Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 686c56ec authored by Eric Biggers's avatar Eric Biggers Committed by Android (Google) Code Review
Browse files

Merge changes I76f70b4d,Ia1bee113 into main 

* changes:
  Zeroize the vendor auth secret encryption key
  Zeroize metrics key in getPasswordMetrics()
parents fee97b78 f00e02cb

services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java

+26 −13
Original line number Diff line number Diff line
@@ -1854,13 +1854,18 @@ class SyntheticPasswordManager { 
            Slogf.e(TAG, "Failed to read password metrics file for user %d", userId);

            return null;

        }

        final byte[] decrypted = SyntheticPasswordCrypto.decrypt(sp.deriveMetricsKey(),

        final byte[] metricsKey = sp.deriveMetricsKey();

        try {

            final byte[] decrypted = SyntheticPasswordCrypto.decrypt(metricsKey,

                    /* personalization= */ new byte[0], encrypted);

            if (decrypted == null) {

                Slogf.e(TAG, "Failed to decrypt password metrics file for user %d", userId);

                return null;

            }

            return VersionedPasswordMetrics.deserialize(decrypted).getMetrics();

        } finally {

            ArrayUtils.zeroize(metricsKey);

        }

    }



    /**
@@ -2055,11 +2060,15 @@ class SyntheticPasswordManager { 
            @NonNull final byte[] vendorAuthSecret,

            @NonNull final SyntheticPassword sp,

            @UserIdInt final int userId) {

        final byte[] encrypted =

                SyntheticPasswordCrypto.encrypt(

                        sp.deriveVendorAuthSecretEncryptionKey(), new byte[0], vendorAuthSecret);

        final byte[] key = sp.deriveVendorAuthSecretEncryptionKey();

        try {

            final byte[] encrypted = SyntheticPasswordCrypto.encrypt(key, new byte[0],

                    vendorAuthSecret);

            saveState(VENDOR_AUTH_SECRET_NAME, encrypted, NULL_PROTECTOR_ID, userId);

            syncState(userId);

        } finally {

            ArrayUtils.zeroize(key);

        }

    }



    public @Nullable byte[] readVendorAuthSecret(
@@ -2068,7 +2077,11 @@ class SyntheticPasswordManager { 
        if (encrypted == null) {

            return null;

        }

        return SyntheticPasswordCrypto.decrypt(

                sp.deriveVendorAuthSecretEncryptionKey(), new byte[0], encrypted);

        final byte[] key = sp.deriveVendorAuthSecretEncryptionKey();

        try {

            return SyntheticPasswordCrypto.decrypt(key, new byte[0], encrypted);

        } finally {

            ArrayUtils.zeroize(key);

        }

    }

}