[LockSettings] migrate password attempt throttling to hardware

/*

 * Copyright (C) 2015 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package android.service.gatekeeper;

/**

 * Response object for a GateKeeper verification request.

 * @hide

 */

parcelable GateKeeperResponse;

/*

 * Copyright (C) 2015 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package android.service.gatekeeper;

import android.os.Parcel;

import android.os.Parcelable;

/**

 * Response object for a GateKeeper verification request.

 * @hide

 */

public final class GateKeeperResponse implements Parcelable {

    public static final int RESPONSE_ERROR = -1;

    public static final int RESPONSE_OK = 0;

    public static final int RESPONSE_RETRY = 1;

    private final int mResponseCode;

    private int mTimeout;

    private byte[] mPayload;

    private boolean mShouldReEnroll;

    private GateKeeperResponse(int responseCode) {

        mResponseCode = responseCode;

    }

    private GateKeeperResponse(int responseCode, int timeout) {

        mResponseCode = responseCode;

    }

    @Override

    public int describeContents() {

        return 0;

    }

    public static final Parcelable.Creator<GateKeeperResponse> CREATOR

            = new Parcelable.Creator<GateKeeperResponse>() {

        @Override

        public GateKeeperResponse createFromParcel(Parcel source) {

            int responseCode = source.readInt();

            GateKeeperResponse response = new GateKeeperResponse(responseCode);

            if (responseCode == RESPONSE_RETRY) {

                response.setTimeout(source.readInt());

            } else if (responseCode == RESPONSE_OK) {

                response.setShouldReEnroll(source.readInt() == 1);

                int size = source.readInt();

                if (size > 0) {

                    byte[] payload = new byte[size];

                    source.readByteArray(payload);

                    response.setPayload(payload);

                }

            }

            return response;

        }

        @Override

        public GateKeeperResponse[] newArray(int size) {

            return new GateKeeperResponse[size];

        }

    };

    @Override

    public void writeToParcel(Parcel dest, int flags) {

        dest.writeInt(mResponseCode);

        if (mResponseCode == RESPONSE_RETRY) {

            dest.writeInt(mTimeout);

        } else if (mResponseCode == RESPONSE_OK) {

            dest.writeInt(mShouldReEnroll ? 1 : 0);

            if (mPayload != null) {

                dest.writeInt(mPayload.length);

                dest.writeByteArray(mPayload);

            }

        }

    }

    public byte[] getPayload() {

        return mPayload;

    }

    public int getTimeout() {

        return mTimeout;

    }

    public boolean getShouldReEnroll() {

        return mShouldReEnroll;

    }

    public int getResponseCode() {

        return mResponseCode;

    }

    private void setTimeout(int timeout) {

        mTimeout = timeout;

    }

    private void setShouldReEnroll(boolean shouldReEnroll) {

        mShouldReEnroll = shouldReEnroll;

    }

    private void setPayload(byte[] payload) {

        mPayload = payload;

    }

}

package android.service.gatekeeper;

package android.service.gatekeeper;

import android.service.gatekeeper.GateKeeperResponse;

/**

/**

 * Interface for communication with GateKeeper, the

 * Interface for communication with GateKeeper, the

 * secure password storage daemon.

 * secure password storage daemon.

     *                        If provided, must verify against the currentPasswordHandle.

     *                        If provided, must verify against the currentPasswordHandle.

     * @param desiredPassword The new desired password, for which a handle will be returned

     * @param desiredPassword The new desired password, for which a handle will be returned

     *                        upon success.

     *                        upon success.

     * @return the handle corresponding to desiredPassword, or null

     * @return an EnrollResponse or null on failure

     */

     */

    byte[] enroll(int uid, in byte[] currentPasswordHandle, in byte[] currentPassword,

    GateKeeperResponse enroll(int uid, in byte[] currentPasswordHandle, in byte[] currentPassword,

            in byte[] desiredPassword);

            in byte[] desiredPassword);

    /**

    /**

     * @param enrolledPasswordHandle The handle against which the provided password will be

     * @param enrolledPasswordHandle The handle against which the provided password will be

     *                               verified.

     *                               verified.

     * @param The plaintext blob to verify against enrolledPassword.

     * @param The plaintext blob to verify against enrolledPassword.

     * @return True if the authentication was successful

     * @return a VerifyResponse, or null on failure.

     */

     */

    boolean verify(int uid, in byte[] enrolledPasswordHandle,

    GateKeeperResponse verify(int uid, in byte[] enrolledPasswordHandle, in byte[] providedPassword);

            in byte[] providedPassword);

    /**

    /**

     * Verifies an enrolled handle against a provided, plaintext blob.

     * Verifies an enrolled handle against a provided, plaintext blob.

     * @param uid The Android user ID associated to this enrollment

     * @param uid The Android user ID associated to this enrollment

     * @param enrolledPasswordHandle The handle against which the provided password will be

     * @param enrolledPasswordHandle The handle against which the provided password will be

     *                               verified.

     *                               verified.

     * @param The plaintext blob to verify against enrolledPassword.

     * @param The plaintext blob to verify against enrolledPassword.

     * @return an opaque attestation of authentication on success, or null.

     * @return a VerifyResponse with an attestation, or null on failure.

     */

     */

    byte[] verifyChallenge(int uid, long challenge, in byte[] enrolledPasswordHandle,

    GateKeeperResponse verifyChallenge(int uid, long challenge, in byte[] enrolledPasswordHandle,

            in byte[] providedPassword);

            in byte[] providedPassword);

    /**

    /**

package com.android.internal.widget;

package com.android.internal.widget;

import com.android.internal.widget.VerifyCredentialResponse;

/** {@hide} */

/** {@hide} */

interface ILockSettings {

interface ILockSettings {

    void setBoolean(in String key, in boolean value, in int userId);

    void setBoolean(in String key, in boolean value, in int userId);

    long getLong(in String key, in long defaultValue, in int userId);

    long getLong(in String key, in long defaultValue, in int userId);

    String getString(in String key, in String defaultValue, in int userId);

    String getString(in String key, in String defaultValue, in int userId);

    void setLockPattern(in String pattern, in String savedPattern, int userId);

    void setLockPattern(in String pattern, in String savedPattern, int userId);

    boolean checkPattern(in String pattern, int userId);

    VerifyCredentialResponse checkPattern(in String pattern, int userId);

    byte[] verifyPattern(in String pattern, long challenge, int userId);

    VerifyCredentialResponse verifyPattern(in String pattern, long challenge, int userId);

    void setLockPassword(in String password, in String savedPassword, int userId);

    void setLockPassword(in String password, in String savedPassword, int userId);

    boolean checkPassword(in String password, int userId);

    VerifyCredentialResponse checkPassword(in String password, int userId);

    byte[] verifyPassword(in String password, long challenge, int userId);

    VerifyCredentialResponse verifyPassword(in String password, long challenge, int userId);

    boolean checkVoldPassword(int userId);

    boolean checkVoldPassword(int userId);

    boolean havePattern(int userId);

    boolean havePattern(int userId);

    boolean havePassword(int userId);

    boolean havePassword(int userId);

import android.os.AsyncTask;

import android.os.AsyncTask;

import com.android.internal.widget.LockPatternUtils.RequestThrottledException;

import java.util.List;

import java.util.List;

/**

/**

         * Invoked when a security check is finished.

         * Invoked when a security check is finished.

         *

         *

         * @param matched Whether the PIN/Password/Pattern matches the stored one.

         * @param matched Whether the PIN/Password/Pattern matches the stored one.

         * @param throttleTimeoutMs The amount of time in ms to wait before reattempting

         * the call. Only non-0 if matched is false.

         */

         */

        void onChecked(boolean matched);

        void onChecked(boolean matched, int throttleTimeoutMs);

    }

    }

    /**

    /**

         * Invoked when a security verification is finished.

         * Invoked when a security verification is finished.

         *

         *

         * @param attestation The attestation that the challenge was verified, or null.

         * @param attestation The attestation that the challenge was verified, or null.

         * @param throttleTimeoutMs The amount of time in ms to wait before reattempting

         * the call. Only non-0 if attestation is null.

         */

         */

        void onVerified(byte[] attestation);

        void onVerified(byte[] attestation, int throttleTimeoutMs);

    }

    }

    /**

    /**

            final int userId,

            final int userId,

            final OnVerifyCallback callback) {

            final OnVerifyCallback callback) {

        AsyncTask<Void, Void, byte[]> task = new AsyncTask<Void, Void, byte[]>() {

        AsyncTask<Void, Void, byte[]> task = new AsyncTask<Void, Void, byte[]>() {

            private int mThrottleTimeout;

            @Override

            @Override

            protected byte[] doInBackground(Void... args) {

            protected byte[] doInBackground(Void... args) {

                try {

                    return utils.verifyPattern(pattern, challenge, userId);

                    return utils.verifyPattern(pattern, challenge, userId);

                } catch (RequestThrottledException ex) {

                    mThrottleTimeout = ex.getTimeoutMs();

                    return null;

                }

            }

            }

            @Override

            @Override

            protected void onPostExecute(byte[] result) {

            protected void onPostExecute(byte[] result) {

                callback.onVerified(result);

                callback.onVerified(result, mThrottleTimeout);

            }

            }

        };

        };

        task.execute();

        task.execute();

            final int userId,

            final int userId,

            final OnCheckCallback callback) {

            final OnCheckCallback callback) {

        AsyncTask<Void, Void, Boolean> task = new AsyncTask<Void, Void, Boolean>() {

        AsyncTask<Void, Void, Boolean> task = new AsyncTask<Void, Void, Boolean>() {

            private int mThrottleTimeout;

            @Override

            @Override

            protected Boolean doInBackground(Void... args) {

            protected Boolean doInBackground(Void... args) {

                try {

                    return utils.checkPattern(pattern, userId);

                    return utils.checkPattern(pattern, userId);

                } catch (RequestThrottledException ex) {

                    mThrottleTimeout = ex.getTimeoutMs();

                    return false;

                }

            }

            }

            @Override

            @Override

            protected void onPostExecute(Boolean result) {

            protected void onPostExecute(Boolean result) {

                callback.onChecked(result);

                callback.onChecked(result, mThrottleTimeout);

            }

            }

        };

        };

        task.execute();

        task.execute();

            final int userId,

            final int userId,

            final OnVerifyCallback callback) {

            final OnVerifyCallback callback) {

        AsyncTask<Void, Void, byte[]> task = new AsyncTask<Void, Void, byte[]>() {

        AsyncTask<Void, Void, byte[]> task = new AsyncTask<Void, Void, byte[]>() {

            private int mThrottleTimeout;

            @Override

            @Override

            protected byte[] doInBackground(Void... args) {

            protected byte[] doInBackground(Void... args) {

                try {

                    return utils.verifyPassword(password, challenge, userId);

                    return utils.verifyPassword(password, challenge, userId);

                } catch (RequestThrottledException ex) {

                    mThrottleTimeout = ex.getTimeoutMs();

                    return null;

                }

            }

            }

            @Override

            @Override

            protected void onPostExecute(byte[] result) {

            protected void onPostExecute(byte[] result) {

                callback.onVerified(result);

                callback.onVerified(result, mThrottleTimeout);

            }

            }

        };

        };

        task.execute();

        task.execute();

            final int userId,

            final int userId,

            final OnCheckCallback callback) {

            final OnCheckCallback callback) {

        AsyncTask<Void, Void, Boolean> task = new AsyncTask<Void, Void, Boolean>() {

        AsyncTask<Void, Void, Boolean> task = new AsyncTask<Void, Void, Boolean>() {

            private int mThrottleTimeout;

            @Override

            @Override

            protected Boolean doInBackground(Void... args) {

            protected Boolean doInBackground(Void... args) {

                try {

                    return utils.checkPassword(password, userId);

                    return utils.checkPassword(password, userId);

                } catch (RequestThrottledException ex) {

                    mThrottleTimeout = ex.getTimeoutMs();

                    return false;

                }

            }

            }

            @Override

            @Override

            protected void onPostExecute(Boolean result) {

            protected void onPostExecute(Boolean result) {

                callback.onChecked(result);

                callback.onChecked(result, mThrottleTimeout);

            }

            }

        };

        };

        task.execute();

        task.execute();