Commit c34aefcc authored by Eric Biggers

Zeroize password metrics key in savePasswordMetrics()

Secrets derived from or unlocked by the LSKF need to be zeroized as soon
as they are no longer needed.

Bug: 320392352
Test: atest FrameworksServicesTests:com.android.server.locksettings
Flag: EXEMPT bugfix
Change-Id: Ia21653380af5fb92e12514295d3dd988bd83e42d
parent c3e8542a
+9 −4
@@ -1865,10 +1865,15 @@ class SyntheticPasswordManager {
     */
    private void savePasswordMetrics(LockscreenCredential credential, SyntheticPassword sp,
            long protectorId, int userId) {
        final byte[] encrypted = SyntheticPasswordCrypto.encrypt(sp.deriveMetricsKey(),
        final byte[] metricsKey = sp.deriveMetricsKey();
        try {
            final byte[] encrypted = SyntheticPasswordCrypto.encrypt(metricsKey,
                    /* personalization= */ new byte[0],
                    new VersionedPasswordMetrics(credential).serialize());
            saveState(PASSWORD_METRICS_NAME, encrypted, protectorId, userId);
        } finally {
            ArrayUtils.zeroize(metricsKey);
        }
    }

    @VisibleForTesting
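
Review bot: In the try block, the plaintext produced by `new VersionedPasswordMetrics(credential).serialize()` is built from the credential and handed to `SyntheticPasswordCrypto.encrypt()` as an unnamed temporary, so it is never wiped; only `metricsKey` is cleared in the `finally`. If that buffer falls under the rule stated in the commit message (secrets derived from the LSKF are zeroized once no longer needed), bind it to a local and pass it to `ArrayUtils.zeroize()` in the same `finally` block. A one-line comment above the `finally` saying why `metricsKey` is cleared would also keep a later refactor from folding the call back into the `encrypt()` argument list.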