blob: 90f1523d3b4dddd3c97649f641adb497d4daa7f8 [file] [log] [blame]
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001/*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23#include <sys/types.h>
24#include <sys/wait.h>
25#include <sys/stat.h>
26#include <ctype.h>
27#include <fcntl.h>
28#include <inttypes.h>
29#include <unistd.h>
30#include <stdio.h>
31#include <sys/ioctl.h>
32#include <linux/dm-ioctl.h>
33#include <libgen.h>
34#include <stdlib.h>
35#include <sys/param.h>
36#include <string.h>
37#include <sys/mount.h>
38#include <openssl/evp.h>
39#include <errno.h>
Ethan Yonker4eca40d2014-11-11 14:52:28 -060040#include <linux/kdev_t.h>
Ethan Yonker4eca40d2014-11-11 14:52:28 -060041#include <time.h>
42#include "cryptfs.h"
Ethan Yonker4eca40d2014-11-11 14:52:28 -060043#include "cutils/properties.h"
Ethan Yonker4eca40d2014-11-11 14:52:28 -060044#include "crypto_scrypt.h"
Ethan Yonker4eca40d2014-11-11 14:52:28 -060045#include <hardware/keymaster.h>
46
Ethan Yonker253368a2014-11-25 15:00:52 -060047#ifndef min /* already defined by windows.h */
48#define min(a, b) ((a) < (b) ? (a) : (b))
49#endif
50
Ethan Yonker4eca40d2014-11-11 14:52:28 -060051#define UNUSED __attribute__((unused))
52
53#define UNUSED __attribute__((unused))
54
55#define DM_CRYPT_BUF_SIZE 4096
56
57#define HASH_COUNT 2000
58#define KEY_LEN_BYTES 16
59#define IV_LEN_BYTES 16
60
61#define KEY_IN_FOOTER "footer"
62
63// "default_password" encoded into hex (d=0x64 etc)
64#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264"
65
66#define EXT4_FS 1
67#define F2FS_FS 2
68
69#define TABLE_LOAD_RETRIES 10
70
71#define RSA_KEY_SIZE 2048
72#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
73#define RSA_EXPONENT 0x10001
74
75#define RETRY_MOUNT_ATTEMPTS 10
76#define RETRY_MOUNT_DELAY_SECONDS 1
77
78char *me = "cryptfs";
79
80static unsigned char saved_master_key[KEY_LEN_BYTES];
81static char *saved_mount_point;
82static int master_key_saved = 0;
83static struct crypt_persist_data *persist_data = NULL;
Ethan Yonker253368a2014-11-25 15:00:52 -060084static char key_fname[PROPERTY_VALUE_MAX] = "";
85static char real_blkdev[PROPERTY_VALUE_MAX] = "";
86static char file_system[PROPERTY_VALUE_MAX] = "";
87
88void set_partition_data(const char* block_device, const char* key_location, const char* fs)
89{
90 strcpy(key_fname, key_location);
91 strcpy(real_blkdev, block_device);
92 strcpy(file_system, fs);
93}
Ethan Yonker4eca40d2014-11-11 14:52:28 -060094
95static int keymaster_init(keymaster_device_t **keymaster_dev)
96{
97 int rc;
98
99 const hw_module_t* mod;
100 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
101 if (rc) {
102 printf("could not find any keystore module\n");
103 goto out;
104 }
105
106 rc = keymaster_open(mod, keymaster_dev);
107 if (rc) {
108 printf("could not open keymaster device in %s (%s)\n",
109 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
110 goto out;
111 }
112
113 return 0;
114
115out:
116 *keymaster_dev = NULL;
117 return rc;
118}
119
120/* Should we use keymaster? */
121static int keymaster_check_compatibility()
122{
123 keymaster_device_t *keymaster_dev = 0;
124 int rc = 0;
125
126 if (keymaster_init(&keymaster_dev)) {
127 printf("Failed to init keymaster\n");
128 rc = -1;
129 goto out;
130 }
131
132 printf("keymaster version is %d\n", keymaster_dev->common.module->module_api_version);
133
134 if (keymaster_dev->common.module->module_api_version
135 < KEYMASTER_MODULE_API_VERSION_0_3) {
136 rc = 0;
137 goto out;
138 }
139
140 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) {
141 rc = 1;
142 }
143
144out:
145 keymaster_close(keymaster_dev);
146 return rc;
147}
148
149/* Create a new keymaster key and store it in this footer */
150static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
151{
152 uint8_t* key = 0;
153 keymaster_device_t *keymaster_dev = 0;
154
155 if (keymaster_init(&keymaster_dev)) {
156 printf("Failed to init keymaster\n");
157 return -1;
158 }
159
160 int rc = 0;
161
162 keymaster_rsa_keygen_params_t params;
163 memset(&params, '\0', sizeof(params));
164 params.public_exponent = RSA_EXPONENT;
165 params.modulus_size = RSA_KEY_SIZE;
166
167 size_t key_size;
168 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, &params,
169 &key, &key_size)) {
170 printf("Failed to generate keypair\n");
171 rc = -1;
172 goto out;
173 }
174
175 if (key_size > KEYMASTER_BLOB_SIZE) {
176 printf("Keymaster key too large for crypto footer\n");
177 rc = -1;
178 goto out;
179 }
180
181 memcpy(ftr->keymaster_blob, key, key_size);
182 ftr->keymaster_blob_size = key_size;
183
184out:
185 keymaster_close(keymaster_dev);
186 free(key);
187 return rc;
188}
189
190/* This signs the given object using the keymaster key. */
191static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
192 const unsigned char *object,
193 const size_t object_size,
194 unsigned char **signature,
195 size_t *signature_size)
196{
197 int rc = 0;
198 keymaster_device_t *keymaster_dev = 0;
199 if (keymaster_init(&keymaster_dev)) {
200 printf("Failed to init keymaster\n");
201 return -1;
202 }
203
204 /* We currently set the digest type to DIGEST_NONE because it's the
205 * only supported value for keymaster. A similar issue exists with
206 * PADDING_NONE. Long term both of these should likely change.
207 */
208 keymaster_rsa_sign_params_t params;
209 params.digest_type = DIGEST_NONE;
210 params.padding_type = PADDING_NONE;
211
212 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
213 size_t to_sign_size = sizeof(to_sign);
214 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
215
216 // To sign a message with RSA, the message must satisfy two
217 // constraints:
218 //
219 // 1. The message, when interpreted as a big-endian numeric value, must
220 // be strictly less than the public modulus of the RSA key. Note
221 // that because the most significant bit of the public modulus is
222 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
223 // key), an n-bit message with most significant bit 0 always
224 // satisfies this requirement.
225 //
226 // 2. The message must have the same length in bits as the public
227 // modulus of the RSA key. This requirement isn't mathematically
228 // necessary, but is necessary to ensure consistency in
229 // implementations.
230 switch (ftr->kdf_type) {
231 case KDF_SCRYPT_KEYMASTER_UNPADDED:
232 // This is broken: It produces a message which is shorter than
233 // the public modulus, failing criterion 2.
234 memcpy(to_sign, object, object_size);
235 to_sign_size = object_size;
236 printf("Signing unpadded object\n");
237 break;
238 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
239 // This is broken: Since the value of object is uniformly
240 // distributed, it produces a message that is larger than the
241 // public modulus with probability 0.25.
242 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size));
243 printf("Signing end-padded object\n");
244 break;
245 case KDF_SCRYPT_KEYMASTER:
246 // This ensures the most significant byte of the signed message
247 // is zero. We could have zero-padded to the left instead, but
248 // this approach is slightly more robust against changes in
249 // object size. However, it's still broken (but not unusably
250 // so) because we really should be using a proper RSA padding
251 // function, such as OAEP.
252 //
253 // TODO(paullawrence): When keymaster 0.4 is available, change
254 // this to use the padding options it provides.
255 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
256 printf("Signing safely-padded object\n");
257 break;
258 default:
259 printf("Unknown KDF type %d\n", ftr->kdf_type);
260 return -1;
261 }
262
263 rc = keymaster_dev->sign_data(keymaster_dev,
264 &params,
265 ftr->keymaster_blob,
266 ftr->keymaster_blob_size,
267 to_sign,
268 to_sign_size,
269 signature,
270 signature_size);
271
272 keymaster_close(keymaster_dev);
273 return rc;
274}
275
276/* Store password when userdata is successfully decrypted and mounted.
277 * Cleared by cryptfs_clear_password
278 *
279 * To avoid a double prompt at boot, we need to store the CryptKeeper
280 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
281 * Since the entire framework is torn down and rebuilt after encryption,
282 * we have to use a daemon or similar to store the password. Since vold
283 * is secured against IPC except from system processes, it seems a reasonable
284 * place to store this.
285 *
286 * password should be cleared once it has been used.
287 *
288 * password is aged out after password_max_age_seconds seconds.
289 */
290static char* password = 0;
291static int password_expiry_time = 0;
292static const int password_max_age_seconds = 60;
293
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600294static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
295{
296 memset(io, 0, dataSize);
297 io->data_size = dataSize;
298 io->data_start = sizeof(struct dm_ioctl);
299 io->version[0] = 4;
300 io->version[1] = 0;
301 io->version[2] = 0;
302 io->flags = flags;
303 if (name) {
304 strncpy(io->name, name, sizeof(io->name));
305 }
306}
307
308/**
309 * Gets the default device scrypt parameters for key derivation time tuning.
310 * The parameters should lead to about one second derivation time for the
311 * given device.
312 */
313static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
314 const int default_params[] = SCRYPT_DEFAULTS;
315 int params[] = SCRYPT_DEFAULTS;
316 char paramstr[PROPERTY_VALUE_MAX];
317 char *token;
318 char *saveptr;
319 int i;
320
321 property_get(SCRYPT_PROP, paramstr, "");
322 if (paramstr[0] != '\0') {
323 /*
324 * The token we're looking for should be three integers separated by
325 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
326 */
327 for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
328 token != NULL && i < 3;
329 i++, token = strtok_r(NULL, ":", &saveptr)) {
330 char *endptr;
331 params[i] = strtol(token, &endptr, 10);
332
333 /*
334 * Check that there was a valid number and it's 8-bit. If not,
335 * break out and the end check will take the default values.
336 */
337 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
338 break;
339 }
340 }
341
342 /*
343 * If there were not enough tokens or a token was malformed (not an
344 * integer), it will end up here and the default parameters can be
345 * taken.
346 */
347 if ((i != 3) || (token != NULL)) {
348 printf("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
349 memcpy(params, default_params, sizeof(params));
350 }
351 }
352
353 ftr->N_factor = params[0];
354 ftr->r_factor = params[1];
355 ftr->p_factor = params[2];
356}
357
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600358static unsigned int get_blkdev_size(int fd)
359{
360 unsigned int nr_sec;
361
362 if ( (ioctl(fd, BLKGETSIZE, &nr_sec)) == -1) {
363 nr_sec = 0;
364 }
365
366 return nr_sec;
367}
368
369static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
370{
371 static int cached_data = 0;
372 static off64_t cached_off = 0;
373 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
374 int fd;
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600375 unsigned int nr_sec;
376 int rc = -1;
377
378 if (!cached_data) {
Ethan Yonker253368a2014-11-25 15:00:52 -0600379 printf("get_crypt_ftr_info crypto key location: '%s'\n", key_fname);
380 if (!strcmp(key_fname, KEY_IN_FOOTER)) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600381 if ( (fd = open(real_blkdev, O_RDWR)) < 0) {
382 printf("Cannot open real block device %s\n", real_blkdev);
383 return -1;
384 }
385
386 if ((nr_sec = get_blkdev_size(fd))) {
387 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
388 * encryption info footer and key, and plenty of bytes to spare for future
389 * growth.
390 */
391 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
392 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
393 cached_data = 1;
394 } else {
395 printf("Cannot get size of block device %s\n", real_blkdev);
396 }
397 close(fd);
398 } else {
Ethan Yonker253368a2014-11-25 15:00:52 -0600399 strlcpy(cached_metadata_fname, key_fname, sizeof(cached_metadata_fname));
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600400 cached_off = 0;
401 cached_data = 1;
402 }
403 }
404
405 if (cached_data) {
406 if (metadata_fname) {
407 *metadata_fname = cached_metadata_fname;
408 }
409 if (off) {
410 *off = cached_off;
411 }
412 rc = 0;
413 }
414
415 return rc;
416}
417
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600418static inline int unix_read(int fd, void* buff, int len)
419{
420 return TEMP_FAILURE_RETRY(read(fd, buff, len));
421}
422
423static inline int unix_write(int fd, const void* buff, int len)
424{
425 return TEMP_FAILURE_RETRY(write(fd, buff, len));
426}
427
428static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
429{
430 memset(pdata, 0, len);
431 pdata->persist_magic = PERSIST_DATA_MAGIC;
432 pdata->persist_valid_entries = 0;
433}
434
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600435static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
436{
437 int fd;
438 unsigned int nr_sec, cnt;
439 off64_t starting_off;
440 int rc = -1;
441 char *fname = NULL;
442 struct stat statbuf;
443
444 if (get_crypt_ftr_info(&fname, &starting_off)) {
445 printf("Unable to get crypt_ftr_info\n");
446 return -1;
447 }
448 if (fname[0] != '/') {
449 printf("Unexpected value for crypto key location\n");
450 return -1;
451 }
452 if ( (fd = open(fname, O_RDWR)) < 0) {
453 printf("Cannot open footer file %s for get\n", fname);
454 return -1;
455 }
456
457 /* Make sure it's 16 Kbytes in length */
458 fstat(fd, &statbuf);
459 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
460 printf("footer file %s is not the expected size!\n", fname);
461 goto errout;
462 }
463
464 /* Seek to the start of the crypt footer */
465 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
466 printf("Cannot seek to real block device footer\n");
467 goto errout;
468 }
469
470 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
471 printf("Cannot read real block device footer\n");
472 goto errout;
473 }
474
475 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
476 printf("Bad magic for real block device %s\n", fname);
477 goto errout;
478 }
479
480 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
481 printf("Cannot understand major version %d real block device footer; expected %d\n",
482 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
483 goto errout;
484 }
485
486 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
487 printf("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
488 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
489 }
490
491 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
492 * copy on disk before returning.
493 */
Ethan Yonker253368a2014-11-25 15:00:52 -0600494 /*if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600495 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
Ethan Yonker253368a2014-11-25 15:00:52 -0600496 }*/
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600497
498 /* Success! */
499 rc = 0;
500
501errout:
502 close(fd);
503 return rc;
504}
505
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600506static int hexdigit (char c)
507{
508 if (c >= '0' && c <= '9') return c - '0';
509 c = tolower(c);
510 if (c >= 'a' && c <= 'f') return c - 'a' + 10;
511 return -1;
512}
513
514static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii,
515 unsigned int* out_keysize)
516{
517 unsigned int i;
518 *out_keysize = 0;
519
520 size_t size = strlen (master_key_ascii);
521 if (size % 2) {
522 printf("Trying to convert ascii string of odd length");
523 return NULL;
524 }
525
526 unsigned char* master_key = (unsigned char*) malloc(size / 2);
527 if (master_key == 0) {
528 printf("Cannot allocate");
529 return NULL;
530 }
531
532 for (i = 0; i < size; i += 2) {
533 int high_nibble = hexdigit (master_key_ascii[i]);
534 int low_nibble = hexdigit (master_key_ascii[i + 1]);
535
536 if(high_nibble < 0 || low_nibble < 0) {
537 printf("Invalid hex string");
538 free (master_key);
539 return NULL;
540 }
541
542 master_key[*out_keysize] = high_nibble * 16 + low_nibble;
543 (*out_keysize)++;
544 }
545
546 return master_key;
547}
548
549/* Convert a binary key of specified length into an ascii hex string equivalent,
550 * without the leading 0x and with null termination
551 */
552static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize,
553 char *master_key_ascii)
554{
555 unsigned int i, a;
556 unsigned char nibble;
557
558 for (i=0, a=0; i<keysize; i++, a+=2) {
559 /* For each byte, write out two ascii hex digits */
560 nibble = (master_key[i] >> 4) & 0xf;
561 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
562
563 nibble = master_key[i] & 0xf;
564 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
565 }
566
567 /* Add the null termination */
568 master_key_ascii[a] = '\0';
569
570}
571
572static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
573 char *real_blk_name, const char *name, int fd,
574 char *extra_params)
575{
576 char buffer[DM_CRYPT_BUF_SIZE];
577 struct dm_ioctl *io;
578 struct dm_target_spec *tgt;
579 char *crypt_params;
580 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
581 int i;
582
583 io = (struct dm_ioctl *) buffer;
584
585 /* Load the mapping table for this device */
586 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
587
588 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
589 io->target_count = 1;
590 tgt->status = 0;
591 tgt->sector_start = 0;
592 tgt->length = crypt_ftr->fs_size;
593 strcpy(tgt->target_type, "crypt");
594
595 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
596 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
597 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
598 master_key_ascii, real_blk_name, extra_params);
599 crypt_params += strlen(crypt_params) + 1;
600 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
601 tgt->next = crypt_params - buffer;
602
603 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
604 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
605 break;
606 }
607 usleep(500000);
608 }
609
610 if (i == TABLE_LOAD_RETRIES) {
611 /* We failed to load the table, return an error */
612 return -1;
613 } else {
614 return i + 1;
615 }
616}
617
618
619static int get_dm_crypt_version(int fd, const char *name, int *version)
620{
621 char buffer[DM_CRYPT_BUF_SIZE];
622 struct dm_ioctl *io;
623 struct dm_target_versions *v;
624 int i;
625
626 io = (struct dm_ioctl *) buffer;
627
628 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
629
630 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
631 return -1;
632 }
633
634 /* Iterate over the returned versions, looking for name of "crypt".
635 * When found, get and return the version.
636 */
637 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
638 while (v->next) {
639 if (! strcmp(v->name, "crypt")) {
640 /* We found the crypt driver, return the version, and get out */
641 version[0] = v->version[0];
642 version[1] = v->version[1];
643 version[2] = v->version[2];
644 return 0;
645 }
646 v = (struct dm_target_versions *)(((char *)v) + v->next);
647 }
648
649 return -1;
650}
651
652static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
653 char *real_blk_name, char *crypto_blk_name, const char *name)
654{
655 char buffer[DM_CRYPT_BUF_SIZE];
656 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
657 char *crypt_params;
658 struct dm_ioctl *io;
659 struct dm_target_spec *tgt;
660 unsigned int minor;
661 int fd;
662 int i;
663 int retval = -1;
664 int version[3];
665 char *extra_params;
666 int load_count;
667
668 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
669 printf("Cannot open device-mapper\n");
670 goto errout;
671 }
672
673 io = (struct dm_ioctl *) buffer;
674
675 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
676 if (ioctl(fd, DM_DEV_CREATE, io)) {
677 printf("Cannot create dm-crypt device\n");
678 goto errout;
679 }
680
681 /* Get the device status, in particular, the name of it's device file */
682 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
683 if (ioctl(fd, DM_DEV_STATUS, io)) {
684 printf("Cannot retrieve dm-crypt device status\n");
685 goto errout;
686 }
687 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
688 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
689
690 extra_params = "";
691 if (! get_dm_crypt_version(fd, name, version)) {
692 /* Support for allow_discards was added in version 1.11.0 */
693 if ((version[0] >= 2) ||
694 ((version[0] == 1) && (version[1] >= 11))) {
695 extra_params = "1 allow_discards";
696 printf("Enabling support for allow_discards in dmcrypt.\n");
697 }
698 }
699
700 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
701 fd, extra_params);
702 if (load_count < 0) {
703 printf("Cannot load dm-crypt mapping table.\n");
704 goto errout;
705 } else if (load_count > 1) {
706 printf("Took %d tries to load dmcrypt table.\n", load_count);
707 }
708
709 /* Resume this device to activate it */
710 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
711
712 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
713 printf("Cannot resume the dm-crypt device\n");
714 goto errout;
715 }
716
717 /* We made it here with no errors. Woot! */
718 retval = 0;
719
720errout:
721 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
722
723 return retval;
724}
725
726static int delete_crypto_blk_dev(char *name)
727{
728 int fd;
729 char buffer[DM_CRYPT_BUF_SIZE];
730 struct dm_ioctl *io;
731 int retval = -1;
732
733 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
734 printf("Cannot open device-mapper\n");
735 goto errout;
736 }
737
738 io = (struct dm_ioctl *) buffer;
739
740 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
741 if (ioctl(fd, DM_DEV_REMOVE, io)) {
742 printf("Cannot remove dm-crypt device\n");
743 goto errout;
744 }
745
746 /* We made it here with no errors. Woot! */
747 retval = 0;
748
749errout:
750 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
751
752 return retval;
753
754}
755
756static int pbkdf2(const char *passwd, const unsigned char *salt,
757 unsigned char *ikey, void *params UNUSED)
758{
759 printf("Using pbkdf2 for cryptfs KDF");
760
761 /* Turn the password into a key and IV that can decrypt the master key */
762 unsigned int keysize;
763 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize);
764 if (!master_key) return -1;
765 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN,
766 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
767
768 memset(master_key, 0, keysize);
769 free (master_key);
770 return 0;
771}
772
773static int scrypt(const char *passwd, const unsigned char *salt,
774 unsigned char *ikey, void *params)
775{
776 printf("Using scrypt for cryptfs KDF\n");
777
778 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
779
780 int N = 1 << ftr->N_factor;
781 int r = 1 << ftr->r_factor;
782 int p = 1 << ftr->p_factor;
783
784 /* Turn the password into a key and IV that can decrypt the master key */
785 unsigned int keysize;
786 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize);
787 if (!master_key) return -1;
788 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey,
789 KEY_LEN_BYTES + IV_LEN_BYTES);
790
791 memset(master_key, 0, keysize);
792 free (master_key);
793 return 0;
794}
795
796static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
797 unsigned char *ikey, void *params)
798{
799 printf("Using scrypt with keymaster for cryptfs KDF\n");
800
801 int rc;
802 unsigned int key_size;
803 size_t signature_size;
804 unsigned char* signature;
805 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
806
807 int N = 1 << ftr->N_factor;
808 int r = 1 << ftr->r_factor;
809 int p = 1 << ftr->p_factor;
810
811 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size);
812 if (!master_key) {
Ethan Yonkercceebb82014-11-18 10:17:59 -0600813 printf("Failed to convert passwd from hex\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600814 return -1;
815 }
816
817 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN,
818 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
819 memset(master_key, 0, key_size);
820 free(master_key);
821
822 if (rc) {
Ethan Yonkercceebb82014-11-18 10:17:59 -0600823 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600824 return -1;
825 }
826
827 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
828 &signature, &signature_size)) {
Ethan Yonkercceebb82014-11-18 10:17:59 -0600829 printf("Signing failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600830 return -1;
831 }
832
833 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
834 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
835 free(signature);
836
837 if (rc) {
Ethan Yonkercceebb82014-11-18 10:17:59 -0600838 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600839 return -1;
840 }
841
842 return 0;
843}
844
845static int encrypt_master_key(const char *passwd, const unsigned char *salt,
846 const unsigned char *decrypted_master_key,
847 unsigned char *encrypted_master_key,
848 struct crypt_mnt_ftr *crypt_ftr)
849{
850 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
851 EVP_CIPHER_CTX e_ctx;
852 int encrypted_len, final_len;
853 int rc = 0;
854
855 /* Turn the password into an intermediate key and IV that can decrypt the master key */
856 get_device_scrypt_params(crypt_ftr);
857
858 switch (crypt_ftr->kdf_type) {
859 case KDF_SCRYPT_KEYMASTER_UNPADDED:
860 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
861 case KDF_SCRYPT_KEYMASTER:
862 if (keymaster_create_key(crypt_ftr)) {
863 printf("keymaster_create_key failed");
864 return -1;
865 }
866
867 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
868 printf("scrypt failed");
869 return -1;
870 }
871 break;
872
873 case KDF_SCRYPT:
874 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
875 printf("scrypt failed");
876 return -1;
877 }
878 break;
879
880 default:
881 printf("Invalid kdf_type");
882 return -1;
883 }
884
885 /* Initialize the decryption engine */
886 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
887 printf("EVP_EncryptInit failed\n");
888 return -1;
889 }
890 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
891
892 /* Encrypt the master key */
893 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
894 decrypted_master_key, KEY_LEN_BYTES)) {
895 printf("EVP_EncryptUpdate failed\n");
896 return -1;
897 }
898 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
899 printf("EVP_EncryptFinal failed\n");
900 return -1;
901 }
902
903 if (encrypted_len + final_len != KEY_LEN_BYTES) {
904 printf("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
905 return -1;
906 }
907
908 /* Store the scrypt of the intermediate key, so we can validate if it's a
909 password error or mount error when things go wrong.
910 Note there's no need to check for errors, since if this is incorrect, we
911 simply won't wipe userdata, which is the correct default behavior
912 */
913 int N = 1 << crypt_ftr->N_factor;
914 int r = 1 << crypt_ftr->r_factor;
915 int p = 1 << crypt_ftr->p_factor;
916
917 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
918 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
919 crypt_ftr->scrypted_intermediate_key,
920 sizeof(crypt_ftr->scrypted_intermediate_key));
921
922 if (rc) {
923 printf("encrypt_master_key: crypto_scrypt failed");
924 }
925
926 return 0;
927}
928
929static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
930 unsigned char *encrypted_master_key,
931 unsigned char *decrypted_master_key,
932 kdf_func kdf, void *kdf_params,
933 unsigned char** intermediate_key,
934 size_t* intermediate_key_size)
935{
936 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
937 EVP_CIPHER_CTX d_ctx;
938 int decrypted_len, final_len;
939
940 /* Turn the password into an intermediate key and IV that can decrypt the
941 master key */
942 if (kdf(passwd, salt, ikey, kdf_params)) {
943 printf("kdf failed");
944 return -1;
945 }
946
947 /* Initialize the decryption engine */
948 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
949 return -1;
950 }
951 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
952 /* Decrypt the master key */
953 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
954 encrypted_master_key, KEY_LEN_BYTES)) {
955 return -1;
956 }
957 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
958 return -1;
959 }
960
961 if (decrypted_len + final_len != KEY_LEN_BYTES) {
962 return -1;
963 }
964
965 /* Copy intermediate key if needed by params */
966 if (intermediate_key && intermediate_key_size) {
967 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
968 if (intermediate_key) {
969 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
970 *intermediate_key_size = KEY_LEN_BYTES;
971 }
972 }
973
974 return 0;
975}
976
977static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
978{
979 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED ||
980 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED ||
981 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
982 *kdf = scrypt_keymaster;
983 *kdf_params = ftr;
984 } else if (ftr->kdf_type == KDF_SCRYPT) {
985 *kdf = scrypt;
986 *kdf_params = ftr;
987 } else {
988 *kdf = pbkdf2;
989 *kdf_params = NULL;
990 }
991}
992
993static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
994 struct crypt_mnt_ftr *crypt_ftr,
995 unsigned char** intermediate_key,
996 size_t* intermediate_key_size)
997{
998 kdf_func kdf;
999 void *kdf_params;
1000 int ret;
1001
1002 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1003 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1004 decrypted_master_key, kdf, kdf_params,
1005 intermediate_key, intermediate_key_size);
1006 if (ret != 0) {
1007 printf("failure decrypting master key");
1008 }
1009
1010 return ret;
1011}
1012
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001013static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1014 char *passwd, char *mount_point, char *label)
1015{
1016 /* Allocate enough space for a 256 bit key, but we may use less */
1017 unsigned char decrypted_master_key[32];
1018 char crypto_blkdev[MAXPATHLEN];
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001019 char tmp_mount_point[64];
1020 unsigned int orig_failed_decrypt_count;
1021 int rc;
1022 kdf_func kdf;
1023 void *kdf_params;
1024 int use_keymaster = 0;
1025 int upgrade = 0;
1026 unsigned char* intermediate_key = 0;
1027 size_t intermediate_key_size = 0;
1028
1029 printf("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1030 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1031
1032 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1033 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1034 &intermediate_key, &intermediate_key_size)) {
1035 printf("Failed to decrypt master key\n");
1036 rc = -1;
1037 goto errout;
1038 }
1039 }
1040
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001041 // Create crypto block device - all (non fatal) code paths
1042 // need it
1043 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1044 real_blkdev, crypto_blkdev, label)) {
1045 printf("Error creating decrypted block device\n");
1046 rc = -1;
1047 goto errout;
1048 }
1049
1050 /* Work out if the problem is the password or the data */
1051 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1052 scrypted_intermediate_key)];
1053 int N = 1 << crypt_ftr->N_factor;
1054 int r = 1 << crypt_ftr->r_factor;
1055 int p = 1 << crypt_ftr->p_factor;
1056
1057 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1058 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1059 N, r, p, scrypted_intermediate_key,
1060 sizeof(scrypted_intermediate_key));
1061
1062 // Does the key match the crypto footer?
1063 if (rc == 0 && memcmp(scrypted_intermediate_key,
1064 crypt_ftr->scrypted_intermediate_key,
1065 sizeof(scrypted_intermediate_key)) == 0) {
1066 printf("Password matches\n");
1067 rc = 0;
1068 } else {
1069 /* Try mounting the file system anyway, just in case the problem's with
1070 * the footer, not the key. */
1071 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1072 mkdir(tmp_mount_point, 0755);
Ethan Yonker253368a2014-11-25 15:00:52 -06001073 if (mount(crypto_blkdev, tmp_mount_point, file_system, NULL, NULL) != 0) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001074 printf("Error temp mounting decrypted block device '%s'\n", crypto_blkdev);
1075 delete_crypto_blk_dev(label);
1076
1077 rc = ++crypt_ftr->failed_decrypt_count;
1078 //put_crypt_ftr_and_key(crypt_ftr); // Do not penalize for attempting to decrypt in recovery
1079 } else {
1080 /* Success! */
1081 printf("Password did not match but decrypted drive mounted - continue\n");
1082 umount(tmp_mount_point);
1083 rc = 0;
1084 }
1085 }
1086
1087 if (rc == 0) {
1088 /*crypt_ftr->failed_decrypt_count = 0;
1089 if (orig_failed_decrypt_count != 0) {
1090 put_crypt_ftr_and_key(crypt_ftr);
1091 }*/
1092
1093 /* Save the name of the crypto block device
1094 * so we can mount it when restarting the framework. */
1095 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1096
1097 /* Also save a the master key so we can reencrypted the key
1098 * the key when we want to change the password on it. */
1099 /*memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1100 saved_mount_point = strdup(mount_point);
1101 master_key_saved = 1;
1102 printf("%s(): Master key saved\n", __FUNCTION__);*/
1103 rc = 0;
1104
1105 // Upgrade if we're not using the latest KDF.
1106 /*use_keymaster = keymaster_check_compatibility();
1107 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1108 // Don't allow downgrade
1109 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1110 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1111 upgrade = 1;
1112 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1113 crypt_ftr->kdf_type = KDF_SCRYPT;
1114 upgrade = 1;
1115 }
1116
1117 if (upgrade) {
1118 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1119 crypt_ftr->master_key, crypt_ftr);
1120 if (!rc) {
1121 rc = put_crypt_ftr_and_key(crypt_ftr);
1122 }
1123 printf("Key Derivation Function upgrade: rc=%d\n", rc);
1124
1125 // Do not fail even if upgrade failed - machine is bootable
1126 // Note that if this code is ever hit, there is a *serious* problem
1127 // since KDFs should never fail. You *must* fix the kdf before
1128 // proceeding!
1129 if (rc) {
1130 printf("Upgrade failed with error %d,"
1131 " but continuing with previous state\n",
1132 rc);
1133 rc = 0;
1134 }
1135 }*/
1136 }
1137
1138 errout:
1139 if (intermediate_key) {
1140 memset(intermediate_key, 0, intermediate_key_size);
1141 free(intermediate_key);
1142 }
1143 return rc;
1144}
1145
1146/* Called by vold when it wants to undo the crypto mapping of a volume it
1147 * manages. This is usually in response to a factory reset, when we want
1148 * to undo the crypto mapping so the volume is formatted in the clear.
1149 */
1150int cryptfs_revert_volume(const char *label)
1151{
1152 return delete_crypto_blk_dev((char *)label);
1153}
1154
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001155int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1156{
1157 char encrypted_state[PROPERTY_VALUE_MAX];
1158 property_get("ro.crypto.state", encrypted_state, "");
1159 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1160 printf("encrypted fs already validated or not running with encryption,"
Ethan Yonkercceebb82014-11-18 10:17:59 -06001161 " aborting\n");
1162 //return -1;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001163 }
1164
1165 if (get_crypt_ftr_and_key(crypt_ftr)) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001166 printf("Error getting crypt footer and key\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001167 return -1;
1168 }
1169
1170 return 0;
1171}
1172
1173/*
1174 * TODO - transition patterns to new format in calling code
1175 * and remove this vile hack, and the use of hex in
1176 * the password passing code.
1177 *
1178 * Patterns are passed in zero based (i.e. the top left dot
1179 * is represented by zero, the top middle one etc), but we want
1180 * to store them '1' based.
1181 * This is to allow us to migrate the calling code to use this
1182 * convention. It also solves a nasty problem whereby scrypt ignores
1183 * trailing zeros, so patterns ending at the top left could be
1184 * truncated, and similarly, you could add the top left to any
1185 * pattern and still match.
1186 * adjust_passwd is a hack function that returns the alternate representation
1187 * if the password appears to be a pattern (hex numbers all less than 09)
1188 * If it succeeds we need to try both, and in particular try the alternate
1189 * first. If the original matches, then we need to update the footer
1190 * with the alternate.
1191 * All code that accepts passwords must adjust them first. Since
1192 * cryptfs_check_passwd is always the first function called after a migration
1193 * (and indeed on any boot) we only need to do the double try in this
1194 * function.
1195 */
1196char* adjust_passwd(const char* passwd)
1197{
1198 size_t index, length;
1199
1200 if (!passwd) {
1201 return 0;
1202 }
1203
1204 // Check even length. Hex encoded passwords are always
1205 // an even length, since each character encodes to two characters.
1206 length = strlen(passwd);
1207 if (length % 2) {
1208 printf("Password not correctly hex encoded.");
1209 return 0;
1210 }
1211
1212 // Check password is old-style pattern - a collection of hex
1213 // encoded bytes less than 9 (00 through 08)
1214 for (index = 0; index < length; index +=2) {
1215 if (passwd[index] != '0'
1216 || passwd[index + 1] < '0' || passwd[index + 1] > '8') {
1217 return 0;
1218 }
1219 }
1220
1221 // Allocate room for adjusted passwd and null terminate
1222 char* adjusted = malloc(length + 1);
1223 adjusted[length] = 0;
1224
1225 // Add 0x31 ('1') to each character
1226 for (index = 0; index < length; index += 2) {
1227 // output is 31 through 39 so set first byte to three, second to src + 1
1228 adjusted[index] = '3';
1229 adjusted[index + 1] = passwd[index + 1] + 1;
1230 }
1231
1232 return adjusted;
1233}
1234
1235/*
1236 * Passwords in L get passed from Android to cryptfs in hex, so a '1'
1237 * gets converted to '31' where 31 is 0x31 which is the ascii character
1238 * code in hex of the character '1'. This function will convert the
1239 * regular character codes to their hexadecimal representation to make
1240 * decrypt work properly with Android 5.0 lollipop decryption.
1241 */
1242char* hexadj_passwd(const char* passwd)
1243{
1244 size_t index, length;
1245 char* ptr = passwd;
1246
1247 if (!passwd) {
1248 return 0;
1249 }
1250
1251 length = strlen(passwd);
1252
1253 // Allocate room for hex passwd and null terminate
1254 char* hex = malloc((length * 2) + 1);
1255 hex[length * 2] = 0;
1256
1257 // Convert to hex
1258 for (index = 0; index < length; index++) {
1259 sprintf(hex + (index * 2), "%02X", *ptr);
1260 ptr++;
1261 }
1262
1263 return hex;
1264}
1265
Ethan Yonker253368a2014-11-25 15:00:52 -06001266int cryptfs_check_footer()
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001267{
1268 int rc = -1;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001269 struct crypt_mnt_ftr crypt_ftr;
1270
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001271 rc = get_crypt_ftr_and_key(&crypt_ftr);
1272
1273 return rc;
1274}
1275
1276int cryptfs_check_passwd(char *passwd)
1277{
1278 struct crypt_mnt_ftr crypt_ftr;
1279 int rc;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001280
1281 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1282 if (rc)
1283 return rc;
1284
1285 char* adjusted_passwd = adjust_passwd(passwd);
1286 char* hex_passwd = hexadj_passwd(passwd);
1287
1288 if (adjusted_passwd) {
1289 int failed_decrypt_count = crypt_ftr.failed_decrypt_count;
1290 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd,
1291 DATA_MNT_POINT, "userdata");
1292
1293 // Maybe the original one still works?
1294 if (rc) {
1295 // Don't double count this failure
1296 crypt_ftr.failed_decrypt_count = failed_decrypt_count;
1297 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1298 DATA_MNT_POINT, "userdata");
1299 if (!rc) {
1300 // cryptfs_changepw also adjusts so pass original
1301 // Note that adjust_passwd only recognises patterns
1302 // so we can safely use CRYPT_TYPE_PATTERN
1303 printf("TWRP NOT Updating pattern to new format");
1304 //cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd);
1305 } else if (hex_passwd) {
1306 rc = test_mount_encrypted_fs(&crypt_ftr, hex_passwd,
1307 DATA_MNT_POINT, "userdata");
1308 }
1309 }
1310 free(adjusted_passwd);
1311 } else {
1312 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1313 DATA_MNT_POINT, "userdata");
1314 if (rc && hex_passwd) {
1315 rc = test_mount_encrypted_fs(&crypt_ftr, hex_passwd,
1316 DATA_MNT_POINT, "userdata");
1317 }
1318 }
1319
1320 if (hex_passwd)
1321 free(hex_passwd);
1322
1323 /*if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
1324 printf("cryptfs_check_passwd update expiry time?\n");
1325 cryptfs_clear_password();
1326 password = strdup(passwd);
1327 struct timespec now;
1328 clock_gettime(CLOCK_BOOTTIME, &now);
1329 password_expiry_time = now.tv_sec + password_max_age_seconds;
1330 }*/
1331
1332 return rc;
1333}
1334
1335int cryptfs_verify_passwd(char *passwd)
1336{
1337 struct crypt_mnt_ftr crypt_ftr;
1338 /* Allocate enough space for a 256 bit key, but we may use less */
1339 unsigned char decrypted_master_key[32];
1340 char encrypted_state[PROPERTY_VALUE_MAX];
1341 int rc;
1342
1343 property_get("ro.crypto.state", encrypted_state, "");
1344 if (strcmp(encrypted_state, "encrypted") ) {
1345 printf("device not encrypted, aborting");
1346 return -2;
1347 }
1348
1349 if (!master_key_saved) {
1350 printf("encrypted fs not yet mounted, aborting");
1351 return -1;
1352 }
1353
1354 if (!saved_mount_point) {
1355 printf("encrypted fs failed to save mount point, aborting");
1356 return -1;
1357 }
1358
1359 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1360 printf("Error getting crypt footer and key\n");
1361 return -1;
1362 }
1363
1364 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
1365 /* If the device has no password, then just say the password is valid */
1366 rc = 0;
1367 } else {
1368 char* adjusted_passwd = adjust_passwd(passwd);
1369 if (adjusted_passwd) {
1370 passwd = adjusted_passwd;
1371 }
1372
1373 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
1374 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
1375 /* They match, the password is correct */
1376 rc = 0;
1377 } else {
1378 /* If incorrect, sleep for a bit to prevent dictionary attacks */
1379 sleep(1);
1380 rc = 1;
1381 }
1382
1383 free(adjusted_passwd);
1384 }
1385
1386 return rc;
1387}
1388
1389/* Initialize a crypt_mnt_ftr structure. The keysize is
1390 * defaulted to 16 bytes, and the filesystem size to 0.
1391 * Presumably, at a minimum, the caller will update the
1392 * filesystem size and crypto_type_name after calling this function.
1393 */
1394static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
1395{
1396 off64_t off;
1397
1398 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
1399 ftr->magic = CRYPT_MNT_MAGIC;
1400 ftr->major_version = CURRENT_MAJOR_VERSION;
1401 ftr->minor_version = CURRENT_MINOR_VERSION;
1402 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
1403 ftr->keysize = KEY_LEN_BYTES;
1404
1405 switch (keymaster_check_compatibility()) {
1406 case 1:
1407 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1408 break;
1409
1410 case 0:
1411 ftr->kdf_type = KDF_SCRYPT;
1412 break;
1413
1414 default:
1415 printf("keymaster_check_compatibility failed");
1416 return -1;
1417 }
1418
1419 get_device_scrypt_params(ftr);
1420
1421 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
1422 if (get_crypt_ftr_info(NULL, &off) == 0) {
1423 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
1424 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
1425 ftr->persist_data_size;
1426 }
1427
1428 return 0;
1429}
1430
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001431/* Returns type of the password, default, pattern, pin or password.
1432 */
1433int cryptfs_get_password_type(void)
1434{
1435 struct crypt_mnt_ftr crypt_ftr;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001436
1437 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1438 printf("Error getting crypt footer and key\n");
1439 return -1;
1440 }
1441
1442 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
1443 return -1;
1444 }
1445
1446 return crypt_ftr.crypt_type;
1447}