Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 810d0720 authored by Ellen Arteca's avatar Ellen Arteca
Browse files

Mitigate LSKF leaks through the LockscreenCredential in KeyguardManager 

This CL adds try-with-resources around LockscreenCredential objects,
in order to call `close()` when the resource is done being used.
This also clears the LSKF `byte[]` representation in the LockscreenCredential.

This CL applies the above changes to the KeyguardManager.

Bug: 320392352
Test: atest KeyguardManagerTest
Change-Id: Idf1d8545a7bc94a257e939fc41184ea9442694f3
parent c9615168

core/java/android/app/KeyguardManager.java

+20 −21
Original line number Diff line number Diff line
@@ -1032,9 +1032,7 @@ public class KeyguardManager { 
            return false;

        }

        boolean success;

        try {

            LockscreenCredential credential = createLockscreenCredential(

                    lockType, password);

        try (LockscreenCredential credential = createLockscreenCredential(lockType, password)) {

            success = mLockPatternUtils.setLockCredential(

                    credential,

                    /* savedPassword= */ LockscreenCredential.createNone(),
@@ -1213,10 +1211,10 @@ public class KeyguardManager { 
    public boolean setLock(@LockTypes int newLockType, @Nullable byte[] newPassword,

            @LockTypes int currentLockType, @Nullable byte[] currentPassword) {

        final int userId = mContext.getUserId();

        LockscreenCredential currentCredential = createLockscreenCredential(

        try (LockscreenCredential currentCredential = createLockscreenCredential(

                currentLockType, currentPassword);

                LockscreenCredential newCredential = createLockscreenCredential(

                newLockType, newPassword);

                        newLockType, newPassword)) {

            PasswordMetrics adminMetrics =

                    mLockPatternUtils.getRequestedPasswordMetrics(mContext.getUserId());

            List<PasswordValidationError> errors = PasswordMetrics.validateCredential(adminMetrics,
@@ -1227,6 +1225,7 @@ public class KeyguardManager { 
            }

            return mLockPatternUtils.setLockCredential(newCredential, currentCredential, userId);

        }

    }



    /**

     * Verifies the current lock credentials against {@code password}.
@@ -1244,8 +1243,7 @@ public class KeyguardManager { 
            Manifest.permission.ACCESS_KEYGUARD_SECURE_STORAGE

    })

    public boolean checkLock(@LockTypes int lockType, @Nullable byte[] password) {

        final LockscreenCredential credential = createLockscreenCredential(

                lockType, password);

        try (LockscreenCredential credential = createLockscreenCredential(lockType, password)) {

            final VerifyCredentialResponse response = mLockPatternUtils.verifyCredential(

                    credential, mContext.getUserId(), /* flags= */ 0);

            if (response == null) {
@@ -1253,6 +1251,7 @@ public class KeyguardManager { 
            }

            return response.getResponseCode() == VerifyCredentialResponse.RESPONSE_OK;

        }

    }



    /** Starts a session to verify lockscreen credentials provided by a remote device.

     *