blob: 87e4c989ca77cface21f0f102a1c3c9bd715eacc [file] [log] [blame]
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001/*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23#include <sys/types.h>
Dees Troyc657cc02015-01-16 22:48:47 +000024#include <linux/types.h>
Ethan Yonker4eca40d2014-11-11 14:52:28 -060025#include <sys/wait.h>
26#include <sys/stat.h>
27#include <ctype.h>
28#include <fcntl.h>
29#include <inttypes.h>
30#include <unistd.h>
31#include <stdio.h>
32#include <sys/ioctl.h>
33#include <linux/dm-ioctl.h>
34#include <libgen.h>
35#include <stdlib.h>
36#include <sys/param.h>
37#include <string.h>
38#include <sys/mount.h>
39#include <openssl/evp.h>
40#include <errno.h>
Ethan Yonker4eca40d2014-11-11 14:52:28 -060041#include <linux/kdev_t.h>
Ethan Yonker4eca40d2014-11-11 14:52:28 -060042#include <time.h>
43#include "cryptfs.h"
Ethan Yonker4eca40d2014-11-11 14:52:28 -060044#include "cutils/properties.h"
Ethan Yonker4eca40d2014-11-11 14:52:28 -060045#include "crypto_scrypt.h"
Ethan Yonkerc798c9c2015-10-09 11:15:26 -050046
47#ifndef TW_CRYPTO_HAVE_KEYMASTERX
Ethan Yonker4eca40d2014-11-11 14:52:28 -060048#include <hardware/keymaster.h>
Ethan Yonkerc798c9c2015-10-09 11:15:26 -050049#else
50#include <stdbool.h>
51#include <openssl/evp.h>
52#include <openssl/sha.h>
53#include <hardware/keymaster0.h>
54#include <hardware/keymaster1.h>
55#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -060056
Ethan Yonker253368a2014-11-25 15:00:52 -060057#ifndef min /* already defined by windows.h */
58#define min(a, b) ((a) < (b) ? (a) : (b))
59#endif
60
Ethan Yonker4eca40d2014-11-11 14:52:28 -060061#define UNUSED __attribute__((unused))
62
63#define UNUSED __attribute__((unused))
64
Dees Troyc657cc02015-01-16 22:48:47 +000065#ifdef CONFIG_HW_DISK_ENCRYPTION
66#include "cryptfs_hw.h"
67#endif
68
Ethan Yonker4eca40d2014-11-11 14:52:28 -060069#define DM_CRYPT_BUF_SIZE 4096
70
71#define HASH_COUNT 2000
72#define KEY_LEN_BYTES 16
73#define IV_LEN_BYTES 16
74
75#define KEY_IN_FOOTER "footer"
76
77// "default_password" encoded into hex (d=0x64 etc)
78#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264"
79
80#define EXT4_FS 1
81#define F2FS_FS 2
82
83#define TABLE_LOAD_RETRIES 10
84
85#define RSA_KEY_SIZE 2048
86#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
87#define RSA_EXPONENT 0x10001
Ethan Yonkerc798c9c2015-10-09 11:15:26 -050088#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
Ethan Yonker4eca40d2014-11-11 14:52:28 -060089
90#define RETRY_MOUNT_ATTEMPTS 10
91#define RETRY_MOUNT_DELAY_SECONDS 1
92
93char *me = "cryptfs";
94
95static unsigned char saved_master_key[KEY_LEN_BYTES];
96static char *saved_mount_point;
97static int master_key_saved = 0;
98static struct crypt_persist_data *persist_data = NULL;
Ethan Yonker253368a2014-11-25 15:00:52 -060099static char key_fname[PROPERTY_VALUE_MAX] = "";
100static char real_blkdev[PROPERTY_VALUE_MAX] = "";
101static char file_system[PROPERTY_VALUE_MAX] = "";
102
103void set_partition_data(const char* block_device, const char* key_location, const char* fs)
104{
105 strcpy(key_fname, key_location);
106 strcpy(real_blkdev, block_device);
107 strcpy(file_system, fs);
108}
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600109
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500110#ifndef TW_CRYPTO_HAVE_KEYMASTERX
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600111static int keymaster_init(keymaster_device_t **keymaster_dev)
112{
113 int rc;
114
115 const hw_module_t* mod;
116 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
117 if (rc) {
118 printf("could not find any keystore module\n");
119 goto out;
120 }
121
122 rc = keymaster_open(mod, keymaster_dev);
123 if (rc) {
124 printf("could not open keymaster device in %s (%s)\n",
125 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
126 goto out;
127 }
128
129 return 0;
130
131out:
132 *keymaster_dev = NULL;
133 return rc;
134}
135
136/* Should we use keymaster? */
137static int keymaster_check_compatibility()
138{
139 keymaster_device_t *keymaster_dev = 0;
140 int rc = 0;
141
142 if (keymaster_init(&keymaster_dev)) {
143 printf("Failed to init keymaster\n");
144 rc = -1;
145 goto out;
146 }
147
148 printf("keymaster version is %d\n", keymaster_dev->common.module->module_api_version);
149
thatceb7b8e2014-12-09 23:15:16 +0100150#if (KEYMASTER_HEADER_VERSION >= 3)
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600151 if (keymaster_dev->common.module->module_api_version
152 < KEYMASTER_MODULE_API_VERSION_0_3) {
153 rc = 0;
154 goto out;
155 }
156
157 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) {
158 rc = 1;
159 }
160
thatceb7b8e2014-12-09 23:15:16 +0100161#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600162out:
163 keymaster_close(keymaster_dev);
164 return rc;
165}
166
167/* Create a new keymaster key and store it in this footer */
168static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
169{
170 uint8_t* key = 0;
171 keymaster_device_t *keymaster_dev = 0;
172
173 if (keymaster_init(&keymaster_dev)) {
174 printf("Failed to init keymaster\n");
175 return -1;
176 }
177
178 int rc = 0;
179
180 keymaster_rsa_keygen_params_t params;
181 memset(&params, '\0', sizeof(params));
182 params.public_exponent = RSA_EXPONENT;
183 params.modulus_size = RSA_KEY_SIZE;
184
185 size_t key_size;
186 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, &params,
187 &key, &key_size)) {
188 printf("Failed to generate keypair\n");
189 rc = -1;
190 goto out;
191 }
192
193 if (key_size > KEYMASTER_BLOB_SIZE) {
194 printf("Keymaster key too large for crypto footer\n");
195 rc = -1;
196 goto out;
197 }
198
199 memcpy(ftr->keymaster_blob, key, key_size);
200 ftr->keymaster_blob_size = key_size;
201
202out:
203 keymaster_close(keymaster_dev);
204 free(key);
205 return rc;
206}
207
208/* This signs the given object using the keymaster key. */
209static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
210 const unsigned char *object,
211 const size_t object_size,
212 unsigned char **signature,
213 size_t *signature_size)
214{
215 int rc = 0;
216 keymaster_device_t *keymaster_dev = 0;
217 if (keymaster_init(&keymaster_dev)) {
218 printf("Failed to init keymaster\n");
219 return -1;
220 }
221
222 /* We currently set the digest type to DIGEST_NONE because it's the
223 * only supported value for keymaster. A similar issue exists with
224 * PADDING_NONE. Long term both of these should likely change.
225 */
226 keymaster_rsa_sign_params_t params;
227 params.digest_type = DIGEST_NONE;
228 params.padding_type = PADDING_NONE;
229
230 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
231 size_t to_sign_size = sizeof(to_sign);
232 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
233
234 // To sign a message with RSA, the message must satisfy two
235 // constraints:
236 //
237 // 1. The message, when interpreted as a big-endian numeric value, must
238 // be strictly less than the public modulus of the RSA key. Note
239 // that because the most significant bit of the public modulus is
240 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
241 // key), an n-bit message with most significant bit 0 always
242 // satisfies this requirement.
243 //
244 // 2. The message must have the same length in bits as the public
245 // modulus of the RSA key. This requirement isn't mathematically
246 // necessary, but is necessary to ensure consistency in
247 // implementations.
248 switch (ftr->kdf_type) {
249 case KDF_SCRYPT_KEYMASTER_UNPADDED:
250 // This is broken: It produces a message which is shorter than
251 // the public modulus, failing criterion 2.
252 memcpy(to_sign, object, object_size);
253 to_sign_size = object_size;
254 printf("Signing unpadded object\n");
255 break;
256 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
257 // This is broken: Since the value of object is uniformly
258 // distributed, it produces a message that is larger than the
259 // public modulus with probability 0.25.
260 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size));
261 printf("Signing end-padded object\n");
262 break;
263 case KDF_SCRYPT_KEYMASTER:
264 // This ensures the most significant byte of the signed message
265 // is zero. We could have zero-padded to the left instead, but
266 // this approach is slightly more robust against changes in
267 // object size. However, it's still broken (but not unusably
268 // so) because we really should be using a proper RSA padding
269 // function, such as OAEP.
270 //
271 // TODO(paullawrence): When keymaster 0.4 is available, change
272 // this to use the padding options it provides.
273 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
274 printf("Signing safely-padded object\n");
275 break;
276 default:
277 printf("Unknown KDF type %d\n", ftr->kdf_type);
278 return -1;
279 }
280
281 rc = keymaster_dev->sign_data(keymaster_dev,
282 &params,
283 ftr->keymaster_blob,
284 ftr->keymaster_blob_size,
285 to_sign,
286 to_sign_size,
287 signature,
288 signature_size);
289
290 keymaster_close(keymaster_dev);
291 return rc;
292}
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500293#else //#ifndef TW_CRYPTO_HAVE_KEYMASTERX
294static int keymaster_init(keymaster0_device_t **keymaster0_dev,
295 keymaster1_device_t **keymaster1_dev)
296{
297 int rc;
298
299 const hw_module_t* mod;
300 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
301 if (rc) {
302 printf("could not find any keystore module\n");
303 goto err;
304 }
305
306 printf("keymaster module name is %s\n", mod->name);
307 printf("keymaster version is %d\n", mod->module_api_version);
308
309 *keymaster0_dev = NULL;
310 *keymaster1_dev = NULL;
311 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
312 printf("Found keymaster1 module, using keymaster1 API.\n");
313 rc = keymaster1_open(mod, keymaster1_dev);
314 } else {
315 printf("Found keymaster0 module, using keymaster0 API.\n");
316 rc = keymaster0_open(mod, keymaster0_dev);
317 }
318
319 if (rc) {
320 printf("could not open keymaster device in %s (%s)\n",
321 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
322 goto err;
323 }
324
325 return 0;
326
327err:
328 *keymaster0_dev = NULL;
329 *keymaster1_dev = NULL;
330 return rc;
331}
332
333/* Should we use keymaster? */
334static int keymaster_check_compatibility()
335{
336 keymaster0_device_t *keymaster0_dev = 0;
337 keymaster1_device_t *keymaster1_dev = 0;
338 int rc = 0;
339
340 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
341 printf("Failed to init keymaster\n");
342 rc = -1;
343 goto out;
344 }
345
346 if (keymaster1_dev) {
347 rc = 1;
348 goto out;
349 }
350
351 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2
352 // should work.
353 if (keymaster0_dev->common.module->module_api_version
354 < KEYMASTER_MODULE_API_VERSION_0_3) {
355 rc = 0;
356 goto out;
357 }
358
359 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
360 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
361 rc = 1;
362 }
363
364out:
365 if (keymaster1_dev) {
366 keymaster1_close(keymaster1_dev);
367 }
368 if (keymaster0_dev) {
369 keymaster0_close(keymaster0_dev);
370 }
371 return rc;
372}
373
374/* Create a new keymaster key and store it in this footer */
375static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
376{
377 uint8_t* key = 0;
378 keymaster0_device_t *keymaster0_dev = 0;
379 keymaster1_device_t *keymaster1_dev = 0;
380
381 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
382 printf("Failed to init keymaster\n");
383 return -1;
384 }
385
386 int rc = 0;
387 size_t key_size = 0;
388 if (keymaster1_dev) {
389 keymaster_key_param_t params[] = {
390 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */
391 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
392 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
393 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
394
395 /* The only allowed purpose for this key is signing. */
396 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
397
398 /* Padding & digest specifications. */
399 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
400 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
401
402 /* Require that the key be usable in standalone mode. File system isn't available. */
403 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
404
405 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
406 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
407
408 /* Rate-limit key usage attempts, to rate-limit brute force */
409 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
410 };
411 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
412 keymaster_key_blob_t key_blob;
413 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, &param_set,
414 &key_blob,
415 NULL /* characteristics */);
416 if (error != KM_ERROR_OK) {
417 printf("Failed to generate keymaster1 key, error %d\n", error);
418 rc = -1;
419 goto out;
420 }
421
422 key = (uint8_t*)key_blob.key_material;
423 key_size = key_blob.key_material_size;
424 }
425 else if (keymaster0_dev) {
426 keymaster_rsa_keygen_params_t params;
427 memset(&params, '\0', sizeof(params));
428 params.public_exponent = RSA_EXPONENT;
429 params.modulus_size = RSA_KEY_SIZE;
430
431 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, &params,
432 &key, &key_size)) {
433 printf("Failed to generate keypair\n");
434 rc = -1;
435 goto out;
436 }
437 } else {
438 printf("Cryptfs bug: keymaster_init succeeded but didn't initialize a device\n");
439 rc = -1;
440 goto out;
441 }
442
443 if (key_size > KEYMASTER_BLOB_SIZE) {
444 printf("Keymaster key too large for crypto footer\n");
445 rc = -1;
446 goto out;
447 }
448
449 memcpy(ftr->keymaster_blob, key, key_size);
450 ftr->keymaster_blob_size = key_size;
451
452out:
453 if (keymaster0_dev)
454 keymaster0_close(keymaster0_dev);
455 if (keymaster1_dev)
456 keymaster1_close(keymaster1_dev);
457 free(key);
458 return rc;
459}
460
461/* This signs the given object using the keymaster key. */
462static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
463 const unsigned char *object,
464 const size_t object_size,
465 unsigned char **signature,
466 size_t *signature_size)
467{
468 int rc = 0;
469 keymaster0_device_t *keymaster0_dev = 0;
470 keymaster1_device_t *keymaster1_dev = 0;
471 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
472 printf("Failed to init keymaster\n");
473 rc = -1;
474 goto out;
475 }
476
477 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
478 size_t to_sign_size = sizeof(to_sign);
479 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
480
481 // To sign a message with RSA, the message must satisfy two
482 // constraints:
483 //
484 // 1. The message, when interpreted as a big-endian numeric value, must
485 // be strictly less than the public modulus of the RSA key. Note
486 // that because the most significant bit of the public modulus is
487 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
488 // key), an n-bit message with most significant bit 0 always
489 // satisfies this requirement.
490 //
491 // 2. The message must have the same length in bits as the public
492 // modulus of the RSA key. This requirement isn't mathematically
493 // necessary, but is necessary to ensure consistency in
494 // implementations.
495 switch (ftr->kdf_type) {
496 case KDF_SCRYPT_KEYMASTER:
497 // This ensures the most significant byte of the signed message
498 // is zero. We could have zero-padded to the left instead, but
499 // this approach is slightly more robust against changes in
500 // object size. However, it's still broken (but not unusably
501 // so) because we really should be using a proper deterministic
502 // RSA padding function, such as PKCS1.
503 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
504 printf("Signing safely-padded object\n");
505 break;
506 default:
507 printf("Unknown KDF type %d\n", ftr->kdf_type);
508 rc = -1;
509 goto out;
510 }
511
512 if (keymaster0_dev) {
513 keymaster_rsa_sign_params_t params;
514 params.digest_type = DIGEST_NONE;
515 params.padding_type = PADDING_NONE;
516
517 rc = keymaster0_dev->sign_data(keymaster0_dev,
518 &params,
519 ftr->keymaster_blob,
520 ftr->keymaster_blob_size,
521 to_sign,
522 to_sign_size,
523 signature,
524 signature_size);
525 goto out;
526 } else if (keymaster1_dev) {
527 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
528 keymaster_key_param_t params[] = {
529 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
530 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
531 };
532 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
533 keymaster_operation_handle_t op_handle;
534 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
535 &param_set, NULL /* out_params */,
536 &op_handle);
537 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
538 // Key usage has been rate-limited. Wait a bit and try again.
539 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
540 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
541 &param_set, NULL /* out_params */,
542 &op_handle);
543 }
544 if (error != KM_ERROR_OK) {
545 printf("Error starting keymaster signature transaction: %d\n", error);
546 rc = -1;
547 goto out;
548 }
549
550 keymaster_blob_t input = { to_sign, to_sign_size };
551 size_t input_consumed;
552 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
553 &input, &input_consumed, NULL /* out_params */,
554 NULL /* output */);
555 if (error != KM_ERROR_OK) {
556 printf("Error sending data to keymaster signature transaction: %d\n", error);
557 rc = -1;
558 goto out;
559 }
560 if (input_consumed != to_sign_size) {
561 // This should never happen. If it does, it's a bug in the keymaster implementation.
562 printf("Keymaster update() did not consume all data.\n");
563 keymaster1_dev->abort(keymaster1_dev, op_handle);
564 rc = -1;
565 goto out;
566 }
567
568 keymaster_blob_t tmp_sig;
569 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
570 NULL /* verify signature */, NULL /* out_params */,
571 &tmp_sig);
572 if (error != KM_ERROR_OK) {
573 printf("Error finishing keymaster signature transaction: %d\n", error);
574 rc = -1;
575 goto out;
576 }
577
578 *signature = (uint8_t*)tmp_sig.data;
579 *signature_size = tmp_sig.data_length;
580 } else {
581 printf("Cryptfs bug: keymaster_init succeded but didn't initialize a device.\n");
582 rc = -1;
583 goto out;
584 }
585
586 out:
587 if (keymaster1_dev)
588 keymaster1_close(keymaster1_dev);
589 if (keymaster0_dev)
590 keymaster0_close(keymaster0_dev);
591
592 return rc;
593}
594#endif //#ifndef TW_CRYPTO_HAVE_KEYMASTERX
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600595
596/* Store password when userdata is successfully decrypted and mounted.
597 * Cleared by cryptfs_clear_password
598 *
599 * To avoid a double prompt at boot, we need to store the CryptKeeper
600 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
601 * Since the entire framework is torn down and rebuilt after encryption,
602 * we have to use a daemon or similar to store the password. Since vold
603 * is secured against IPC except from system processes, it seems a reasonable
604 * place to store this.
605 *
606 * password should be cleared once it has been used.
607 *
608 * password is aged out after password_max_age_seconds seconds.
609 */
610static char* password = 0;
611static int password_expiry_time = 0;
612static const int password_max_age_seconds = 60;
613
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600614static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
615{
616 memset(io, 0, dataSize);
617 io->data_size = dataSize;
618 io->data_start = sizeof(struct dm_ioctl);
619 io->version[0] = 4;
620 io->version[1] = 0;
621 io->version[2] = 0;
622 io->flags = flags;
623 if (name) {
624 strncpy(io->name, name, sizeof(io->name));
625 }
626}
627
628/**
629 * Gets the default device scrypt parameters for key derivation time tuning.
630 * The parameters should lead to about one second derivation time for the
631 * given device.
632 */
633static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
634 const int default_params[] = SCRYPT_DEFAULTS;
635 int params[] = SCRYPT_DEFAULTS;
636 char paramstr[PROPERTY_VALUE_MAX];
637 char *token;
638 char *saveptr;
639 int i;
640
641 property_get(SCRYPT_PROP, paramstr, "");
642 if (paramstr[0] != '\0') {
643 /*
644 * The token we're looking for should be three integers separated by
645 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
646 */
647 for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
648 token != NULL && i < 3;
649 i++, token = strtok_r(NULL, ":", &saveptr)) {
650 char *endptr;
651 params[i] = strtol(token, &endptr, 10);
652
653 /*
654 * Check that there was a valid number and it's 8-bit. If not,
655 * break out and the end check will take the default values.
656 */
657 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
658 break;
659 }
660 }
661
662 /*
663 * If there were not enough tokens or a token was malformed (not an
664 * integer), it will end up here and the default parameters can be
665 * taken.
666 */
667 if ((i != 3) || (token != NULL)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500668 printf("bad scrypt parameters '%s' should be like '12:8:1'; using defaults\n", paramstr);
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600669 memcpy(params, default_params, sizeof(params));
670 }
671 }
672
673 ftr->N_factor = params[0];
674 ftr->r_factor = params[1];
675 ftr->p_factor = params[2];
676}
677
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600678static unsigned int get_blkdev_size(int fd)
679{
680 unsigned int nr_sec;
681
682 if ( (ioctl(fd, BLKGETSIZE, &nr_sec)) == -1) {
683 nr_sec = 0;
684 }
685
686 return nr_sec;
687}
688
689static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
690{
691 static int cached_data = 0;
692 static off64_t cached_off = 0;
693 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
694 int fd;
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600695 unsigned int nr_sec;
696 int rc = -1;
697
698 if (!cached_data) {
Ethan Yonker253368a2014-11-25 15:00:52 -0600699 printf("get_crypt_ftr_info crypto key location: '%s'\n", key_fname);
700 if (!strcmp(key_fname, KEY_IN_FOOTER)) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600701 if ( (fd = open(real_blkdev, O_RDWR)) < 0) {
702 printf("Cannot open real block device %s\n", real_blkdev);
703 return -1;
704 }
705
706 if ((nr_sec = get_blkdev_size(fd))) {
707 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
708 * encryption info footer and key, and plenty of bytes to spare for future
709 * growth.
710 */
711 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
712 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
713 cached_data = 1;
714 } else {
715 printf("Cannot get size of block device %s\n", real_blkdev);
716 }
717 close(fd);
718 } else {
Ethan Yonker253368a2014-11-25 15:00:52 -0600719 strlcpy(cached_metadata_fname, key_fname, sizeof(cached_metadata_fname));
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600720 cached_off = 0;
721 cached_data = 1;
722 }
723 }
724
725 if (cached_data) {
726 if (metadata_fname) {
727 *metadata_fname = cached_metadata_fname;
728 }
729 if (off) {
730 *off = cached_off;
731 }
732 rc = 0;
733 }
734
735 return rc;
736}
737
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600738static inline int unix_read(int fd, void* buff, int len)
739{
740 return TEMP_FAILURE_RETRY(read(fd, buff, len));
741}
742
743static inline int unix_write(int fd, const void* buff, int len)
744{
745 return TEMP_FAILURE_RETRY(write(fd, buff, len));
746}
747
748static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
749{
750 memset(pdata, 0, len);
751 pdata->persist_magic = PERSIST_DATA_MAGIC;
752 pdata->persist_valid_entries = 0;
753}
754
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600755static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
756{
757 int fd;
758 unsigned int nr_sec, cnt;
759 off64_t starting_off;
760 int rc = -1;
761 char *fname = NULL;
762 struct stat statbuf;
763
764 if (get_crypt_ftr_info(&fname, &starting_off)) {
765 printf("Unable to get crypt_ftr_info\n");
766 return -1;
767 }
768 if (fname[0] != '/') {
769 printf("Unexpected value for crypto key location\n");
770 return -1;
771 }
772 if ( (fd = open(fname, O_RDWR)) < 0) {
773 printf("Cannot open footer file %s for get\n", fname);
774 return -1;
775 }
776
777 /* Make sure it's 16 Kbytes in length */
778 fstat(fd, &statbuf);
779 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
780 printf("footer file %s is not the expected size!\n", fname);
781 goto errout;
782 }
783
784 /* Seek to the start of the crypt footer */
785 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
786 printf("Cannot seek to real block device footer\n");
787 goto errout;
788 }
789
790 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
791 printf("Cannot read real block device footer\n");
792 goto errout;
793 }
794
795 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
796 printf("Bad magic for real block device %s\n", fname);
797 goto errout;
798 }
799
800 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
801 printf("Cannot understand major version %d real block device footer; expected %d\n",
802 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
803 goto errout;
804 }
805
806 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
807 printf("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
808 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
809 }
810
811 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
812 * copy on disk before returning.
813 */
Ethan Yonker253368a2014-11-25 15:00:52 -0600814 /*if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600815 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
Ethan Yonker253368a2014-11-25 15:00:52 -0600816 }*/
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600817
818 /* Success! */
819 rc = 0;
820
821errout:
822 close(fd);
823 return rc;
824}
825
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600826static int hexdigit (char c)
827{
828 if (c >= '0' && c <= '9') return c - '0';
829 c = tolower(c);
830 if (c >= 'a' && c <= 'f') return c - 'a' + 10;
831 return -1;
832}
833
834static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii,
835 unsigned int* out_keysize)
836{
837 unsigned int i;
838 *out_keysize = 0;
839
840 size_t size = strlen (master_key_ascii);
841 if (size % 2) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500842 printf("Trying to convert ascii string of odd length\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600843 return NULL;
844 }
845
846 unsigned char* master_key = (unsigned char*) malloc(size / 2);
847 if (master_key == 0) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500848 printf("Cannot allocate\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600849 return NULL;
850 }
851
852 for (i = 0; i < size; i += 2) {
853 int high_nibble = hexdigit (master_key_ascii[i]);
854 int low_nibble = hexdigit (master_key_ascii[i + 1]);
855
856 if(high_nibble < 0 || low_nibble < 0) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500857 printf("Invalid hex string\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600858 free (master_key);
859 return NULL;
860 }
861
862 master_key[*out_keysize] = high_nibble * 16 + low_nibble;
863 (*out_keysize)++;
864 }
865
866 return master_key;
867}
868
869/* Convert a binary key of specified length into an ascii hex string equivalent,
870 * without the leading 0x and with null termination
871 */
872static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize,
873 char *master_key_ascii)
874{
875 unsigned int i, a;
876 unsigned char nibble;
877
878 for (i=0, a=0; i<keysize; i++, a+=2) {
879 /* For each byte, write out two ascii hex digits */
880 nibble = (master_key[i] >> 4) & 0xf;
881 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
882
883 nibble = master_key[i] & 0xf;
884 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
885 }
886
887 /* Add the null termination */
888 master_key_ascii[a] = '\0';
889
890}
891
892static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
893 char *real_blk_name, const char *name, int fd,
894 char *extra_params)
895{
896 char buffer[DM_CRYPT_BUF_SIZE];
897 struct dm_ioctl *io;
898 struct dm_target_spec *tgt;
899 char *crypt_params;
900 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
901 int i;
902
903 io = (struct dm_ioctl *) buffer;
904
905 /* Load the mapping table for this device */
906 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
907
908 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
909 io->target_count = 1;
910 tgt->status = 0;
911 tgt->sector_start = 0;
912 tgt->length = crypt_ftr->fs_size;
Dees Troyc657cc02015-01-16 22:48:47 +0000913#ifdef CONFIG_HW_DISK_ENCRYPTION
914 if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name) && is_hw_fde_enabled()) {
915 printf("load_crypto_mapping_table using req-crypt\n");
916 strlcpy(tgt->target_type, "req-crypt",DM_MAX_TYPE_NAME);
917 } else {
918 printf("load_crypto_mapping_table using crypt\n");
919 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
920 }
921#else
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600922 strcpy(tgt->target_type, "crypt");
Dees Troyc657cc02015-01-16 22:48:47 +0000923#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600924
925 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
926 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
927 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
928 master_key_ascii, real_blk_name, extra_params);
Dees Troyc657cc02015-01-16 22:48:47 +0000929
930 printf("%s: target_type = %s\n", __func__, tgt->target_type);
931 printf("%s: real_blk_name = %s, extra_params = %s\n", __func__, real_blk_name, extra_params);
932
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600933 crypt_params += strlen(crypt_params) + 1;
934 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
935 tgt->next = crypt_params - buffer;
936
937 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
938 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
939 break;
940 }
941 usleep(500000);
942 }
943
944 if (i == TABLE_LOAD_RETRIES) {
945 /* We failed to load the table, return an error */
946 return -1;
947 } else {
948 return i + 1;
949 }
950}
951
952
953static int get_dm_crypt_version(int fd, const char *name, int *version)
954{
955 char buffer[DM_CRYPT_BUF_SIZE];
956 struct dm_ioctl *io;
957 struct dm_target_versions *v;
Dees Troyc657cc02015-01-16 22:48:47 +0000958 int flag;
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600959 int i;
960
961 io = (struct dm_ioctl *) buffer;
962
963 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
964
965 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
966 return -1;
967 }
968
969 /* Iterate over the returned versions, looking for name of "crypt".
970 * When found, get and return the version.
971 */
972 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
973 while (v->next) {
Dees Troyc657cc02015-01-16 22:48:47 +0000974#ifdef CONFIG_HW_DISK_ENCRYPTION
975 if (is_hw_fde_enabled()) {
976 flag = (!strcmp(v->name, "crypt") || !strcmp(v->name, "req-crypt"));
977 } else {
978 flag = (!strcmp(v->name, "crypt"));
979 }
980 printf("get_dm_crypt_version flag: %i, name: '%s'\n", flag, v->name);
981 if (flag) {
982#else
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600983 if (! strcmp(v->name, "crypt")) {
Dees Troyc657cc02015-01-16 22:48:47 +0000984#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600985 /* We found the crypt driver, return the version, and get out */
986 version[0] = v->version[0];
987 version[1] = v->version[1];
988 version[2] = v->version[2];
989 return 0;
990 }
991 v = (struct dm_target_versions *)(((char *)v) + v->next);
992 }
993
994 return -1;
995}
996
997static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
998 char *real_blk_name, char *crypto_blk_name, const char *name)
999{
1000 char buffer[DM_CRYPT_BUF_SIZE];
1001 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1002 char *crypt_params;
1003 struct dm_ioctl *io;
1004 struct dm_target_spec *tgt;
1005 unsigned int minor;
Dees Troyc657cc02015-01-16 22:48:47 +00001006 int fd=0;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001007 int i;
1008 int retval = -1;
1009 int version[3];
1010 char *extra_params;
1011 int load_count;
Dees Troyc657cc02015-01-16 22:48:47 +00001012#ifdef CONFIG_HW_DISK_ENCRYPTION
1013 char encrypted_state[PROPERTY_VALUE_MAX] = {0};
1014 char progress[PROPERTY_VALUE_MAX] = {0};
1015#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001016
1017 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1018 printf("Cannot open device-mapper\n");
1019 goto errout;
1020 }
1021
1022 io = (struct dm_ioctl *) buffer;
1023
1024 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1025 if (ioctl(fd, DM_DEV_CREATE, io)) {
1026 printf("Cannot create dm-crypt device\n");
1027 goto errout;
1028 }
1029
1030 /* Get the device status, in particular, the name of it's device file */
1031 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1032 if (ioctl(fd, DM_DEV_STATUS, io)) {
1033 printf("Cannot retrieve dm-crypt device status\n");
1034 goto errout;
1035 }
1036 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1037 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1038
Dees Troyc657cc02015-01-16 22:48:47 +00001039#ifdef CONFIG_HW_DISK_ENCRYPTION
1040 if (is_hw_fde_enabled() && is_hw_disk_encryption((char*) crypt_ftr->crypto_type_name)) {
1041 /* Set fde_enabled if either FDE completed or in-progress */
1042 property_get("ro.crypto.state", encrypted_state, ""); /* FDE completed */
1043 property_get("vold.encrypt_progress", progress, ""); /* FDE in progress */
1044 if (!strcmp(encrypted_state, "encrypted") || strcmp(progress, "")) {
1045 extra_params = "fde_enabled";
1046 printf("create_crypto_blk_dev extra_params set to fde_enabled\n");
1047 } else {
1048 extra_params = "fde_disabled";
1049 printf("create_crypto_blk_dev extra_params set to fde_disabled\n");
1050 }
1051 } else {
1052 extra_params = "";
1053 printf("create_crypto_blk_dev extra_params set to empty string\n");
1054 if (!get_dm_crypt_version(fd, name, version)) {
1055 /* Support for allow_discards was added in version 1.11.0 */
1056 if ((version[0] >= 2) ||
1057 ((version[0] == 1) && (version[1] >= 11))) {
1058 extra_params = "1 allow_discards";
1059 printf("Enabling support for allow_discards in dmcrypt.\n");
1060 }
1061 }
1062 }
1063#else
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001064 extra_params = "";
1065 if (! get_dm_crypt_version(fd, name, version)) {
1066 /* Support for allow_discards was added in version 1.11.0 */
1067 if ((version[0] >= 2) ||
1068 ((version[0] == 1) && (version[1] >= 11))) {
1069 extra_params = "1 allow_discards";
1070 printf("Enabling support for allow_discards in dmcrypt.\n");
1071 }
1072 }
Dees Troyc657cc02015-01-16 22:48:47 +00001073#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001074
1075 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1076 fd, extra_params);
1077 if (load_count < 0) {
1078 printf("Cannot load dm-crypt mapping table.\n");
1079 goto errout;
1080 } else if (load_count > 1) {
1081 printf("Took %d tries to load dmcrypt table.\n", load_count);
1082 }
1083
1084 /* Resume this device to activate it */
1085 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1086
1087 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1088 printf("Cannot resume the dm-crypt device\n");
1089 goto errout;
1090 }
1091
1092 /* We made it here with no errors. Woot! */
1093 retval = 0;
1094
1095errout:
1096 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1097
1098 return retval;
1099}
1100
Ethan Yonkerd79d9bc2014-12-20 15:38:29 -06001101int delete_crypto_blk_dev(char *name)
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001102{
1103 int fd;
1104 char buffer[DM_CRYPT_BUF_SIZE];
1105 struct dm_ioctl *io;
1106 int retval = -1;
1107
1108 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1109 printf("Cannot open device-mapper\n");
1110 goto errout;
1111 }
1112
1113 io = (struct dm_ioctl *) buffer;
1114
1115 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1116 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1117 printf("Cannot remove dm-crypt device\n");
1118 goto errout;
1119 }
1120
1121 /* We made it here with no errors. Woot! */
1122 retval = 0;
1123
1124errout:
1125 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1126
1127 return retval;
1128
1129}
1130
1131static int pbkdf2(const char *passwd, const unsigned char *salt,
1132 unsigned char *ikey, void *params UNUSED)
1133{
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001134 printf("Using pbkdf2 for cryptfs KDF\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001135
1136 /* Turn the password into a key and IV that can decrypt the master key */
1137 unsigned int keysize;
1138 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize);
1139 if (!master_key) return -1;
1140 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN,
1141 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1142
1143 memset(master_key, 0, keysize);
1144 free (master_key);
1145 return 0;
1146}
1147
1148static int scrypt(const char *passwd, const unsigned char *salt,
1149 unsigned char *ikey, void *params)
1150{
1151 printf("Using scrypt for cryptfs KDF\n");
1152
1153 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1154
1155 int N = 1 << ftr->N_factor;
1156 int r = 1 << ftr->r_factor;
1157 int p = 1 << ftr->p_factor;
1158
1159 /* Turn the password into a key and IV that can decrypt the master key */
1160 unsigned int keysize;
1161 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize);
1162 if (!master_key) return -1;
1163 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey,
1164 KEY_LEN_BYTES + IV_LEN_BYTES);
1165
1166 memset(master_key, 0, keysize);
1167 free (master_key);
1168 return 0;
1169}
1170
1171static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1172 unsigned char *ikey, void *params)
1173{
1174 printf("Using scrypt with keymaster for cryptfs KDF\n");
1175
1176 int rc;
1177 unsigned int key_size;
1178 size_t signature_size;
1179 unsigned char* signature;
1180 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1181
1182 int N = 1 << ftr->N_factor;
1183 int r = 1 << ftr->r_factor;
1184 int p = 1 << ftr->p_factor;
1185
1186 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size);
1187 if (!master_key) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001188 printf("Failed to convert passwd from hex\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001189 return -1;
1190 }
1191
1192 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN,
1193 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1194 memset(master_key, 0, key_size);
1195 free(master_key);
1196
1197 if (rc) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001198 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001199 return -1;
1200 }
1201
1202 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1203 &signature, &signature_size)) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001204 printf("Signing failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001205 return -1;
1206 }
1207
1208 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1209 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1210 free(signature);
1211
1212 if (rc) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001213 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001214 return -1;
1215 }
1216
1217 return 0;
1218}
1219
1220static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1221 const unsigned char *decrypted_master_key,
1222 unsigned char *encrypted_master_key,
1223 struct crypt_mnt_ftr *crypt_ftr)
1224{
1225 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1226 EVP_CIPHER_CTX e_ctx;
1227 int encrypted_len, final_len;
1228 int rc = 0;
1229
1230 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1231 get_device_scrypt_params(crypt_ftr);
1232
1233 switch (crypt_ftr->kdf_type) {
1234 case KDF_SCRYPT_KEYMASTER_UNPADDED:
1235 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
1236 case KDF_SCRYPT_KEYMASTER:
1237 if (keymaster_create_key(crypt_ftr)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001238 printf("keymaster_create_key failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001239 return -1;
1240 }
1241
1242 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001243 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001244 return -1;
1245 }
1246 break;
1247
1248 case KDF_SCRYPT:
1249 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001250 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001251 return -1;
1252 }
1253 break;
1254
1255 default:
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001256 printf("Invalid kdf_type\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001257 return -1;
1258 }
1259
1260 /* Initialize the decryption engine */
1261 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1262 printf("EVP_EncryptInit failed\n");
1263 return -1;
1264 }
1265 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1266
1267 /* Encrypt the master key */
1268 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1269 decrypted_master_key, KEY_LEN_BYTES)) {
1270 printf("EVP_EncryptUpdate failed\n");
1271 return -1;
1272 }
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001273#ifndef TW_CRYPTO_HAVE_KEYMASTERX
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001274 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001275#else
1276 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1277#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001278 printf("EVP_EncryptFinal failed\n");
1279 return -1;
1280 }
1281
1282 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1283 printf("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1284 return -1;
1285 }
1286
1287 /* Store the scrypt of the intermediate key, so we can validate if it's a
1288 password error or mount error when things go wrong.
1289 Note there's no need to check for errors, since if this is incorrect, we
1290 simply won't wipe userdata, which is the correct default behavior
1291 */
1292 int N = 1 << crypt_ftr->N_factor;
1293 int r = 1 << crypt_ftr->r_factor;
1294 int p = 1 << crypt_ftr->p_factor;
1295
1296 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1297 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1298 crypt_ftr->scrypted_intermediate_key,
1299 sizeof(crypt_ftr->scrypted_intermediate_key));
1300
1301 if (rc) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001302 printf("encrypt_master_key: crypto_scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001303 }
1304
1305 return 0;
1306}
1307
1308static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
1309 unsigned char *encrypted_master_key,
1310 unsigned char *decrypted_master_key,
1311 kdf_func kdf, void *kdf_params,
1312 unsigned char** intermediate_key,
1313 size_t* intermediate_key_size)
1314{
1315 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1316 EVP_CIPHER_CTX d_ctx;
1317 int decrypted_len, final_len;
1318
1319 /* Turn the password into an intermediate key and IV that can decrypt the
1320 master key */
1321 if (kdf(passwd, salt, ikey, kdf_params)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001322 printf("kdf failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001323 return -1;
1324 }
1325
1326 /* Initialize the decryption engine */
1327 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1328 return -1;
1329 }
1330 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1331 /* Decrypt the master key */
1332 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1333 encrypted_master_key, KEY_LEN_BYTES)) {
1334 return -1;
1335 }
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001336#ifndef TW_CRYPTO_HAVE_KEYMASTERX
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001337 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001338#else
1339 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1340#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001341 return -1;
1342 }
1343
1344 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1345 return -1;
1346 }
1347
1348 /* Copy intermediate key if needed by params */
1349 if (intermediate_key && intermediate_key_size) {
1350 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1351 if (intermediate_key) {
1352 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1353 *intermediate_key_size = KEY_LEN_BYTES;
1354 }
1355 }
1356
1357 return 0;
1358}
1359
1360static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1361{
1362 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED ||
1363 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED ||
1364 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1365 *kdf = scrypt_keymaster;
1366 *kdf_params = ftr;
1367 } else if (ftr->kdf_type == KDF_SCRYPT) {
1368 *kdf = scrypt;
1369 *kdf_params = ftr;
1370 } else {
1371 *kdf = pbkdf2;
1372 *kdf_params = NULL;
1373 }
1374}
1375
1376static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
1377 struct crypt_mnt_ftr *crypt_ftr,
1378 unsigned char** intermediate_key,
1379 size_t* intermediate_key_size)
1380{
1381 kdf_func kdf;
1382 void *kdf_params;
1383 int ret;
1384
1385 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1386 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1387 decrypted_master_key, kdf, kdf_params,
1388 intermediate_key, intermediate_key_size);
1389 if (ret != 0) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001390 printf("failure decrypting master key\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001391 }
1392
1393 return ret;
1394}
1395
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001396static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1397 char *passwd, char *mount_point, char *label)
1398{
1399 /* Allocate enough space for a 256 bit key, but we may use less */
1400 unsigned char decrypted_master_key[32];
1401 char crypto_blkdev[MAXPATHLEN];
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001402 char tmp_mount_point[64];
1403 unsigned int orig_failed_decrypt_count;
Dees Troyc657cc02015-01-16 22:48:47 +00001404 int rc = 0;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001405 kdf_func kdf;
1406 void *kdf_params;
1407 int use_keymaster = 0;
1408 int upgrade = 0;
1409 unsigned char* intermediate_key = 0;
1410 size_t intermediate_key_size = 0;
1411
1412 printf("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1413 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1414
1415 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1416 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1417 &intermediate_key, &intermediate_key_size)) {
1418 printf("Failed to decrypt master key\n");
1419 rc = -1;
1420 goto errout;
1421 }
1422 }
1423
Dees Troyc657cc02015-01-16 22:48:47 +00001424#ifdef CONFIG_HW_DISK_ENCRYPTION
1425 if (is_hw_fde_enabled()) {
1426 if(is_hw_disk_encryption((char*) crypt_ftr->crypto_type_name)) {
1427 if (!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) {
1428 rc = -1;
1429 printf("Failed to set_hw_device_encryption_key\n");
1430 goto errout;
1431 }
1432 }
1433 }
1434#endif
1435
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001436 // Create crypto block device - all (non fatal) code paths
1437 // need it
1438 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1439 real_blkdev, crypto_blkdev, label)) {
1440 printf("Error creating decrypted block device\n");
1441 rc = -1;
1442 goto errout;
1443 }
1444
1445 /* Work out if the problem is the password or the data */
1446 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1447 scrypted_intermediate_key)];
1448 int N = 1 << crypt_ftr->N_factor;
1449 int r = 1 << crypt_ftr->r_factor;
1450 int p = 1 << crypt_ftr->p_factor;
1451
1452 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1453 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1454 N, r, p, scrypted_intermediate_key,
1455 sizeof(scrypted_intermediate_key));
1456
1457 // Does the key match the crypto footer?
1458 if (rc == 0 && memcmp(scrypted_intermediate_key,
1459 crypt_ftr->scrypted_intermediate_key,
1460 sizeof(scrypted_intermediate_key)) == 0) {
1461 printf("Password matches\n");
1462 rc = 0;
1463 } else {
1464 /* Try mounting the file system anyway, just in case the problem's with
1465 * the footer, not the key. */
1466 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1467 mkdir(tmp_mount_point, 0755);
Ethan Yonker253368a2014-11-25 15:00:52 -06001468 if (mount(crypto_blkdev, tmp_mount_point, file_system, NULL, NULL) != 0) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001469 printf("Error temp mounting decrypted block device '%s'\n", crypto_blkdev);
1470 delete_crypto_blk_dev(label);
1471
1472 rc = ++crypt_ftr->failed_decrypt_count;
1473 //put_crypt_ftr_and_key(crypt_ftr); // Do not penalize for attempting to decrypt in recovery
1474 } else {
1475 /* Success! */
1476 printf("Password did not match but decrypted drive mounted - continue\n");
1477 umount(tmp_mount_point);
1478 rc = 0;
1479 }
1480 }
1481
1482 if (rc == 0) {
1483 /*crypt_ftr->failed_decrypt_count = 0;
1484 if (orig_failed_decrypt_count != 0) {
1485 put_crypt_ftr_and_key(crypt_ftr);
1486 }*/
1487
1488 /* Save the name of the crypto block device
1489 * so we can mount it when restarting the framework. */
1490 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1491
1492 /* Also save a the master key so we can reencrypted the key
1493 * the key when we want to change the password on it. */
1494 /*memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1495 saved_mount_point = strdup(mount_point);
1496 master_key_saved = 1;
1497 printf("%s(): Master key saved\n", __FUNCTION__);*/
1498 rc = 0;
1499
1500 // Upgrade if we're not using the latest KDF.
1501 /*use_keymaster = keymaster_check_compatibility();
1502 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1503 // Don't allow downgrade
1504 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1505 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1506 upgrade = 1;
1507 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1508 crypt_ftr->kdf_type = KDF_SCRYPT;
1509 upgrade = 1;
1510 }
1511
1512 if (upgrade) {
1513 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1514 crypt_ftr->master_key, crypt_ftr);
1515 if (!rc) {
1516 rc = put_crypt_ftr_and_key(crypt_ftr);
1517 }
1518 printf("Key Derivation Function upgrade: rc=%d\n", rc);
1519
1520 // Do not fail even if upgrade failed - machine is bootable
1521 // Note that if this code is ever hit, there is a *serious* problem
1522 // since KDFs should never fail. You *must* fix the kdf before
1523 // proceeding!
1524 if (rc) {
1525 printf("Upgrade failed with error %d,"
1526 " but continuing with previous state\n",
1527 rc);
1528 rc = 0;
1529 }
1530 }*/
1531 }
1532
1533 errout:
1534 if (intermediate_key) {
1535 memset(intermediate_key, 0, intermediate_key_size);
1536 free(intermediate_key);
1537 }
1538 return rc;
1539}
1540
1541/* Called by vold when it wants to undo the crypto mapping of a volume it
1542 * manages. This is usually in response to a factory reset, when we want
1543 * to undo the crypto mapping so the volume is formatted in the clear.
1544 */
1545int cryptfs_revert_volume(const char *label)
1546{
1547 return delete_crypto_blk_dev((char *)label);
1548}
1549
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001550int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1551{
1552 char encrypted_state[PROPERTY_VALUE_MAX];
1553 property_get("ro.crypto.state", encrypted_state, "");
1554 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1555 printf("encrypted fs already validated or not running with encryption,"
Ethan Yonkercceebb82014-11-18 10:17:59 -06001556 " aborting\n");
1557 //return -1;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001558 }
1559
1560 if (get_crypt_ftr_and_key(crypt_ftr)) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001561 printf("Error getting crypt footer and key\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001562 return -1;
1563 }
1564
1565 return 0;
1566}
1567
1568/*
1569 * TODO - transition patterns to new format in calling code
1570 * and remove this vile hack, and the use of hex in
1571 * the password passing code.
1572 *
1573 * Patterns are passed in zero based (i.e. the top left dot
1574 * is represented by zero, the top middle one etc), but we want
1575 * to store them '1' based.
1576 * This is to allow us to migrate the calling code to use this
1577 * convention. It also solves a nasty problem whereby scrypt ignores
1578 * trailing zeros, so patterns ending at the top left could be
1579 * truncated, and similarly, you could add the top left to any
1580 * pattern and still match.
1581 * adjust_passwd is a hack function that returns the alternate representation
1582 * if the password appears to be a pattern (hex numbers all less than 09)
1583 * If it succeeds we need to try both, and in particular try the alternate
1584 * first. If the original matches, then we need to update the footer
1585 * with the alternate.
1586 * All code that accepts passwords must adjust them first. Since
1587 * cryptfs_check_passwd is always the first function called after a migration
1588 * (and indeed on any boot) we only need to do the double try in this
1589 * function.
1590 */
1591char* adjust_passwd(const char* passwd)
1592{
1593 size_t index, length;
1594
1595 if (!passwd) {
1596 return 0;
1597 }
1598
1599 // Check even length. Hex encoded passwords are always
1600 // an even length, since each character encodes to two characters.
1601 length = strlen(passwd);
1602 if (length % 2) {
Dees Troyc657cc02015-01-16 22:48:47 +00001603 printf("Password not correctly hex encoded.\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001604 return 0;
1605 }
1606
1607 // Check password is old-style pattern - a collection of hex
1608 // encoded bytes less than 9 (00 through 08)
1609 for (index = 0; index < length; index +=2) {
1610 if (passwd[index] != '0'
1611 || passwd[index + 1] < '0' || passwd[index + 1] > '8') {
1612 return 0;
1613 }
1614 }
1615
1616 // Allocate room for adjusted passwd and null terminate
1617 char* adjusted = malloc(length + 1);
1618 adjusted[length] = 0;
1619
1620 // Add 0x31 ('1') to each character
1621 for (index = 0; index < length; index += 2) {
1622 // output is 31 through 39 so set first byte to three, second to src + 1
1623 adjusted[index] = '3';
1624 adjusted[index + 1] = passwd[index + 1] + 1;
1625 }
1626
1627 return adjusted;
1628}
1629
1630/*
1631 * Passwords in L get passed from Android to cryptfs in hex, so a '1'
1632 * gets converted to '31' where 31 is 0x31 which is the ascii character
1633 * code in hex of the character '1'. This function will convert the
1634 * regular character codes to their hexadecimal representation to make
1635 * decrypt work properly with Android 5.0 lollipop decryption.
1636 */
Dees Troyc657cc02015-01-16 22:48:47 +00001637char* hexadj_passwd(const char* passwd, int has_hw_crypto)
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001638{
1639 size_t index, length;
Dees Troyc657cc02015-01-16 22:48:47 +00001640 const char* ptr = passwd;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001641
1642 if (!passwd) {
1643 return 0;
1644 }
1645
1646 length = strlen(passwd);
1647
1648 // Allocate room for hex passwd and null terminate
1649 char* hex = malloc((length * 2) + 1);
1650 hex[length * 2] = 0;
1651
1652 // Convert to hex
1653 for (index = 0; index < length; index++) {
1654 sprintf(hex + (index * 2), "%02X", *ptr);
1655 ptr++;
1656 }
Dees Troyc657cc02015-01-16 22:48:47 +00001657#ifdef CONFIG_HW_DISK_ENCRYPTION
1658 if (has_hw_crypto) {
1659 printf("hexadj_passwd converting to lower case for hardware disk crypto.\n");
1660 length *= 2;
1661 for (index = 0; index < length; index++) {
1662 hex[index] = tolower(hex[index]);
1663 }
1664 }
1665#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001666 return hex;
1667}
1668
Ethan Yonker253368a2014-11-25 15:00:52 -06001669int cryptfs_check_footer()
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001670{
1671 int rc = -1;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001672 struct crypt_mnt_ftr crypt_ftr;
1673
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001674 rc = get_crypt_ftr_and_key(&crypt_ftr);
1675
1676 return rc;
1677}
1678
1679int cryptfs_check_passwd(char *passwd)
1680{
1681 struct crypt_mnt_ftr crypt_ftr;
1682 int rc;
Dees Troyc657cc02015-01-16 22:48:47 +00001683 int has_hw_crypto = 0;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001684
1685 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1686 if (rc)
1687 return rc;
1688
Dees Troyc657cc02015-01-16 22:48:47 +00001689#ifdef CONFIG_HW_DISK_ENCRYPTION
1690 printf("CONFIG_HW_DISK_ENCRYPTION present\n");
1691 if (is_hw_fde_enabled() && is_hw_disk_encryption((char*) crypt_ftr.crypto_type_name))
1692 has_hw_crypto = 1;
1693#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001694
Dees Troyc657cc02015-01-16 22:48:47 +00001695 //if (passwd) printf("passwd: '%s'\n", passwd);
1696 char* adjusted_passwd;
1697 if (!has_hw_crypto)
1698 adjusted_passwd = adjust_passwd(passwd);
1699 //if (adjusted_passwd) printf("adjusted_passwd: '%s'\n", adjusted_passwd);
1700 char* hex_passwd = hexadj_passwd(passwd, has_hw_crypto);
1701 //if (hex_passwd) printf("hex_passwd: '%s'\n", hex_passwd);
1702 printf("has_hw_crypto is %i\n", has_hw_crypto);
1703 if (!has_hw_crypto && adjusted_passwd) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001704 int failed_decrypt_count = crypt_ftr.failed_decrypt_count;
Dees Troyc657cc02015-01-16 22:48:47 +00001705 //printf("trying adjusted password '%s'\n", adjusted_passwd);
1706 rc = test_mount_encrypted_fs(&crypt_ftr, hex_passwd,
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001707 DATA_MNT_POINT, "userdata");
1708
1709 // Maybe the original one still works?
1710 if (rc) {
1711 // Don't double count this failure
Dees Troyc657cc02015-01-16 22:48:47 +00001712 //printf("trying passwd '%s'\n", passwd);
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001713 crypt_ftr.failed_decrypt_count = failed_decrypt_count;
1714 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1715 DATA_MNT_POINT, "userdata");
1716 if (!rc) {
1717 // cryptfs_changepw also adjusts so pass original
1718 // Note that adjust_passwd only recognises patterns
1719 // so we can safely use CRYPT_TYPE_PATTERN
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001720 printf("TWRP NOT Updating pattern to new format\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001721 //cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd);
1722 } else if (hex_passwd) {
Dees Troyc657cc02015-01-16 22:48:47 +00001723 //printf("trying hex_passwd '%s'\n", hex_passwd);
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001724 rc = test_mount_encrypted_fs(&crypt_ftr, hex_passwd,
1725 DATA_MNT_POINT, "userdata");
1726 }
1727 }
1728 free(adjusted_passwd);
1729 } else {
Dees Troyc657cc02015-01-16 22:48:47 +00001730 if (hex_passwd) {
1731 //printf("2trying hex_passwd '%s'\n", hex_passwd);
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001732 rc = test_mount_encrypted_fs(&crypt_ftr, hex_passwd,
Dees Troyc657cc02015-01-16 22:48:47 +00001733 DATA_MNT_POINT, "userdata");
1734 } else {
1735 rc = 1;
1736 }
1737 if (rc && passwd) {
1738 //printf("2trying passwd '%s'\n", passwd);
1739 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001740 DATA_MNT_POINT, "userdata");
1741 }
1742 }
1743
1744 if (hex_passwd)
1745 free(hex_passwd);
1746
1747 /*if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
Dees Troyc657cc02015-01-16 22:48:47 +00001748 printf("cryptfs_check_passwd update expiry time?\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001749 cryptfs_clear_password();
1750 password = strdup(passwd);
1751 struct timespec now;
1752 clock_gettime(CLOCK_BOOTTIME, &now);
1753 password_expiry_time = now.tv_sec + password_max_age_seconds;
1754 }*/
1755
1756 return rc;
1757}
1758
1759int cryptfs_verify_passwd(char *passwd)
1760{
1761 struct crypt_mnt_ftr crypt_ftr;
1762 /* Allocate enough space for a 256 bit key, but we may use less */
1763 unsigned char decrypted_master_key[32];
1764 char encrypted_state[PROPERTY_VALUE_MAX];
1765 int rc;
1766
1767 property_get("ro.crypto.state", encrypted_state, "");
1768 if (strcmp(encrypted_state, "encrypted") ) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001769 printf("device not encrypted, aborting\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001770 return -2;
1771 }
1772
1773 if (!master_key_saved) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001774 printf("encrypted fs not yet mounted, aborting\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001775 return -1;
1776 }
1777
1778 if (!saved_mount_point) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001779 printf("encrypted fs failed to save mount point, aborting\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001780 return -1;
1781 }
1782
1783 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1784 printf("Error getting crypt footer and key\n");
1785 return -1;
1786 }
1787
1788 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
1789 /* If the device has no password, then just say the password is valid */
1790 rc = 0;
1791 } else {
1792 char* adjusted_passwd = adjust_passwd(passwd);
1793 if (adjusted_passwd) {
1794 passwd = adjusted_passwd;
1795 }
1796
1797 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
1798 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
1799 /* They match, the password is correct */
1800 rc = 0;
1801 } else {
1802 /* If incorrect, sleep for a bit to prevent dictionary attacks */
1803 sleep(1);
1804 rc = 1;
1805 }
1806
1807 free(adjusted_passwd);
1808 }
1809
1810 return rc;
1811}
1812
1813/* Initialize a crypt_mnt_ftr structure. The keysize is
1814 * defaulted to 16 bytes, and the filesystem size to 0.
1815 * Presumably, at a minimum, the caller will update the
1816 * filesystem size and crypto_type_name after calling this function.
1817 */
1818static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
1819{
1820 off64_t off;
1821
1822 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
1823 ftr->magic = CRYPT_MNT_MAGIC;
1824 ftr->major_version = CURRENT_MAJOR_VERSION;
1825 ftr->minor_version = CURRENT_MINOR_VERSION;
1826 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
1827 ftr->keysize = KEY_LEN_BYTES;
1828
1829 switch (keymaster_check_compatibility()) {
1830 case 1:
1831 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1832 break;
1833
1834 case 0:
1835 ftr->kdf_type = KDF_SCRYPT;
1836 break;
1837
1838 default:
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001839 printf("keymaster_check_compatibility failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001840 return -1;
1841 }
1842
1843 get_device_scrypt_params(ftr);
1844
1845 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
1846 if (get_crypt_ftr_info(NULL, &off) == 0) {
1847 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
1848 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
1849 ftr->persist_data_size;
1850 }
1851
1852 return 0;
1853}
1854
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001855/* Returns type of the password, default, pattern, pin or password.
1856 */
1857int cryptfs_get_password_type(void)
1858{
1859 struct crypt_mnt_ftr crypt_ftr;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001860
1861 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1862 printf("Error getting crypt footer and key\n");
1863 return -1;
1864 }
1865
1866 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
1867 return -1;
1868 }
1869
1870 return crypt_ftr.crypt_type;
1871}