LockPatternUtils.java revision 69aa4a953f040277c19c23208bb830f52796c8c6 
1/*
2 * Copyright (C) 2007 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package com.android.internal.widget;
18
19import android.content.ContentResolver;
20import android.os.SystemClock;
21import android.provider.Settings;
22import android.security.MessageDigest;
23import android.text.TextUtils;
24import android.util.Log;
25
26import com.google.android.collect.Lists;
27
28import java.io.FileNotFoundException;
29import java.io.IOException;
30import java.io.RandomAccessFile;
31import java.security.NoSuchAlgorithmException;
32import java.util.Arrays;
33import java.util.List;
34
35/**
36 * Utilities for the lock patten and its settings.
37 */
38public class LockPatternUtils {
39
40    private static final String TAG = "LockPatternUtils";
41
42    private static final String LOCK_PATTERN_FILE = "/system/gesture.key";
43    private static final String LOCK_PASSWORD_FILE = "/system/password.key";
44
45    /**
46     * The maximum number of incorrect attempts before the user is prevented
47     * from trying again for {@link #FAILED_ATTEMPT_TIMEOUT_MS}.
48     */
49    public static final int FAILED_ATTEMPTS_BEFORE_TIMEOUT = 5;
50
51    /**
52     * The number of incorrect attempts before which we fall back on an alternative
53     * method of verifying the user, and resetting their lock pattern.
54     */
55    public static final int FAILED_ATTEMPTS_BEFORE_RESET = 20;
56
57    /**
58     * How long the user is prevented from trying again after entering the
59     * wrong pattern too many times.
60     */
61    public static final long FAILED_ATTEMPT_TIMEOUT_MS = 30000L;
62
63    /**
64     * The interval of the countdown for showing progress of the lockout.
65     */
66    public static final long FAILED_ATTEMPT_COUNTDOWN_INTERVAL_MS = 1000L;
67
68    /**
69     * The minimum number of dots in a valid pattern.
70     */
71    public static final int MIN_LOCK_PATTERN_SIZE = 4;
72
73    /**
74     * Type of password being stored.
75     * pattern = pattern screen
76     * pin = digit-only password
77     * password = alphanumeric password
78     */
79    public static final int MODE_PATTERN = 0;
80    public static final int MODE_PIN = 1;
81    public static final int MODE_PASSWORD = 2;
82
83    /**
84     * The minimum number of dots the user must include in a wrong pattern
85     * attempt for it to be counted against the counts that affect
86     * {@link #FAILED_ATTEMPTS_BEFORE_TIMEOUT} and {@link #FAILED_ATTEMPTS_BEFORE_RESET}
87     */
88    public static final int MIN_PATTERN_REGISTER_FAIL = 3;
89
90    private final static String LOCKOUT_PERMANENT_KEY = "lockscreen.lockedoutpermanently";
91    private final static String LOCKOUT_ATTEMPT_DEADLINE = "lockscreen.lockoutattemptdeadline";
92    private final static String PATTERN_EVER_CHOSEN_KEY = "lockscreen.patterneverchosen";
93    public final static String PASSWORD_TYPE_KEY = "lockscreen.password_type";
94
95    private final ContentResolver mContentResolver;
96
97    private static String sLockPatternFilename;
98    private static String sLockPasswordFilename;
99
100    /**
101     * @param contentResolver Used to look up and save settings.
102     */
103    public LockPatternUtils(ContentResolver contentResolver) {
104        mContentResolver = contentResolver;
105        // Initialize the location of gesture lock file
106        if (sLockPatternFilename == null) {
107            sLockPatternFilename = android.os.Environment.getDataDirectory()
108                    .getAbsolutePath() + LOCK_PATTERN_FILE;
109            sLockPasswordFilename = android.os.Environment.getDataDirectory()
110                    .getAbsolutePath() + LOCK_PASSWORD_FILE;
111        }
112
113    }
114
115    /**
116     * Check to see if a pattern matches the saved pattern.  If no pattern exists,
117     * always returns true.
118     * @param pattern The pattern to check.
119     * @return Whether the pattern matches the stored one.
120     */
121    public boolean checkPattern(List<LockPatternView.Cell> pattern) {
122        try {
123            // Read all the bytes from the file
124            RandomAccessFile raf = new RandomAccessFile(sLockPatternFilename, "r");
125            final byte[] stored = new byte[(int) raf.length()];
126            int got = raf.read(stored, 0, stored.length);
127            raf.close();
128            if (got <= 0) {
129                return true;
130            }
131            // Compare the hash from the file with the entered pattern's hash
132            return Arrays.equals(stored, LockPatternUtils.patternToHash(pattern));
133        } catch (FileNotFoundException fnfe) {
134            return true;
135        } catch (IOException ioe) {
136            return true;
137        }
138    }
139
140    /**
141     * Check to see if a password matches the saved password.  If no password exists,
142     * always returns true.
143     * @param password The password to check.
144     * @return Whether the password matches the stored one.
145     */
146    public boolean checkPassword(String password) {
147        try {
148            // Read all the bytes from the file
149            RandomAccessFile raf = new RandomAccessFile(sLockPasswordFilename, "r");
150            final byte[] stored = new byte[(int) raf.length()];
151            int got = raf.read(stored, 0, stored.length);
152            raf.close();
153            if (got <= 0) {
154                return true;
155            }
156            // Compare the hash from the file with the entered password's hash
157            return Arrays.equals(stored, LockPatternUtils.passwordToHash(password));
158        } catch (FileNotFoundException fnfe) {
159            return true;
160        } catch (IOException ioe) {
161            return true;
162        }
163    }
164
165    /**
166     * Checks to see if the given file exists and contains any data. Returns true if it does,
167     * false otherwise.
168     * @param filename
169     * @return true if file exists and is non-empty.
170     */
171    private boolean nonEmptyFileExists(String filename) {
172        try {
173            // Check if we can read a byte from the file
174            RandomAccessFile raf = new RandomAccessFile(filename, "r");
175            byte first = raf.readByte();
176            raf.close();
177            return true;
178        } catch (FileNotFoundException fnfe) {
179            return false;
180        } catch (IOException ioe) {
181            return false;
182        }
183    }
184
185    /**
186     * Check to see if the user has stored a lock pattern.
187     * @return Whether a saved pattern exists.
188     */
189    public boolean savedPatternExists() {
190        return nonEmptyFileExists(sLockPatternFilename);
191    }
192
193    /**
194     * Check to see if the user has stored a lock pattern.
195     * @return Whether a saved pattern exists.
196     */
197    public boolean savedPasswordExists() {
198        return nonEmptyFileExists(sLockPasswordFilename);
199    }
200
201    /**
202     * Return true if the user has ever chosen a pattern.  This is true even if the pattern is
203     * currently cleared.
204     *
205     * @return True if the user has ever chosen a pattern.
206     */
207    public boolean isPatternEverChosen() {
208        return getBoolean(PATTERN_EVER_CHOSEN_KEY);
209    }
210
211    /**
212     * Save a lock pattern.
213     * @param pattern The new pattern to save.
214     */
215    public void saveLockPattern(List<LockPatternView.Cell> pattern) {
216        // Compute the hash
217        final byte[] hash  = LockPatternUtils.patternToHash(pattern);
218        try {
219            // Write the hash to file
220            RandomAccessFile raf = new RandomAccessFile(sLockPatternFilename, "rw");
221            // Truncate the file if pattern is null, to clear the lock
222            if (pattern == null) {
223                raf.setLength(0);
224            } else {
225                raf.write(hash, 0, hash.length);
226            }
227            raf.close();
228            setBoolean(PATTERN_EVER_CHOSEN_KEY, true);
229            setLong(PASSWORD_TYPE_KEY, MODE_PATTERN);
230        } catch (FileNotFoundException fnfe) {
231            // Cant do much, unless we want to fail over to using the settings provider
232            Log.e(TAG, "Unable to save lock pattern to " + sLockPatternFilename);
233        } catch (IOException ioe) {
234            // Cant do much
235            Log.e(TAG, "Unable to save lock pattern to " + sLockPatternFilename);
236        }
237    }
238
239    /**
240     * Save a lock password.
241     * @param password The password to save
242     */
243    public void saveLockPassword(String password) {
244        // Compute the hash
245        boolean numericHint = password != null ? TextUtils.isDigitsOnly(password) : false;
246        final byte[] hash  = LockPatternUtils.passwordToHash(password);
247        try {
248            // Write the hash to file
249            RandomAccessFile raf = new RandomAccessFile(sLockPasswordFilename, "rw");
250            // Truncate the file if pattern is null, to clear the lock
251            if (password == null) {
252                raf.setLength(0);
253            } else {
254                raf.write(hash, 0, hash.length);
255            }
256            raf.close();
257            setLong(PASSWORD_TYPE_KEY, numericHint ? MODE_PIN : MODE_PASSWORD);
258        } catch (FileNotFoundException fnfe) {
259            // Cant do much, unless we want to fail over to using the settings provider
260            Log.e(TAG, "Unable to save lock pattern to " + sLockPasswordFilename);
261        } catch (IOException ioe) {
262            // Cant do much
263            Log.e(TAG, "Unable to save lock pattern to " + sLockPasswordFilename);
264        }
265    }
266
267    public int getPasswordMode() {
268        return (int) getLong(PASSWORD_TYPE_KEY, MODE_PATTERN);
269    }
270
271    /**
272     * Deserialize a pattern.
273     * @param string The pattern serialized with {@link #patternToString}
274     * @return The pattern.
275     */
276    public static List<LockPatternView.Cell> stringToPattern(String string) {
277        List<LockPatternView.Cell> result = Lists.newArrayList();
278
279        final byte[] bytes = string.getBytes();
280        for (int i = 0; i < bytes.length; i++) {
281            byte b = bytes[i];
282            result.add(LockPatternView.Cell.of(b / 3, b % 3));
283        }
284        return result;
285    }
286
287    /**
288     * Serialize a pattern.
289     * @param pattern The pattern.
290     * @return The pattern in string form.
291     */
292    public static String patternToString(List<LockPatternView.Cell> pattern) {
293        if (pattern == null) {
294            return "";
295        }
296        final int patternSize = pattern.size();
297
298        byte[] res = new byte[patternSize];
299        for (int i = 0; i < patternSize; i++) {
300            LockPatternView.Cell cell = pattern.get(i);
301            res[i] = (byte) (cell.getRow() * 3 + cell.getColumn());
302        }
303        return new String(res);
304    }
305
306    /*
307     * Generate an SHA-1 hash for the pattern. Not the most secure, but it is
308     * at least a second level of protection. First level is that the file
309     * is in a location only readable by the system process.
310     * @param pattern the gesture pattern.
311     * @return the hash of the pattern in a byte array.
312     */
313    private static byte[] patternToHash(List<LockPatternView.Cell> pattern) {
314        if (pattern == null) {
315            return null;
316        }
317
318        final int patternSize = pattern.size();
319        byte[] res = new byte[patternSize];
320        for (int i = 0; i < patternSize; i++) {
321            LockPatternView.Cell cell = pattern.get(i);
322            res[i] = (byte) (cell.getRow() * 3 + cell.getColumn());
323        }
324        try {
325            MessageDigest md = MessageDigest.getInstance("SHA-1");
326            byte[] hash = md.digest(res);
327            return hash;
328        } catch (NoSuchAlgorithmException nsa) {
329            return res;
330        }
331    }
332
333    /*
334     * Generate a hash for the given password. To avoid brute force attacks, we use a salted hash.
335     * Not the most secure, but it is at least a second level of protection. First level is that
336     * the file is in a location only readable by the system process.
337     * @param password the gesture pattern.
338     * @return the hash of the pattern in a byte array.
339     */
340     public static byte[] passwordToHash(String password) {
341        if (password == null) {
342            return null;
343        }
344        String algo = null;
345        byte[] hashed = null;
346        try {
347            long salt = 0x2374868151054924L; // TODO: make this unique to device
348            byte[] saltedPassword = (password + Long.toString(salt)).getBytes();
349            byte[] sha1 = MessageDigest.getInstance(algo = "SHA-1").digest(saltedPassword);
350            byte[] md5 = MessageDigest.getInstance(algo = "MD5").digest(saltedPassword);
351            hashed = (toHex(sha1) + toHex(md5)).getBytes();
352        } catch (NoSuchAlgorithmException e) {
353            Log.w(TAG, "Failed to encode string because of missing algorithm: " + algo);
354        }
355        return hashed;
356    }
357
358    private static String toHex(byte[] ary) {
359        final String hex = "0123456789ABCDEF";
360        String ret = "";
361        for (int i = 0; i < ary.length; i++) {
362            ret += hex.charAt((ary[i] >> 4) & 0xf);
363            ret += hex.charAt(ary[i] & 0xf);
364        }
365        return ret;
366    }
367
368    /**
369     * @return Whether the lock password is enabled.
370     */
371    public boolean isLockPasswordEnabled() {
372        long mode = getLong(PASSWORD_TYPE_KEY, 0);
373        return savedPasswordExists() && (mode == MODE_PASSWORD || mode == MODE_PIN);
374    }
375
376    /**
377     * @return Whether the lock pattern is enabled.
378     */
379    public boolean isLockPatternEnabled() {
380        return getBoolean(Settings.System.LOCK_PATTERN_ENABLED)
381                && getLong(PASSWORD_TYPE_KEY, MODE_PATTERN) == MODE_PATTERN;
382    }
383
384    /**
385     * Set whether the lock pattern is enabled.
386     */
387    public void setLockPatternEnabled(boolean enabled) {
388        setBoolean(Settings.System.LOCK_PATTERN_ENABLED, enabled);
389    }
390
391    /**
392     * @return Whether the visible pattern is enabled.
393     */
394    public boolean isVisiblePatternEnabled() {
395        return getBoolean(Settings.System.LOCK_PATTERN_VISIBLE);
396    }
397
398    /**
399     * Set whether the visible pattern is enabled.
400     */
401    public void setVisiblePatternEnabled(boolean enabled) {
402        setBoolean(Settings.System.LOCK_PATTERN_VISIBLE, enabled);
403    }
404
405    /**
406     * @return Whether tactile feedback for the pattern is enabled.
407     */
408    public boolean isTactileFeedbackEnabled() {
409        return getBoolean(Settings.System.LOCK_PATTERN_TACTILE_FEEDBACK_ENABLED);
410    }
411
412    /**
413     * Set whether tactile feedback for the pattern is enabled.
414     */
415    public void setTactileFeedbackEnabled(boolean enabled) {
416        setBoolean(Settings.System.LOCK_PATTERN_TACTILE_FEEDBACK_ENABLED, enabled);
417    }
418
419    /**
420     * Set and store the lockout deadline, meaning the user can't attempt his/her unlock
421     * pattern until the deadline has passed.
422     * @return the chosen deadline.
423     */
424    public long setLockoutAttemptDeadline() {
425        final long deadline = SystemClock.elapsedRealtime() + FAILED_ATTEMPT_TIMEOUT_MS;
426        setLong(LOCKOUT_ATTEMPT_DEADLINE, deadline);
427        return deadline;
428    }
429
430    /**
431     * @return The elapsed time in millis in the future when the user is allowed to
432     *   attempt to enter his/her lock pattern, or 0 if the user is welcome to
433     *   enter a pattern.
434     */
435    public long getLockoutAttemptDeadline() {
436        final long deadline = getLong(LOCKOUT_ATTEMPT_DEADLINE, 0L);
437        final long now = SystemClock.elapsedRealtime();
438        if (deadline < now || deadline > (now + FAILED_ATTEMPT_TIMEOUT_MS)) {
439            return 0L;
440        }
441        return deadline;
442    }
443
444    /**
445     * @return Whether the user is permanently locked out until they verify their
446     *   credentials.  Occurs after {@link #FAILED_ATTEMPTS_BEFORE_RESET} failed
447     *   attempts.
448     */
449    public boolean isPermanentlyLocked() {
450        return getBoolean(LOCKOUT_PERMANENT_KEY);
451    }
452
453    /**
454     * Set the state of whether the device is permanently locked, meaning the user
455     * must authenticate via other means.
456     *
457     * @param locked Whether the user is permanently locked out until they verify their
458     *   credentials.  Occurs after {@link #FAILED_ATTEMPTS_BEFORE_RESET} failed
459     *   attempts.
460     */
461    public void setPermanentlyLocked(boolean locked) {
462        setBoolean(LOCKOUT_PERMANENT_KEY, locked);
463    }
464
465    /**
466     * @return A formatted string of the next alarm (for showing on the lock screen),
467     *   or null if there is no next alarm.
468     */
469    public String getNextAlarm() {
470        String nextAlarm = Settings.System.getString(mContentResolver,
471                Settings.System.NEXT_ALARM_FORMATTED);
472        if (nextAlarm == null || TextUtils.isEmpty(nextAlarm)) {
473            return null;
474        }
475        return nextAlarm;
476    }
477
478    private boolean getBoolean(String systemSettingKey) {
479        return 1 ==
480                android.provider.Settings.System.getInt(
481                        mContentResolver,
482                        systemSettingKey, 0);
483    }
484
485    private void setBoolean(String systemSettingKey, boolean enabled) {
486        android.provider.Settings.System.putInt(
487                        mContentResolver,
488                        systemSettingKey,
489                        enabled ? 1 : 0);
490    }
491
492    private long getLong(String systemSettingKey, long def) {
493        return android.provider.Settings.System.getLong(mContentResolver, systemSettingKey, def);
494    }
495
496    private void setLong(String systemSettingKey, long value) {
497        android.provider.Settings.System.putLong(mContentResolver, systemSettingKey, value);
498    }
499
500    public boolean isSecure() {
501        long mode = getPasswordMode();
502        boolean secure = mode == MODE_PATTERN && isLockPatternEnabled() && savedPatternExists()
503            || (mode == MODE_PIN || mode == MODE_PASSWORD) && savedPasswordExists();
504        return secure;
505    }
506}
507