summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Micay <danielmicay@gmail.com>2015-12-03 14:27:34 -0500
committerWolfgang Wiedmeyer <wolfgit@wiedmeyer.de>2016-12-16 02:42:15 +0100
commit73e4ff6ef31cce010d31bf4b0bd8990a7bfd85bc (patch)
treebd72a6389e80f995a885267512df50ded75261c4
parent34cb7bda51ec5716f24db107532555d64afa7177 (diff)
downloadframeworks_base-73e4ff6ef31cce010d31bf4b0bd8990a7bfd85bc.zip
frameworks_base-73e4ff6ef31cce010d31bf4b0bd8990a7bfd85bc.tar.gz
frameworks_base-73e4ff6ef31cce010d31bf4b0bd8990a7bfd85bc.tar.bz2
support separate encryption/lockscreen passwords
This adds the necessary infrastructure for allowing users to opt-in to a distinct device encryption passphrase. The passwords are still tied together by default. This makes it possible to use a complex encryption passphrase without losing the convenience of a very simple lockscreen pin. This feature can be combined with a forced reboot after a chosen number of failed unlocking attempts to prevent brute-forcing by requiring the entry of the encryption password instead.
-rw-r--r--core/java/android/provider/Settings.java7
-rw-r--r--core/java/com/android/internal/widget/LockPatternUtils.java72
-rw-r--r--services/core/java/com/android/server/LockSettingsService.java1
3 files changed, 77 insertions, 3 deletions
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index 3ab16fe..e6f1f4a 100644
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -4926,6 +4926,13 @@ public final class Settings {
"lock_screen_allow_private_notifications";
/**
+ * Separate password for encryption and the lockscreen.
+ * @hide
+ */
+ public static final String LOCK_SEPARATE_ENCRYPTION_PASSWORD =
+ "lock_separate_encryption_password";
+
+ /**
* Set by the system to track if the user needs to see the call to action for
* the lockscreen notification policy.
* @hide
diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java
index 5dc91d2..92f520b 100644
--- a/core/java/com/android/internal/widget/LockPatternUtils.java
+++ b/core/java/com/android/internal/widget/LockPatternUtils.java
@@ -462,7 +462,8 @@ public class LockPatternUtils {
// well, we tried...
}
- if (userHandle == UserHandle.USER_OWNER) {
+ if (userHandle == UserHandle.USER_OWNER
+ && !isSeparateEncryptionPasswordEnabled()) {
// Set the encryption password to default.
updateEncryptionPassword(StorageManager.CRYPT_TYPE_DEFAULT, null);
}
@@ -523,7 +524,8 @@ public class LockPatternUtils {
// Update the device encryption password.
if (userId == UserHandle.USER_OWNER
- && LockPatternUtils.isDeviceEncryptionEnabled()) {
+ && LockPatternUtils.isDeviceEncryptionEnabled()
+ && !isSeparateEncryptionPasswordEnabled()) {
if (!shouldEncryptWithCredentials(true)) {
clearEncryptionPassword();
} else {
@@ -732,7 +734,8 @@ public class LockPatternUtils {
// Update the device encryption password.
if (userHandle == UserHandle.USER_OWNER
- && LockPatternUtils.isDeviceEncryptionEnabled()) {
+ && LockPatternUtils.isDeviceEncryptionEnabled()
+ && !isSeparateEncryptionPasswordEnabled()) {
if (!shouldEncryptWithCredentials(true)) {
clearEncryptionPassword();
} else {
@@ -1089,6 +1092,69 @@ public class LockPatternUtils {
}
}
+ private void updateEncryptionPasswordFromPassword(String password) {
+ if (!TextUtils.isEmpty(password)) {
+ int computedQuality = computePasswordQuality(password);
+ boolean numeric = computedQuality
+ == DevicePolicyManager.PASSWORD_QUALITY_NUMERIC;
+ boolean numericComplex = computedQuality
+ == DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX;
+ int type = numeric || numericComplex ? StorageManager.CRYPT_TYPE_PIN
+ : StorageManager.CRYPT_TYPE_PASSWORD;
+ updateEncryptionPassword(type, password);
+ } else {
+ clearEncryptionPassword();
+ }
+ }
+
+ /**
+ * Set the encryption password separately from the lockscreen password.
+ *
+ * @param password The password to save
+ */
+ public void setSeparateEncryptionPassword(String password) {
+ updateEncryptionPasswordFromPassword(password);
+ setSeparateEncryptionPasswordEnabled(true);
+ }
+
+ /**
+ * Replace the separate encryption password by tying it to the lockscreen
+ * password. No change will occur if the provided lockscreen password is
+ * incorrect.
+ *
+ * @param password The current lockscreen password
+ * @return Whether the lockscreen password was correct.
+ */
+ public void replaceSeparateEncryptionPassword(String password) {
+ updateEncryptionPasswordFromPassword(password);
+ setSeparateEncryptionPasswordEnabled(false);
+ }
+
+ /**
+ * Replace the separate encryption password by tying it to the lockscreen
+ * pattern. No change will occur if the provided lockscreen password is
+ * incorrect.
+ *
+ * @param pattern The current lockscreen pattern
+ * @return Whether the lockscreen pattern was correct.
+ */
+ public void replaceSeparateEncryptionPasswordWithPattern(List<LockPatternView.Cell> pattern) {
+ String stringPattern = patternToString(pattern);
+ updateEncryptionPassword(StorageManager.CRYPT_TYPE_PATTERN, stringPattern);
+ setSeparateEncryptionPasswordEnabled(false);
+ }
+
+ /**
+ * @return Whether the encryption password is separate from the lockscreen password.
+ */
+ public boolean isSeparateEncryptionPasswordEnabled() {
+ return getBoolean(Settings.Secure.LOCK_SEPARATE_ENCRYPTION_PASSWORD, false, UserHandle.USER_OWNER);
+ }
+
+ private void setSeparateEncryptionPasswordEnabled(boolean enabled) {
+ setBoolean(Settings.Secure.LOCK_SEPARATE_ENCRYPTION_PASSWORD, enabled, UserHandle.USER_OWNER);
+ }
+
/**
* @return Whether tactile feedback for the pattern is enabled.
*/
diff --git a/services/core/java/com/android/server/LockSettingsService.java b/services/core/java/com/android/server/LockSettingsService.java
index 10b0bdd..81cbc19 100644
--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -839,6 +839,7 @@ public class LockSettingsService extends ILockSettings.Stub {
Secure.LOCK_PATTERN_SIZE,
Secure.LOCK_DOTS_VISIBLE,
Secure.LOCK_SHOW_ERROR_PATH,
+ Secure.LOCK_SEPARATE_ENCRYPTION_PASSWORD
};
// Reading these settings needs the contacts permission