author | Daniel Micay <danielmicay@gmail.com> | 2015-12-03 14:27:34 -0500 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-12-16 02:42:15 +0100 |
commit | 73e4ff6ef31cce010d31bf4b0bd8990a7bfd85bc (patch) | |
tree | bd72a6389e80f995a885267512df50ded75261c4 | |
parent | 34cb7bda51ec5716f24db107532555d64afa7177 (diff) | |
support separate encryption/lockscreen passwords
This adds the necessary infrastructure for allowing users to opt-in to a
distinct device encryption passphrase. The passwords are still tied
together by default. This makes it possible to use a complex encryption
passphrase without losing the convenience of a very simple lockscreen
pin.
This feature can be combined with a forced reboot after a chosen number
of failed unlocking attempts to prevent brute-forcing by requiring the
entry of the encryption password instead.
-rw-r--r-- | core/java/android/provider/Settings.java | 7 | ||||
-rw-r--r-- | core/java/com/android/internal/widget/LockPatternUtils.java | 72 | ||||
-rw-r--r-- | services/core/java/com/android/server/LockSettingsService.java | 1 |
3 files changed, 77 insertions, 3 deletions
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index 3ab16fe..e6f1f4a 100644
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -4926,6 +4926,13 @@ public final class Settings {
 "lock_screen_allow_private_notifications";
 /**
+ * Separate password for encryption and the lockscreen.
+ * @hide
+ */
+ public static final String LOCK_SEPARATE_ENCRYPTION_PASSWORD =
+ "lock_separate_encryption_password";
+
+ /**
 * Set by the system to track if the user needs to see the call to action for
 * the lockscreen notification policy.
 * @hide
diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java
index 5dc91d2..92f520b 100644
--- a/core/java/com/android/internal/widget/LockPatternUtils.java
+++ b/core/java/com/android/internal/widget/LockPatternUtils.java
@@ -462,7 +462,8 @@ public class LockPatternUtils {
 // well, we tried...
 }
- if (userHandle == UserHandle.USER_OWNER) {
+ if (userHandle == UserHandle.USER_OWNER
+ && !isSeparateEncryptionPasswordEnabled()) {
 // Set the encryption password to default.
 updateEncryptionPassword(StorageManager.CRYPT_TYPE_DEFAULT, null);
 }
@@ -523,7 +524,8 @@ public class LockPatternUtils {
 // Update the device encryption password.
 if (userId == UserHandle.USER_OWNER
- && LockPatternUtils.isDeviceEncryptionEnabled()) {
+ && LockPatternUtils.isDeviceEncryptionEnabled()
+ && !isSeparateEncryptionPasswordEnabled()) {
 if (!shouldEncryptWithCredentials(true)) {
 clearEncryptionPassword();
 } else {
@@ -732,7 +734,8 @@ public class LockPatternUtils {
 // Update the device encryption password.
 if (userHandle == UserHandle.USER_OWNER
- && LockPatternUtils.isDeviceEncryptionEnabled()) {
+ && LockPatternUtils.isDeviceEncryptionEnabled()
+ && !isSeparateEncryptionPasswordEnabled()) {
 if (!shouldEncryptWithCredentials(true)) {
 clearEncryptionPassword();
 } else {
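Review bot: The new `!isSeparateEncryptionPasswordEnabled()` guard is repeated by hand in all three credential-change paths of LockPatternUtils.java (the hunks at -462, -523 and -732), and none of them has a comment saying why the encryption password is skipped. If a later credential-saving path omits the check, a lockscreen change would presumably overwrite the user's separate encryption passphrase without any warning. Consider one private helper, e.g. `private boolean isEncryptionTiedToLockscreen(int userId) { return userId == UserHandle.USER_OWNER && !isSeparateEncryptionPasswordEnabled(); }`, plus a comment at each call such as `// A separate encryption passphrase must survive lockscreen credential changes.` The enclosing methods start and end outside these hunks.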
@@ -1089,6 +1092,69 @@ public class LockPatternUtils {
 }
 }
+ private void updateEncryptionPasswordFromPassword(String password) {
+ if (!TextUtils.isEmpty(password)) {
+ int computedQuality = computePasswordQuality(password);
+ boolean numeric = computedQuality
+ == DevicePolicyManager.PASSWORD_QUALITY_NUMERIC;
+ boolean numericComplex = computedQuality
+ == DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX;
+ int type = numeric || numericComplex ? StorageManager.CRYPT_TYPE_PIN
+ : StorageManager.CRYPT_TYPE_PASSWORD;
+ updateEncryptionPassword(type, password);
+ } else {
+ clearEncryptionPassword();
+ }
+ }
+
+ /**
+ * Set the encryption password separately from the lockscreen password.
+ *
+ * @param password The password to save
+ */
+ public void setSeparateEncryptionPassword(String password) {
+ updateEncryptionPasswordFromPassword(password);
+ setSeparateEncryptionPasswordEnabled(true);
+ }
+
+ /**
+ * Replace the separate encryption password by tying it to the lockscreen
+ * password. No change will occur if the provided lockscreen password is
+ * incorrect.
+ *
+ * @param password The current lockscreen password
+ * @return Whether the lockscreen password was correct.
+ */
+ public void replaceSeparateEncryptionPassword(String password) {
+ updateEncryptionPasswordFromPassword(password);
+ setSeparateEncryptionPasswordEnabled(false);
+ }
+
+ /**
+ * Replace the separate encryption password by tying it to the lockscreen
+ * pattern. No change will occur if the provided lockscreen password is
+ * incorrect.
+ *
+ * @param pattern The current lockscreen pattern
+ * @return Whether the lockscreen pattern was correct.
+ */
+ public void replaceSeparateEncryptionPasswordWithPattern(List<LockPatternView.Cell> pattern) {
+ String stringPattern = patternToString(pattern);
+ updateEncryptionPassword(StorageManager.CRYPT_TYPE_PATTERN, stringPattern);
+ setSeparateEncryptionPasswordEnabled(false);
+ }
+
+ /**
+ * @return Whether the encryption password is separate from the lockscreen password.
+ */
+ public boolean isSeparateEncryptionPasswordEnabled() {
+ return getBoolean(Settings.Secure.LOCK_SEPARATE_ENCRYPTION_PASSWORD, false, UserHandle.USER_OWNER);
+ }
+
+ private void setSeparateEncryptionPasswordEnabled(boolean enabled) {
+ setBoolean(Settings.Secure.LOCK_SEPARATE_ENCRYPTION_PASSWORD, enabled, UserHandle.USER_OWNER);
+ }
+
 /**
 * @return Whether tactile feedback for the pattern is enabled.
 */
diff --git a/services/core/java/com/android/server/LockSettingsService.java b/services/core/java/com/android/server/LockSettingsService.java
index 10b0bdd..81cbc19 100644
--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -839,6 +839,7 @@ public class LockSettingsService extends ILockSettings.Stub {
 Secure.LOCK_PATTERN_SIZE,
 Secure.LOCK_DOTS_VISIBLE,
 Secure.LOCK_SHOW_ERROR_PATH,
+ Secure.LOCK_SEPARATE_ENCRYPTION_PASSWORD
 };
 // Reading these settings needs the contacts permission |
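Review bot: In the LockPatternUtils.java hunk at -1089, `replaceSeparateEncryptionPassword` and `replaceSeparateEncryptionPasswordWithPattern` are documented as changing nothing when the supplied lockscreen credential is wrong and as returning whether it was correct, but both are `void` and never check the credential. They pass it straight to the encryption-password update and then clear the separate-password flag, so a mistyped value would become the encryption password while the setting claims the two are tied. Either verify the credential inside these methods before changing anything and return a `boolean`, or drop the `@return` line and the "No change will occur" sentence and state that the caller must already have verified the credential. Separately, `setSeparateEncryptionPassword` accepts an empty string: `updateEncryptionPasswordFromPassword` then calls `clearEncryptionPassword()` and the flag is still set to true, which leaves a cleared encryption password that lockscreen changes no longer update. A guard at the top such as `if (TextUtils.isEmpty(password)) throw new IllegalArgumentException("password must not be empty");` would prevent that.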