| /* |
| * Copyright (C) 2007 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package com.android.internal.widget; |
| |
| import android.app.DevicePolicyManager; |
| import android.content.ComponentName; |
| import android.content.ContentResolver; |
| import android.content.Context; |
| import android.os.SystemClock; |
| import android.provider.Settings; |
| import android.security.MessageDigest; |
| import android.text.TextUtils; |
| import android.util.Log; |
| |
| import com.google.android.collect.Lists; |
| |
| import java.io.FileNotFoundException; |
| import java.io.IOException; |
| import java.io.RandomAccessFile; |
| import java.security.NoSuchAlgorithmException; |
| import java.security.SecureRandom; |
| import java.util.Arrays; |
| import java.util.List; |
| |
| /** |
| * Utilities for the lock patten and its settings. |
| */ |
| public class LockPatternUtils { |
| |
| private static final String TAG = "LockPatternUtils"; |
| |
| private static final String LOCK_PATTERN_FILE = "/system/gesture.key"; |
| private static final String LOCK_PASSWORD_FILE = "/system/password.key"; |
| |
| /** |
| * The maximum number of incorrect attempts before the user is prevented |
| * from trying again for {@link #FAILED_ATTEMPT_TIMEOUT_MS}. |
| */ |
| public static final int FAILED_ATTEMPTS_BEFORE_TIMEOUT = 5; |
| |
| /** |
| * The number of incorrect attempts before which we fall back on an alternative |
| * method of verifying the user, and resetting their lock pattern. |
| */ |
| public static final int FAILED_ATTEMPTS_BEFORE_RESET = 20; |
| |
| /** |
| * How long the user is prevented from trying again after entering the |
| * wrong pattern too many times. |
| */ |
| public static final long FAILED_ATTEMPT_TIMEOUT_MS = 30000L; |
| |
| /** |
| * The interval of the countdown for showing progress of the lockout. |
| */ |
| public static final long FAILED_ATTEMPT_COUNTDOWN_INTERVAL_MS = 1000L; |
| |
| /** |
| * The minimum number of dots in a valid pattern. |
| */ |
| public static final int MIN_LOCK_PATTERN_SIZE = 4; |
| |
| /** |
| * Type of password being stored. |
| * pattern = pattern screen |
| * pin = digit-only password |
| * password = alphanumeric password |
| */ |
| public static final int MODE_PATTERN = DevicePolicyManager.PASSWORD_MODE_SOMETHING; |
| public static final int MODE_PIN = DevicePolicyManager.PASSWORD_MODE_NUMERIC; |
| public static final int MODE_PASSWORD = DevicePolicyManager.PASSWORD_MODE_ALPHANUMERIC; |
| |
| /** |
| * The minimum number of dots the user must include in a wrong pattern |
| * attempt for it to be counted against the counts that affect |
| * {@link #FAILED_ATTEMPTS_BEFORE_TIMEOUT} and {@link #FAILED_ATTEMPTS_BEFORE_RESET} |
| */ |
| public static final int MIN_PATTERN_REGISTER_FAIL = 3; |
| |
| private final static String LOCKOUT_PERMANENT_KEY = "lockscreen.lockedoutpermanently"; |
| private final static String LOCKOUT_ATTEMPT_DEADLINE = "lockscreen.lockoutattemptdeadline"; |
| private final static String PATTERN_EVER_CHOSEN_KEY = "lockscreen.patterneverchosen"; |
| public final static String PASSWORD_TYPE_KEY = "lockscreen.password_type"; |
| private final static String LOCK_PASSWORD_SALT_KEY = "lockscreen.password_salt"; |
| |
| private final Context mContext; |
| private final ContentResolver mContentResolver; |
| private DevicePolicyManager mDevicePolicyManager; |
| private static String sLockPatternFilename; |
| private static String sLockPasswordFilename; |
| |
| /** |
| * @param contentResolver Used to look up and save settings. |
| */ |
| public LockPatternUtils(Context context) { |
| mContext = context; |
| mContentResolver = context.getContentResolver(); |
| mDevicePolicyManager = |
| (DevicePolicyManager)context.getSystemService(Context.DEVICE_POLICY_SERVICE); |
| // Initialize the location of gesture lock file |
| if (sLockPatternFilename == null) { |
| sLockPatternFilename = android.os.Environment.getDataDirectory() |
| .getAbsolutePath() + LOCK_PATTERN_FILE; |
| sLockPasswordFilename = android.os.Environment.getDataDirectory() |
| .getAbsolutePath() + LOCK_PASSWORD_FILE; |
| } |
| |
| } |
| |
| public int getRequestedMinimumPasswordLength() { |
| return mDevicePolicyManager.getMinimumPasswordLength(); |
| } |
| |
| /** |
| * Gets the device policy password mode. If the mode is non-specific, returns |
| * MODE_PATTERN which allows the user to choose anything. |
| * |
| * @return |
| */ |
| public int getRequestedPasswordMode() { |
| int policyMode = mDevicePolicyManager.getPasswordMode(); |
| switch (policyMode) { |
| case DevicePolicyManager.PASSWORD_MODE_ALPHANUMERIC: |
| return MODE_PASSWORD; |
| case DevicePolicyManager.PASSWORD_MODE_NUMERIC: |
| return MODE_PIN; |
| case DevicePolicyManager.PASSWORD_MODE_UNSPECIFIED: |
| return MODE_PATTERN; |
| } |
| return MODE_PATTERN; |
| } |
| |
| /** |
| * Returns the actual password mode, as set by keyguard after updating the password. |
| * |
| * @return |
| */ |
| public void reportFailedPasswordAttempt() { |
| mDevicePolicyManager.reportFailedPasswordAttempt(); |
| } |
| |
| public void reportSuccessfulPasswordAttempt() { |
| mDevicePolicyManager.reportSuccessfulPasswordAttempt(); |
| } |
| |
| public void setActivePasswordState(int mode, int length) { |
| int policyMode = DevicePolicyManager.PASSWORD_MODE_UNSPECIFIED; |
| switch (mode) { |
| case MODE_PATTERN: |
| policyMode = DevicePolicyManager.PASSWORD_MODE_UNSPECIFIED; |
| break; |
| case MODE_PIN: |
| policyMode = DevicePolicyManager.PASSWORD_MODE_NUMERIC; |
| break; |
| case MODE_PASSWORD: |
| policyMode = DevicePolicyManager.PASSWORD_MODE_ALPHANUMERIC; |
| break; |
| } |
| mDevicePolicyManager.setActivePasswordState(policyMode, length); |
| } |
| |
| /** |
| * Check to see if a pattern matches the saved pattern. If no pattern exists, |
| * always returns true. |
| * @param pattern The pattern to check. |
| * @return Whether the pattern matches the stored one. |
| */ |
| public boolean checkPattern(List<LockPatternView.Cell> pattern) { |
| try { |
| // Read all the bytes from the file |
| RandomAccessFile raf = new RandomAccessFile(sLockPatternFilename, "r"); |
| final byte[] stored = new byte[(int) raf.length()]; |
| int got = raf.read(stored, 0, stored.length); |
| raf.close(); |
| if (got <= 0) { |
| return true; |
| } |
| // Compare the hash from the file with the entered pattern's hash |
| return Arrays.equals(stored, LockPatternUtils.patternToHash(pattern)); |
| } catch (FileNotFoundException fnfe) { |
| return true; |
| } catch (IOException ioe) { |
| return true; |
| } |
| } |
| |
| /** |
| * Check to see if a password matches the saved password. If no password exists, |
| * always returns true. |
| * @param password The password to check. |
| * @return Whether the password matches the stored one. |
| */ |
| public boolean checkPassword(String password) { |
| try { |
| // Read all the bytes from the file |
| RandomAccessFile raf = new RandomAccessFile(sLockPasswordFilename, "r"); |
| final byte[] stored = new byte[(int) raf.length()]; |
| int got = raf.read(stored, 0, stored.length); |
| raf.close(); |
| if (got <= 0) { |
| return true; |
| } |
| // Compare the hash from the file with the entered password's hash |
| return Arrays.equals(stored, passwordToHash(password)); |
| } catch (FileNotFoundException fnfe) { |
| return true; |
| } catch (IOException ioe) { |
| return true; |
| } |
| } |
| |
| /** |
| * Checks to see if the given file exists and contains any data. Returns true if it does, |
| * false otherwise. |
| * @param filename |
| * @return true if file exists and is non-empty. |
| */ |
| private boolean nonEmptyFileExists(String filename) { |
| try { |
| // Check if we can read a byte from the file |
| RandomAccessFile raf = new RandomAccessFile(filename, "r"); |
| byte first = raf.readByte(); |
| raf.close(); |
| return true; |
| } catch (FileNotFoundException fnfe) { |
| return false; |
| } catch (IOException ioe) { |
| return false; |
| } |
| } |
| |
| /** |
| * Check to see if the user has stored a lock pattern. |
| * @return Whether a saved pattern exists. |
| */ |
| public boolean savedPatternExists() { |
| return nonEmptyFileExists(sLockPatternFilename); |
| } |
| |
| /** |
| * Check to see if the user has stored a lock pattern. |
| * @return Whether a saved pattern exists. |
| */ |
| public boolean savedPasswordExists() { |
| return nonEmptyFileExists(sLockPasswordFilename); |
| } |
| |
| /** |
| * Return true if the user has ever chosen a pattern. This is true even if the pattern is |
| * currently cleared. |
| * |
| * @return True if the user has ever chosen a pattern. |
| */ |
| public boolean isPatternEverChosen() { |
| return getBoolean(PATTERN_EVER_CHOSEN_KEY); |
| } |
| |
| /** |
| * Clear any lock pattern or password. |
| */ |
| public void clearLock() { |
| saveLockPassword(null, LockPatternUtils.MODE_PATTERN); |
| setLockPatternEnabled(false); |
| saveLockPattern(null); |
| setLong(PASSWORD_TYPE_KEY, MODE_PATTERN); |
| } |
| |
| /** |
| * Save a lock pattern. |
| * @param pattern The new pattern to save. |
| */ |
| public void saveLockPattern(List<LockPatternView.Cell> pattern) { |
| // Compute the hash |
| final byte[] hash = LockPatternUtils.patternToHash(pattern); |
| try { |
| // Write the hash to file |
| RandomAccessFile raf = new RandomAccessFile(sLockPatternFilename, "rw"); |
| // Truncate the file if pattern is null, to clear the lock |
| if (pattern == null) { |
| raf.setLength(0); |
| } else { |
| raf.write(hash, 0, hash.length); |
| } |
| raf.close(); |
| if (pattern != null) { |
| setBoolean(PATTERN_EVER_CHOSEN_KEY, true); |
| setLong(PASSWORD_TYPE_KEY, MODE_PATTERN); |
| DevicePolicyManager dpm = (DevicePolicyManager)mContext.getSystemService( |
| Context.DEVICE_POLICY_SERVICE); |
| dpm.setActivePasswordState( |
| DevicePolicyManager.PASSWORD_MODE_SOMETHING, pattern.size()); |
| } |
| } catch (FileNotFoundException fnfe) { |
| // Cant do much, unless we want to fail over to using the settings provider |
| Log.e(TAG, "Unable to save lock pattern to " + sLockPatternFilename); |
| } catch (IOException ioe) { |
| // Cant do much |
| Log.e(TAG, "Unable to save lock pattern to " + sLockPatternFilename); |
| } |
| } |
| |
| /** |
| * Save a lock password. |
| * @param password The password to save |
| */ |
| public void saveLockPassword(String password, int mode) { |
| // Compute the hash |
| final byte[] hash = passwordToHash(password); |
| try { |
| // Write the hash to file |
| RandomAccessFile raf = new RandomAccessFile(sLockPasswordFilename, "rw"); |
| // Truncate the file if pattern is null, to clear the lock |
| if (password == null) { |
| raf.setLength(0); |
| } else { |
| raf.write(hash, 0, hash.length); |
| } |
| raf.close(); |
| if (password != null) { |
| int textMode = TextUtils.isDigitsOnly(password) ? MODE_PIN : MODE_PASSWORD; |
| if (textMode > mode) { |
| mode = textMode; |
| } |
| setLong(PASSWORD_TYPE_KEY, mode); |
| DevicePolicyManager dpm = (DevicePolicyManager)mContext.getSystemService( |
| Context.DEVICE_POLICY_SERVICE); |
| dpm.setActivePasswordState(mode, password.length()); |
| } |
| } catch (FileNotFoundException fnfe) { |
| // Cant do much, unless we want to fail over to using the settings provider |
| Log.e(TAG, "Unable to save lock pattern to " + sLockPasswordFilename); |
| } catch (IOException ioe) { |
| // Cant do much |
| Log.e(TAG, "Unable to save lock pattern to " + sLockPasswordFilename); |
| } |
| } |
| |
| public int getPasswordMode() { |
| return (int) getLong(PASSWORD_TYPE_KEY, MODE_PATTERN); |
| } |
| |
| /** |
| * Deserialize a pattern. |
| * @param string The pattern serialized with {@link #patternToString} |
| * @return The pattern. |
| */ |
| public static List<LockPatternView.Cell> stringToPattern(String string) { |
| List<LockPatternView.Cell> result = Lists.newArrayList(); |
| |
| final byte[] bytes = string.getBytes(); |
| for (int i = 0; i < bytes.length; i++) { |
| byte b = bytes[i]; |
| result.add(LockPatternView.Cell.of(b / 3, b % 3)); |
| } |
| return result; |
| } |
| |
| /** |
| * Serialize a pattern. |
| * @param pattern The pattern. |
| * @return The pattern in string form. |
| */ |
| public static String patternToString(List<LockPatternView.Cell> pattern) { |
| if (pattern == null) { |
| return ""; |
| } |
| final int patternSize = pattern.size(); |
| |
| byte[] res = new byte[patternSize]; |
| for (int i = 0; i < patternSize; i++) { |
| LockPatternView.Cell cell = pattern.get(i); |
| res[i] = (byte) (cell.getRow() * 3 + cell.getColumn()); |
| } |
| return new String(res); |
| } |
| |
| /* |
| * Generate an SHA-1 hash for the pattern. Not the most secure, but it is |
| * at least a second level of protection. First level is that the file |
| * is in a location only readable by the system process. |
| * @param pattern the gesture pattern. |
| * @return the hash of the pattern in a byte array. |
| */ |
| private static byte[] patternToHash(List<LockPatternView.Cell> pattern) { |
| if (pattern == null) { |
| return null; |
| } |
| |
| final int patternSize = pattern.size(); |
| byte[] res = new byte[patternSize]; |
| for (int i = 0; i < patternSize; i++) { |
| LockPatternView.Cell cell = pattern.get(i); |
| res[i] = (byte) (cell.getRow() * 3 + cell.getColumn()); |
| } |
| try { |
| MessageDigest md = MessageDigest.getInstance("SHA-1"); |
| byte[] hash = md.digest(res); |
| return hash; |
| } catch (NoSuchAlgorithmException nsa) { |
| return res; |
| } |
| } |
| |
| private String getSalt() { |
| long salt = getLong(LOCK_PASSWORD_SALT_KEY, 0); |
| if (salt == 0) { |
| try { |
| salt = SecureRandom.getInstance("SHA1PRNG").nextLong(); |
| setLong(LOCK_PASSWORD_SALT_KEY, salt); |
| Log.v(TAG, "Initialized lock password salt"); |
| } catch (NoSuchAlgorithmException e) { |
| // Throw an exception rather than storing a password we'll never be able to recover |
| throw new IllegalStateException("Couldn't get SecureRandom number", e); |
| } |
| } |
| return Long.toHexString(salt); |
| } |
| |
| /* |
| * Generate a hash for the given password. To avoid brute force attacks, we use a salted hash. |
| * Not the most secure, but it is at least a second level of protection. First level is that |
| * the file is in a location only readable by the system process. |
| * @param password the gesture pattern. |
| * @return the hash of the pattern in a byte array. |
| */ |
| public byte[] passwordToHash(String password) { |
| if (password == null) { |
| return null; |
| } |
| String algo = null; |
| byte[] hashed = null; |
| try { |
| byte[] saltedPassword = (password + getSalt()).getBytes(); |
| byte[] sha1 = MessageDigest.getInstance(algo = "SHA-1").digest(saltedPassword); |
| byte[] md5 = MessageDigest.getInstance(algo = "MD5").digest(saltedPassword); |
| hashed = (toHex(sha1) + toHex(md5)).getBytes(); |
| } catch (NoSuchAlgorithmException e) { |
| Log.w(TAG, "Failed to encode string because of missing algorithm: " + algo); |
| } |
| return hashed; |
| } |
| |
| private static String toHex(byte[] ary) { |
| final String hex = "0123456789ABCDEF"; |
| String ret = ""; |
| for (int i = 0; i < ary.length; i++) { |
| ret += hex.charAt((ary[i] >> 4) & 0xf); |
| ret += hex.charAt(ary[i] & 0xf); |
| } |
| return ret; |
| } |
| |
| /** |
| * @return Whether the lock password is enabled. |
| */ |
| public boolean isLockPasswordEnabled() { |
| long mode = getLong(PASSWORD_TYPE_KEY, 0); |
| return savedPasswordExists() && (mode == MODE_PASSWORD || mode == MODE_PIN); |
| } |
| |
| /** |
| * @return Whether the lock pattern is enabled. |
| */ |
| public boolean isLockPatternEnabled() { |
| return getBoolean(Settings.System.LOCK_PATTERN_ENABLED) |
| && getLong(PASSWORD_TYPE_KEY, MODE_PATTERN) == MODE_PATTERN; |
| } |
| |
| /** |
| * Set whether the lock pattern is enabled. |
| */ |
| public void setLockPatternEnabled(boolean enabled) { |
| setBoolean(Settings.System.LOCK_PATTERN_ENABLED, enabled); |
| } |
| |
| /** |
| * @return Whether the visible pattern is enabled. |
| */ |
| public boolean isVisiblePatternEnabled() { |
| return getBoolean(Settings.System.LOCK_PATTERN_VISIBLE); |
| } |
| |
| /** |
| * Set whether the visible pattern is enabled. |
| */ |
| public void setVisiblePatternEnabled(boolean enabled) { |
| setBoolean(Settings.System.LOCK_PATTERN_VISIBLE, enabled); |
| } |
| |
| /** |
| * @return Whether tactile feedback for the pattern is enabled. |
| */ |
| public boolean isTactileFeedbackEnabled() { |
| return getBoolean(Settings.System.LOCK_PATTERN_TACTILE_FEEDBACK_ENABLED); |
| } |
| |
| /** |
| * Set whether tactile feedback for the pattern is enabled. |
| */ |
| public void setTactileFeedbackEnabled(boolean enabled) { |
| setBoolean(Settings.System.LOCK_PATTERN_TACTILE_FEEDBACK_ENABLED, enabled); |
| } |
| |
| /** |
| * Set and store the lockout deadline, meaning the user can't attempt his/her unlock |
| * pattern until the deadline has passed. |
| * @return the chosen deadline. |
| */ |
| public long setLockoutAttemptDeadline() { |
| final long deadline = SystemClock.elapsedRealtime() + FAILED_ATTEMPT_TIMEOUT_MS; |
| setLong(LOCKOUT_ATTEMPT_DEADLINE, deadline); |
| return deadline; |
| } |
| |
| /** |
| * @return The elapsed time in millis in the future when the user is allowed to |
| * attempt to enter his/her lock pattern, or 0 if the user is welcome to |
| * enter a pattern. |
| */ |
| public long getLockoutAttemptDeadline() { |
| final long deadline = getLong(LOCKOUT_ATTEMPT_DEADLINE, 0L); |
| final long now = SystemClock.elapsedRealtime(); |
| if (deadline < now || deadline > (now + FAILED_ATTEMPT_TIMEOUT_MS)) { |
| return 0L; |
| } |
| return deadline; |
| } |
| |
| /** |
| * @return Whether the user is permanently locked out until they verify their |
| * credentials. Occurs after {@link #FAILED_ATTEMPTS_BEFORE_RESET} failed |
| * attempts. |
| */ |
| public boolean isPermanentlyLocked() { |
| return getBoolean(LOCKOUT_PERMANENT_KEY); |
| } |
| |
| /** |
| * Set the state of whether the device is permanently locked, meaning the user |
| * must authenticate via other means. |
| * |
| * @param locked Whether the user is permanently locked out until they verify their |
| * credentials. Occurs after {@link #FAILED_ATTEMPTS_BEFORE_RESET} failed |
| * attempts. |
| */ |
| public void setPermanentlyLocked(boolean locked) { |
| setBoolean(LOCKOUT_PERMANENT_KEY, locked); |
| } |
| |
| /** |
| * @return A formatted string of the next alarm (for showing on the lock screen), |
| * or null if there is no next alarm. |
| */ |
| public String getNextAlarm() { |
| String nextAlarm = Settings.System.getString(mContentResolver, |
| Settings.System.NEXT_ALARM_FORMATTED); |
| if (nextAlarm == null || TextUtils.isEmpty(nextAlarm)) { |
| return null; |
| } |
| return nextAlarm; |
| } |
| |
| private boolean getBoolean(String systemSettingKey) { |
| // STOPSHIP: these need to be moved to secure settings! |
| return 1 == |
| android.provider.Settings.System.getInt( |
| mContentResolver, |
| systemSettingKey, 0); |
| } |
| |
| private void setBoolean(String systemSettingKey, boolean enabled) { |
| // STOPSHIP: these need to be moved to secure settings! |
| android.provider.Settings.System.putInt( |
| mContentResolver, |
| systemSettingKey, |
| enabled ? 1 : 0); |
| } |
| |
| private long getLong(String systemSettingKey, long def) { |
| // STOPSHIP: these need to be moved to secure settings! |
| return android.provider.Settings.System.getLong(mContentResolver, systemSettingKey, def); |
| } |
| |
| private void setLong(String systemSettingKey, long value) { |
| // STOPSHIP: these need to be moved to secure settings! |
| android.provider.Settings.System.putLong(mContentResolver, systemSettingKey, value); |
| } |
| |
| public boolean isSecure() { |
| long mode = getPasswordMode(); |
| boolean secure = mode == MODE_PATTERN && isLockPatternEnabled() && savedPatternExists() |
| || (mode == MODE_PIN || mode == MODE_PASSWORD) && savedPasswordExists(); |
| return secure; |
| } |
| } |