Gitiles
Code Review Sign In
gerrit.twrp.me / android_bootable_recovery / 0e67837dd0da83ea2ebb5a5f2e805ef1dfc8bcb0 / . / crypto / lollipop / cryptfs.c
blob: 0277c78efbf7914f170421ce81ea18a738cf5034 [file] [log] [blame]
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600[diff] [blame]1/*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23#include <sys/types.h>
24#include <sys/wait.h>
25#include <sys/stat.h>
26#include <ctype.h>
27#include <fcntl.h>
28#include <inttypes.h>
29#include <unistd.h>
30#include <stdio.h>
31#include <sys/ioctl.h>
32#include <linux/dm-ioctl.h>
33#include <libgen.h>
34#include <stdlib.h>
35#include <sys/param.h>
36#include <string.h>
37#include <sys/mount.h>
38#include <openssl/evp.h>
39#include <errno.h>
40#include <ext4.h>
41#include <linux/kdev_t.h>
42#include <fs_mgr.h>
43#include <time.h>
44#include "cryptfs.h"
45#define LOG_TAG "Cryptfs"
46#include "cutils/log.h"
47#include "cutils/properties.h"
48#include "cutils/android_reboot.h"
49#include "hardware_legacy/power.h"
50#include <logwrap/logwrap.h>
51//#include "VolumeManager.h"
52//#include "VoldUtil.h"
53#include "crypto_scrypt.h"
54#include "ext4_utils.h"
55#include "f2fs_sparseblock.h"
56//#include "CheckBattery.h"
57//#include "Process.h"
58
59#include <hardware/keymaster.h>
60
61#define UNUSED __attribute__((unused))
62
63#define UNUSED __attribute__((unused))
64
65#define DM_CRYPT_BUF_SIZE 4096
66
67#define HASH_COUNT 2000
68#define KEY_LEN_BYTES 16
69#define IV_LEN_BYTES 16
70
71#define KEY_IN_FOOTER "footer"
72
73// "default_password" encoded into hex (d=0x64 etc)
74#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264"
75
76#define EXT4_FS 1
77#define F2FS_FS 2
78
79#define TABLE_LOAD_RETRIES 10
80
81#define RSA_KEY_SIZE 2048
82#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
83#define RSA_EXPONENT 0x10001
84
85#define RETRY_MOUNT_ATTEMPTS 10
86#define RETRY_MOUNT_DELAY_SECONDS 1
87
88char *me = "cryptfs";
89
90static unsigned char saved_master_key[KEY_LEN_BYTES];
91static char *saved_mount_point;
92static int master_key_saved = 0;
93static struct crypt_persist_data *persist_data = NULL;
94
95static int keymaster_init(keymaster_device_t **keymaster_dev)
96{
97 int rc;
98
99 const hw_module_t* mod;
100 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
101 if (rc) {
102 printf("could not find any keystore module\n");
103 goto out;
104 }
105
106 rc = keymaster_open(mod, keymaster_dev);
107 if (rc) {
108 printf("could not open keymaster device in %s (%s)\n",
109 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
110 goto out;
111 }
112
113 return 0;
114
115out:
116 *keymaster_dev = NULL;
117 return rc;
118}
119
120/* Should we use keymaster? */
121static int keymaster_check_compatibility()
122{
123 keymaster_device_t *keymaster_dev = 0;
124 int rc = 0;
125
126 if (keymaster_init(&keymaster_dev)) {
127 printf("Failed to init keymaster\n");
128 rc = -1;
129 goto out;
130 }
131
132 printf("keymaster version is %d\n", keymaster_dev->common.module->module_api_version);
133
134 if (keymaster_dev->common.module->module_api_version
135 < KEYMASTER_MODULE_API_VERSION_0_3) {
136 rc = 0;
137 goto out;
138 }
139
140 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) {
141 rc = 1;
142 }
143
144out:
145 keymaster_close(keymaster_dev);
146 return rc;
147}
148
149/* Create a new keymaster key and store it in this footer */
150static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
151{
152 uint8_t* key = 0;
153 keymaster_device_t *keymaster_dev = 0;
154
155 if (keymaster_init(&keymaster_dev)) {
156 printf("Failed to init keymaster\n");
157 return -1;
158 }
159
160 int rc = 0;
161
162 keymaster_rsa_keygen_params_t params;
163 memset(&params, '\0', sizeof(params));
164 params.public_exponent = RSA_EXPONENT;
165 params.modulus_size = RSA_KEY_SIZE;
166
167 size_t key_size;
168 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, &params,
169 &key, &key_size)) {
170 printf("Failed to generate keypair\n");
171 rc = -1;
172 goto out;
173 }
174
175 if (key_size > KEYMASTER_BLOB_SIZE) {
176 printf("Keymaster key too large for crypto footer\n");
177 rc = -1;
178 goto out;
179 }
180
181 memcpy(ftr->keymaster_blob, key, key_size);
182 ftr->keymaster_blob_size = key_size;
183
184out:
185 keymaster_close(keymaster_dev);
186 free(key);
187 return rc;
188}
189
190/* This signs the given object using the keymaster key. */
191static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
192 const unsigned char *object,
193 const size_t object_size,
194 unsigned char **signature,
195 size_t *signature_size)
196{
197 int rc = 0;
198 keymaster_device_t *keymaster_dev = 0;
199 if (keymaster_init(&keymaster_dev)) {
200 printf("Failed to init keymaster\n");
201 return -1;
202 }
203
204 /* We currently set the digest type to DIGEST_NONE because it's the
205 * only supported value for keymaster. A similar issue exists with
206 * PADDING_NONE. Long term both of these should likely change.
207 */
208 keymaster_rsa_sign_params_t params;
209 params.digest_type = DIGEST_NONE;
210 params.padding_type = PADDING_NONE;
211
212 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
213 size_t to_sign_size = sizeof(to_sign);
214 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
215
216 // To sign a message with RSA, the message must satisfy two
217 // constraints:
218 //
219 // 1. The message, when interpreted as a big-endian numeric value, must
220 // be strictly less than the public modulus of the RSA key. Note
221 // that because the most significant bit of the public modulus is
222 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
223 // key), an n-bit message with most significant bit 0 always
224 // satisfies this requirement.
225 //
226 // 2. The message must have the same length in bits as the public
227 // modulus of the RSA key. This requirement isn't mathematically
228 // necessary, but is necessary to ensure consistency in
229 // implementations.
230 switch (ftr->kdf_type) {
231 case KDF_SCRYPT_KEYMASTER_UNPADDED:
232 // This is broken: It produces a message which is shorter than
233 // the public modulus, failing criterion 2.
234 memcpy(to_sign, object, object_size);
235 to_sign_size = object_size;
236 printf("Signing unpadded object\n");
237 break;
238 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
239 // This is broken: Since the value of object is uniformly
240 // distributed, it produces a message that is larger than the
241 // public modulus with probability 0.25.
242 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size));
243 printf("Signing end-padded object\n");
244 break;
245 case KDF_SCRYPT_KEYMASTER:
246 // This ensures the most significant byte of the signed message
247 // is zero. We could have zero-padded to the left instead, but
248 // this approach is slightly more robust against changes in
249 // object size. However, it's still broken (but not unusably
250 // so) because we really should be using a proper RSA padding
251 // function, such as OAEP.
252 //
253 // TODO(paullawrence): When keymaster 0.4 is available, change
254 // this to use the padding options it provides.
255 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
256 printf("Signing safely-padded object\n");
257 break;
258 default:
259 printf("Unknown KDF type %d\n", ftr->kdf_type);
260 return -1;
261 }
262
263 rc = keymaster_dev->sign_data(keymaster_dev,
264 &params,
265 ftr->keymaster_blob,
266 ftr->keymaster_blob_size,
267 to_sign,
268 to_sign_size,
269 signature,
270 signature_size);
271
272 keymaster_close(keymaster_dev);
273 return rc;
274}
275
276/* Store password when userdata is successfully decrypted and mounted.
277 * Cleared by cryptfs_clear_password
278 *
279 * To avoid a double prompt at boot, we need to store the CryptKeeper
280 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
281 * Since the entire framework is torn down and rebuilt after encryption,
282 * we have to use a daemon or similar to store the password. Since vold
283 * is secured against IPC except from system processes, it seems a reasonable
284 * place to store this.
285 *
286 * password should be cleared once it has been used.
287 *
288 * password is aged out after password_max_age_seconds seconds.
289 */
290static char* password = 0;
291static int password_expiry_time = 0;
292static const int password_max_age_seconds = 60;
293
294struct fstab *fstab;
295
296enum RebootType {reboot, recovery, shutdown};
297static void cryptfs_reboot(enum RebootType rt)
298{
299 switch(rt) {
300 case reboot:
301 property_set(ANDROID_RB_PROPERTY, "reboot");
302 break;
303
304 case recovery:
305 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
306 break;
307
308 case shutdown:
309 property_set(ANDROID_RB_PROPERTY, "shutdown");
310 break;
311 }
312
313 sleep(20);
314
315 /* Shouldn't get here, reboot should happen before sleep times out */
316 return;
317}
318
319static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
320{
321 memset(io, 0, dataSize);
322 io->data_size = dataSize;
323 io->data_start = sizeof(struct dm_ioctl);
324 io->version[0] = 4;
325 io->version[1] = 0;
326 io->version[2] = 0;
327 io->flags = flags;
328 if (name) {
329 strncpy(io->name, name, sizeof(io->name));
330 }
331}
332
333/**
334 * Gets the default device scrypt parameters for key derivation time tuning.
335 * The parameters should lead to about one second derivation time for the
336 * given device.
337 */
338static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
339 const int default_params[] = SCRYPT_DEFAULTS;
340 int params[] = SCRYPT_DEFAULTS;
341 char paramstr[PROPERTY_VALUE_MAX];
342 char *token;
343 char *saveptr;
344 int i;
345
346 property_get(SCRYPT_PROP, paramstr, "");
347 if (paramstr[0] != '\0') {
348 /*
349 * The token we're looking for should be three integers separated by
350 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
351 */
352 for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
353 token != NULL && i < 3;
354 i++, token = strtok_r(NULL, ":", &saveptr)) {
355 char *endptr;
356 params[i] = strtol(token, &endptr, 10);
357
358 /*
359 * Check that there was a valid number and it's 8-bit. If not,
360 * break out and the end check will take the default values.
361 */
362 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
363 break;
364 }
365 }
366
367 /*
368 * If there were not enough tokens or a token was malformed (not an
369 * integer), it will end up here and the default parameters can be
370 * taken.
371 */
372 if ((i != 3) || (token != NULL)) {
373 printf("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
374 memcpy(params, default_params, sizeof(params));
375 }
376 }
377
378 ftr->N_factor = params[0];
379 ftr->r_factor = params[1];
380 ftr->p_factor = params[2];
381}
382
383static unsigned int get_fs_size(char *dev)
384{
385 int fd, block_size;
386 struct ext4_super_block sb;
387 off64_t len;
388
389 if ((fd = open(dev, O_RDONLY)) < 0) {
390 printf("Cannot open device to get filesystem size ");
391 return 0;
392 }
393
394 if (lseek64(fd, 1024, SEEK_SET) < 0) {
395 printf("Cannot seek to superblock");
396 return 0;
397 }
398
399 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
400 printf("Cannot read superblock");
401 return 0;
402 }
403
404 close(fd);
405
406 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
407 printf("Not a valid ext4 superblock");
408 return 0;
409 }
410 block_size = 1024 << sb.s_log_block_size;
411 /* compute length in bytes */
412 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
413
414 /* return length in sectors */
415 return (unsigned int) (len / 512);
416}
417
418static unsigned int get_blkdev_size(int fd)
419{
420 unsigned int nr_sec;
421
422 if ( (ioctl(fd, BLKGETSIZE, &nr_sec)) == -1) {
423 nr_sec = 0;
424 }
425
426 return nr_sec;
427}
428
429static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
430{
431 static int cached_data = 0;
432 static off64_t cached_off = 0;
433 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
434 int fd;
435 char key_loc[PROPERTY_VALUE_MAX];
436 char real_blkdev[PROPERTY_VALUE_MAX];
437 unsigned int nr_sec;
438 int rc = -1;
439
440 if (!cached_data) {
441 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
442 printf("get_crypt_ftr_info crypto key location: '%s'\n", key_loc);
443 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
444 if ( (fd = open(real_blkdev, O_RDWR)) < 0) {
445 printf("Cannot open real block device %s\n", real_blkdev);
446 return -1;
447 }
448
449 if ((nr_sec = get_blkdev_size(fd))) {
450 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
451 * encryption info footer and key, and plenty of bytes to spare for future
452 * growth.
453 */
454 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
455 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
456 cached_data = 1;
457 } else {
458 printf("Cannot get size of block device %s\n", real_blkdev);
459 }
460 close(fd);
461 } else {
462 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
463 cached_off = 0;
464 cached_data = 1;
465 }
466 }
467
468 if (cached_data) {
469 if (metadata_fname) {
470 *metadata_fname = cached_metadata_fname;
471 }
472 if (off) {
473 *off = cached_off;
474 }
475 rc = 0;
476 }
477
478 return rc;
479}
480
481/* key or salt can be NULL, in which case just skip writing that value. Useful to
482 * update the failed mount count but not change the key.
483 */
484static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
485{
486 printf("TWRP NOT putting crypt footer and key\n");
487 return 0;
488 int fd;
489 unsigned int nr_sec, cnt;
490 /* starting_off is set to the SEEK_SET offset
491 * where the crypto structure starts
492 */
493 off64_t starting_off;
494 int rc = -1;
495 char *fname = NULL;
496 struct stat statbuf;
497
498 if (get_crypt_ftr_info(&fname, &starting_off)) {
499 printf("Unable to get crypt_ftr_info\n");
500 return -1;
501 }
502 if (fname[0] != '/') {
503 printf("Unexpected value for crypto key location\n");
504 return -1;
505 }
506 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) {
507 printf("Cannot open footer file %s for put\n", fname);
508 return -1;
509 }
510
511 /* Seek to the start of the crypt footer */
512 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
513 printf("Cannot seek to real block device footer\n");
514 goto errout;
515 }
516
517 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
518 printf("Cannot write real block device footer\n");
519 goto errout;
520 }
521
522 fstat(fd, &statbuf);
523 /* If the keys are kept on a raw block device, do not try to truncate it. */
524 if (S_ISREG(statbuf.st_mode)) {
525 if (ftruncate(fd, 0x4000)) {
526 printf("Cannot set footer file size\n");
527 goto errout;
528 }
529 }
530
531 /* Success! */
532 rc = 0;
533
534errout:
535 close(fd);
536 return rc;
537
538}
539
540static inline int unix_read(int fd, void* buff, int len)
541{
542 return TEMP_FAILURE_RETRY(read(fd, buff, len));
543}
544
545static inline int unix_write(int fd, const void* buff, int len)
546{
547 return TEMP_FAILURE_RETRY(write(fd, buff, len));
548}
549
550static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
551{
552 memset(pdata, 0, len);
553 pdata->persist_magic = PERSIST_DATA_MAGIC;
554 pdata->persist_valid_entries = 0;
555}
556
557/* A routine to update the passed in crypt_ftr to the lastest version.
558 * fd is open read/write on the device that holds the crypto footer and persistent
559 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
560 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
561 */
562static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
563{
564 int orig_major = crypt_ftr->major_version;
565 int orig_minor = crypt_ftr->minor_version;
566printf("TWRP NOT upgrading crypto footer\n");
567return; // do not upgrade in recovery
568 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
569 struct crypt_persist_data *pdata;
570 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
571
572 printf("upgrading crypto footer to 1.1");
573
574 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
575 if (pdata == NULL) {
576 printf("Cannot allocate persisent data\n");
577 return;
578 }
579 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
580
581 /* Need to initialize the persistent data area */
582 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
583 printf("Cannot seek to persisent data offset\n");
584 return;
585 }
586 /* Write all zeros to the first copy, making it invalid */
587 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
588
589 /* Write a valid but empty structure to the second copy */
590 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
591 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
592
593 /* Update the footer */
594 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
595 crypt_ftr->persist_data_offset[0] = pdata_offset;
596 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
597 crypt_ftr->minor_version = 1;
598 }
599
600 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
601 printf("upgrading crypto footer to 1.2");
602 /* But keep the old kdf_type.
603 * It will get updated later to KDF_SCRYPT after the password has been verified.
604 */
605 crypt_ftr->kdf_type = KDF_PBKDF2;
606 get_device_scrypt_params(crypt_ftr);
607 crypt_ftr->minor_version = 2;
608 }
609
610 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
611 printf("upgrading crypto footer to 1.3");
612 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
613 crypt_ftr->minor_version = 3;
614 }
615
616 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
617 if (lseek64(fd, offset, SEEK_SET) == -1) {
618 printf("Cannot seek to crypt footer\n");
619 return;
620 }
621 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
622 }
623}
624
625
626static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
627{
628 int fd;
629 unsigned int nr_sec, cnt;
630 off64_t starting_off;
631 int rc = -1;
632 char *fname = NULL;
633 struct stat statbuf;
634
635 if (get_crypt_ftr_info(&fname, &starting_off)) {
636 printf("Unable to get crypt_ftr_info\n");
637 return -1;
638 }
639 if (fname[0] != '/') {
640 printf("Unexpected value for crypto key location\n");
641 return -1;
642 }
643 if ( (fd = open(fname, O_RDWR)) < 0) {
644 printf("Cannot open footer file %s for get\n", fname);
645 return -1;
646 }
647
648 /* Make sure it's 16 Kbytes in length */
649 fstat(fd, &statbuf);
650 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
651 printf("footer file %s is not the expected size!\n", fname);
652 goto errout;
653 }
654
655 /* Seek to the start of the crypt footer */
656 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
657 printf("Cannot seek to real block device footer\n");
658 goto errout;
659 }
660
661 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
662 printf("Cannot read real block device footer\n");
663 goto errout;
664 }
665
666 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
667 printf("Bad magic for real block device %s\n", fname);
668 goto errout;
669 }
670
671 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
672 printf("Cannot understand major version %d real block device footer; expected %d\n",
673 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
674 goto errout;
675 }
676
677 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
678 printf("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
679 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
680 }
681
682 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
683 * copy on disk before returning.
684 */
685 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
686 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
687 }
688
689 /* Success! */
690 rc = 0;
691
692errout:
693 close(fd);
694 return rc;
695}
696
697static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
698{
699 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
700 crypt_ftr->persist_data_offset[1]) {
701 printf("Crypt_ftr persist data regions overlap");
702 return -1;
703 }
704
705 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
706 printf("Crypt_ftr persist data region 0 starts after region 1");
707 return -1;
708 }
709
710 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
711 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
712 CRYPT_FOOTER_OFFSET) {
713 printf("Persistent data extends past crypto footer");
714 return -1;
715 }
716
717 return 0;
718}
719
720static int load_persistent_data(void)
721{
722 struct crypt_mnt_ftr crypt_ftr;
723 struct crypt_persist_data *pdata = NULL;
724 char encrypted_state[PROPERTY_VALUE_MAX];
725 char *fname;
726 int found = 0;
727 int fd;
728 int ret;
729 int i;
730
731 if (persist_data) {
732 /* Nothing to do, we've already loaded or initialized it */
733 return 0;
734 }
735
736
737 /* If not encrypted, just allocate an empty table and initialize it */
738 property_get("ro.crypto.state", encrypted_state, "");
739 if (strcmp(encrypted_state, "encrypted") ) {
740 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
741 if (pdata) {
742 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
743 persist_data = pdata;
744 return 0;
745 }
746 return -1;
747 }
748
749 if(get_crypt_ftr_and_key(&crypt_ftr)) {
750 return -1;
751 }
752
753 if ((crypt_ftr.major_version < 1)
754 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
755 printf("Crypt_ftr version doesn't support persistent data");
756 return -1;
757 }
758
759 if (get_crypt_ftr_info(&fname, NULL)) {
760 return -1;
761 }
762
763 ret = validate_persistent_data_storage(&crypt_ftr);
764 if (ret) {
765 return -1;
766 }
767
768 fd = open(fname, O_RDONLY);
769 if (fd < 0) {
770 printf("Cannot open %s metadata file", fname);
771 return -1;
772 }
773
774 if (persist_data == NULL) {
775 pdata = malloc(crypt_ftr.persist_data_size);
776 if (pdata == NULL) {
777 printf("Cannot allocate memory for persistent data");
778 goto err;
779 }
780 }
781
782 for (i = 0; i < 2; i++) {
783 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
784 printf("Cannot seek to read persistent data on %s", fname);
785 goto err2;
786 }
787 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
788 printf("Error reading persistent data on iteration %d", i);
789 goto err2;
790 }
791 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
792 found = 1;
793 break;
794 }
795 }
796
797 if (!found) {
798 printf("Could not find valid persistent data, creating");
799 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
800 }
801
802 /* Success */
803 persist_data = pdata;
804 close(fd);
805 return 0;
806
807err2:
808 free(pdata);
809
810err:
811 close(fd);
812 return -1;
813}
814
815static int save_persistent_data(void)
816{
817 struct crypt_mnt_ftr crypt_ftr;
818 struct crypt_persist_data *pdata;
819 char *fname;
820 off64_t write_offset;
821 off64_t erase_offset;
822 int found = 0;
823 int fd;
824 int ret;
825
826 if (persist_data == NULL) {
827 printf("No persistent data to save");
828 return -1;
829 }
830
831 if(get_crypt_ftr_and_key(&crypt_ftr)) {
832 return -1;
833 }
834
835 if ((crypt_ftr.major_version < 1)
836 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
837 printf("Crypt_ftr version doesn't support persistent data");
838 return -1;
839 }
840
841 ret = validate_persistent_data_storage(&crypt_ftr);
842 if (ret) {
843 return -1;
844 }
845
846 if (get_crypt_ftr_info(&fname, NULL)) {
847 return -1;
848 }
849
850 fd = open(fname, O_RDWR);
851 if (fd < 0) {
852 printf("Cannot open %s metadata file", fname);
853 return -1;
854 }
855
856 pdata = malloc(crypt_ftr.persist_data_size);
857 if (pdata == NULL) {
858 printf("Cannot allocate persistant data");
859 goto err;
860 }
861
862 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
863 printf("Cannot seek to read persistent data on %s", fname);
864 goto err2;
865 }
866
867 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
868 printf("Error reading persistent data before save");
869 goto err2;
870 }
871
872 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
873 /* The first copy is the curent valid copy, so write to
874 * the second copy and erase this one */
875 write_offset = crypt_ftr.persist_data_offset[1];
876 erase_offset = crypt_ftr.persist_data_offset[0];
877 } else {
878 /* The second copy must be the valid copy, so write to
879 * the first copy, and erase the second */
880 write_offset = crypt_ftr.persist_data_offset[0];
881 erase_offset = crypt_ftr.persist_data_offset[1];
882 }
883
884 /* Write the new copy first, if successful, then erase the old copy */
885 if (lseek(fd, write_offset, SEEK_SET) < 0) {
886 printf("Cannot seek to write persistent data");
887 goto err2;
888 }
889 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
890 (int) crypt_ftr.persist_data_size) {
891 if (lseek(fd, erase_offset, SEEK_SET) < 0) {
892 printf("Cannot seek to erase previous persistent data");
893 goto err2;
894 }
895 fsync(fd);
896 memset(pdata, 0, crypt_ftr.persist_data_size);
897 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
898 (int) crypt_ftr.persist_data_size) {
899 printf("Cannot write to erase previous persistent data");
900 goto err2;
901 }
902 fsync(fd);
903 } else {
904 printf("Cannot write to save persistent data");
905 goto err2;
906 }
907
908 /* Success */
909 free(pdata);
910 close(fd);
911 return 0;
912
913err2:
914 free(pdata);
915err:
916 close(fd);
917 return -1;
918}
919
920static int hexdigit (char c)
921{
922 if (c >= '0' && c <= '9') return c - '0';
923 c = tolower(c);
924 if (c >= 'a' && c <= 'f') return c - 'a' + 10;
925 return -1;
926}
927
928static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii,
929 unsigned int* out_keysize)
930{
931 unsigned int i;
932 *out_keysize = 0;
933
934 size_t size = strlen (master_key_ascii);
935 if (size % 2) {
936 printf("Trying to convert ascii string of odd length");
937 return NULL;
938 }
939
940 unsigned char* master_key = (unsigned char*) malloc(size / 2);
941 if (master_key == 0) {
942 printf("Cannot allocate");
943 return NULL;
944 }
945
946 for (i = 0; i < size; i += 2) {
947 int high_nibble = hexdigit (master_key_ascii[i]);
948 int low_nibble = hexdigit (master_key_ascii[i + 1]);
949
950 if(high_nibble < 0 || low_nibble < 0) {
951 printf("Invalid hex string");
952 free (master_key);
953 return NULL;
954 }
955
956 master_key[*out_keysize] = high_nibble * 16 + low_nibble;
957 (*out_keysize)++;
958 }
959
960 return master_key;
961}
962
963/* Convert a binary key of specified length into an ascii hex string equivalent,
964 * without the leading 0x and with null termination
965 */
966static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize,
967 char *master_key_ascii)
968{
969 unsigned int i, a;
970 unsigned char nibble;
971
972 for (i=0, a=0; i<keysize; i++, a+=2) {
973 /* For each byte, write out two ascii hex digits */
974 nibble = (master_key[i] >> 4) & 0xf;
975 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
976
977 nibble = master_key[i] & 0xf;
978 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
979 }
980
981 /* Add the null termination */
982 master_key_ascii[a] = '\0';
983
984}
985
986static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
987 char *real_blk_name, const char *name, int fd,
988 char *extra_params)
989{
990 char buffer[DM_CRYPT_BUF_SIZE];
991 struct dm_ioctl *io;
992 struct dm_target_spec *tgt;
993 char *crypt_params;
994 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
995 int i;
996
997 io = (struct dm_ioctl *) buffer;
998
999 /* Load the mapping table for this device */
1000 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1001
1002 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1003 io->target_count = 1;
1004 tgt->status = 0;
1005 tgt->sector_start = 0;
1006 tgt->length = crypt_ftr->fs_size;
1007 strcpy(tgt->target_type, "crypt");
1008
1009 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1010 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1011 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
1012 master_key_ascii, real_blk_name, extra_params);
1013 crypt_params += strlen(crypt_params) + 1;
1014 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1015 tgt->next = crypt_params - buffer;
1016
1017 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1018 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1019 break;
1020 }
1021 usleep(500000);
1022 }
1023
1024 if (i == TABLE_LOAD_RETRIES) {
1025 /* We failed to load the table, return an error */
1026 return -1;
1027 } else {
1028 return i + 1;
1029 }
1030}
1031
1032
1033static int get_dm_crypt_version(int fd, const char *name, int *version)
1034{
1035 char buffer[DM_CRYPT_BUF_SIZE];
1036 struct dm_ioctl *io;
1037 struct dm_target_versions *v;
1038 int i;
1039
1040 io = (struct dm_ioctl *) buffer;
1041
1042 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1043
1044 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1045 return -1;
1046 }
1047
1048 /* Iterate over the returned versions, looking for name of "crypt".
1049 * When found, get and return the version.
1050 */
1051 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1052 while (v->next) {
1053 if (! strcmp(v->name, "crypt")) {
1054 /* We found the crypt driver, return the version, and get out */
1055 version[0] = v->version[0];
1056 version[1] = v->version[1];
1057 version[2] = v->version[2];
1058 return 0;
1059 }
1060 v = (struct dm_target_versions *)(((char *)v) + v->next);
1061 }
1062
1063 return -1;
1064}
1065
1066static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
1067 char *real_blk_name, char *crypto_blk_name, const char *name)
1068{
1069 char buffer[DM_CRYPT_BUF_SIZE];
1070 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1071 char *crypt_params;
1072 struct dm_ioctl *io;
1073 struct dm_target_spec *tgt;
1074 unsigned int minor;
1075 int fd;
1076 int i;
1077 int retval = -1;
1078 int version[3];
1079 char *extra_params;
1080 int load_count;
1081
1082 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1083 printf("Cannot open device-mapper\n");
1084 goto errout;
1085 }
1086
1087 io = (struct dm_ioctl *) buffer;
1088
1089 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1090 if (ioctl(fd, DM_DEV_CREATE, io)) {
1091 printf("Cannot create dm-crypt device\n");
1092 goto errout;
1093 }
1094
1095 /* Get the device status, in particular, the name of it's device file */
1096 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1097 if (ioctl(fd, DM_DEV_STATUS, io)) {
1098 printf("Cannot retrieve dm-crypt device status\n");
1099 goto errout;
1100 }
1101 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1102 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1103
1104 extra_params = "";
1105 if (! get_dm_crypt_version(fd, name, version)) {
1106 /* Support for allow_discards was added in version 1.11.0 */
1107 if ((version[0] >= 2) ||
1108 ((version[0] == 1) && (version[1] >= 11))) {
1109 extra_params = "1 allow_discards";
1110 printf("Enabling support for allow_discards in dmcrypt.\n");
1111 }
1112 }
1113
1114 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1115 fd, extra_params);
1116 if (load_count < 0) {
1117 printf("Cannot load dm-crypt mapping table.\n");
1118 goto errout;
1119 } else if (load_count > 1) {
1120 printf("Took %d tries to load dmcrypt table.\n", load_count);
1121 }
1122
1123 /* Resume this device to activate it */
1124 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1125
1126 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1127 printf("Cannot resume the dm-crypt device\n");
1128 goto errout;
1129 }
1130
1131 /* We made it here with no errors. Woot! */
1132 retval = 0;
1133
1134errout:
1135 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1136
1137 return retval;
1138}
1139
1140static int delete_crypto_blk_dev(char *name)
1141{
1142 int fd;
1143 char buffer[DM_CRYPT_BUF_SIZE];
1144 struct dm_ioctl *io;
1145 int retval = -1;
1146
1147 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1148 printf("Cannot open device-mapper\n");
1149 goto errout;
1150 }
1151
1152 io = (struct dm_ioctl *) buffer;
1153
1154 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1155 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1156 printf("Cannot remove dm-crypt device\n");
1157 goto errout;
1158 }
1159
1160 /* We made it here with no errors. Woot! */
1161 retval = 0;
1162
1163errout:
1164 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1165
1166 return retval;
1167
1168}
1169
1170static int pbkdf2(const char *passwd, const unsigned char *salt,
1171 unsigned char *ikey, void *params UNUSED)
1172{
1173 printf("Using pbkdf2 for cryptfs KDF");
1174
1175 /* Turn the password into a key and IV that can decrypt the master key */
1176 unsigned int keysize;
1177 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize);
1178 if (!master_key) return -1;
1179 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN,
1180 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1181
1182 memset(master_key, 0, keysize);
1183 free (master_key);
1184 return 0;
1185}
1186
1187static int scrypt(const char *passwd, const unsigned char *salt,
1188 unsigned char *ikey, void *params)
1189{
1190 printf("Using scrypt for cryptfs KDF\n");
1191
1192 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1193
1194 int N = 1 << ftr->N_factor;
1195 int r = 1 << ftr->r_factor;
1196 int p = 1 << ftr->p_factor;
1197
1198 /* Turn the password into a key and IV that can decrypt the master key */
1199 unsigned int keysize;
1200 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize);
1201 if (!master_key) return -1;
1202 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey,
1203 KEY_LEN_BYTES + IV_LEN_BYTES);
1204
1205 memset(master_key, 0, keysize);
1206 free (master_key);
1207 return 0;
1208}
1209
1210static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1211 unsigned char *ikey, void *params)
1212{
1213 printf("Using scrypt with keymaster for cryptfs KDF\n");
1214
1215 int rc;
1216 unsigned int key_size;
1217 size_t signature_size;
1218 unsigned char* signature;
1219 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1220
1221 int N = 1 << ftr->N_factor;
1222 int r = 1 << ftr->r_factor;
1223 int p = 1 << ftr->p_factor;
1224
1225 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size);
1226 if (!master_key) {
Ethan Yonkercceebb82014-11-18 10:17:59 -0600[diff] [blame]1227 printf("Failed to convert passwd from hex\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600[diff] [blame]1228 return -1;
1229 }
1230
1231 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN,
1232 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1233 memset(master_key, 0, key_size);
1234 free(master_key);
1235
1236 if (rc) {
Ethan Yonkercceebb82014-11-18 10:17:59 -0600[diff] [blame]1237 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600[diff] [blame]1238 return -1;
1239 }
1240
1241 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1242 &signature, &signature_size)) {
Ethan Yonkercceebb82014-11-18 10:17:59 -0600[diff] [blame]1243 printf("Signing failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600[diff] [blame]1244 return -1;
1245 }
1246
1247 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1248 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1249 free(signature);
1250
1251 if (rc) {
Ethan Yonkercceebb82014-11-18 10:17:59 -0600[diff] [blame]1252 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600[diff] [blame]1253 return -1;
1254 }
1255
1256 return 0;
1257}
1258
1259static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1260 const unsigned char *decrypted_master_key,
1261 unsigned char *encrypted_master_key,
1262 struct crypt_mnt_ftr *crypt_ftr)
1263{
1264 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1265 EVP_CIPHER_CTX e_ctx;
1266 int encrypted_len, final_len;
1267 int rc = 0;
1268
1269 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1270 get_device_scrypt_params(crypt_ftr);
1271
1272 switch (crypt_ftr->kdf_type) {
1273 case KDF_SCRYPT_KEYMASTER_UNPADDED:
1274 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
1275 case KDF_SCRYPT_KEYMASTER:
1276 if (keymaster_create_key(crypt_ftr)) {
1277 printf("keymaster_create_key failed");
1278 return -1;
1279 }
1280
1281 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1282 printf("scrypt failed");
1283 return -1;
1284 }
1285 break;
1286
1287 case KDF_SCRYPT:
1288 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1289 printf("scrypt failed");
1290 return -1;
1291 }
1292 break;
1293
1294 default:
1295 printf("Invalid kdf_type");
1296 return -1;
1297 }
1298
1299 /* Initialize the decryption engine */
1300 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1301 printf("EVP_EncryptInit failed\n");
1302 return -1;
1303 }
1304 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1305
1306 /* Encrypt the master key */
1307 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1308 decrypted_master_key, KEY_LEN_BYTES)) {
1309 printf("EVP_EncryptUpdate failed\n");
1310 return -1;
1311 }
1312 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1313 printf("EVP_EncryptFinal failed\n");
1314 return -1;
1315 }
1316
1317 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1318 printf("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1319 return -1;
1320 }
1321
1322 /* Store the scrypt of the intermediate key, so we can validate if it's a
1323 password error or mount error when things go wrong.
1324 Note there's no need to check for errors, since if this is incorrect, we
1325 simply won't wipe userdata, which is the correct default behavior
1326 */
1327 int N = 1 << crypt_ftr->N_factor;
1328 int r = 1 << crypt_ftr->r_factor;
1329 int p = 1 << crypt_ftr->p_factor;
1330
1331 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1332 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1333 crypt_ftr->scrypted_intermediate_key,
1334 sizeof(crypt_ftr->scrypted_intermediate_key));
1335
1336 if (rc) {
1337 printf("encrypt_master_key: crypto_scrypt failed");
1338 }
1339
1340 return 0;
1341}
1342
1343static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
1344 unsigned char *encrypted_master_key,
1345 unsigned char *decrypted_master_key,
1346 kdf_func kdf, void *kdf_params,
1347 unsigned char** intermediate_key,
1348 size_t* intermediate_key_size)
1349{
1350 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1351 EVP_CIPHER_CTX d_ctx;
1352 int decrypted_len, final_len;
1353
1354 /* Turn the password into an intermediate key and IV that can decrypt the
1355 master key */
1356 if (kdf(passwd, salt, ikey, kdf_params)) {
1357 printf("kdf failed");
1358 return -1;
1359 }
1360
1361 /* Initialize the decryption engine */
1362 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1363 return -1;
1364 }
1365 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1366 /* Decrypt the master key */
1367 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1368 encrypted_master_key, KEY_LEN_BYTES)) {
1369 return -1;
1370 }
1371 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1372 return -1;
1373 }
1374
1375 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1376 return -1;
1377 }
1378
1379 /* Copy intermediate key if needed by params */
1380 if (intermediate_key && intermediate_key_size) {
1381 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1382 if (intermediate_key) {
1383 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1384 *intermediate_key_size = KEY_LEN_BYTES;
1385 }
1386 }
1387
1388 return 0;
1389}
1390
1391static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1392{
1393 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED ||
1394 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED ||
1395 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1396 *kdf = scrypt_keymaster;
1397 *kdf_params = ftr;
1398 } else if (ftr->kdf_type == KDF_SCRYPT) {
1399 *kdf = scrypt;
1400 *kdf_params = ftr;
1401 } else {
1402 *kdf = pbkdf2;
1403 *kdf_params = NULL;
1404 }
1405}
1406
1407static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
1408 struct crypt_mnt_ftr *crypt_ftr,
1409 unsigned char** intermediate_key,
1410 size_t* intermediate_key_size)
1411{
1412 kdf_func kdf;
1413 void *kdf_params;
1414 int ret;
1415
1416 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1417 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1418 decrypted_master_key, kdf, kdf_params,
1419 intermediate_key, intermediate_key_size);
1420 if (ret != 0) {
1421 printf("failure decrypting master key");
1422 }
1423
1424 return ret;
1425}
1426
1427static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1428 struct crypt_mnt_ftr *crypt_ftr) {
1429 int fd;
1430 unsigned char key_buf[KEY_LEN_BYTES];
1431 EVP_CIPHER_CTX e_ctx;
1432 int encrypted_len, final_len;
1433
1434 /* Get some random bits for a key */
1435 fd = open("/dev/urandom", O_RDONLY);
1436 read(fd, key_buf, sizeof(key_buf));
1437 read(fd, salt, SALT_LEN);
1438 close(fd);
1439
1440 /* Now encrypt it with the password */
1441 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1442}
1443
1444static int wait_and_unmount(char *mountpoint, bool kill)
1445{
1446 int i, err, rc;
1447#define WAIT_UNMOUNT_COUNT 20
1448
1449 /* Now umount the tmpfs filesystem */
1450 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1451 if (umount(mountpoint) == 0) {
1452 break;
1453 }
1454
1455 if (errno == EINVAL) {
1456 /* EINVAL is returned if the directory is not a mountpoint,
1457 * i.e. there is no filesystem mounted there. So just get out.
1458 */
1459 break;
1460 }
1461
1462 err = errno;
1463
1464 /* If allowed, be increasingly aggressive before the last two retries */
1465 if (kill) {
1466 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1467 printf("sending SIGHUP to processes with open files\n");
1468 //vold_killProcessesWithOpenFiles(mountpoint, 1);
1469 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1470 printf("sending SIGKILL to processes with open files\n");
1471 //vold_killProcessesWithOpenFiles(mountpoint, 2);
1472 }
1473 }
1474
1475 sleep(1);
1476 }
1477
1478 if (i < WAIT_UNMOUNT_COUNT) {
1479 printf("unmounting %s succeeded\n", mountpoint);
1480 rc = 0;
1481 } else {
1482 //vold_killProcessesWithOpenFiles(mountpoint, 0);
1483 printf("unmounting %s failed: %s\n", mountpoint, strerror(err));
1484 rc = -1;
1485 }
1486
1487 return rc;
1488}
1489
1490#define DATA_PREP_TIMEOUT 200
1491static int prep_data_fs(void)
1492{
1493 int i;
1494
1495 /* Do the prep of the /data filesystem */
1496 property_set("vold.post_fs_data_done", "0");
1497 property_set("vold.decrypt", "trigger_post_fs_data");
1498 printf("Just triggered post_fs_data\n");
1499
1500 /* Wait a max of 50 seconds, hopefully it takes much less */
1501 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1502 char p[PROPERTY_VALUE_MAX];
1503
1504 property_get("vold.post_fs_data_done", p, "0");
1505 if (*p == '1') {
1506 break;
1507 } else {
1508 usleep(250000);
1509 }
1510 }
1511 if (i == DATA_PREP_TIMEOUT) {
1512 /* Ugh, we failed to prep /data in time. Bail. */
1513 printf("post_fs_data timed out!\n");
1514 return -1;
1515 } else {
1516 printf("post_fs_data done\n");
1517 return 0;
1518 }
1519}
1520
1521static void cryptfs_set_corrupt()
1522{
1523 // Mark the footer as bad
1524 struct crypt_mnt_ftr crypt_ftr;
1525 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1526 printf("Failed to get crypto footer - panic");
1527 return;
1528 }
1529
1530 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1531 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1532 printf("Failed to set crypto footer - panic");
1533 return;
1534 }
1535}
1536
1537static void cryptfs_trigger_restart_min_framework()
1538{
1539 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1540 printf("Failed to mount tmpfs on data - panic");
1541 return;
1542 }
1543
1544 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1545 printf("Failed to trigger post fs data - panic");
1546 return;
1547 }
1548
1549 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1550 printf("Failed to trigger restart min framework - panic");
1551 return;
1552 }
1553}
1554
1555/* returns < 0 on failure */
1556static int cryptfs_restart_internal(int restart_main)
1557{
1558 char fs_type[32];
1559 char real_blkdev[MAXPATHLEN];
1560 char crypto_blkdev[MAXPATHLEN];
1561 char fs_options[256];
1562 unsigned long mnt_flags;
1563 struct stat statbuf;
1564 int rc = -1, i;
1565 static int restart_successful = 0;
1566
1567 /* Validate that it's OK to call this routine */
1568 if (! master_key_saved) {
1569 printf("Encrypted filesystem not validated, aborting");
1570 return -1;
1571 }
1572
1573 if (restart_successful) {
1574 printf("System already restarted with encrypted disk, aborting");
1575 return -1;
1576 }
1577
1578 if (restart_main) {
1579 /* Here is where we shut down the framework. The init scripts
1580 * start all services in one of three classes: core, main or late_start.
1581 * On boot, we start core and main. Now, we stop main, but not core,
1582 * as core includes vold and a few other really important things that
1583 * we need to keep running. Once main has stopped, we should be able
1584 * to umount the tmpfs /data, then mount the encrypted /data.
1585 * We then restart the class main, and also the class late_start.
1586 * At the moment, I've only put a few things in late_start that I know
1587 * are not needed to bring up the framework, and that also cause problems
1588 * with unmounting the tmpfs /data, but I hope to add add more services
1589 * to the late_start class as we optimize this to decrease the delay
1590 * till the user is asked for the password to the filesystem.
1591 */
1592
1593 /* The init files are setup to stop the class main when vold.decrypt is
1594 * set to trigger_reset_main.
1595 */
1596 property_set("vold.decrypt", "trigger_reset_main");
1597 printf("Just asked init to shut down class main\n");
1598
1599 /* Ugh, shutting down the framework is not synchronous, so until it
1600 * can be fixed, this horrible hack will wait a moment for it all to
1601 * shut down before proceeding. Without it, some devices cannot
1602 * restart the graphics services.
1603 */
1604 sleep(2);
1605 }
1606
1607 /* Now that the framework is shutdown, we should be able to umount()
1608 * the tmpfs filesystem, and mount the real one.
1609 */
1610
1611 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1612 if (strlen(crypto_blkdev) == 0) {
1613 printf("fs_crypto_blkdev not set\n");
1614 return -1;
1615 }
1616
1617 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1618 /* If ro.crypto.readonly is set to 1, mount the decrypted
1619 * filesystem readonly. This is used when /data is mounted by
1620 * recovery mode.
1621 */
1622 char ro_prop[PROPERTY_VALUE_MAX];
1623 property_get("ro.crypto.readonly", ro_prop, "");
1624 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1625 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1626 rec->flags |= MS_RDONLY;
1627 }
1628
1629 /* If that succeeded, then mount the decrypted filesystem */
1630 int retries = RETRY_MOUNT_ATTEMPTS;
1631 int mount_rc;
1632 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1633 crypto_blkdev, 0))
1634 != 0) {
1635 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1636 /* TODO: invoke something similar to
1637 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1638 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1639 printf("Failed to mount %s because it is busy - waiting",
1640 crypto_blkdev);
1641 if (--retries) {
1642 sleep(RETRY_MOUNT_DELAY_SECONDS);
1643 } else {
1644 /* Let's hope that a reboot clears away whatever is keeping
1645 the mount busy */
1646 cryptfs_reboot(reboot);
1647 }
1648 } else {
1649 printf("Failed to mount decrypted data");
1650 cryptfs_set_corrupt();
1651 cryptfs_trigger_restart_min_framework();
1652 printf("Started framework to offer wipe");
1653 return -1;
1654 }
1655 }
1656
1657 property_set("vold.decrypt", "trigger_load_persist_props");
1658 /* Create necessary paths on /data */
1659 if (prep_data_fs()) {
1660 return -1;
1661 }
1662
1663 /* startup service classes main and late_start */
1664 property_set("vold.decrypt", "trigger_restart_framework");
1665 printf("Just triggered restart_framework\n");
1666
1667 /* Give it a few moments to get started */
1668 sleep(1);
1669 }
1670
1671 if (rc == 0) {
1672 restart_successful = 1;
1673 }
1674
1675 return rc;
1676}
1677
1678int cryptfs_restart(void)
1679{
1680 /* Call internal implementation forcing a restart of main service group */
1681 return cryptfs_restart_internal(1);
1682}
1683
1684static int do_crypto_complete(char *mount_point UNUSED)
1685{
1686 struct crypt_mnt_ftr crypt_ftr;
1687 char encrypted_state[PROPERTY_VALUE_MAX];
1688 char key_loc[PROPERTY_VALUE_MAX];
1689
1690 property_get("ro.crypto.state", encrypted_state, "");
1691 if (strcmp(encrypted_state, "encrypted") ) {
1692 printf("not running with encryption, aborting");
1693 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1694 }
1695
1696 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1697 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1698
1699 /*
1700 * Only report this error if key_loc is a file and it exists.
1701 * If the device was never encrypted, and /data is not mountable for
1702 * some reason, returning 1 should prevent the UI from presenting the
1703 * a "enter password" screen, or worse, a "press button to wipe the
1704 * device" screen.
1705 */
1706 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1707 printf("master key file does not exist, aborting");
1708 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1709 } else {
1710 printf("Error getting crypt footer and key\n");
1711 return CRYPTO_COMPLETE_BAD_METADATA;
1712 }
1713 }
1714
1715 // Test for possible error flags
1716 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1717 printf("Encryption process is partway completed\n");
1718 return CRYPTO_COMPLETE_PARTIAL;
1719 }
1720
1721 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1722 printf("Encryption process was interrupted but cannot continue\n");
1723 return CRYPTO_COMPLETE_INCONSISTENT;
1724 }
1725
1726 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1727 printf("Encryption is successful but data is corrupt\n");
1728 return CRYPTO_COMPLETE_CORRUPT;
1729 }
1730
1731 /* We passed the test! We shall diminish, and return to the west */
1732 return CRYPTO_COMPLETE_ENCRYPTED;
1733}
1734
1735static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1736 char *passwd, char *mount_point, char *label)
1737{
1738 /* Allocate enough space for a 256 bit key, but we may use less */
1739 unsigned char decrypted_master_key[32];
1740 char crypto_blkdev[MAXPATHLEN];
1741 char real_blkdev[MAXPATHLEN];
1742 char tmp_mount_point[64];
1743 unsigned int orig_failed_decrypt_count;
1744 int rc;
1745 kdf_func kdf;
1746 void *kdf_params;
1747 int use_keymaster = 0;
1748 int upgrade = 0;
1749 unsigned char* intermediate_key = 0;
1750 size_t intermediate_key_size = 0;
1751
1752 printf("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1753 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1754
1755 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1756 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1757 &intermediate_key, &intermediate_key_size)) {
1758 printf("Failed to decrypt master key\n");
1759 rc = -1;
1760 goto errout;
1761 }
1762 }
1763
1764 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1765
1766 // Create crypto block device - all (non fatal) code paths
1767 // need it
1768 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1769 real_blkdev, crypto_blkdev, label)) {
1770 printf("Error creating decrypted block device\n");
1771 rc = -1;
1772 goto errout;
1773 }
1774
1775 /* Work out if the problem is the password or the data */
1776 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1777 scrypted_intermediate_key)];
1778 int N = 1 << crypt_ftr->N_factor;
1779 int r = 1 << crypt_ftr->r_factor;
1780 int p = 1 << crypt_ftr->p_factor;
1781
1782 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1783 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1784 N, r, p, scrypted_intermediate_key,
1785 sizeof(scrypted_intermediate_key));
1786
1787 // Does the key match the crypto footer?
1788 if (rc == 0 && memcmp(scrypted_intermediate_key,
1789 crypt_ftr->scrypted_intermediate_key,
1790 sizeof(scrypted_intermediate_key)) == 0) {
1791 printf("Password matches\n");
1792 rc = 0;
1793 } else {
1794 /* Try mounting the file system anyway, just in case the problem's with
1795 * the footer, not the key. */
1796 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1797 mkdir(tmp_mount_point, 0755);
1798 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1799 printf("Error temp mounting decrypted block device '%s'\n", crypto_blkdev);
1800 delete_crypto_blk_dev(label);
1801
1802 rc = ++crypt_ftr->failed_decrypt_count;
1803 //put_crypt_ftr_and_key(crypt_ftr); // Do not penalize for attempting to decrypt in recovery
1804 } else {
1805 /* Success! */
1806 printf("Password did not match but decrypted drive mounted - continue\n");
1807 umount(tmp_mount_point);
1808 rc = 0;
1809 }
1810 }
1811
1812 if (rc == 0) {
1813 /*crypt_ftr->failed_decrypt_count = 0;
1814 if (orig_failed_decrypt_count != 0) {
1815 put_crypt_ftr_and_key(crypt_ftr);
1816 }*/
1817
1818 /* Save the name of the crypto block device
1819 * so we can mount it when restarting the framework. */
1820 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1821
1822 /* Also save a the master key so we can reencrypted the key
1823 * the key when we want to change the password on it. */
1824 /*memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1825 saved_mount_point = strdup(mount_point);
1826 master_key_saved = 1;
1827 printf("%s(): Master key saved\n", __FUNCTION__);*/
1828 rc = 0;
1829
1830 // Upgrade if we're not using the latest KDF.
1831 /*use_keymaster = keymaster_check_compatibility();
1832 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1833 // Don't allow downgrade
1834 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1835 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1836 upgrade = 1;
1837 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1838 crypt_ftr->kdf_type = KDF_SCRYPT;
1839 upgrade = 1;
1840 }
1841
1842 if (upgrade) {
1843 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1844 crypt_ftr->master_key, crypt_ftr);
1845 if (!rc) {
1846 rc = put_crypt_ftr_and_key(crypt_ftr);
1847 }
1848 printf("Key Derivation Function upgrade: rc=%d\n", rc);
1849
1850 // Do not fail even if upgrade failed - machine is bootable
1851 // Note that if this code is ever hit, there is a *serious* problem
1852 // since KDFs should never fail. You *must* fix the kdf before
1853 // proceeding!
1854 if (rc) {
1855 printf("Upgrade failed with error %d,"
1856 " but continuing with previous state\n",
1857 rc);
1858 rc = 0;
1859 }
1860 }*/
1861 }
1862
1863 errout:
1864 if (intermediate_key) {
1865 memset(intermediate_key, 0, intermediate_key_size);
1866 free(intermediate_key);
1867 }
1868 return rc;
1869}
1870
1871/* Called by vold when it wants to undo the crypto mapping of a volume it
1872 * manages. This is usually in response to a factory reset, when we want
1873 * to undo the crypto mapping so the volume is formatted in the clear.
1874 */
1875int cryptfs_revert_volume(const char *label)
1876{
1877 return delete_crypto_blk_dev((char *)label);
1878}
1879
1880/*
1881 * Called by vold when it's asked to mount an encrypted, nonremovable volume.
1882 * Setup a dm-crypt mapping, use the saved master key from
1883 * setting up the /data mapping, and return the new device path.
1884 */
1885int cryptfs_setup_volume(const char *label, int major, int minor,
1886 char *crypto_sys_path, unsigned int max_path,
1887 int *new_major, int *new_minor)
1888{
1889 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN];
1890 struct crypt_mnt_ftr sd_crypt_ftr;
1891 struct stat statbuf;
1892 int nr_sec, fd;
1893
1894 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor);
1895
1896 get_crypt_ftr_and_key(&sd_crypt_ftr);
1897
1898 /* Update the fs_size field to be the size of the volume */
1899 fd = open(real_blkdev, O_RDONLY);
1900 nr_sec = get_blkdev_size(fd);
1901 close(fd);
1902 if (nr_sec == 0) {
1903 printf("Cannot get size of volume %s\n", real_blkdev);
1904 return -1;
1905 }
1906
1907 sd_crypt_ftr.fs_size = nr_sec;
1908 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev,
1909 crypto_blkdev, label);
1910
1911 stat(crypto_blkdev, &statbuf);
1912 *new_major = MAJOR(statbuf.st_rdev);
1913 *new_minor = MINOR(statbuf.st_rdev);
1914
1915 /* Create path to sys entry for this block device */
1916 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1);
1917
1918 return 0;
1919}
1920
1921int cryptfs_crypto_complete(void)
1922{
1923 return do_crypto_complete("/data");
1924}
1925
1926int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1927{
1928 char encrypted_state[PROPERTY_VALUE_MAX];
1929 property_get("ro.crypto.state", encrypted_state, "");
1930 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1931 printf("encrypted fs already validated or not running with encryption,"
Ethan Yonkercceebb82014-11-18 10:17:59 -0600[diff] [blame]1932 " aborting\n");
1933 //return -1;
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600[diff] [blame]1934 }
1935
1936 if (get_crypt_ftr_and_key(crypt_ftr)) {
Ethan Yonkercceebb82014-11-18 10:17:59 -0600[diff] [blame]1937 printf("Error getting crypt footer and key\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600[diff] [blame]1938 return -1;
1939 }
1940
1941 return 0;
1942}
1943
1944/*
1945 * TODO - transition patterns to new format in calling code
1946 * and remove this vile hack, and the use of hex in
1947 * the password passing code.
1948 *
1949 * Patterns are passed in zero based (i.e. the top left dot
1950 * is represented by zero, the top middle one etc), but we want
1951 * to store them '1' based.
1952 * This is to allow us to migrate the calling code to use this
1953 * convention. It also solves a nasty problem whereby scrypt ignores
1954 * trailing zeros, so patterns ending at the top left could be
1955 * truncated, and similarly, you could add the top left to any
1956 * pattern and still match.
1957 * adjust_passwd is a hack function that returns the alternate representation
1958 * if the password appears to be a pattern (hex numbers all less than 09)
1959 * If it succeeds we need to try both, and in particular try the alternate
1960 * first. If the original matches, then we need to update the footer
1961 * with the alternate.
1962 * All code that accepts passwords must adjust them first. Since
1963 * cryptfs_check_passwd is always the first function called after a migration
1964 * (and indeed on any boot) we only need to do the double try in this
1965 * function.
1966 */
1967char* adjust_passwd(const char* passwd)
1968{
1969 size_t index, length;
1970
1971 if (!passwd) {
1972 return 0;
1973 }
1974
1975 // Check even length. Hex encoded passwords are always
1976 // an even length, since each character encodes to two characters.
1977 length = strlen(passwd);
1978 if (length % 2) {
1979 printf("Password not correctly hex encoded.");
1980 return 0;
1981 }
1982
1983 // Check password is old-style pattern - a collection of hex
1984 // encoded bytes less than 9 (00 through 08)
1985 for (index = 0; index < length; index +=2) {
1986 if (passwd[index] != '0'
1987 || passwd[index + 1] < '0' || passwd[index + 1] > '8') {
1988 return 0;
1989 }
1990 }
1991
1992 // Allocate room for adjusted passwd and null terminate
1993 char* adjusted = malloc(length + 1);
1994 adjusted[length] = 0;
1995
1996 // Add 0x31 ('1') to each character
1997 for (index = 0; index < length; index += 2) {
1998 // output is 31 through 39 so set first byte to three, second to src + 1
1999 adjusted[index] = '3';
2000 adjusted[index + 1] = passwd[index + 1] + 1;
2001 }
2002
2003 return adjusted;
2004}
2005
2006/*
2007 * Passwords in L get passed from Android to cryptfs in hex, so a '1'
2008 * gets converted to '31' where 31 is 0x31 which is the ascii character
2009 * code in hex of the character '1'. This function will convert the
2010 * regular character codes to their hexadecimal representation to make
2011 * decrypt work properly with Android 5.0 lollipop decryption.
2012 */
2013char* hexadj_passwd(const char* passwd)
2014{
2015 size_t index, length;
2016 char* ptr = passwd;
2017
2018 if (!passwd) {
2019 return 0;
2020 }
2021
2022 length = strlen(passwd);
2023
2024 // Allocate room for hex passwd and null terminate
2025 char* hex = malloc((length * 2) + 1);
2026 hex[length * 2] = 0;
2027
2028 // Convert to hex
2029 for (index = 0; index < length; index++) {
2030 sprintf(hex + (index * 2), "%02X", *ptr);
2031 ptr++;
2032 }
2033
2034 return hex;
2035}
2036
2037#define FSTAB_PREFIX "/fstab."
2038
2039int cryptfs_check_footer(void)
2040{
2041 int rc = -1;
2042 char fstab_filename[PROPERTY_VALUE_MAX + sizeof(FSTAB_PREFIX)];
2043 char propbuf[PROPERTY_VALUE_MAX];
2044 struct crypt_mnt_ftr crypt_ftr;
2045
2046 property_get("ro.hardware", propbuf, "");
2047 snprintf(fstab_filename, sizeof(fstab_filename), FSTAB_PREFIX"%s", propbuf);
2048
2049 fstab = fs_mgr_read_fstab(fstab_filename);
2050 if (!fstab) {
2051 printf("failed to open %s\n", fstab_filename);
2052 return -1;
2053 }
2054
2055 rc = get_crypt_ftr_and_key(&crypt_ftr);
2056
2057 return rc;
2058}
2059
2060int cryptfs_check_passwd(char *passwd)
2061{
2062 struct crypt_mnt_ftr crypt_ftr;
2063 int rc;
2064 char fstab_filename[PROPERTY_VALUE_MAX + sizeof(FSTAB_PREFIX)];
2065 char propbuf[PROPERTY_VALUE_MAX];
2066
2067 property_get("ro.hardware", propbuf, "");
2068 snprintf(fstab_filename, sizeof(fstab_filename), FSTAB_PREFIX"%s", propbuf);
2069
2070 fstab = fs_mgr_read_fstab(fstab_filename);
2071 if (!fstab) {
2072 printf("failed to open %s\n", fstab_filename);
2073 return -1;
2074 }
2075
2076 rc = check_unmounted_and_get_ftr(&crypt_ftr);
2077 if (rc)
2078 return rc;
2079
2080 char* adjusted_passwd = adjust_passwd(passwd);
2081 char* hex_passwd = hexadj_passwd(passwd);
2082
2083 if (adjusted_passwd) {
2084 int failed_decrypt_count = crypt_ftr.failed_decrypt_count;
2085 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd,
2086 DATA_MNT_POINT, "userdata");
2087
2088 // Maybe the original one still works?
2089 if (rc) {
2090 // Don't double count this failure
2091 crypt_ftr.failed_decrypt_count = failed_decrypt_count;
2092 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2093 DATA_MNT_POINT, "userdata");
2094 if (!rc) {
2095 // cryptfs_changepw also adjusts so pass original
2096 // Note that adjust_passwd only recognises patterns
2097 // so we can safely use CRYPT_TYPE_PATTERN
2098 printf("TWRP NOT Updating pattern to new format");
2099 //cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd);
2100 } else if (hex_passwd) {
2101 rc = test_mount_encrypted_fs(&crypt_ftr, hex_passwd,
2102 DATA_MNT_POINT, "userdata");
2103 }
2104 }
2105 free(adjusted_passwd);
2106 } else {
2107 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2108 DATA_MNT_POINT, "userdata");
2109 if (rc && hex_passwd) {
2110 rc = test_mount_encrypted_fs(&crypt_ftr, hex_passwd,
2111 DATA_MNT_POINT, "userdata");
2112 }
2113 }
2114
2115 if (hex_passwd)
2116 free(hex_passwd);
2117
2118 /*if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2119 printf("cryptfs_check_passwd update expiry time?\n");
2120 cryptfs_clear_password();
2121 password = strdup(passwd);
2122 struct timespec now;
2123 clock_gettime(CLOCK_BOOTTIME, &now);
2124 password_expiry_time = now.tv_sec + password_max_age_seconds;
2125 }*/
2126
2127 return rc;
2128}
2129
2130int cryptfs_verify_passwd(char *passwd)
2131{
2132 struct crypt_mnt_ftr crypt_ftr;
2133 /* Allocate enough space for a 256 bit key, but we may use less */
2134 unsigned char decrypted_master_key[32];
2135 char encrypted_state[PROPERTY_VALUE_MAX];
2136 int rc;
2137
2138 property_get("ro.crypto.state", encrypted_state, "");
2139 if (strcmp(encrypted_state, "encrypted") ) {
2140 printf("device not encrypted, aborting");
2141 return -2;
2142 }
2143
2144 if (!master_key_saved) {
2145 printf("encrypted fs not yet mounted, aborting");
2146 return -1;
2147 }
2148
2149 if (!saved_mount_point) {
2150 printf("encrypted fs failed to save mount point, aborting");
2151 return -1;
2152 }
2153
2154 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2155 printf("Error getting crypt footer and key\n");
2156 return -1;
2157 }
2158
2159 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2160 /* If the device has no password, then just say the password is valid */
2161 rc = 0;
2162 } else {
2163 char* adjusted_passwd = adjust_passwd(passwd);
2164 if (adjusted_passwd) {
2165 passwd = adjusted_passwd;
2166 }
2167
2168 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2169 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2170 /* They match, the password is correct */
2171 rc = 0;
2172 } else {
2173 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2174 sleep(1);
2175 rc = 1;
2176 }
2177
2178 free(adjusted_passwd);
2179 }
2180
2181 return rc;
2182}
2183
2184/* Initialize a crypt_mnt_ftr structure. The keysize is
2185 * defaulted to 16 bytes, and the filesystem size to 0.
2186 * Presumably, at a minimum, the caller will update the
2187 * filesystem size and crypto_type_name after calling this function.
2188 */
2189static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2190{
2191 off64_t off;
2192
2193 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2194 ftr->magic = CRYPT_MNT_MAGIC;
2195 ftr->major_version = CURRENT_MAJOR_VERSION;
2196 ftr->minor_version = CURRENT_MINOR_VERSION;
2197 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2198 ftr->keysize = KEY_LEN_BYTES;
2199
2200 switch (keymaster_check_compatibility()) {
2201 case 1:
2202 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2203 break;
2204
2205 case 0:
2206 ftr->kdf_type = KDF_SCRYPT;
2207 break;
2208
2209 default:
2210 printf("keymaster_check_compatibility failed");
2211 return -1;
2212 }
2213
2214 get_device_scrypt_params(ftr);
2215
2216 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2217 if (get_crypt_ftr_info(NULL, &off) == 0) {
2218 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2219 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2220 ftr->persist_data_size;
2221 }
2222
2223 return 0;
2224}
2225
2226static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2227{
2228 const char *args[10];
2229 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
2230 int num_args;
2231 int status;
2232 int tmp;
2233 int rc = -1;
2234
2235 if (type == EXT4_FS) {
2236 args[0] = "/system/bin/make_ext4fs";
2237 args[1] = "-a";
2238 args[2] = "/data";
2239 args[3] = "-l";
2240 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2241 args[4] = size_str;
2242 args[5] = crypto_blkdev;
2243 num_args = 6;
2244 printf("Making empty filesystem with command %s %s %s %s %s %s\n",
2245 args[0], args[1], args[2], args[3], args[4], args[5]);
2246 } else if (type == F2FS_FS) {
2247 args[0] = "/system/bin/mkfs.f2fs";
2248 args[1] = "-t";
2249 args[2] = "-d1";
2250 args[3] = crypto_blkdev;
2251 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2252 args[4] = size_str;
2253 num_args = 5;
2254 printf("Making empty filesystem with command %s %s %s %s %s\n",
2255 args[0], args[1], args[2], args[3], args[4]);
2256 } else {
2257 printf("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
2258 return -1;
2259 }
2260
2261 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
2262
2263 if (tmp != 0) {
2264 printf("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2265 } else {
2266 if (WIFEXITED(status)) {
2267 if (WEXITSTATUS(status)) {
2268 printf("Error creating filesystem on %s, exit status %d ",
2269 crypto_blkdev, WEXITSTATUS(status));
2270 } else {
2271 printf("Successfully created filesystem on %s\n", crypto_blkdev);
2272 rc = 0;
2273 }
2274 } else {
2275 printf("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
2276 }
2277 }
2278
2279 return rc;
2280}
2281
2282#define CRYPT_INPLACE_BUFSIZE 4096
2283#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
2284#define CRYPT_SECTOR_SIZE 512
2285
2286/* aligned 32K writes tends to make flash happy.
2287 * SD card association recommends it.
2288 */
2289#define BLOCKS_AT_A_TIME 8
2290
2291struct encryptGroupsData
2292{
2293 int realfd;
2294 int cryptofd;
2295 off64_t numblocks;
2296 off64_t one_pct, cur_pct, new_pct;
2297 off64_t blocks_already_done, tot_numblocks;
2298 off64_t used_blocks_already_done, tot_used_blocks;
2299 char* real_blkdev, * crypto_blkdev;
2300 int count;
2301 off64_t offset;
2302 char* buffer;
2303 off64_t last_written_sector;
2304 int completed;
2305 time_t time_started;
2306 int remaining_time;
2307};
2308
2309static void update_progress(struct encryptGroupsData* data, int is_used)
2310{
2311 data->blocks_already_done++;
2312
2313 if (is_used) {
2314 data->used_blocks_already_done++;
2315 }
2316 if (data->tot_used_blocks) {
2317 data->new_pct = data->used_blocks_already_done / data->one_pct;
2318 } else {
2319 data->new_pct = data->blocks_already_done / data->one_pct;
2320 }
2321
2322 if (data->new_pct > data->cur_pct) {
2323 char buf[8];
2324 data->cur_pct = data->new_pct;
2325 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2326 property_set("vold.encrypt_progress", buf);
2327 }
2328
2329 if (data->cur_pct >= 5) {
2330 struct timespec time_now;
2331 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2332 printf("Error getting time");
2333 } else {
2334 double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2335 off64_t remaining_blocks = data->tot_used_blocks
2336 - data->used_blocks_already_done;
2337 int remaining_time = (int)(elapsed_time * remaining_blocks
2338 / data->used_blocks_already_done);
2339
2340 // Change time only if not yet set, lower, or a lot higher for
2341 // best user experience
2342 if (data->remaining_time == -1
2343 || remaining_time < data->remaining_time
2344 || remaining_time > data->remaining_time + 60) {
2345 char buf[8];
2346 snprintf(buf, sizeof(buf), "%d", remaining_time);
2347 property_set("vold.encrypt_time_remaining", buf);
2348 data->remaining_time = remaining_time;
2349 }
2350 }
2351 }
2352}
2353
2354static void log_progress(struct encryptGroupsData const* data, bool completed)
2355{
2356 // Precondition - if completed data = 0 else data != 0
2357
2358 // Track progress so we can skip logging blocks
2359 static off64_t offset = -1;
2360
2361 // Need to close existing 'Encrypting from' log?
2362 if (completed || (offset != -1 && data->offset != offset)) {
2363 printf("Encrypted to sector %" PRId64,
2364 offset / info.block_size * CRYPT_SECTOR_SIZE);
2365 offset = -1;
2366 }
2367
2368 // Need to start new 'Encrypting from' log?
2369 if (!completed && offset != data->offset) {
2370 printf("Encrypting from sector %" PRId64,
2371 data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2372 }
2373
2374 // Update offset
2375 if (!completed) {
2376 offset = data->offset + (off64_t)data->count * info.block_size;
2377 }
2378}
2379
2380static int flush_outstanding_data(struct encryptGroupsData* data)
2381{
2382 if (data->count == 0) {
2383 return 0;
2384 }
2385
2386 printf("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2387
2388 if (pread64(data->realfd, data->buffer,
2389 info.block_size * data->count, data->offset)
2390 <= 0) {
2391 printf("Error reading real_blkdev %s for inplace encrypt",
2392 data->real_blkdev);
2393 return -1;
2394 }
2395
2396 if (pwrite64(data->cryptofd, data->buffer,
2397 info.block_size * data->count, data->offset)
2398 <= 0) {
2399 printf("Error writing crypto_blkdev %s for inplace encrypt",
2400 data->crypto_blkdev);
2401 return -1;
2402 } else {
2403 log_progress(data, false);
2404 }
2405
2406 data->count = 0;
2407 data->last_written_sector = (data->offset + data->count)
2408 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2409 return 0;
2410}
2411
2412static int encrypt_groups(struct encryptGroupsData* data)
2413{
2414 unsigned int i;
2415 u8 *block_bitmap = 0;
2416 unsigned int block;
2417 off64_t ret;
2418 int rc = -1;
2419
2420 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2421 if (!data->buffer) {
2422 printf("Failed to allocate crypto buffer");
2423 goto errout;
2424 }
2425
2426 block_bitmap = malloc(info.block_size);
2427 if (!block_bitmap) {
2428 printf("failed to allocate block bitmap");
2429 goto errout;
2430 }
2431
2432 for (i = 0; i < aux_info.groups; ++i) {
2433 printf("Encrypting group %d", i);
2434
2435 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2436 u32 block_count = min(info.blocks_per_group,
2437 aux_info.len_blocks - first_block);
2438
2439 off64_t offset = (u64)info.block_size
2440 * aux_info.bg_desc[i].bg_block_bitmap;
2441
2442 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2443 if (ret != (int)info.block_size) {
2444 printf("failed to read all of block group bitmap %d", i);
2445 goto errout;
2446 }
2447
2448 offset = (u64)info.block_size * first_block;
2449
2450 data->count = 0;
2451
2452 for (block = 0; block < block_count; block++) {
2453 int used = bitmap_get_bit(block_bitmap, block);
2454 update_progress(data, used);
2455 if (used) {
2456 if (data->count == 0) {
2457 data->offset = offset;
2458 }
2459 data->count++;
2460 } else {
2461 if (flush_outstanding_data(data)) {
2462 goto errout;
2463 }
2464 }
2465
2466 offset += info.block_size;
2467
2468 /* Write data if we are aligned or buffer size reached */
2469 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2470 || data->count == BLOCKS_AT_A_TIME) {
2471 if (flush_outstanding_data(data)) {
2472 goto errout;
2473 }
2474 }
2475
2476 if (1) {
2477 printf("Stopping encryption due to low battery");
2478 rc = 0;
2479 goto errout;
2480 }
2481
2482 }
2483 if (flush_outstanding_data(data)) {
2484 goto errout;
2485 }
2486 }
2487
2488 data->completed = 1;
2489 rc = 0;
2490
2491errout:
2492 log_progress(0, true);
2493 free(data->buffer);
2494 free(block_bitmap);
2495 return rc;
2496}
2497
2498static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2499 char *real_blkdev,
2500 off64_t size,
2501 off64_t *size_already_done,
2502 off64_t tot_size,
2503 off64_t previously_encrypted_upto)
2504{
2505 u32 i;
2506 struct encryptGroupsData data;
2507 int rc; // Can't initialize without causing warning -Wclobbered
2508
2509 if (previously_encrypted_upto > *size_already_done) {
2510 printf("Not fast encrypting since resuming part way through");
2511 return -1;
2512 }
2513
2514 memset(&data, 0, sizeof(data));
2515 data.real_blkdev = real_blkdev;
2516 data.crypto_blkdev = crypto_blkdev;
2517
2518 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) {
2519 printf("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2520 real_blkdev, errno, strerror(errno));
2521 rc = -1;
2522 goto errout;
2523 }
2524
2525 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2526 printf("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2527 crypto_blkdev, errno, strerror(errno));
2528 rc = ENABLE_INPLACE_ERR_DEV;
2529 goto errout;
2530 }
2531
2532 if (setjmp(setjmp_env)) {
2533 printf("Reading ext4 extent caused an exception\n");
2534 rc = -1;
2535 goto errout;
2536 }
2537
2538 if (read_ext(data.realfd, 0) != 0) {
2539 printf("Failed to read ext4 extent\n");
2540 rc = -1;
2541 goto errout;
2542 }
2543
2544 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2545 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2546 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2547
2548 printf("Encrypting ext4 filesystem in place...");
2549
2550 data.tot_used_blocks = data.numblocks;
2551 for (i = 0; i < aux_info.groups; ++i) {
2552 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2553 }
2554
2555 data.one_pct = data.tot_used_blocks / 100;
2556 data.cur_pct = 0;
2557
2558 struct timespec time_started = {0};
2559 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2560 printf("Error getting time at start");
2561 // Note - continue anyway - we'll run with 0
2562 }
2563 data.time_started = time_started.tv_sec;
2564 data.remaining_time = -1;
2565
2566 rc = encrypt_groups(&data);
2567 if (rc) {
2568 printf("Error encrypting groups");
2569 goto errout;
2570 }
2571
2572 *size_already_done += data.completed ? size : data.last_written_sector;
2573 rc = 0;
2574
2575errout:
2576 close(data.realfd);
2577 close(data.cryptofd);
2578
2579 return rc;
2580}
2581
2582static void log_progress_f2fs(u64 block, bool completed)
2583{
2584 // Precondition - if completed data = 0 else data != 0
2585
2586 // Track progress so we can skip logging blocks
2587 static u64 last_block = (u64)-1;
2588
2589 // Need to close existing 'Encrypting from' log?
2590 if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2591 printf("Encrypted to block %" PRId64, last_block);
2592 last_block = -1;
2593 }
2594
2595 // Need to start new 'Encrypting from' log?
2596 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2597 printf("Encrypting from block %" PRId64, block);
2598 }
2599
2600 // Update offset
2601 if (!completed) {
2602 last_block = block;
2603 }
2604}
2605
2606static int encrypt_one_block_f2fs(u64 pos, void *data)
2607{
2608 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2609
2610 priv_dat->blocks_already_done = pos - 1;
2611 update_progress(priv_dat, 1);
2612
2613 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2614
2615 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2616 printf("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2617 return -1;
2618 }
2619
2620 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2621 printf("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2622 return -1;
2623 } else {
2624 log_progress_f2fs(pos, false);
2625 }
2626
2627 return 0;
2628}
2629
2630static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2631 char *real_blkdev,
2632 off64_t size,
2633 off64_t *size_already_done,
2634 off64_t tot_size,
2635 off64_t previously_encrypted_upto)
2636{
2637 u32 i;
2638 struct encryptGroupsData data;
2639 struct f2fs_info *f2fs_info = NULL;
2640 int rc = ENABLE_INPLACE_ERR_OTHER;
2641 if (previously_encrypted_upto > *size_already_done) {
2642 printf("Not fast encrypting since resuming part way through");
2643 return ENABLE_INPLACE_ERR_OTHER;
2644 }
2645 memset(&data, 0, sizeof(data));
2646 data.real_blkdev = real_blkdev;
2647 data.crypto_blkdev = crypto_blkdev;
2648 data.realfd = -1;
2649 data.cryptofd = -1;
2650 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) {
2651 printf("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2652 real_blkdev);
2653 goto errout;
2654 }
2655 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) {
2656 printf("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2657 crypto_blkdev, errno, strerror(errno));
2658 rc = ENABLE_INPLACE_ERR_DEV;
2659 goto errout;
2660 }
2661
2662 f2fs_info = generate_f2fs_info(data.realfd);
2663 if (!f2fs_info)
2664 goto errout;
2665
2666 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2667 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2668 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2669
2670 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2671
2672 data.one_pct = data.tot_used_blocks / 100;
2673 data.cur_pct = 0;
2674 data.time_started = time(NULL);
2675 data.remaining_time = -1;
2676
2677 data.buffer = malloc(f2fs_info->block_size);
2678 if (!data.buffer) {
2679 printf("Failed to allocate crypto buffer");
2680 goto errout;
2681 }
2682
2683 data.count = 0;
2684
2685 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2686 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2687
2688 if (rc) {
2689 printf("Error in running over f2fs blocks");
2690 rc = ENABLE_INPLACE_ERR_OTHER;
2691 goto errout;
2692 }
2693
2694 *size_already_done += size;
2695 rc = 0;
2696
2697errout:
2698 if (rc)
2699 printf("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2700
2701 log_progress_f2fs(0, true);
2702 free(f2fs_info);
2703 free(data.buffer);
2704 close(data.realfd);
2705 close(data.cryptofd);
2706
2707 return rc;
2708}
2709
2710static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2711 off64_t size, off64_t *size_already_done,
2712 off64_t tot_size,
2713 off64_t previously_encrypted_upto)
2714{
2715 int realfd, cryptofd;
2716 char *buf[CRYPT_INPLACE_BUFSIZE];
2717 int rc = ENABLE_INPLACE_ERR_OTHER;
2718 off64_t numblocks, i, remainder;
2719 off64_t one_pct, cur_pct, new_pct;
2720 off64_t blocks_already_done, tot_numblocks;
2721
2722 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) {
2723 printf("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2724 return ENABLE_INPLACE_ERR_OTHER;
2725 }
2726
2727 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2728 printf("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2729 crypto_blkdev, errno, strerror(errno));
2730 close(realfd);
2731 return ENABLE_INPLACE_ERR_DEV;
2732 }
2733
2734 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2735 * The size passed in is the number of 512 byte sectors in the filesystem.
2736 * So compute the number of whole 4K blocks we should read/write,
2737 * and the remainder.
2738 */
2739 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2740 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2741 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2742 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2743
2744 printf("Encrypting filesystem in place...");
2745
2746 i = previously_encrypted_upto + 1 - *size_already_done;
2747
2748 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2749 printf("Cannot seek to previously encrypted point on %s", real_blkdev);
2750 goto errout;
2751 }
2752
2753 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2754 printf("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2755 goto errout;
2756 }
2757
2758 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2759 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2760 printf("Error reading initial sectors from real_blkdev %s for "
2761 "inplace encrypt\n", crypto_blkdev);
2762 goto errout;
2763 }
2764 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2765 printf("Error writing initial sectors to crypto_blkdev %s for "
2766 "inplace encrypt\n", crypto_blkdev);
2767 goto errout;
2768 } else {
2769 printf("Encrypted 1 block at %" PRId64, i);
2770 }
2771 }
2772
2773 one_pct = tot_numblocks / 100;
2774 cur_pct = 0;
2775 /* process the majority of the filesystem in blocks */
2776 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2777 new_pct = (i + blocks_already_done) / one_pct;
2778 if (new_pct > cur_pct) {
2779 char buf[8];
2780
2781 cur_pct = new_pct;
2782 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2783 property_set("vold.encrypt_progress", buf);
2784 }
2785 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2786 printf("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2787 goto errout;
2788 }
2789 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2790 printf("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2791 goto errout;
2792 } else {
2793 printf("Encrypted %d block at %" PRId64,
2794 CRYPT_SECTORS_PER_BUFSIZE,
2795 i * CRYPT_SECTORS_PER_BUFSIZE);
2796 }
2797
2798 if (1) {
2799 printf("Stopping encryption due to low battery");
2800 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2801 rc = 0;
2802 goto errout;
2803 }
2804 }
2805
2806 /* Do any remaining sectors */
2807 for (i=0; i<remainder; i++) {
2808 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2809 printf("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2810 goto errout;
2811 }
2812 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2813 printf("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2814 goto errout;
2815 } else {
2816 printf("Encrypted 1 block at next location");
2817 }
2818 }
2819
2820 *size_already_done += size;
2821 rc = 0;
2822
2823errout:
2824 close(realfd);
2825 close(cryptofd);
2826
2827 return rc;
2828}
2829
2830/* returns on of the ENABLE_INPLACE_* return codes */
2831static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2832 off64_t size, off64_t *size_already_done,
2833 off64_t tot_size,
2834 off64_t previously_encrypted_upto)
2835{
2836 int rc_ext4, rc_f2fs, rc_full;
2837 if (previously_encrypted_upto) {
2838 printf("Continuing encryption from %" PRId64, previously_encrypted_upto);
2839 }
2840
2841 if (*size_already_done + size < previously_encrypted_upto) {
2842 *size_already_done += size;
2843 return 0;
2844 }
2845
2846 /* TODO: identify filesystem type.
2847 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2848 * then we will drop down to cryptfs_enable_inplace_f2fs.
2849 * */
2850 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2851 size, size_already_done,
2852 tot_size, previously_encrypted_upto)) == 0) {
2853 return 0;
2854 }
2855 printf("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2856
2857 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2858 size, size_already_done,
2859 tot_size, previously_encrypted_upto)) == 0) {
2860 return 0;
2861 }
2862 printf("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2863
2864 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2865 size, size_already_done, tot_size,
2866 previously_encrypted_upto);
2867 printf("cryptfs_enable_inplace_full()=%d\n", rc_full);
2868
2869 /* Hack for b/17898962, the following is the symptom... */
2870 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2871 && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2872 && rc_full == ENABLE_INPLACE_ERR_DEV) {
2873 return ENABLE_INPLACE_ERR_DEV;
2874 }
2875 return rc_full;
2876}
2877
2878#define CRYPTO_ENABLE_WIPE 1
2879#define CRYPTO_ENABLE_INPLACE 2
2880
2881#define FRAMEWORK_BOOT_WAIT 60
2882
2883static inline int should_encrypt(struct volume_info *volume)
2884{
2885 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) ==
2886 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE);
2887}
2888
2889static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2890{
2891 int fd = open(filename, O_RDONLY);
2892 if (fd == -1) {
2893 printf("Error opening file %s", filename);
2894 return -1;
2895 }
2896
2897 char block[CRYPT_INPLACE_BUFSIZE];
2898 memset(block, 0, sizeof(block));
2899 if (unix_read(fd, block, sizeof(block)) < 0) {
2900 printf("Error reading file %s", filename);
2901 close(fd);
2902 return -1;
2903 }
2904
2905 close(fd);
2906
2907 SHA256_CTX c;
2908 SHA256_Init(&c);
2909 SHA256_Update(&c, block, sizeof(block));
2910 SHA256_Final(buf, &c);
2911
2912 return 0;
2913}
2914
2915static int get_fs_type(struct fstab_rec *rec)
2916{
2917 if (!strcmp(rec->fs_type, "ext4")) {
2918 return EXT4_FS;
2919 } else if (!strcmp(rec->fs_type, "f2fs")) {
2920 return F2FS_FS;
2921 } else {
2922 return -1;
2923 }
2924}
2925
2926static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2927 char *crypto_blkdev, char *real_blkdev,
2928 int previously_encrypted_upto)
2929{
2930 off64_t cur_encryption_done=0, tot_encryption_size=0;
2931 int i, rc = -1;
2932
2933 if (1) {
2934 printf("Not starting encryption due to low battery");
2935 return 0;
2936 }
2937
2938 /* The size of the userdata partition, and add in the vold volumes below */
2939 tot_encryption_size = crypt_ftr->fs_size;
2940
2941 if (how == CRYPTO_ENABLE_WIPE) {
2942 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2943 int fs_type = get_fs_type(rec);
2944 if (fs_type < 0) {
2945 printf("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2946 return -1;
2947 }
2948 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2949 } else if (how == CRYPTO_ENABLE_INPLACE) {
2950 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2951 crypt_ftr->fs_size, &cur_encryption_done,
2952 tot_encryption_size,
2953 previously_encrypted_upto);
2954
2955 if (rc == ENABLE_INPLACE_ERR_DEV) {
2956 /* Hack for b/17898962 */
2957 printf("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2958 cryptfs_reboot(reboot);
2959 }
2960
2961 if (!rc) {
2962 crypt_ftr->encrypted_upto = cur_encryption_done;
2963 }
2964
2965 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2966 /* The inplace routine never actually sets the progress to 100% due
2967 * to the round down nature of integer division, so set it here */
2968 property_set("vold.encrypt_progress", "100");
2969 }
2970 } else {
2971 /* Shouldn't happen */
2972 printf("cryptfs_enable: internal error, unknown option\n");
2973 rc = -1;
2974 }
2975
2976 return rc;
2977}
2978
2979int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2980 int allow_reboot)
2981{
2982 int how = 0;
2983 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2984 unsigned long nr_sec;
2985 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2986 int rc=-1, fd, i, ret;
2987 struct crypt_mnt_ftr crypt_ftr;
2988 struct crypt_persist_data *pdata;
2989 char encrypted_state[PROPERTY_VALUE_MAX];
2990 char lockid[32] = { 0 };
2991 char key_loc[PROPERTY_VALUE_MAX];
2992 char fuse_sdcard[PROPERTY_VALUE_MAX];
2993 char *sd_mnt_point;
2994 int num_vols;
2995 struct volume_info *vol_list = 0;
2996 off64_t previously_encrypted_upto = 0;
2997printf("cryptfs_enable_internal disabled by TWRP\n");
2998return -1;
2999 if (!strcmp(howarg, "wipe")) {
3000 how = CRYPTO_ENABLE_WIPE;
3001 } else if (! strcmp(howarg, "inplace")) {
3002 how = CRYPTO_ENABLE_INPLACE;
3003 } else {
3004 /* Shouldn't happen, as CommandListener vets the args */
3005 goto error_unencrypted;
3006 }
3007
3008 /* See if an encryption was underway and interrupted */
3009 if (how == CRYPTO_ENABLE_INPLACE
3010 && get_crypt_ftr_and_key(&crypt_ftr) == 0
3011 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) {
3012 previously_encrypted_upto = crypt_ftr.encrypted_upto;
3013 crypt_ftr.encrypted_upto = 0;
3014 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
3015
3016 /* At this point, we are in an inconsistent state. Until we successfully
3017 complete encryption, a reboot will leave us broken. So mark the
3018 encryption failed in case that happens.
3019 On successfully completing encryption, remove this flag */
3020 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3021
3022 put_crypt_ftr_and_key(&crypt_ftr);
3023 }
3024
3025 property_get("ro.crypto.state", encrypted_state, "");
3026 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
3027 printf("Device is already running encrypted, aborting");
3028 goto error_unencrypted;
3029 }
3030
3031 // TODO refactor fs_mgr_get_crypt_info to get both in one call
3032 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
3033 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
3034
3035 /* Get the size of the real block device */
3036 fd = open(real_blkdev, O_RDONLY);
3037 if ( (nr_sec = get_blkdev_size(fd)) == 0) {
3038 printf("Cannot get size of block device %s\n", real_blkdev);
3039 goto error_unencrypted;
3040 }
3041 close(fd);
3042
3043 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
3044 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
3045 unsigned int fs_size_sec, max_fs_size_sec;
3046 fs_size_sec = get_fs_size(real_blkdev);
3047 if (fs_size_sec == 0)
3048 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
3049
3050 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3051
3052 if (fs_size_sec > max_fs_size_sec) {
3053 printf("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
3054 goto error_unencrypted;
3055 }
3056 }
3057
3058 /* Get a wakelock as this may take a while, and we don't want the
3059 * device to sleep on us. We'll grab a partial wakelock, and if the UI
3060 * wants to keep the screen on, it can grab a full wakelock.
3061 */
3062 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
3063 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
3064
3065 /* Get the sdcard mount point */
3066 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE");
3067 if (!sd_mnt_point) {
3068 sd_mnt_point = getenv("EXTERNAL_STORAGE");
3069 }
3070 if (!sd_mnt_point) {
3071 sd_mnt_point = "/mnt/sdcard";
3072 }
3073
3074 /* TODO
3075 * Currently do not have test devices with multiple encryptable volumes.
3076 * When we acquire some, re-add support.
3077 */
3078 num_vols=0/*vold_getNumDirectVolumes()*/;
3079 vol_list = malloc(sizeof(struct volume_info) * num_vols);
3080 //vold_getDirectVolumeList(vol_list);
3081
3082 for (i=0; i<num_vols; i++) {
3083 if (should_encrypt(&vol_list[i])) {
3084 printf("Cannot encrypt if there are multiple encryptable volumes"
3085 "%s\n", vol_list[i].label);
3086 goto error_unencrypted;
3087 }
3088 }
3089
3090 /* The init files are setup to stop the class main and late start when
3091 * vold sets trigger_shutdown_framework.
3092 */
3093 property_set("vold.decrypt", "trigger_shutdown_framework");
3094 printf("Just asked init to shut down class main\n");
3095
3096 if (1 /*vold_unmountAllAsecs()*/) {
3097 /* Just report the error. If any are left mounted,
3098 * umounting /data below will fail and handle the error.
3099 */
3100 printf("Error unmounting internal asecs");
3101 }
3102
3103 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, "");
3104 if (!strcmp(fuse_sdcard, "true")) {
3105 /* This is a device using the fuse layer to emulate the sdcard semantics
3106 * on top of the userdata partition. vold does not manage it, it is managed
3107 * by the sdcard service. The sdcard service was killed by the property trigger
3108 * above, so just unmount it now. We must do this _AFTER_ killing the framework,
3109 * unlike the case for vold managed devices above.
3110 */
3111 if (wait_and_unmount(sd_mnt_point, false)) {
3112 goto error_shutting_down;
3113 }
3114 }
3115
3116 /* Now unmount the /data partition. */
3117 if (wait_and_unmount(DATA_MNT_POINT, false)) {
3118 if (allow_reboot) {
3119 goto error_shutting_down;
3120 } else {
3121 goto error_unencrypted;
3122 }
3123 }
3124
3125 /* Do extra work for a better UX when doing the long inplace encryption */
3126 if (how == CRYPTO_ENABLE_INPLACE) {
3127 /* Now that /data is unmounted, we need to mount a tmpfs
3128 * /data, set a property saying we're doing inplace encryption,
3129 * and restart the framework.
3130 */
3131 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3132 goto error_shutting_down;
3133 }
3134 /* Tells the framework that inplace encryption is starting */
3135 property_set("vold.encrypt_progress", "0");
3136
3137 /* restart the framework. */
3138 /* Create necessary paths on /data */
3139 if (prep_data_fs()) {
3140 goto error_shutting_down;
3141 }
3142
3143 /* Ugh, shutting down the framework is not synchronous, so until it
3144 * can be fixed, this horrible hack will wait a moment for it all to
3145 * shut down before proceeding. Without it, some devices cannot
3146 * restart the graphics services.
3147 */
3148 sleep(2);
3149
3150 /* startup service classes main and late_start */
3151 property_set("vold.decrypt", "trigger_restart_min_framework");
3152 printf("Just triggered restart_min_framework\n");
3153
3154 /* OK, the framework is restarted and will soon be showing a
3155 * progress bar. Time to setup an encrypted mapping, and
3156 * either write a new filesystem, or encrypt in place updating
3157 * the progress bar as we work.
3158 */
3159 }
3160
3161 /* Start the actual work of making an encrypted filesystem */
3162 /* Initialize a crypt_mnt_ftr for the partition */
3163 if (previously_encrypted_upto == 0) {
3164 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
3165 goto error_shutting_down;
3166 }
3167
3168 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
3169 crypt_ftr.fs_size = nr_sec
3170 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3171 } else {
3172 crypt_ftr.fs_size = nr_sec;
3173 }
3174 /* At this point, we are in an inconsistent state. Until we successfully
3175 complete encryption, a reboot will leave us broken. So mark the
3176 encryption failed in case that happens.
3177 On successfully completing encryption, remove this flag */
3178 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3179 crypt_ftr.crypt_type = crypt_type;
3180 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
3181
3182 /* Make an encrypted master key */
3183 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
3184 printf("Cannot create encrypted master key\n");
3185 goto error_shutting_down;
3186 }
3187
3188 /* Write the key to the end of the partition */
3189 put_crypt_ftr_and_key(&crypt_ftr);
3190
3191 /* If any persistent data has been remembered, save it.
3192 * If none, create a valid empty table and save that.
3193 */
3194 if (!persist_data) {
3195 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
3196 if (pdata) {
3197 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
3198 persist_data = pdata;
3199 }
3200 }
3201 if (persist_data) {
3202 save_persistent_data();
3203 }
3204 }
3205
3206 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3207 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
3208 "userdata");
3209
3210 /* If we are continuing, check checksums match */
3211 rc = 0;
3212 if (previously_encrypted_upto) {
3213 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
3214 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
3215
3216 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
3217 sizeof(hash_first_block)) != 0) {
3218 printf("Checksums do not match - trigger wipe");
3219 rc = -1;
3220 }
3221 }
3222
3223 if (!rc) {
3224 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
3225 crypto_blkdev, real_blkdev,
3226 previously_encrypted_upto);
3227 }
3228
3229 /* Calculate checksum if we are not finished */
3230 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3231 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
3232 crypt_ftr.hash_first_block);
3233 if (rc) {
3234 printf("Error calculating checksum for continuing encryption");
3235 rc = -1;
3236 }
3237 }
3238
3239 /* Undo the dm-crypt mapping whether we succeed or not */
3240 delete_crypto_blk_dev("userdata");
3241
3242 free(vol_list);
3243
3244 if (! rc) {
3245 /* Success */
3246 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3247
3248 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3249 printf("Encrypted up to sector %lld - will continue after reboot",
3250 crypt_ftr.encrypted_upto);
3251 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3252 }
3253
3254 put_crypt_ftr_and_key(&crypt_ftr);
3255
3256 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3257 char value[PROPERTY_VALUE_MAX];
3258 property_get("ro.crypto.state", value, "");
3259 if (!strcmp(value, "")) {
3260 /* default encryption - continue first boot sequence */
3261 property_set("ro.crypto.state", "encrypted");
3262 release_wake_lock(lockid);
3263 cryptfs_check_passwd(DEFAULT_PASSWORD);
3264 cryptfs_restart_internal(1);
3265 return 0;
3266 } else {
3267 sleep(2); /* Give the UI a chance to show 100% progress */
3268 cryptfs_reboot(reboot);
3269 }
3270 } else {
3271 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3272 cryptfs_reboot(shutdown);
3273 }
3274 } else {
3275 char value[PROPERTY_VALUE_MAX];
3276
3277 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3278 if (!strcmp(value, "1")) {
3279 /* wipe data if encryption failed */
3280 printf("encryption failed - rebooting into recovery to wipe data\n");
3281 mkdir("/cache/recovery", 0700);
3282 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600);
3283 if (fd >= 0) {
3284 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1);
3285 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1);
3286 close(fd);
3287 } else {
3288 printf("could not open /cache/recovery/command\n");
3289 }
3290 cryptfs_reboot(recovery);
3291 } else {
3292 /* set property to trigger dialog */
3293 property_set("vold.encrypt_progress", "error_partially_encrypted");
3294 release_wake_lock(lockid);
3295 }
3296 return -1;
3297 }
3298
3299 /* hrm, the encrypt step claims success, but the reboot failed.
3300 * This should not happen.
3301 * Set the property and return. Hope the framework can deal with it.
3302 */
3303 property_set("vold.encrypt_progress", "error_reboot_failed");
3304 release_wake_lock(lockid);
3305 return rc;
3306
3307error_unencrypted:
3308 free(vol_list);
3309 property_set("vold.encrypt_progress", "error_not_encrypted");
3310 if (lockid[0]) {
3311 release_wake_lock(lockid);
3312 }
3313 return -1;
3314
3315error_shutting_down:
3316 /* we failed, and have not encrypted anthing, so the users's data is still intact,
3317 * but the framework is stopped and not restarted to show the error, so it's up to
3318 * vold to restart the system.
3319 */
3320 printf("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3321 cryptfs_reboot(reboot);
3322
3323 /* shouldn't get here */
3324 property_set("vold.encrypt_progress", "error_shutting_down");
3325 free(vol_list);
3326 if (lockid[0]) {
3327 release_wake_lock(lockid);
3328 }
3329 return -1;
3330}
3331
3332int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot)
3333{
3334 char* adjusted_passwd = adjust_passwd(passwd);
3335 if (adjusted_passwd) {
3336 passwd = adjusted_passwd;
3337 }
3338
3339 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot);
3340
3341 free(adjusted_passwd);
3342 return rc;
3343}
3344
3345int cryptfs_enable_default(char *howarg, int allow_reboot)
3346{
3347 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3348 DEFAULT_PASSWORD, allow_reboot);
3349}
3350
3351int cryptfs_changepw(int crypt_type, const char *newpw)
3352{
3353 struct crypt_mnt_ftr crypt_ftr;
3354 unsigned char decrypted_master_key[KEY_LEN_BYTES];
3355
3356 /* This is only allowed after we've successfully decrypted the master key */
3357 if (!master_key_saved) {
3358 printf("Key not saved, aborting");
3359 return -1;
3360 }
3361
3362 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3363 printf("Invalid crypt_type %d", crypt_type);
3364 return -1;
3365 }
3366
3367 /* get key */
3368 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3369 printf("Error getting crypt footer and key");
3370 return -1;
3371 }
3372
3373 crypt_ftr.crypt_type = crypt_type;
3374
3375 char* adjusted_passwd = adjust_passwd(newpw);
3376 if (adjusted_passwd) {
3377 newpw = adjusted_passwd;
3378 }
3379
3380 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3381 : newpw,
3382 crypt_ftr.salt,
3383 saved_master_key,
3384 crypt_ftr.master_key,
3385 &crypt_ftr);
3386
3387 /* save the key */
3388 put_crypt_ftr_and_key(&crypt_ftr);
3389
3390 free(adjusted_passwd);
3391 return 0;
3392}
3393
3394static int persist_get_key(char *fieldname, char *value)
3395{
3396 unsigned int i;
3397
3398 if (persist_data == NULL) {
3399 return -1;
3400 }
3401 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3402 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3403 /* We found it! */
3404 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3405 return 0;
3406 }
3407 }
3408
3409 return -1;
3410}
3411
3412static int persist_set_key(char *fieldname, char *value, int encrypted)
3413{
3414 unsigned int i;
3415 unsigned int num;
3416 struct crypt_mnt_ftr crypt_ftr;
3417 unsigned int max_persistent_entries;
3418 unsigned int dsize;
3419
3420 if (persist_data == NULL) {
3421 return -1;
3422 }
3423
3424 /* If encrypted, use the values from the crypt_ftr, otherwise
3425 * use the values for the current spec.
3426 */
3427 if (encrypted) {
3428 if(get_crypt_ftr_and_key(&crypt_ftr)) {
3429 return -1;
3430 }
3431 dsize = crypt_ftr.persist_data_size;
3432 } else {
3433 dsize = CRYPT_PERSIST_DATA_SIZE;
3434 }
3435 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3436 sizeof(struct crypt_persist_entry);
3437
3438 num = persist_data->persist_valid_entries;
3439
3440 for (i = 0; i < num; i++) {
3441 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3442 /* We found an existing entry, update it! */
3443 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3444 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3445 return 0;
3446 }
3447 }
3448
3449 /* We didn't find it, add it to the end, if there is room */
3450 if (persist_data->persist_valid_entries < max_persistent_entries) {
3451 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3452 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3453 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3454 persist_data->persist_valid_entries++;
3455 return 0;
3456 }
3457
3458 return -1;
3459}
3460
3461/* Return the value of the specified field. */
3462int cryptfs_getfield(char *fieldname, char *value, int len)
3463{
3464 char temp_value[PROPERTY_VALUE_MAX];
3465 char real_blkdev[MAXPATHLEN];
3466 /* 0 is success, 1 is not encrypted,
3467 * -1 is value not set, -2 is any other error
3468 */
3469 int rc = -2;
3470
3471 if (persist_data == NULL) {
3472 load_persistent_data();
3473 if (persist_data == NULL) {
3474 printf("Getfield error, cannot load persistent data");
3475 goto out;
3476 }
3477 }
3478
3479 if (!persist_get_key(fieldname, temp_value)) {
3480 /* We found it, copy it to the caller's buffer and return */
3481 strlcpy(value, temp_value, len);
3482 rc = 0;
3483 } else {
3484 /* Sadness, it's not there. Return the error */
3485 rc = -1;
3486 }
3487
3488out:
3489 return rc;
3490}
3491
3492/* Set the value of the specified field. */
3493int cryptfs_setfield(char *fieldname, char *value)
3494{
3495 struct crypt_persist_data stored_pdata;
3496 struct crypt_persist_data *pdata_p;
3497 struct crypt_mnt_ftr crypt_ftr;
3498 char encrypted_state[PROPERTY_VALUE_MAX];
3499 /* 0 is success, -1 is an error */
3500 int rc = -1;
3501 int encrypted = 0;
3502
3503 if (persist_data == NULL) {
3504 load_persistent_data();
3505 if (persist_data == NULL) {
3506 printf("Setfield error, cannot load persistent data");
3507 goto out;
3508 }
3509 }
3510
3511 property_get("ro.crypto.state", encrypted_state, "");
3512 if (!strcmp(encrypted_state, "encrypted") ) {
3513 encrypted = 1;
3514 }
3515
3516 if (persist_set_key(fieldname, value, encrypted)) {
3517 goto out;
3518 }
3519
3520 /* If we are running encrypted, save the persistent data now */
3521 if (encrypted) {
3522 if (save_persistent_data()) {
3523 printf("Setfield error, cannot save persistent data");
3524 goto out;
3525 }
3526 }
3527
3528 rc = 0;
3529
3530out:
3531 return rc;
3532}
3533
3534/* Checks userdata. Attempt to mount the volume if default-
3535 * encrypted.
3536 * On success trigger next init phase and return 0.
3537 * Currently do not handle failure - see TODO below.
3538 */
3539int cryptfs_mount_default_encrypted(void)
3540{
3541 char decrypt_state[PROPERTY_VALUE_MAX];
3542 property_get("vold.decrypt", decrypt_state, "0");
3543 if (!strcmp(decrypt_state, "0")) {
3544 printf("Not encrypted - should not call here");
3545 } else {
3546 int crypt_type = cryptfs_get_password_type();
3547 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3548 printf("Bad crypt type - error");
3549 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3550 printf("Password is not default - "
3551 "starting min framework to prompt");
3552 property_set("vold.decrypt", "trigger_restart_min_framework");
3553 return 0;
3554 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3555 printf("Password is default - restarting filesystem");
3556 cryptfs_restart_internal(0);
3557 return 0;
3558 } else {
3559 printf("Encrypted, default crypt type but can't decrypt");
3560 }
3561 }
3562
3563 /** Corrupt. Allow us to boot into framework, which will detect bad
3564 crypto when it calls do_crypto_complete, then do a factory reset
3565 */
3566 property_set("vold.decrypt", "trigger_restart_min_framework");
3567 return 0;
3568}
3569
3570/* Returns type of the password, default, pattern, pin or password.
3571 */
3572int cryptfs_get_password_type(void)
3573{
3574 struct crypt_mnt_ftr crypt_ftr;
3575 char fstab_filename[PROPERTY_VALUE_MAX + sizeof(FSTAB_PREFIX)];
3576 char propbuf[PROPERTY_VALUE_MAX];
3577
3578 property_get("ro.hardware", propbuf, "");
3579 snprintf(fstab_filename, sizeof(fstab_filename), FSTAB_PREFIX"%s", propbuf);
3580
3581 fstab = fs_mgr_read_fstab(fstab_filename);
3582 if (!fstab) {
3583 printf("failed to open %s\n", fstab_filename);
3584 return -1;
3585 }
3586
3587 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3588 printf("Error getting crypt footer and key\n");
3589 return -1;
3590 }
3591
3592 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3593 return -1;
3594 }
3595
3596 return crypt_ftr.crypt_type;
3597}
3598
3599char* cryptfs_get_password()
3600{
3601 struct timespec now;
3602 clock_gettime(CLOCK_MONOTONIC, &now);
3603 if (now.tv_sec < password_expiry_time) {
3604 return password;
3605 } else {
3606 cryptfs_clear_password();
3607 return 0;
3608 }
3609}
3610
3611void cryptfs_clear_password()
3612{
3613 if (password) {
3614 size_t len = strlen(password);
3615 memset(password, 0, len);
3616 free(password);
3617 password = 0;
3618 password_expiry_time = 0;
3619 }
3620}