockSettings().setLockCredential(password, CREDENTIAL_TYPE_PASSWORD, savedPassword, |
| 923 | requestedQuality, userHandle); |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 924 | } catch (Exception e) { |
| 925 | Log.e(TAG, "Unable to save lock password", e); |
| 926 | setKeyguardStoredPasswordQuality(currentQuality, userHandle); |
| 927 | return; |
| 928 | } |
| 929 | |
| 930 | updateEncryptionPasswordIfNeeded(password, |
| 931 | PasswordMetrics.computeForPassword(password).quality, userHandle); |
| 932 | updatePasswordHistory(password, userHandle); |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 933 | onAfterChangingPassword(userHandle); |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 934 | } |
| 935 | |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 936 | /** |
| 937 | * Update device encryption password if calling user is USER_SYSTEM and device supports |
| 938 | * encryption. |
| 939 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 940 | private void updateEncryptionPasswordIfNeeded(byte[] password, int quality, int userHandle) { |
Rubin Xu | a55b168 | 2017-01-31 10:06:56 +0000 | [diff] [blame] | 941 | // Update the device encryption password. |
| 942 | if (userHandle == UserHandle.USER_SYSTEM |
| 943 | && LockPatternUtils.isDeviceEncryptionEnabled()) { |
| 944 | if (!shouldEncryptWithCredentials(true)) { |
| 945 | clearEncryptionPassword(); |
| 946 | } else { |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 947 | boolean numeric = quality == PASSWORD_QUALITY_NUMERIC; |
| 948 | boolean numericComplex = quality == PASSWORD_QUALITY_NUMERIC_COMPLEX; |
Rubin Xu | a55b168 | 2017-01-31 10:06:56 +0000 | [diff] [blame] | 949 | int type = numeric || numericComplex ? StorageManager.CRYPT_TYPE_PIN |
| 950 | : StorageManager.CRYPT_TYPE_PASSWORD; |
| 951 | updateEncryptionPassword(type, password); |
| 952 | } |
| 953 | } |
| 954 | } |
| 955 | |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 956 | /** |
| 957 | * Store the hash of the *current* password in the password history list, if device policy |
| 958 | * enforces password history requirement. |
| 959 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 960 | private void updatePasswordHistory(byte[] password, int userHandle) { |
| 961 | if (password == null || password.length == 0) { |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 962 | Log.e(TAG, "checkPasswordHistory: empty password"); |
| 963 | return; |
| 964 | } |
Rubin Xu | a55b168 | 2017-01-31 10:06:56 +0000 | [diff] [blame] | 965 | // Add the password to the password history. We assume all |
| 966 | // password hashes have the same length for simplicity of implementation. |
| 967 | String passwordHistory = getString(PASSWORD_HISTORY_KEY, userHandle); |
| 968 | if (passwordHistory == null) { |
| 969 | passwordHistory = ""; |
| 970 | } |
| 971 | int passwordHistoryLength = getRequestedPasswordHistoryLength(userHandle); |
| 972 | if (passwordHistoryLength == 0) { |
| 973 | passwordHistory = ""; |
| 974 | } else { |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 975 | final byte[] hashFactor = getPasswordHistoryHashFactor(password, userHandle); |
| 976 | String hash = passwordToHistoryHash(password, hashFactor, userHandle); |
| 977 | if (hash == null) { |
| 978 | Log.e(TAG, "Compute new style password hash failed, fallback to legacy style"); |
| 979 | hash = legacyPasswordToHash(password, userHandle); |
| 980 | } |
| 981 | if (TextUtils.isEmpty(passwordHistory)) { |
| 982 | passwordHistory = hash; |
| 983 | } else { |
| 984 | String[] history = passwordHistory.split(HISTORY_DELIMITER); |
| 985 | StringJoiner joiner = new StringJoiner(HISTORY_DELIMITER); |
| 986 | joiner.add(hash); |
| 987 | for (int i = 0; i < passwordHistoryLength - 1 && i < history.length; i++) { |
| 988 | joiner.add(history[i]); |
| 989 | } |
| 990 | passwordHistory = joiner.toString(); |
| 991 | } |
Rubin Xu | a55b168 | 2017-01-31 10:06:56 +0000 | [diff] [blame] | 992 | } |
| 993 | setString(PASSWORD_HISTORY_KEY, passwordHistory, userHandle); |
Rubin Xu | a55b168 | 2017-01-31 10:06:56 +0000 | [diff] [blame] | 994 | } |
| 995 | |
Jim Miller | cd70988 | 2010-03-25 18:24:02 -0700 | [diff] [blame] | 996 | /** |
Jim Miller | 6848dc8 | 2014-10-13 18:51:53 -0700 | [diff] [blame] | 997 | * Determine if the device supports encryption, even if it's set to default. This |
| 998 | * differs from isDeviceEncrypted() in that it returns true even if the device is |
| 999 | * encrypted with the default password. |
| 1000 | * @return true if device encryption is enabled |
| 1001 | */ |
| 1002 | public static boolean isDeviceEncryptionEnabled() { |
Paul Lawrence | 20be5d6 | 2016-02-26 13:51:17 -0800 | [diff] [blame] | 1003 | return StorageManager.isEncrypted(); |
Jim Miller | 6848dc8 | 2014-10-13 18:51:53 -0700 | [diff] [blame] | 1004 | } |
| 1005 | |
| 1006 | /** |
Paul Lawrence | 5c21c70 | 2016-01-29 13:26:19 -0800 | [diff] [blame] | 1007 | * Determine if the device is file encrypted |
| 1008 | * @return true if device is file encrypted |
| 1009 | */ |
| 1010 | public static boolean isFileEncryptionEnabled() { |
Paul Lawrence | 20be5d6 | 2016-02-26 13:51:17 -0800 | [diff] [blame] | 1011 | return StorageManager.isFileEncryptedNativeOrEmulated(); |
Paul Lawrence | 5c21c70 | 2016-01-29 13:26:19 -0800 | [diff] [blame] | 1012 | } |
| 1013 | |
| 1014 | /** |
Svetoslav | 16e4a1a | 2014-09-29 18:16:20 -0700 | [diff] [blame] | 1015 | * Clears the encryption password. |
| 1016 | */ |
| 1017 | public void clearEncryptionPassword() { |
| 1018 | updateEncryptionPassword(StorageManager.CRYPT_TYPE_DEFAULT, null); |
| 1019 | } |
| 1020 | |
| 1021 | /** |
Adrian Roos | 1572ee3 | 2014-09-01 16:24:32 +0200 | [diff] [blame] | 1022 | * Retrieves the quality mode for {@param userHandle}. |
| 1023 | * {@see DevicePolicyManager#getPasswordQuality(android.content.ComponentName)} |
| 1024 | * |
| 1025 | * @return stored password quality |
| 1026 | */ |
| 1027 | public int getKeyguardStoredPasswordQuality(int userHandle) { |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 1028 | return (int) getLong(PASSWORD_TYPE_KEY, PASSWORD_QUALITY_UNSPECIFIED, userHandle); |
| 1029 | } |
| 1030 | |
| 1031 | private void setKeyguardStoredPasswordQuality(int quality, int userHandle) { |
| 1032 | setLong(PASSWORD_TYPE_KEY, quality, userHandle); |
Jim Miller | 6edf263 | 2011-09-05 16:03:14 -0700 | [diff] [blame] | 1033 | } |
| 1034 | |
Danielle Millett | 5839698 | 2011-09-30 13:55:07 -0400 | [diff] [blame] | 1035 | /** |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 1036 | * Returns the password quality of the given credential, promoting it to a higher level |
| 1037 | * if DevicePolicyManager has a stronger quality requirement. This value will be written |
| 1038 | * to PASSWORD_TYPE_KEY. |
| 1039 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1040 | private int computePasswordQuality(int type, byte[] credential, int requestedQuality) { |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 1041 | final int quality; |
| 1042 | if (type == CREDENTIAL_TYPE_PASSWORD) { |
| 1043 | int computedQuality = PasswordMetrics.computeForPassword(credential).quality; |
| 1044 | quality = Math.max(requestedQuality, computedQuality); |
| 1045 | } else if (type == CREDENTIAL_TYPE_PATTERN) { |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 1046 | quality = PASSWORD_QUALITY_SOMETHING; |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 1047 | } else /* if (type == CREDENTIAL_TYPE_NONE) */ { |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 1048 | quality = PASSWORD_QUALITY_UNSPECIFIED; |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 1049 | } |
| 1050 | return quality; |
| 1051 | } |
| 1052 | |
| 1053 | /** |
Clara Bayarri | a177111 | 2015-12-18 16:29:18 +0000 | [diff] [blame] | 1054 | * Enables/disables the Separate Profile Challenge for this {@param userHandle}. This is a no-op |
| 1055 | * for user handles that do not belong to a managed profile. |
Ricky Wai | dc283a8 | 2016-03-24 19:55:08 +0000 | [diff] [blame] | 1056 | * |
| 1057 | * @param userHandle Managed profile user id |
| 1058 | * @param enabled True if separate challenge is enabled |
| 1059 | * @param managedUserPassword Managed profile previous password. Null when {@param enabled} is |
| 1060 | * true |
Clara Bayarri | a177111 | 2015-12-18 16:29:18 +0000 | [diff] [blame] | 1061 | */ |
Ricky Wai | dc283a8 | 2016-03-24 19:55:08 +0000 | [diff] [blame] | 1062 | public void setSeparateProfileChallengeEnabled(int userHandle, boolean enabled, |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1063 | byte[] managedUserPassword) { |
Pavel Grafov | b319125 | 2017-07-14 12:30:31 +0100 | [diff] [blame] | 1064 | if (!isManagedProfile(userHandle)) { |
| 1065 | return; |
| 1066 | } |
| 1067 | try { |
| 1068 | getLockSettings().setSeparateProfileChallengeEnabled(userHandle, enabled, |
| 1069 | managedUserPassword); |
| 1070 | onAfterChangingPassword(userHandle); |
| 1071 | } catch (RemoteException e) { |
| 1072 | Log.e(TAG, "Couldn't update work profile challenge enabled"); |
Clara Bayarri | a177111 | 2015-12-18 16:29:18 +0000 | [diff] [blame] | 1073 | } |
| 1074 | } |
| 1075 | |
| 1076 | /** |
Pavel Grafov | b319125 | 2017-07-14 12:30:31 +0100 | [diff] [blame] | 1077 | * Returns true if {@param userHandle} is a managed profile with separate challenge. |
Clara Bayarri | a177111 | 2015-12-18 16:29:18 +0000 | [diff] [blame] | 1078 | */ |
| 1079 | public boolean isSeparateProfileChallengeEnabled(int userHandle) { |
Pavel Grafov | b319125 | 2017-07-14 12:30:31 +0100 | [diff] [blame] | 1080 | return isManagedProfile(userHandle) && hasSeparateChallenge(userHandle); |
| 1081 | } |
| 1082 | |
| 1083 | /** |
| 1084 | * Returns true if {@param userHandle} is a managed profile with unified challenge. |
| 1085 | */ |
| 1086 | public boolean isManagedProfileWithUnifiedChallenge(int userHandle) { |
| 1087 | return isManagedProfile(userHandle) && !hasSeparateChallenge(userHandle); |
| 1088 | } |
| 1089 | |
| 1090 | /** |
| 1091 | * Retrieves whether the current DPM allows use of the Profile Challenge. |
| 1092 | */ |
| 1093 | public boolean isSeparateProfileChallengeAllowed(int userHandle) { |
| 1094 | return isManagedProfile(userHandle) |
| 1095 | && getDevicePolicyManager().isSeparateProfileChallengeAllowed(userHandle); |
| 1096 | } |
| 1097 | |
| 1098 | /** |
| 1099 | * Retrieves whether the current profile and device locks can be unified. |
Pavel Grafov | c4f87e9 | 2017-10-26 16:34:25 +0100 | [diff] [blame] | 1100 | * @param userHandle profile user handle. |
Pavel Grafov | b319125 | 2017-07-14 12:30:31 +0100 | [diff] [blame] | 1101 | */ |
| 1102 | public boolean isSeparateProfileChallengeAllowedToUnify(int userHandle) { |
Pavel Grafov | c4f87e9 | 2017-10-26 16:34:25 +0100 | [diff] [blame] | 1103 | return getDevicePolicyManager().isProfileActivePasswordSufficientForParent(userHandle) |
| 1104 | && !getUserManager().hasUserRestriction( |
| 1105 | UserManager.DISALLOW_UNIFIED_PASSWORD, UserHandle.of(userHandle)); |
Pavel Grafov | b319125 | 2017-07-14 12:30:31 +0100 | [diff] [blame] | 1106 | } |
| 1107 | |
| 1108 | private boolean hasSeparateChallenge(int userHandle) { |
Ricky Wai | dc283a8 | 2016-03-24 19:55:08 +0000 | [diff] [blame] | 1109 | try { |
| 1110 | return getLockSettings().getSeparateProfileChallengeEnabled(userHandle); |
| 1111 | } catch (RemoteException e) { |
| 1112 | Log.e(TAG, "Couldn't get separate profile challenge enabled"); |
| 1113 | // Default value is false |
| 1114 | return false; |
| 1115 | } |
Clara Bayarri | a177111 | 2015-12-18 16:29:18 +0000 | [diff] [blame] | 1116 | } |
| 1117 | |
Pavel Grafov | b319125 | 2017-07-14 12:30:31 +0100 | [diff] [blame] | 1118 | private boolean isManagedProfile(int userHandle) { |
| 1119 | final UserInfo info = getUserManager().getUserInfo(userHandle); |
| 1120 | return info != null && info.isManagedProfile(); |
Clara Bayarri | d769391 | 2016-01-22 17:26:31 +0000 | [diff] [blame] | 1121 | } |
| 1122 | |
| 1123 | /** |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1124 | * Deserialize a pattern. |
| 1125 | * @param string The pattern serialized with {@link #patternToString} |
| 1126 | * @return The pattern. |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1127 | * @deprecated Pass patterns as byte[] and use byteArrayToPattern |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1128 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1129 | @Deprecated |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1130 | public static List<LockPatternView.Cell> stringToPattern(String string) { |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 1131 | if (string == null) { |
| 1132 | return null; |
| 1133 | } |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1134 | return byteArrayToPattern(string.getBytes()); |
| 1135 | } |
| 1136 | |
| 1137 | /** |
| 1138 | * Deserialize a pattern. |
| 1139 | * @param bytes The pattern serialized with {@link #patternToByteArray} |
| 1140 | * @return The pattern. |
| 1141 | */ |
| 1142 | public static List<LockPatternView.Cell> byteArrayToPattern(byte[] bytes) { |
| 1143 | if (bytes == null) { |
| 1144 | return null; |
| 1145 | } |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 1146 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1147 | List<LockPatternView.Cell> result = Lists.newArrayList(); |
| 1148 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1149 | for (int i = 0; i < bytes.length; i++) { |
Andres Morales | e40bad8 | 2015-05-28 14:21:36 -0700 | [diff] [blame] | 1150 | byte b = (byte) (bytes[i] - '1'); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1151 | result.add(LockPatternView.Cell.of(b / 3, b % 3)); |
| 1152 | } |
| 1153 | return result; |
| 1154 | } |
| 1155 | |
| 1156 | /** |
| 1157 | * Serialize a pattern. |
| 1158 | * @param pattern The pattern. |
| 1159 | * @return The pattern in string form. |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1160 | * @deprecated Use patternToByteArray instead. |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1161 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1162 | @Deprecated |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1163 | public static String patternToString(List<LockPatternView.Cell> pattern) { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1164 | return new String(patternToByteArray(pattern)); |
| 1165 | } |
| 1166 | |
| 1167 | |
| 1168 | /** |
| 1169 | * Serialize a pattern. |
| 1170 | * @param pattern The pattern. |
| 1171 | * @return The pattern in byte array form. |
| 1172 | */ |
| 1173 | public static byte[] patternToByteArray(List<LockPatternView.Cell> pattern) { |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1174 | if (pattern == null) { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1175 | return new byte[0]; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1176 | } |
| 1177 | final int patternSize = pattern.size(); |
| 1178 | |
| 1179 | byte[] res = new byte[patternSize]; |
| 1180 | for (int i = 0; i < patternSize; i++) { |
| 1181 | LockPatternView.Cell cell = pattern.get(i); |
Andres Morales | e40bad8 | 2015-05-28 14:21:36 -0700 | [diff] [blame] | 1182 | res[i] = (byte) (cell.getRow() * 3 + cell.getColumn() + '1'); |
| 1183 | } |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1184 | return res; |
Andres Morales | e40bad8 | 2015-05-28 14:21:36 -0700 | [diff] [blame] | 1185 | } |
| 1186 | |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1187 | /** |
| 1188 | * Transform a pattern byte array to base zero form. |
| 1189 | * @param bytes pattern byte array. |
| 1190 | * @return The pattern in base zero form. |
| 1191 | */ |
| 1192 | public static byte[] patternByteArrayToBaseZero(byte[] bytes) { |
| 1193 | if (bytes == null) { |
| 1194 | return new byte[0]; |
Andres Morales | e40bad8 | 2015-05-28 14:21:36 -0700 | [diff] [blame] | 1195 | } |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1196 | final int patternSize = bytes.length; |
Andres Morales | e40bad8 | 2015-05-28 14:21:36 -0700 | [diff] [blame] | 1197 | byte[] res = new byte[patternSize]; |
Andres Morales | e40bad8 | 2015-05-28 14:21:36 -0700 | [diff] [blame] | 1198 | for (int i = 0; i < patternSize; i++) { |
| 1199 | res[i] = (byte) (bytes[i] - '1'); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1200 | } |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1201 | return res; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1202 | } |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1203 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1204 | /* |
| 1205 | * Generate an SHA-1 hash for the pattern. Not the most secure, but it is |
| 1206 | * at least a second level of protection. First level is that the file |
| 1207 | * is in a location only readable by the system process. |
| 1208 | * @param pattern the gesture pattern. |
| 1209 | * @return the hash of the pattern in a byte array. |
| 1210 | */ |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 1211 | public static byte[] patternToHash(List<LockPatternView.Cell> pattern) { |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1212 | if (pattern == null) { |
| 1213 | return null; |
| 1214 | } |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1215 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1216 | final int patternSize = pattern.size(); |
| 1217 | byte[] res = new byte[patternSize]; |
| 1218 | for (int i = 0; i < patternSize; i++) { |
| 1219 | LockPatternView.Cell cell = pattern.get(i); |
| 1220 | res[i] = (byte) (cell.getRow() * 3 + cell.getColumn()); |
| 1221 | } |
| 1222 | try { |
| 1223 | MessageDigest md = MessageDigest.getInstance("SHA-1"); |
| 1224 | byte[] hash = md.digest(res); |
| 1225 | return hash; |
| 1226 | } catch (NoSuchAlgorithmException nsa) { |
| 1227 | return res; |
| 1228 | } |
| 1229 | } |
| 1230 | |
Geoffrey Borggaard | 987672d2 | 2014-07-18 16:47:18 -0400 | [diff] [blame] | 1231 | private String getSalt(int userId) { |
| 1232 | long salt = getLong(LOCK_PASSWORD_SALT_KEY, 0, userId); |
Jim Miller | 11b019d | 2010-01-20 16:34:45 -0800 | [diff] [blame] | 1233 | if (salt == 0) { |
| 1234 | try { |
| 1235 | salt = SecureRandom.getInstance("SHA1PRNG").nextLong(); |
Geoffrey Borggaard | 987672d2 | 2014-07-18 16:47:18 -0400 | [diff] [blame] | 1236 | setLong(LOCK_PASSWORD_SALT_KEY, salt, userId); |
| 1237 | Log.v(TAG, "Initialized lock password salt for user: " + userId); |
Jim Miller | 11b019d | 2010-01-20 16:34:45 -0800 | [diff] [blame] | 1238 | } catch (NoSuchAlgorithmException e) { |
| 1239 | // Throw an exception rather than storing a password we'll never be able to recover |
| 1240 | throw new IllegalStateException("Couldn't get SecureRandom number", e); |
| 1241 | } |
| 1242 | } |
| 1243 | return Long.toHexString(salt); |
| 1244 | } |
| 1245 | |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 1246 | /** |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1247 | * Generate a hash for the given password. To avoid brute force attacks, we use a salted hash. |
| 1248 | * Not the most secure, but it is at least a second level of protection. First level is that |
| 1249 | * the file is in a location only readable by the system process. |
Narayan Kamath | 78108a3 | 2014-12-16 12:56:23 +0000 | [diff] [blame] | 1250 | * |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1251 | * @param password the gesture pattern. |
Narayan Kamath | 78108a3 | 2014-12-16 12:56:23 +0000 | [diff] [blame] | 1252 | * |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1253 | * @return the hash of the pattern in a byte array. |
| 1254 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1255 | public String legacyPasswordToHash(byte[] password, int userId) { |
| 1256 | if (password == null || password.length == 0) { |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1257 | return null; |
| 1258 | } |
Narayan Kamath | 78108a3 | 2014-12-16 12:56:23 +0000 | [diff] [blame] | 1259 | |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1260 | try { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1261 | // Previously the password was passed as a String with the following code: |
| 1262 | // byte[] saltedPassword = (password + getSalt(userId)).getBytes(); |
| 1263 | // The code below creates the identical digest preimage using byte arrays: |
| 1264 | byte[] salt = getSalt(userId).getBytes(); |
| 1265 | byte[] saltedPassword = Arrays.copyOf(password, password.length + salt.length); |
| 1266 | System.arraycopy(salt, 0, saltedPassword, password.length, salt.length); |
Narayan Kamath | 78108a3 | 2014-12-16 12:56:23 +0000 | [diff] [blame] | 1267 | byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(saltedPassword); |
| 1268 | byte[] md5 = MessageDigest.getInstance("MD5").digest(saltedPassword); |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1269 | |
Narayan Kamath | 78108a3 | 2014-12-16 12:56:23 +0000 | [diff] [blame] | 1270 | byte[] combined = new byte[sha1.length + md5.length]; |
| 1271 | System.arraycopy(sha1, 0, combined, 0, sha1.length); |
| 1272 | System.arraycopy(md5, 0, combined, sha1.length, md5.length); |
| 1273 | |
| 1274 | final char[] hexEncoded = HexEncoding.encode(combined); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1275 | Arrays.fill(saltedPassword, (byte) 0); |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 1276 | return new String(hexEncoded); |
| 1277 | } catch (NoSuchAlgorithmException e) { |
| 1278 | throw new AssertionError("Missing digest algorithm: ", e); |
| 1279 | } |
| 1280 | } |
| 1281 | |
| 1282 | /** |
| 1283 | * Hash the password for password history check purpose. |
| 1284 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1285 | private String passwordToHistoryHash(byte[] passwordToHash, byte[] hashFactor, int userId) { |
| 1286 | if (passwordToHash == null || passwordToHash.length == 0 || hashFactor == null) { |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 1287 | return null; |
| 1288 | } |
| 1289 | try { |
| 1290 | MessageDigest sha256 = MessageDigest.getInstance("SHA-256"); |
| 1291 | sha256.update(hashFactor); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1292 | byte[] salt = getSalt(userId).getBytes(); |
| 1293 | byte[] saltedPassword = Arrays.copyOf(passwordToHash, passwordToHash.length |
| 1294 | + salt.length); |
| 1295 | System.arraycopy(salt, 0, saltedPassword, passwordToHash.length, salt.length); |
| 1296 | sha256.update(saltedPassword); |
| 1297 | Arrays.fill(saltedPassword, (byte) 0); |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 1298 | return new String(HexEncoding.encode(sha256.digest())); |
Narayan Kamath | 78108a3 | 2014-12-16 12:56:23 +0000 | [diff] [blame] | 1299 | } catch (NoSuchAlgorithmException e) { |
| 1300 | throw new AssertionError("Missing digest algorithm: ", e); |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1301 | } |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1302 | } |
| 1303 | |
| 1304 | /** |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 1305 | * @param userId the user for which to report the value |
| 1306 | * @return Whether the lock screen is secured. |
| 1307 | */ |
| 1308 | public boolean isSecure(int userId) { |
| 1309 | int mode = getKeyguardStoredPasswordQuality(userId); |
| 1310 | return isLockPatternEnabled(mode, userId) || isLockPasswordEnabled(mode, userId); |
| 1311 | } |
| 1312 | |
Adrian Roos | dce0122 | 2015-01-07 22:39:01 +0100 | [diff] [blame] | 1313 | public boolean isLockPasswordEnabled(int userId) { |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 1314 | return isLockPasswordEnabled(getKeyguardStoredPasswordQuality(userId), userId); |
| 1315 | } |
| 1316 | |
| 1317 | private boolean isLockPasswordEnabled(int mode, int userId) { |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 1318 | final boolean passwordEnabled = mode == PASSWORD_QUALITY_ALPHABETIC |
| 1319 | || mode == PASSWORD_QUALITY_NUMERIC |
| 1320 | || mode == PASSWORD_QUALITY_NUMERIC_COMPLEX |
| 1321 | || mode == PASSWORD_QUALITY_ALPHANUMERIC |
| 1322 | || mode == PASSWORD_QUALITY_COMPLEX |
| 1323 | || mode == PASSWORD_QUALITY_MANAGED; |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 1324 | return passwordEnabled && savedPasswordExists(userId); |
Jim Miller | 69aa4a9 | 2009-12-22 19:03:28 -0800 | [diff] [blame] | 1325 | } |
| 1326 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1327 | /** |
Adrian Roos | 230635e | 2015-01-07 20:50:29 +0100 | [diff] [blame] | 1328 | * @return Whether the lock pattern is enabled |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1329 | */ |
Adrian Roos | 50bfeec | 2014-11-20 16:21:11 +0100 | [diff] [blame] | 1330 | public boolean isLockPatternEnabled(int userId) { |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 1331 | return isLockPatternEnabled(getKeyguardStoredPasswordQuality(userId), userId); |
Danielle Millett | 925a7d8 | 2012-03-19 18:02:20 -0400 | [diff] [blame] | 1332 | } |
| 1333 | |
Bryce Lee | 4614596 | 2015-12-14 14:39:10 -0800 | [diff] [blame] | 1334 | @Deprecated |
| 1335 | public boolean isLegacyLockPatternEnabled(int userId) { |
| 1336 | // Note: this value should default to {@code true} to avoid any reset that might result. |
| 1337 | // We must use a special key to read this value, since it will by default return the value |
| 1338 | // based on the new logic. |
| 1339 | return getBoolean(LEGACY_LOCK_PATTERN_ENABLED, true, userId); |
| 1340 | } |
| 1341 | |
| 1342 | @Deprecated |
| 1343 | public void setLegacyLockPatternEnabled(int userId) { |
| 1344 | setBoolean(Settings.Secure.LOCK_PATTERN_ENABLED, true, userId); |
| 1345 | } |
| 1346 | |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 1347 | private boolean isLockPatternEnabled(int mode, int userId) { |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 1348 | return mode == PASSWORD_QUALITY_SOMETHING && savedPatternExists(userId); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1349 | } |
| 1350 | |
| 1351 | /** |
| 1352 | * @return Whether the visible pattern is enabled. |
| 1353 | */ |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 1354 | public boolean isVisiblePatternEnabled(int userId) { |
| 1355 | return getBoolean(Settings.Secure.LOCK_PATTERN_VISIBLE, false, userId); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1356 | } |
| 1357 | |
| 1358 | /** |
| 1359 | * Set whether the visible pattern is enabled. |
| 1360 | */ |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 1361 | public void setVisiblePatternEnabled(boolean enabled, int userId) { |
Adrian Roos | dce0122 | 2015-01-07 22:39:01 +0100 | [diff] [blame] | 1362 | setBoolean(Settings.Secure.LOCK_PATTERN_VISIBLE, enabled, userId); |
Paul Lawrence | 878ba0a | 2014-08-20 13:08:01 -0700 | [diff] [blame] | 1363 | |
| 1364 | // Update for crypto if owner |
Xiaohui Chen | 86c69dd | 2015-08-27 15:44:02 -0700 | [diff] [blame] | 1365 | if (userId != UserHandle.USER_SYSTEM) { |
Paul Lawrence | 878ba0a | 2014-08-20 13:08:01 -0700 | [diff] [blame] | 1366 | return; |
| 1367 | } |
| 1368 | |
| 1369 | IBinder service = ServiceManager.getService("mount"); |
| 1370 | if (service == null) { |
| 1371 | Log.e(TAG, "Could not find the mount service to update the user info"); |
| 1372 | return; |
| 1373 | } |
| 1374 | |
Sudheer Shanka | 2250d56 | 2016-11-07 15:41:02 -0800 | [diff] [blame] | 1375 | IStorageManager storageManager = IStorageManager.Stub.asInterface(service); |
Paul Lawrence | 878ba0a | 2014-08-20 13:08:01 -0700 | [diff] [blame] | 1376 | try { |
Sudheer Shanka | 2250d56 | 2016-11-07 15:41:02 -0800 | [diff] [blame] | 1377 | storageManager.setField(StorageManager.PATTERN_VISIBLE_KEY, enabled ? "1" : "0"); |
Paul Lawrence | 878ba0a | 2014-08-20 13:08:01 -0700 | [diff] [blame] | 1378 | } catch (RemoteException e) { |
| 1379 | Log.e(TAG, "Error changing pattern visible state", e); |
| 1380 | } |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1381 | } |
| 1382 | |
Bryan Mawhinney | e483b56 | 2017-05-15 14:46:05 +0100 | [diff] [blame] | 1383 | public boolean isVisiblePatternEverChosen(int userId) { |
| 1384 | return getString(Settings.Secure.LOCK_PATTERN_VISIBLE, userId) != null; |
| 1385 | } |
| 1386 | |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1387 | /** |
Paul Lawrence | d8fdb33 | 2015-05-18 13:26:11 -0700 | [diff] [blame] | 1388 | * Set whether the visible password is enabled for cryptkeeper screen. |
| 1389 | */ |
| 1390 | public void setVisiblePasswordEnabled(boolean enabled, int userId) { |
| 1391 | // Update for crypto if owner |
Xiaohui Chen | 86c69dd | 2015-08-27 15:44:02 -0700 | [diff] [blame] | 1392 | if (userId != UserHandle.USER_SYSTEM) { |
Paul Lawrence | d8fdb33 | 2015-05-18 13:26:11 -0700 | [diff] [blame] | 1393 | return; |
| 1394 | } |
| 1395 | |
| 1396 | IBinder service = ServiceManager.getService("mount"); |
| 1397 | if (service == null) { |
| 1398 | Log.e(TAG, "Could not find the mount service to update the user info"); |
| 1399 | return; |
| 1400 | } |
| 1401 | |
Sudheer Shanka | 2250d56 | 2016-11-07 15:41:02 -0800 | [diff] [blame] | 1402 | IStorageManager storageManager = IStorageManager.Stub.asInterface(service); |
Paul Lawrence | d8fdb33 | 2015-05-18 13:26:11 -0700 | [diff] [blame] | 1403 | try { |
Sudheer Shanka | 2250d56 | 2016-11-07 15:41:02 -0800 | [diff] [blame] | 1404 | storageManager.setField(StorageManager.PASSWORD_VISIBLE_KEY, enabled ? "1" : "0"); |
Paul Lawrence | d8fdb33 | 2015-05-18 13:26:11 -0700 | [diff] [blame] | 1405 | } catch (RemoteException e) { |
| 1406 | Log.e(TAG, "Error changing password visible state", e); |
| 1407 | } |
| 1408 | } |
| 1409 | |
| 1410 | /** |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1411 | * @return Whether tactile feedback for the pattern is enabled. |
| 1412 | */ |
| 1413 | public boolean isTactileFeedbackEnabled() { |
Jeff Sharkey | 5ed9d68 | 2012-10-10 14:28:27 -0700 | [diff] [blame] | 1414 | return Settings.System.getIntForUser(mContentResolver, |
| 1415 | Settings.System.HAPTIC_FEEDBACK_ENABLED, 1, UserHandle.USER_CURRENT) != 0; |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1416 | } |
| 1417 | |
| 1418 | /** |
| 1419 | * Set and store the lockout deadline, meaning the user can't attempt his/her unlock |
| 1420 | * pattern until the deadline has passed. |
| 1421 | * @return the chosen deadline. |
| 1422 | */ |
Andres Morales | 2397427 | 2015-05-14 22:42:26 -0700 | [diff] [blame] | 1423 | public long setLockoutAttemptDeadline(int userId, int timeoutMs) { |
| 1424 | final long deadline = SystemClock.elapsedRealtime() + timeoutMs; |
Adrian Roos | b7d81d9 | 2017-08-08 13:08:01 +0200 | [diff] [blame] | 1425 | if (userId == USER_FRP) { |
| 1426 | // For secure password storage (that is required for FRP), the underlying storage also |
| 1427 | // enforces the deadline. Since we cannot store settings for the FRP user, don't. |
| 1428 | return deadline; |
| 1429 | } |
Kevin Chyn | a3e5582 | 2017-10-04 15:47:24 -0700 | [diff] [blame] | 1430 | mLockoutDeadlines.put(userId, deadline); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1431 | return deadline; |
| 1432 | } |
| 1433 | |
| 1434 | /** |
| 1435 | * @return The elapsed time in millis in the future when the user is allowed to |
| 1436 | * attempt to enter his/her lock pattern, or 0 if the user is welcome to |
| 1437 | * enter a pattern. |
| 1438 | */ |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 1439 | public long getLockoutAttemptDeadline(int userId) { |
Kevin Chyn | a3e5582 | 2017-10-04 15:47:24 -0700 | [diff] [blame] | 1440 | final long deadline = mLockoutDeadlines.get(userId, 0L); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1441 | final long now = SystemClock.elapsedRealtime(); |
Jorim Jaggi | e3e6d56 | 2015-09-28 13:57:37 -0700 | [diff] [blame] | 1442 | if (deadline < now && deadline != 0) { |
Andres Morales | a4e2337 | 2015-09-08 13:17:37 -0700 | [diff] [blame] | 1443 | // timeout expired |
Kevin Chyn | a3e5582 | 2017-10-04 15:47:24 -0700 | [diff] [blame] | 1444 | mLockoutDeadlines.put(userId, 0); |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1445 | return 0L; |
| 1446 | } |
| 1447 | return deadline; |
| 1448 | } |
| 1449 | |
Jim Miller | f45bb40 | 2013-08-20 18:58:32 -0700 | [diff] [blame] | 1450 | private boolean getBoolean(String secureSettingKey, boolean defaultValue, int userId) { |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1451 | try { |
Jim Miller | f45bb40 | 2013-08-20 18:58:32 -0700 | [diff] [blame] | 1452 | return getLockSettings().getBoolean(secureSettingKey, defaultValue, userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1453 | } catch (RemoteException re) { |
| 1454 | return defaultValue; |
| 1455 | } |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1456 | } |
| 1457 | |
Jim Miller | f45bb40 | 2013-08-20 18:58:32 -0700 | [diff] [blame] | 1458 | private void setBoolean(String secureSettingKey, boolean enabled, int userId) { |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1459 | try { |
Jim Miller | f45bb40 | 2013-08-20 18:58:32 -0700 | [diff] [blame] | 1460 | getLockSettings().setBoolean(secureSettingKey, enabled, userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1461 | } catch (RemoteException re) { |
| 1462 | // What can we do? |
| 1463 | Log.e(TAG, "Couldn't write boolean " + secureSettingKey + re); |
| 1464 | } |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1465 | } |
| 1466 | |
Geoffrey Borggaard | 987672d2 | 2014-07-18 16:47:18 -0400 | [diff] [blame] | 1467 | private long getLong(String secureSettingKey, long defaultValue, int userHandle) { |
| 1468 | try { |
| 1469 | return getLockSettings().getLong(secureSettingKey, defaultValue, userHandle); |
| 1470 | } catch (RemoteException re) { |
| 1471 | return defaultValue; |
| 1472 | } |
| 1473 | } |
| 1474 | |
Amith Yamasani | 599dd7c | 2012-09-14 23:20:08 -0700 | [diff] [blame] | 1475 | private void setLong(String secureSettingKey, long value, int userHandle) { |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1476 | try { |
Kenny Guy | 0cf1370 | 2013-11-29 16:33:05 +0000 | [diff] [blame] | 1477 | getLockSettings().setLong(secureSettingKey, value, userHandle); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1478 | } catch (RemoteException re) { |
| 1479 | // What can we do? |
| 1480 | Log.e(TAG, "Couldn't write long " + secureSettingKey + re); |
| 1481 | } |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 1482 | } |
| 1483 | |
Amith Yamasani | 599dd7c | 2012-09-14 23:20:08 -0700 | [diff] [blame] | 1484 | private String getString(String secureSettingKey, int userHandle) { |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1485 | try { |
Amith Yamasani | 599dd7c | 2012-09-14 23:20:08 -0700 | [diff] [blame] | 1486 | return getLockSettings().getString(secureSettingKey, null, userHandle); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1487 | } catch (RemoteException re) { |
| 1488 | return null; |
| 1489 | } |
Konstantin Lopyrev | 863f22d | 2010-05-12 17:16:58 -0700 | [diff] [blame] | 1490 | } |
| 1491 | |
Amith Yamasani | 599dd7c | 2012-09-14 23:20:08 -0700 | [diff] [blame] | 1492 | private void setString(String secureSettingKey, String value, int userHandle) { |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1493 | try { |
Amith Yamasani | 599dd7c | 2012-09-14 23:20:08 -0700 | [diff] [blame] | 1494 | getLockSettings().setString(secureSettingKey, value, userHandle); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1495 | } catch (RemoteException re) { |
| 1496 | // What can we do? |
| 1497 | Log.e(TAG, "Couldn't write string " + secureSettingKey + re); |
| 1498 | } |
Konstantin Lopyrev | 863f22d | 2010-05-12 17:16:58 -0700 | [diff] [blame] | 1499 | } |
| 1500 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 1501 | public void setPowerButtonInstantlyLocks(boolean enabled, int userId) { |
| 1502 | setBoolean(LOCKSCREEN_POWER_BUTTON_INSTANTLY_LOCKS, enabled, userId); |
Jim Miller | a4edd15 | 2012-01-06 18:24:04 -0800 | [diff] [blame] | 1503 | } |
| 1504 | |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 1505 | public boolean getPowerButtonInstantlyLocks(int userId) { |
| 1506 | return getBoolean(LOCKSCREEN_POWER_BUTTON_INSTANTLY_LOCKS, true, userId); |
Adrian Roos | 82142c2 | 2014-03-27 14:56:59 +0100 | [diff] [blame] | 1507 | } |
| 1508 | |
Bryan Mawhinney | e483b56 | 2017-05-15 14:46:05 +0100 | [diff] [blame] | 1509 | public boolean isPowerButtonInstantlyLocksEverChosen(int userId) { |
| 1510 | return getString(LOCKSCREEN_POWER_BUTTON_INSTANTLY_LOCKS, userId) != null; |
| 1511 | } |
| 1512 | |
Adrian Roos | 82142c2 | 2014-03-27 14:56:59 +0100 | [diff] [blame] | 1513 | public void setEnabledTrustAgents(Collection<ComponentName> activeTrustAgents, int userId) { |
| 1514 | StringBuilder sb = new StringBuilder(); |
| 1515 | for (ComponentName cn : activeTrustAgents) { |
| 1516 | if (sb.length() > 0) { |
| 1517 | sb.append(','); |
| 1518 | } |
| 1519 | sb.append(cn.flattenToShortString()); |
| 1520 | } |
| 1521 | setString(ENABLED_TRUST_AGENTS, sb.toString(), userId); |
Adrian Roos | 8150d2a | 2015-04-16 17:11:20 -0700 | [diff] [blame] | 1522 | getTrustManager().reportEnabledTrustAgentsChanged(userId); |
Adrian Roos | 82142c2 | 2014-03-27 14:56:59 +0100 | [diff] [blame] | 1523 | } |
| 1524 | |
| 1525 | public List<ComponentName> getEnabledTrustAgents(int userId) { |
| 1526 | String serialized = getString(ENABLED_TRUST_AGENTS, userId); |
| 1527 | if (TextUtils.isEmpty(serialized)) { |
| 1528 | return null; |
| 1529 | } |
| 1530 | String[] split = serialized.split(","); |
| 1531 | ArrayList<ComponentName> activeTrustAgents = new ArrayList<ComponentName>(split.length); |
| 1532 | for (String s : split) { |
| 1533 | if (!TextUtils.isEmpty(s)) { |
| 1534 | activeTrustAgents.add(ComponentName.unflattenFromString(s)); |
| 1535 | } |
| 1536 | } |
| 1537 | return activeTrustAgents; |
| 1538 | } |
Adrian Roos | 2c12cfa | 2014-06-25 23:28:53 +0200 | [diff] [blame] | 1539 | |
| 1540 | /** |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1541 | * Disable trust until credentials have been entered for user {@param userId}. |
| 1542 | * |
| 1543 | * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission. |
| 1544 | * |
| 1545 | * @param userId either an explicit user id or {@link android.os.UserHandle#USER_ALL} |
Adrian Roos | 2c12cfa | 2014-06-25 23:28:53 +0200 | [diff] [blame] | 1546 | */ |
| 1547 | public void requireCredentialEntry(int userId) { |
Jorim Jaggi | 16093fe3 | 2015-09-09 23:29:17 +0000 | [diff] [blame] | 1548 | requireStrongAuth(StrongAuthTracker.SOME_AUTH_REQUIRED_AFTER_USER_REQUEST, userId); |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1549 | } |
| 1550 | |
| 1551 | /** |
| 1552 | * Requests strong authentication for user {@param userId}. |
| 1553 | * |
| 1554 | * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission. |
| 1555 | * |
| 1556 | * @param strongAuthReason a combination of {@link StrongAuthTracker.StrongAuthFlags} indicating |
| 1557 | * the reason for and the strength of the requested authentication. |
| 1558 | * @param userId either an explicit user id or {@link android.os.UserHandle#USER_ALL} |
| 1559 | */ |
| 1560 | public void requireStrongAuth(@StrongAuthTracker.StrongAuthFlags int strongAuthReason, |
| 1561 | int userId) { |
| 1562 | try { |
| 1563 | getLockSettings().requireStrongAuth(strongAuthReason, userId); |
| 1564 | } catch (RemoteException e) { |
| 1565 | Log.e(TAG, "Error while requesting strong auth: " + e); |
| 1566 | } |
Adrian Roos | 2c12cfa | 2014-06-25 23:28:53 +0200 | [diff] [blame] | 1567 | } |
Adrian Roos | 4b9e324 | 2014-08-20 23:36:25 +0200 | [diff] [blame] | 1568 | |
Adrian Roos | f8f56bc | 2014-11-20 23:55:34 +0100 | [diff] [blame] | 1569 | private void onAfterChangingPassword(int userHandle) { |
| 1570 | getTrustManager().reportEnabledTrustAgentsChanged(userHandle); |
Adrian Roos | 4b9e324 | 2014-08-20 23:36:25 +0200 | [diff] [blame] | 1571 | } |
Jim Miller | dd5de71 | 2014-10-16 19:50:18 -0700 | [diff] [blame] | 1572 | |
| 1573 | public boolean isCredentialRequiredToDecrypt(boolean defaultValue) { |
| 1574 | final int value = Settings.Global.getInt(mContentResolver, |
| 1575 | Settings.Global.REQUIRE_PASSWORD_TO_DECRYPT, -1); |
| 1576 | return value == -1 ? defaultValue : (value != 0); |
| 1577 | } |
| 1578 | |
| 1579 | public void setCredentialRequiredToDecrypt(boolean required) { |
Robin Lee | d39113e | 2016-01-22 15:44:49 +0000 | [diff] [blame] | 1580 | if (!(getUserManager().isSystemUser() || getUserManager().isPrimaryUser())) { |
| 1581 | throw new IllegalStateException( |
| 1582 | "Only the system or primary user may call setCredentialRequiredForDecrypt()"); |
Jim Miller | dd5de71 | 2014-10-16 19:50:18 -0700 | [diff] [blame] | 1583 | } |
Paul Lawrence | 688af6c | 2015-05-15 11:26:17 -0700 | [diff] [blame] | 1584 | |
| 1585 | if (isDeviceEncryptionEnabled()){ |
| 1586 | Settings.Global.putInt(mContext.getContentResolver(), |
| 1587 | Settings.Global.REQUIRE_PASSWORD_TO_DECRYPT, required ? 1 : 0); |
| 1588 | } |
Jim Miller | dd5de71 | 2014-10-16 19:50:18 -0700 | [diff] [blame] | 1589 | } |
Andrei Kapishnikov | 4eb6a36 | 2015-04-02 15:21:20 -0400 | [diff] [blame] | 1590 | |
| 1591 | private boolean isDoNotAskCredentialsOnBootSet() { |
Rubin Xu | 4929a5d | 2017-01-23 23:55:28 +0000 | [diff] [blame] | 1592 | return getDevicePolicyManager().getDoNotAskCredentialsOnBoot(); |
Andrei Kapishnikov | 4eb6a36 | 2015-04-02 15:21:20 -0400 | [diff] [blame] | 1593 | } |
| 1594 | |
| 1595 | private boolean shouldEncryptWithCredentials(boolean defaultValue) { |
| 1596 | return isCredentialRequiredToDecrypt(defaultValue) && !isDoNotAskCredentialsOnBootSet(); |
| 1597 | } |
Xiyuan Xia | aa26294 | 2015-05-05 15:18:45 -0700 | [diff] [blame] | 1598 | |
| 1599 | private void throwIfCalledOnMainThread() { |
| 1600 | if (Looper.getMainLooper().isCurrentThread()) { |
| 1601 | throw new IllegalStateException("should not be called from the main thread."); |
| 1602 | } |
| 1603 | } |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1604 | |
| 1605 | public void registerStrongAuthTracker(final StrongAuthTracker strongAuthTracker) { |
| 1606 | try { |
| 1607 | getLockSettings().registerStrongAuthTracker(strongAuthTracker.mStub); |
| 1608 | } catch (RemoteException e) { |
| 1609 | throw new RuntimeException("Could not register StrongAuthTracker"); |
| 1610 | } |
| 1611 | } |
| 1612 | |
| 1613 | public void unregisterStrongAuthTracker(final StrongAuthTracker strongAuthTracker) { |
| 1614 | try { |
| 1615 | getLockSettings().unregisterStrongAuthTracker(strongAuthTracker.mStub); |
| 1616 | } catch (RemoteException e) { |
| 1617 | Log.e(TAG, "Could not unregister StrongAuthTracker", e); |
| 1618 | } |
| 1619 | } |
| 1620 | |
| 1621 | /** |
Victor Chang | a0940d3 | 2016-05-16 19:36:08 +0100 | [diff] [blame] | 1622 | * @see StrongAuthTracker#getStrongAuthForUser |
| 1623 | */ |
| 1624 | public int getStrongAuthForUser(int userId) { |
| 1625 | try { |
| 1626 | return getLockSettings().getStrongAuthForUser(userId); |
| 1627 | } catch (RemoteException e) { |
| 1628 | Log.e(TAG, "Could not get StrongAuth", e); |
| 1629 | return StrongAuthTracker.getDefaultFlags(mContext); |
| 1630 | } |
| 1631 | } |
| 1632 | |
| 1633 | /** |
| 1634 | * @see StrongAuthTracker#isTrustAllowedForUser |
| 1635 | */ |
| 1636 | public boolean isTrustAllowedForUser(int userId) { |
| 1637 | return getStrongAuthForUser(userId) == StrongAuthTracker.STRONG_AUTH_NOT_REQUIRED; |
| 1638 | } |
| 1639 | |
| 1640 | /** |
| 1641 | * @see StrongAuthTracker#isFingerprintAllowedForUser |
| 1642 | */ |
Kevin Chyn | b17d409 | 2018-10-01 19:07:03 -0700 | [diff] [blame] | 1643 | public boolean isBiometricAllowedForUser(int userId) { |
Gilad Bretter | cb51b8b | 2018-03-22 17:04:51 +0200 | [diff] [blame] | 1644 | return (getStrongAuthForUser(userId) & ~StrongAuthTracker.ALLOWING_BIOMETRIC) == 0; |
Victor Chang | a0940d3 | 2016-05-16 19:36:08 +0100 | [diff] [blame] | 1645 | } |
| 1646 | |
Chad Brubaker | ea8c5ef | 2018-03-15 16:37:43 -0700 | [diff] [blame] | 1647 | public boolean isUserInLockdown(int userId) { |
| 1648 | return getStrongAuthForUser(userId) |
| 1649 | == StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN; |
| 1650 | } |
| 1651 | |
Jorim Jaggi | e8fde5d | 2016-06-30 23:41:37 -0700 | [diff] [blame] | 1652 | private ICheckCredentialProgressCallback wrapCallback( |
| 1653 | final CheckCredentialProgressCallback callback) { |
| 1654 | if (callback == null) { |
| 1655 | return null; |
| 1656 | } else { |
Adrian Roos | 7a3bf7c | 2016-07-12 15:31:55 -0700 | [diff] [blame] | 1657 | if (mHandler == null) { |
| 1658 | throw new IllegalStateException("Must construct LockPatternUtils on a looper thread" |
| 1659 | + " to use progress callbacks."); |
| 1660 | } |
Jorim Jaggi | e8fde5d | 2016-06-30 23:41:37 -0700 | [diff] [blame] | 1661 | return new ICheckCredentialProgressCallback.Stub() { |
| 1662 | |
| 1663 | @Override |
| 1664 | public void onCredentialVerified() throws RemoteException { |
| 1665 | mHandler.post(callback::onEarlyMatched); |
| 1666 | } |
| 1667 | }; |
| 1668 | } |
| 1669 | } |
| 1670 | |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1671 | private LockSettingsInternal getLockSettingsInternal() { |
| 1672 | LockSettingsInternal service = LocalServices.getService(LockSettingsInternal.class); |
| 1673 | if (service == null) { |
| 1674 | throw new SecurityException("Only available to system server itself"); |
| 1675 | } |
| 1676 | return service; |
| 1677 | } |
Jorim Jaggi | e8fde5d | 2016-06-30 23:41:37 -0700 | [diff] [blame] | 1678 | /** |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1679 | * Create an escrow token for the current user, which can later be used to unlock FBE |
| 1680 | * or change user password. |
| 1681 | * |
| 1682 | * After adding, if the user currently has lockscreen password, he will need to perform a |
| 1683 | * confirm credential operation in order to activate the token for future use. If the user |
| 1684 | * has no secure lockscreen, then the token is activated immediately. |
| 1685 | * |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1686 | * <p>This method is only available to code running in the system server process itself. |
| 1687 | * |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1688 | * @return a unique 64-bit token handle which is needed to refer to this token later. |
| 1689 | */ |
Ram Periathiruvadi | 32d5355 | 2019-02-19 13:25:46 -0800 | [diff] [blame] | 1690 | public long addEscrowToken(byte[] token, int userId, |
| 1691 | @Nullable EscrowTokenStateChangeCallback callback) { |
| 1692 | return getLockSettingsInternal().addEscrowToken(token, userId, callback); |
| 1693 | } |
| 1694 | |
| 1695 | /** |
| 1696 | * Callback interface to notify when an added escrow token has been activated. |
| 1697 | */ |
| 1698 | public interface EscrowTokenStateChangeCallback { |
| 1699 | /** |
| 1700 | * The method to be called when the token is activated. |
| 1701 | * @param handle 64 bit handle corresponding to the escrow token |
| 1702 | * @param userid user for whom the escrow token has been added |
| 1703 | */ |
| 1704 | void onEscrowTokenActivated(long handle, int userid); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1705 | } |
| 1706 | |
| 1707 | /** |
| 1708 | * Remove an escrow token. |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1709 | * |
| 1710 | * <p>This method is only available to code running in the system server process itself. |
| 1711 | * |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1712 | * @return true if the given handle refers to a valid token previously returned from |
| 1713 | * {@link #addEscrowToken}, whether it's active or not. return false otherwise. |
| 1714 | */ |
| 1715 | public boolean removeEscrowToken(long handle, int userId) { |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1716 | return getLockSettingsInternal().removeEscrowToken(handle, userId); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1717 | } |
| 1718 | |
| 1719 | /** |
| 1720 | * Check if the given escrow token is active or not. Only active token can be used to call |
| 1721 | * {@link #setLockCredentialWithToken} and {@link #unlockUserWithToken} |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1722 | * |
| 1723 | * <p>This method is only available to code running in the system server process itself. |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1724 | */ |
| 1725 | public boolean isEscrowTokenActive(long handle, int userId) { |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1726 | return getLockSettingsInternal().isEscrowTokenActive(handle, userId); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1727 | } |
| 1728 | |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 1729 | /** |
| 1730 | * Change a user's lock credential with a pre-configured escrow token. |
| 1731 | * |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1732 | * <p>This method is only available to code running in the system server process itself. |
| 1733 | * |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 1734 | * @param credential The new credential to be set |
| 1735 | * @param type Credential type: password / pattern / none. |
| 1736 | * @param requestedQuality the requested password quality by DevicePolicyManager. |
| 1737 | * See {@link DevicePolicyManager#getPasswordQuality(android.content.ComponentName)} |
| 1738 | * @param tokenHandle Handle of the escrow token |
| 1739 | * @param token Escrow token |
| 1740 | * @param userId The user who's lock credential to be changed |
| 1741 | * @return {@code true} if the operation is successful. |
| 1742 | */ |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1743 | public boolean setLockCredentialWithToken(byte[] credential, int type, int requestedQuality, |
Rubin Xu | 7cf4509 | 2017-08-28 11:47:35 +0100 | [diff] [blame] | 1744 | long tokenHandle, byte[] token, int userId) { |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 1745 | if (!hasSecureLockScreen()) { |
| 1746 | throw new UnsupportedOperationException( |
| 1747 | "This operation requires the lock screen feature."); |
| 1748 | } |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1749 | LockSettingsInternal localService = getLockSettingsInternal(); |
| 1750 | if (type != CREDENTIAL_TYPE_NONE) { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1751 | if (credential == null || credential.length < MIN_LOCK_PASSWORD_SIZE) { |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1752 | throw new IllegalArgumentException("password must not be null and at least " |
| 1753 | + "of length " + MIN_LOCK_PASSWORD_SIZE); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1754 | } |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1755 | final int quality = computePasswordQuality(type, credential, requestedQuality); |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1756 | if (!localService.setLockCredentialWithToken(credential, type, tokenHandle, token, |
| 1757 | quality, userId)) { |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1758 | return false; |
| 1759 | } |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 1760 | setKeyguardStoredPasswordQuality(quality, userId); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1761 | |
| 1762 | updateEncryptionPasswordIfNeeded(credential, quality, userId); |
| 1763 | updatePasswordHistory(credential, userId); |
Rubin Xu | f01e907 | 2018-03-30 20:59:28 +0100 | [diff] [blame] | 1764 | onAfterChangingPassword(userId); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1765 | } else { |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1766 | if (!(credential == null || credential.length == 0)) { |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1767 | throw new IllegalArgumentException("password must be emtpy for NONE type"); |
| 1768 | } |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 1769 | if (!localService.setLockCredentialWithToken(null, CREDENTIAL_TYPE_NONE, tokenHandle, |
| 1770 | token, PASSWORD_QUALITY_UNSPECIFIED, userId)) { |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1771 | return false; |
| 1772 | } |
Rubin Xu | 682d167 | 2018-03-21 09:13:44 +0000 | [diff] [blame] | 1773 | setKeyguardStoredPasswordQuality(PASSWORD_QUALITY_UNSPECIFIED, userId); |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1774 | |
| 1775 | if (userId == UserHandle.USER_SYSTEM) { |
| 1776 | // Set the encryption password to default. |
| 1777 | updateEncryptionPassword(StorageManager.CRYPT_TYPE_DEFAULT, null); |
| 1778 | setCredentialRequiredToDecrypt(false); |
| 1779 | } |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1780 | } |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1781 | onAfterChangingPassword(userId); |
| 1782 | return true; |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1783 | } |
| 1784 | |
Rubin Xu | fcd49f9 | 2017-08-24 18:21:52 +0100 | [diff] [blame] | 1785 | /** |
| 1786 | * Unlock the specified user by an pre-activated escrow token. This should have the same effect |
| 1787 | * on device encryption as the user entering his lockscreen credentials for the first time after |
| 1788 | * boot, this includes unlocking the user's credential-encrypted storage as well as the keystore |
| 1789 | * |
| 1790 | * <p>This method is only available to code running in the system server process itself. |
| 1791 | * |
| 1792 | * @return {@code true} if the supplied token is valid and unlock succeeds, |
| 1793 | * {@code false} otherwise. |
| 1794 | */ |
| 1795 | public boolean unlockUserWithToken(long tokenHandle, byte[] token, int userId) { |
| 1796 | return getLockSettingsInternal().unlockUserWithToken(tokenHandle, token, userId); |
Rubin Xu | f095f83 | 2017-01-31 15:23:34 +0000 | [diff] [blame] | 1797 | } |
| 1798 | |
| 1799 | |
| 1800 | /** |
Jorim Jaggi | e8fde5d | 2016-06-30 23:41:37 -0700 | [diff] [blame] | 1801 | * Callback to be notified about progress when checking credentials. |
| 1802 | */ |
| 1803 | public interface CheckCredentialProgressCallback { |
| 1804 | |
| 1805 | /** |
| 1806 | * Called as soon as possible when we know that the credentials match but the user hasn't |
| 1807 | * been fully unlocked. |
| 1808 | */ |
| 1809 | void onEarlyMatched(); |
| 1810 | } |
| 1811 | |
Victor Chang | a0940d3 | 2016-05-16 19:36:08 +0100 | [diff] [blame] | 1812 | /** |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1813 | * Tracks the global strong authentication state. |
| 1814 | */ |
| 1815 | public static class StrongAuthTracker { |
| 1816 | |
| 1817 | @IntDef(flag = true, |
| 1818 | value = { STRONG_AUTH_NOT_REQUIRED, |
| 1819 | STRONG_AUTH_REQUIRED_AFTER_BOOT, |
| 1820 | STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW, |
Adrian Roos | 9d6fc92 | 2016-08-10 17:09:55 -0700 | [diff] [blame] | 1821 | SOME_AUTH_REQUIRED_AFTER_USER_REQUEST, |
Michal Karpinski | c52f867 | 2016-11-18 11:32:45 +0000 | [diff] [blame] | 1822 | STRONG_AUTH_REQUIRED_AFTER_LOCKOUT, |
Chad Brubaker | 4f28f0d | 2017-09-07 14:28:13 -0700 | [diff] [blame] | 1823 | STRONG_AUTH_REQUIRED_AFTER_TIMEOUT, |
| 1824 | STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN}) |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1825 | @Retention(RetentionPolicy.SOURCE) |
| 1826 | public @interface StrongAuthFlags {} |
| 1827 | |
| 1828 | /** |
| 1829 | * Strong authentication is not required. |
| 1830 | */ |
| 1831 | public static final int STRONG_AUTH_NOT_REQUIRED = 0x0; |
| 1832 | |
| 1833 | /** |
| 1834 | * Strong authentication is required because the user has not authenticated since boot. |
| 1835 | */ |
| 1836 | public static final int STRONG_AUTH_REQUIRED_AFTER_BOOT = 0x1; |
| 1837 | |
| 1838 | /** |
Jorim Jaggi | 16093fe3 | 2015-09-09 23:29:17 +0000 | [diff] [blame] | 1839 | * Strong authentication is required because a device admin has requested it. |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1840 | */ |
| 1841 | public static final int STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW = 0x2; |
| 1842 | |
| 1843 | /** |
Jorim Jaggi | 16093fe3 | 2015-09-09 23:29:17 +0000 | [diff] [blame] | 1844 | * Some authentication is required because the user has temporarily disabled trust. |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1845 | */ |
Jorim Jaggi | 16093fe3 | 2015-09-09 23:29:17 +0000 | [diff] [blame] | 1846 | public static final int SOME_AUTH_REQUIRED_AFTER_USER_REQUEST = 0x4; |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1847 | |
Adrian Roos | 873010d | 2015-08-25 15:59:00 -0700 | [diff] [blame] | 1848 | /** |
| 1849 | * Strong authentication is required because the user has been locked out after too many |
| 1850 | * attempts. |
| 1851 | */ |
| 1852 | public static final int STRONG_AUTH_REQUIRED_AFTER_LOCKOUT = 0x8; |
| 1853 | |
Adrian Roos | af4ab3e | 2015-09-02 13:23:30 -0700 | [diff] [blame] | 1854 | /** |
Michal Karpinski | c52f867 | 2016-11-18 11:32:45 +0000 | [diff] [blame] | 1855 | * Strong authentication is required because it hasn't been used for a time required by |
| 1856 | * a device admin. |
| 1857 | */ |
| 1858 | public static final int STRONG_AUTH_REQUIRED_AFTER_TIMEOUT = 0x10; |
| 1859 | |
| 1860 | /** |
Chad Brubaker | 4f28f0d | 2017-09-07 14:28:13 -0700 | [diff] [blame] | 1861 | * Strong authentication is required because the user has triggered lockdown. |
| 1862 | */ |
| 1863 | public static final int STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN = 0x20; |
| 1864 | |
| 1865 | /** |
Gilad Bretter | cb51b8b | 2018-03-22 17:04:51 +0200 | [diff] [blame] | 1866 | * Strong auth flags that do not prevent biometric methods from being accepted as auth. |
| 1867 | * If any other flags are set, biometric authentication is disabled. |
Adrian Roos | af4ab3e | 2015-09-02 13:23:30 -0700 | [diff] [blame] | 1868 | */ |
Gilad Bretter | cb51b8b | 2018-03-22 17:04:51 +0200 | [diff] [blame] | 1869 | private static final int ALLOWING_BIOMETRIC = STRONG_AUTH_NOT_REQUIRED |
Adrian Roos | 9d6fc92 | 2016-08-10 17:09:55 -0700 | [diff] [blame] | 1870 | | SOME_AUTH_REQUIRED_AFTER_USER_REQUEST; |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1871 | |
Adrian Roos | af4ab3e | 2015-09-02 13:23:30 -0700 | [diff] [blame] | 1872 | private final SparseIntArray mStrongAuthRequiredForUser = new SparseIntArray(); |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1873 | private final H mHandler; |
Rakesh Iyer | a7aa4d6 | 2016-01-19 17:27:23 -0800 | [diff] [blame] | 1874 | private final int mDefaultStrongAuthFlags; |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1875 | |
Rakesh Iyer | a7aa4d6 | 2016-01-19 17:27:23 -0800 | [diff] [blame] | 1876 | public StrongAuthTracker(Context context) { |
| 1877 | this(context, Looper.myLooper()); |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1878 | } |
| 1879 | |
| 1880 | /** |
| 1881 | * @param looper the looper on whose thread calls to {@link #onStrongAuthRequiredChanged} |
| 1882 | * will be scheduled. |
Rakesh Iyer | a7aa4d6 | 2016-01-19 17:27:23 -0800 | [diff] [blame] | 1883 | * @param context the current {@link Context} |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1884 | */ |
Rakesh Iyer | a7aa4d6 | 2016-01-19 17:27:23 -0800 | [diff] [blame] | 1885 | public StrongAuthTracker(Context context, Looper looper) { |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1886 | mHandler = new H(looper); |
Rakesh Iyer | a7aa4d6 | 2016-01-19 17:27:23 -0800 | [diff] [blame] | 1887 | mDefaultStrongAuthFlags = getDefaultFlags(context); |
| 1888 | } |
| 1889 | |
| 1890 | public static @StrongAuthFlags int getDefaultFlags(Context context) { |
| 1891 | boolean strongAuthRequired = context.getResources().getBoolean( |
| 1892 | com.android.internal.R.bool.config_strongAuthRequiredOnBoot); |
| 1893 | return strongAuthRequired ? STRONG_AUTH_REQUIRED_AFTER_BOOT : STRONG_AUTH_NOT_REQUIRED; |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1894 | } |
| 1895 | |
| 1896 | /** |
| 1897 | * Returns {@link #STRONG_AUTH_NOT_REQUIRED} if strong authentication is not required, |
| 1898 | * otherwise returns a combination of {@link StrongAuthFlags} indicating why strong |
| 1899 | * authentication is required. |
| 1900 | * |
| 1901 | * @param userId the user for whom the state is queried. |
| 1902 | */ |
| 1903 | public @StrongAuthFlags int getStrongAuthForUser(int userId) { |
Rakesh Iyer | a7aa4d6 | 2016-01-19 17:27:23 -0800 | [diff] [blame] | 1904 | return mStrongAuthRequiredForUser.get(userId, mDefaultStrongAuthFlags); |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1905 | } |
| 1906 | |
| 1907 | /** |
| 1908 | * @return true if unlocking with trust alone is allowed for {@param userId} by the current |
| 1909 | * strong authentication requirements. |
| 1910 | */ |
| 1911 | public boolean isTrustAllowedForUser(int userId) { |
| 1912 | return getStrongAuthForUser(userId) == STRONG_AUTH_NOT_REQUIRED; |
| 1913 | } |
| 1914 | |
| 1915 | /** |
Gilad Bretter | cb51b8b | 2018-03-22 17:04:51 +0200 | [diff] [blame] | 1916 | * @return true if unlocking with a biometric method alone is allowed for {@param userId} |
| 1917 | * by the current strong authentication requirements. |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1918 | */ |
Gilad Bretter | cb51b8b | 2018-03-22 17:04:51 +0200 | [diff] [blame] | 1919 | public boolean isBiometricAllowedForUser(int userId) { |
| 1920 | return (getStrongAuthForUser(userId) & ~ALLOWING_BIOMETRIC) == 0; |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1921 | } |
| 1922 | |
| 1923 | /** |
| 1924 | * Called when the strong authentication requirements for {@param userId} changed. |
| 1925 | */ |
| 1926 | public void onStrongAuthRequiredChanged(int userId) { |
| 1927 | } |
| 1928 | |
Victor Chang | a0940d3 | 2016-05-16 19:36:08 +0100 | [diff] [blame] | 1929 | protected void handleStrongAuthRequiredChanged(@StrongAuthFlags int strongAuthFlags, |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1930 | int userId) { |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1931 | int oldValue = getStrongAuthForUser(userId); |
| 1932 | if (strongAuthFlags != oldValue) { |
Rakesh Iyer | a7aa4d6 | 2016-01-19 17:27:23 -0800 | [diff] [blame] | 1933 | if (strongAuthFlags == mDefaultStrongAuthFlags) { |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1934 | mStrongAuthRequiredForUser.delete(userId); |
| 1935 | } else { |
| 1936 | mStrongAuthRequiredForUser.put(userId, strongAuthFlags); |
| 1937 | } |
| 1938 | onStrongAuthRequiredChanged(userId); |
| 1939 | } |
| 1940 | } |
| 1941 | |
| 1942 | |
Victor Chang | a0940d3 | 2016-05-16 19:36:08 +0100 | [diff] [blame] | 1943 | protected final IStrongAuthTracker.Stub mStub = new IStrongAuthTracker.Stub() { |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1944 | @Override |
| 1945 | public void onStrongAuthRequiredChanged(@StrongAuthFlags int strongAuthFlags, |
| 1946 | int userId) { |
| 1947 | mHandler.obtainMessage(H.MSG_ON_STRONG_AUTH_REQUIRED_CHANGED, |
| 1948 | strongAuthFlags, userId).sendToTarget(); |
| 1949 | } |
| 1950 | }; |
| 1951 | |
| 1952 | private class H extends Handler { |
| 1953 | static final int MSG_ON_STRONG_AUTH_REQUIRED_CHANGED = 1; |
| 1954 | |
| 1955 | public H(Looper looper) { |
| 1956 | super(looper); |
| 1957 | } |
| 1958 | |
| 1959 | @Override |
| 1960 | public void handleMessage(Message msg) { |
| 1961 | switch (msg.what) { |
| 1962 | case MSG_ON_STRONG_AUTH_REQUIRED_CHANGED: |
| 1963 | handleStrongAuthRequiredChanged(msg.arg1, msg.arg2); |
| 1964 | break; |
| 1965 | } |
| 1966 | } |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 1967 | } |
| 1968 | } |
| 1969 | |
| 1970 | public void enableSyntheticPassword() { |
| 1971 | setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1L, UserHandle.USER_SYSTEM); |
| 1972 | } |
| 1973 | |
Paul Crowley | 7a0cc0a | 2017-05-31 22:12:57 +0000 | [diff] [blame] | 1974 | public void disableSyntheticPassword() { |
| 1975 | setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 0L, UserHandle.USER_SYSTEM); |
| 1976 | } |
| 1977 | |
Rubin Xu | 3bf722a | 2016-12-15 16:07:38 +0000 | [diff] [blame] | 1978 | public boolean isSyntheticPasswordEnabled() { |
| 1979 | return getLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 0, UserHandle.USER_SYSTEM) != 0; |
Adrian Roos | b5e4722 | 2015-08-14 15:53:06 -0700 | [diff] [blame] | 1980 | } |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 1981 | |
Lenka Trochtova | 66c492a | 2018-12-06 11:29:21 +0100 | [diff] [blame] | 1982 | /** |
| 1983 | * Return true if the device supports the lock screen feature, false otherwise. |
| 1984 | */ |
| 1985 | public boolean hasSecureLockScreen() { |
| 1986 | if (mHasSecureLockScreen == null) { |
| 1987 | mHasSecureLockScreen = Boolean.valueOf(mContext.getPackageManager() |
| 1988 | .hasSystemFeature(PackageManager.FEATURE_SECURE_LOCK_SCREEN)); |
| 1989 | } |
| 1990 | return mHasSecureLockScreen.booleanValue(); |
| 1991 | } |
| 1992 | |
Adrian Roos | 2adc263 | 2017-09-05 17:01:42 +0200 | [diff] [blame] | 1993 | public static boolean userOwnsFrpCredential(Context context, UserInfo info) { |
| 1994 | return info != null && info.isPrimary() && info.isAdmin() && frpCredentialEnabled(context); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 1995 | } |
| 1996 | |
Adrian Roos | 2adc263 | 2017-09-05 17:01:42 +0200 | [diff] [blame] | 1997 | public static boolean frpCredentialEnabled(Context context) { |
| 1998 | return FRP_CREDENTIAL_ENABLED && context.getResources().getBoolean( |
| 1999 | com.android.internal.R.bool.config_enableCredentialFactoryResetProtection); |
Adrian Roos | 7374d3a | 2017-03-31 14:14:53 -0700 | [diff] [blame] | 2000 | } |
Rich Cannings | f64ec63 | 2019-02-21 12:40:36 -0800 | [diff] [blame] | 2001 | |
| 2002 | /** |
| 2003 | * Converts a CharSequence to a byte array without requiring a toString(), which creates an |
| 2004 | * additional copy. |
| 2005 | * |
| 2006 | * @param chars The CharSequence to convert |
| 2007 | * @return A byte array representing the input |
| 2008 | */ |
| 2009 | public static byte[] charSequenceToByteArray(CharSequence chars) { |
| 2010 | if (chars == null) { |
| 2011 | return null; |
| 2012 | } |
| 2013 | byte[] bytes = new byte[chars.length()]; |
| 2014 | for (int i = 0; i < chars.length(); i++) { |
| 2015 | bytes[i] = (byte) chars.charAt(i); |
| 2016 | } |
| 2017 | return bytes; |
| 2018 | } |
The Android Open Source Project | 9066cfe | 2009-03-03 19:31:44 -0800 | [diff] [blame] | 2019 | } |