am 86ddbbf4: Merge "Delete password as per block encryption"

* commit '86ddbbf4143daa721b84f0f253022d19d61b6fe3':
  Delete password as per block encryption
diff --git a/Ext4Crypt.cpp b/Ext4Crypt.cpp
index dcdcd62..d200ca6 100644
--- a/Ext4Crypt.cpp
+++ b/Ext4Crypt.cpp
@@ -25,10 +25,14 @@
     static_assert(key_length % 8 == 0,
                   "Key length must be multiple of 8 bits");
 
+    // How long do we store passwords for?
+    const int password_max_age_seconds = 60;
+
     // How is device encrypted
     struct keys {
         std::string master_key;
         std::string password;
+        time_t expiry_time;
     };
     std::map<std::string, keys> s_key_store;
 
@@ -318,9 +322,12 @@
         }
     }
 
+    struct timespec now;
+    clock_gettime(CLOCK_BOOTTIME, &now);
     s_key_store[path] = keys{std::string(reinterpret_cast<char*>(master_key),
                                          sizeof(master_key)),
-                             password};
+                             password,
+                             now.tv_sec + password_max_age_seconds};
 
     // Install password into global keyring
     // ext4enc:TODO Currently raw key is required to be of length
@@ -403,19 +410,6 @@
     return 0;
 }
 
-const char* e4crypt_get_password(const char* path)
-{
-    SLOGI("e4crypt_get_password");
-
-    // ext4enc:TODO scrub password after timeout
-    auto i = s_key_store.find(path);
-    if (i == s_key_store.end()) {
-        return 0;
-    } else {
-        return i->second.password.c_str();
-    }
-}
-
 int e4crypt_get_password_type(const char* path)
 {
     SLOGI("e4crypt_get_password_type");
@@ -423,6 +417,38 @@
       .Get<int>(tag::crypt_type, CRYPT_TYPE_DEFAULT);
 }
 
+const char* e4crypt_get_password(const char* path)
+{
+    SLOGI("e4crypt_get_password");
+
+    auto i = s_key_store.find(path);
+    if (i == s_key_store.end()) {
+        return 0;
+    }
+
+    struct timespec now;
+    clock_gettime(CLOCK_BOOTTIME, &now);
+    if (i->second.expiry_time < now.tv_sec) {
+        e4crypt_clear_password(path);
+        return 0;
+    }
+
+    return i->second.password.c_str();
+}
+
+void e4crypt_clear_password(const char* path)
+{
+    SLOGI("e4crypt_clear_password");
+
+    auto i = s_key_store.find(path);
+    if (i == s_key_store.end()) {
+        return;
+    }
+
+    memset(&i->second.password[0], 0, i->second.password.size());
+    i->second.password = std::string();
+}
+
 int e4crypt_get_field(const char* path, const char* fieldname,
                       char* value, size_t len)
 {
diff --git a/Ext4Crypt.h b/Ext4Crypt.h
index 68e0fb2..53a26a0 100644
--- a/Ext4Crypt.h
+++ b/Ext4Crypt.h
@@ -12,6 +12,7 @@
 int e4crypt_check_passwd(const char* path, const char* password);
 int e4crypt_get_password_type(const char* path);
 const char* e4crypt_get_password(const char* path);
+void e4crypt_clear_password(const char* path);
 int e4crypt_restart(const char* path);
 int e4crypt_get_field(const char* path, const char* fieldname,
                       char* value, size_t len);
diff --git a/cryptfs.c b/cryptfs.c
index 2306e4a..154feee 100644
--- a/cryptfs.c
+++ b/cryptfs.c
@@ -3718,6 +3718,10 @@
 
 void cryptfs_clear_password()
 {
+    if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
+        e4crypt_clear_password(DATA_MNT_POINT);
+    }
+
     if (password) {
         size_t len = strlen(password);
         memset(password, 0, len);