commit 00f4aade5c172534c16070540d1c6c26d0a78c84
author Paul Lawrence <paullawrence@google.com> Wed May 06 13:53:43 2015 -0700
committer Paul Lawrence <paullawrence@google.com> Wed May 06 13:56:16 2015 -0700
tree 404ee45a1c9a68e3f25e0690475d7ae7a8ecd475
parent eae7fc77b60962c9384b31e0f98d14724731ce88

Delete password as per block encryption

Bug: 18151196
Change-Id: Iee0f932c61ff4a309dc2861725b24bf976adb4c7

Ext4Crypt.cpp

diff --git a/Ext4Crypt.cpp b/Ext4Crypt.cpp
index dcdcd62..d200ca6 100644
--- a/Ext4Crypt.cpp
+++ b/Ext4Crypt.cpp
@@ -25,10 +25,14 @@
     static_assert(key_length % 8 == 0,
                   "Key length must be multiple of 8 bits");
 
+    // How long do we store passwords for?
+    const int password_max_age_seconds = 60;
+
     // How is device encrypted
     struct keys {
         std::string master_key;
         std::string password;
+        time_t expiry_time;
     };
     std::map<std::string, keys> s_key_store;
 
@@ -318,9 +322,12 @@
         }
     }
 
+    struct timespec now;
+    clock_gettime(CLOCK_BOOTTIME, &now);
     s_key_store[path] = keys{std::string(reinterpret_cast<char*>(master_key),
                                          sizeof(master_key)),
-                             password};
+                             password,
+                             now.tv_sec + password_max_age_seconds};
 
     // Install password into global keyring
     // ext4enc:TODO Currently raw key is required to be of length
@@ -403,19 +410,6 @@
     return 0;
 }
 
-const char* e4crypt_get_password(const char* path)
-{
-    SLOGI("e4crypt_get_password");
-
-    // ext4enc:TODO scrub password after timeout
-    auto i = s_key_store.find(path);
-    if (i == s_key_store.end()) {
-        return 0;
-    } else {
-        return i->second.password.c_str();
-    }
-}
-
 int e4crypt_get_password_type(const char* path)
 {
     SLOGI("e4crypt_get_password_type");
@@ -423,6 +417,38 @@
       .Get<int>(tag::crypt_type, CRYPT_TYPE_DEFAULT);
 }
 
+const char* e4crypt_get_password(const char* path)
+{
+    SLOGI("e4crypt_get_password");
+
+    auto i = s_key_store.find(path);
+    if (i == s_key_store.end()) {
+        return 0;
+    }
+
+    struct timespec now;
+    clock_gettime(CLOCK_BOOTTIME, &now);
+    if (i->second.expiry_time < now.tv_sec) {
+        e4crypt_clear_password(path);
+        return 0;
+    }
+
+    return i->second.password.c_str();
+}
+
+void e4crypt_clear_password(const char* path)
+{
+    SLOGI("e4crypt_clear_password");
+
+    auto i = s_key_store.find(path);
+    if (i == s_key_store.end()) {
+        return;
+    }
+
+    memset(&i->second.password[0], 0, i->second.password.size());
+    i->second.password = std::string();
+}
+
 int e4crypt_get_field(const char* path, const char* fieldname,
                       char* value, size_t len)
 {