blob: 1e65a22630524a84463cea2a5de2441bfc7ce388 [file] [log] [blame]
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001/*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17/* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23#include <sys/types.h>
Dees Troyc657cc02015-01-16 22:48:47 +000024#include <linux/types.h>
Ethan Yonker4eca40d2014-11-11 14:52:28 -060025#include <sys/wait.h>
26#include <sys/stat.h>
27#include <ctype.h>
28#include <fcntl.h>
29#include <inttypes.h>
30#include <unistd.h>
31#include <stdio.h>
32#include <sys/ioctl.h>
33#include <linux/dm-ioctl.h>
34#include <libgen.h>
35#include <stdlib.h>
36#include <sys/param.h>
37#include <string.h>
38#include <sys/mount.h>
39#include <openssl/evp.h>
40#include <errno.h>
Ethan Yonker4eca40d2014-11-11 14:52:28 -060041#include <linux/kdev_t.h>
Ethan Yonker4eca40d2014-11-11 14:52:28 -060042#include <time.h>
43#include "cryptfs.h"
Ethan Yonker4eca40d2014-11-11 14:52:28 -060044#include "cutils/properties.h"
Ethan Yonker4eca40d2014-11-11 14:52:28 -060045#include "crypto_scrypt.h"
Ethan Yonkerc798c9c2015-10-09 11:15:26 -050046
47#ifndef TW_CRYPTO_HAVE_KEYMASTERX
Ethan Yonker4eca40d2014-11-11 14:52:28 -060048#include <hardware/keymaster.h>
Ethan Yonkerc798c9c2015-10-09 11:15:26 -050049#else
50#include <stdbool.h>
51#include <openssl/evp.h>
52#include <openssl/sha.h>
53#include <hardware/keymaster0.h>
54#include <hardware/keymaster1.h>
55#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -060056
Ethan Yonker253368a2014-11-25 15:00:52 -060057#ifndef min /* already defined by windows.h */
58#define min(a, b) ((a) < (b) ? (a) : (b))
59#endif
60
Ethan Yonker4eca40d2014-11-11 14:52:28 -060061#define UNUSED __attribute__((unused))
62
63#define UNUSED __attribute__((unused))
64
Dees Troyc657cc02015-01-16 22:48:47 +000065#ifdef CONFIG_HW_DISK_ENCRYPTION
66#include "cryptfs_hw.h"
67#endif
68
Ethan Yonker4eca40d2014-11-11 14:52:28 -060069#define DM_CRYPT_BUF_SIZE 4096
70
71#define HASH_COUNT 2000
72#define KEY_LEN_BYTES 16
73#define IV_LEN_BYTES 16
74
75#define KEY_IN_FOOTER "footer"
76
77// "default_password" encoded into hex (d=0x64 etc)
78#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264"
79
80#define EXT4_FS 1
81#define F2FS_FS 2
82
83#define TABLE_LOAD_RETRIES 10
84
85#define RSA_KEY_SIZE 2048
86#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
87#define RSA_EXPONENT 0x10001
Ethan Yonkerc798c9c2015-10-09 11:15:26 -050088#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
Ethan Yonker4eca40d2014-11-11 14:52:28 -060089
90#define RETRY_MOUNT_ATTEMPTS 10
91#define RETRY_MOUNT_DELAY_SECONDS 1
92
93char *me = "cryptfs";
94
95static unsigned char saved_master_key[KEY_LEN_BYTES];
96static char *saved_mount_point;
97static int master_key_saved = 0;
98static struct crypt_persist_data *persist_data = NULL;
Ethan Yonker253368a2014-11-25 15:00:52 -060099static char key_fname[PROPERTY_VALUE_MAX] = "";
100static char real_blkdev[PROPERTY_VALUE_MAX] = "";
101static char file_system[PROPERTY_VALUE_MAX] = "";
102
Ethan Yonkerba95ad12016-01-18 15:18:15 -0600103#ifdef CONFIG_HW_DISK_ENCRYPTION
104#define DEFAULT_HEX_PASSWORD "64656661756c745f70617373776f7264"
105static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
106 unsigned char *ikey, void *params);
107static void convert_key_to_hex_ascii(const unsigned char *master_key,
108 unsigned int keysize, char *master_key_ascii);
109static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr);
110
111static int get_keymaster_hw_fde_passwd(const char* passwd, unsigned char* newpw,
112 unsigned char* salt,
113 const struct crypt_mnt_ftr *ftr)
114{
115 /* if newpw updated, return 0
116 * if newpw not updated return -1
117 */
118 int rc = -1;
119
120 if (should_use_keymaster()) {
121 if (scrypt_keymaster(passwd, salt, newpw, (void*)ftr)) {
122 printf("scrypt failed");
123 } else {
124 rc = 0;
125 }
126 }
127
128 return rc;
129}
130
131static int verify_hw_fde_passwd(char *passwd, struct crypt_mnt_ftr* crypt_ftr)
132{
133 unsigned char newpw[32] = {0};
134 int key_index;
135 if (get_keymaster_hw_fde_passwd(passwd, newpw, crypt_ftr->salt, crypt_ftr))
136 key_index = set_hw_device_encryption_key(passwd,
137 (char*) crypt_ftr->crypto_type_name);
138 else
139 key_index = set_hw_device_encryption_key((const char*)newpw,
140 (char*) crypt_ftr->crypto_type_name);
141 return key_index;
142}
143
144static int verify_and_update_hw_fde_passwd(char *passwd,
145 struct crypt_mnt_ftr* crypt_ftr)
146{
147 char* new_passwd = NULL;
148 unsigned char newpw[32] = {0};
149 int key_index = -1;
150 int passwd_updated = -1;
151 int ascii_passwd_updated = (crypt_ftr->flags & CRYPT_ASCII_PASSWORD_UPDATED);
152
153 key_index = verify_hw_fde_passwd(passwd, crypt_ftr);
154 if (key_index < 0) {
155 ++crypt_ftr->failed_decrypt_count;
156
157 if (ascii_passwd_updated) {
158 printf("Ascii password was updated");
159 } else {
160 /* Code in else part would execute only once:
161 * When device is upgraded from L->M release.
162 * Once upgraded, code flow should never come here.
163 * L release passed actual password in hex, so try with hex
164 * Each nible of passwd was encoded as a byte, so allocate memory
165 * twice of password len plus one more byte for null termination
166 */
167 if (crypt_ftr->crypt_type == CRYPT_TYPE_DEFAULT) {
168 new_passwd = (char*)malloc(strlen(DEFAULT_HEX_PASSWORD) + 1);
169 if (new_passwd == NULL) {
170 printf("System out of memory. Password verification incomplete");
171 goto out;
172 }
173 strlcpy(new_passwd, DEFAULT_HEX_PASSWORD, strlen(DEFAULT_HEX_PASSWORD) + 1);
174 } else {
175 new_passwd = (char*)malloc(strlen(passwd) * 2 + 1);
176 if (new_passwd == NULL) {
177 printf("System out of memory. Password verification incomplete");
178 goto out;
179 }
180 convert_key_to_hex_ascii((const unsigned char*)passwd,
181 strlen(passwd), new_passwd);
182 }
183 key_index = set_hw_device_encryption_key((const char*)new_passwd,
184 (char*) crypt_ftr->crypto_type_name);
185 if (key_index >=0) {
186 crypt_ftr->failed_decrypt_count = 0;
187 printf("Hex password verified...will try to update with Ascii value");
188 /* Before updating password, tie that with keymaster to tie with ROT */
189
190 if (get_keymaster_hw_fde_passwd(passwd, newpw,
191 crypt_ftr->salt, crypt_ftr)) {
192 passwd_updated = update_hw_device_encryption_key(new_passwd,
193 passwd, (char*)crypt_ftr->crypto_type_name);
194 } else {
195 passwd_updated = update_hw_device_encryption_key(new_passwd,
196 (const char*)newpw, (char*)crypt_ftr->crypto_type_name);
197 }
198
199 if (passwd_updated >= 0) {
200 crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED;
201 printf("Ascii password recorded and updated");
202 } else {
203 printf("Passwd verified, could not update...Will try next time");
204 }
205 } else {
206 ++crypt_ftr->failed_decrypt_count;
207 }
208 free(new_passwd);
209 }
210 } else {
211 if (!ascii_passwd_updated)
212 crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED;
213 }
214out:
215 // DO NOT update footer before leaving
216 // put_crypt_ftr_and_key(crypt_ftr);
217 return key_index;
218}
219#endif
220
Ethan Yonker253368a2014-11-25 15:00:52 -0600221void set_partition_data(const char* block_device, const char* key_location, const char* fs)
222{
223 strcpy(key_fname, key_location);
224 strcpy(real_blkdev, block_device);
225 strcpy(file_system, fs);
226}
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600227
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500228#ifndef TW_CRYPTO_HAVE_KEYMASTERX
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600229static int keymaster_init(keymaster_device_t **keymaster_dev)
230{
231 int rc;
232
233 const hw_module_t* mod;
234 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
235 if (rc) {
236 printf("could not find any keystore module\n");
237 goto out;
238 }
239
240 rc = keymaster_open(mod, keymaster_dev);
241 if (rc) {
242 printf("could not open keymaster device in %s (%s)\n",
243 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
244 goto out;
245 }
246
247 return 0;
248
249out:
250 *keymaster_dev = NULL;
251 return rc;
252}
253
254/* Should we use keymaster? */
255static int keymaster_check_compatibility()
256{
257 keymaster_device_t *keymaster_dev = 0;
258 int rc = 0;
259
260 if (keymaster_init(&keymaster_dev)) {
261 printf("Failed to init keymaster\n");
262 rc = -1;
263 goto out;
264 }
265
266 printf("keymaster version is %d\n", keymaster_dev->common.module->module_api_version);
267
thatceb7b8e2014-12-09 23:15:16 +0100268#if (KEYMASTER_HEADER_VERSION >= 3)
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600269 if (keymaster_dev->common.module->module_api_version
270 < KEYMASTER_MODULE_API_VERSION_0_3) {
271 rc = 0;
272 goto out;
273 }
274
275 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) {
276 rc = 1;
277 }
278
thatceb7b8e2014-12-09 23:15:16 +0100279#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600280out:
281 keymaster_close(keymaster_dev);
282 return rc;
283}
284
285/* Create a new keymaster key and store it in this footer */
286static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
287{
288 uint8_t* key = 0;
289 keymaster_device_t *keymaster_dev = 0;
290
291 if (keymaster_init(&keymaster_dev)) {
292 printf("Failed to init keymaster\n");
293 return -1;
294 }
295
296 int rc = 0;
297
298 keymaster_rsa_keygen_params_t params;
299 memset(&params, '\0', sizeof(params));
300 params.public_exponent = RSA_EXPONENT;
301 params.modulus_size = RSA_KEY_SIZE;
302
303 size_t key_size;
304 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, &params,
305 &key, &key_size)) {
306 printf("Failed to generate keypair\n");
307 rc = -1;
308 goto out;
309 }
310
311 if (key_size > KEYMASTER_BLOB_SIZE) {
312 printf("Keymaster key too large for crypto footer\n");
313 rc = -1;
314 goto out;
315 }
316
317 memcpy(ftr->keymaster_blob, key, key_size);
318 ftr->keymaster_blob_size = key_size;
319
320out:
321 keymaster_close(keymaster_dev);
322 free(key);
323 return rc;
324}
325
326/* This signs the given object using the keymaster key. */
327static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
328 const unsigned char *object,
329 const size_t object_size,
330 unsigned char **signature,
331 size_t *signature_size)
332{
333 int rc = 0;
334 keymaster_device_t *keymaster_dev = 0;
335 if (keymaster_init(&keymaster_dev)) {
336 printf("Failed to init keymaster\n");
337 return -1;
338 }
339
340 /* We currently set the digest type to DIGEST_NONE because it's the
341 * only supported value for keymaster. A similar issue exists with
342 * PADDING_NONE. Long term both of these should likely change.
343 */
344 keymaster_rsa_sign_params_t params;
345 params.digest_type = DIGEST_NONE;
346 params.padding_type = PADDING_NONE;
347
348 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
349 size_t to_sign_size = sizeof(to_sign);
350 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
351
352 // To sign a message with RSA, the message must satisfy two
353 // constraints:
354 //
355 // 1. The message, when interpreted as a big-endian numeric value, must
356 // be strictly less than the public modulus of the RSA key. Note
357 // that because the most significant bit of the public modulus is
358 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
359 // key), an n-bit message with most significant bit 0 always
360 // satisfies this requirement.
361 //
362 // 2. The message must have the same length in bits as the public
363 // modulus of the RSA key. This requirement isn't mathematically
364 // necessary, but is necessary to ensure consistency in
365 // implementations.
366 switch (ftr->kdf_type) {
367 case KDF_SCRYPT_KEYMASTER_UNPADDED:
368 // This is broken: It produces a message which is shorter than
369 // the public modulus, failing criterion 2.
370 memcpy(to_sign, object, object_size);
371 to_sign_size = object_size;
372 printf("Signing unpadded object\n");
373 break;
374 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
375 // This is broken: Since the value of object is uniformly
376 // distributed, it produces a message that is larger than the
377 // public modulus with probability 0.25.
378 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size));
379 printf("Signing end-padded object\n");
380 break;
381 case KDF_SCRYPT_KEYMASTER:
382 // This ensures the most significant byte of the signed message
383 // is zero. We could have zero-padded to the left instead, but
384 // this approach is slightly more robust against changes in
385 // object size. However, it's still broken (but not unusably
386 // so) because we really should be using a proper RSA padding
387 // function, such as OAEP.
388 //
389 // TODO(paullawrence): When keymaster 0.4 is available, change
390 // this to use the padding options it provides.
391 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
392 printf("Signing safely-padded object\n");
393 break;
394 default:
395 printf("Unknown KDF type %d\n", ftr->kdf_type);
396 return -1;
397 }
398
399 rc = keymaster_dev->sign_data(keymaster_dev,
400 &params,
401 ftr->keymaster_blob,
402 ftr->keymaster_blob_size,
403 to_sign,
404 to_sign_size,
405 signature,
406 signature_size);
407
408 keymaster_close(keymaster_dev);
409 return rc;
410}
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500411#else //#ifndef TW_CRYPTO_HAVE_KEYMASTERX
412static int keymaster_init(keymaster0_device_t **keymaster0_dev,
413 keymaster1_device_t **keymaster1_dev)
414{
415 int rc;
416
417 const hw_module_t* mod;
418 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
419 if (rc) {
420 printf("could not find any keystore module\n");
421 goto err;
422 }
423
424 printf("keymaster module name is %s\n", mod->name);
425 printf("keymaster version is %d\n", mod->module_api_version);
426
427 *keymaster0_dev = NULL;
428 *keymaster1_dev = NULL;
429 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
430 printf("Found keymaster1 module, using keymaster1 API.\n");
431 rc = keymaster1_open(mod, keymaster1_dev);
432 } else {
433 printf("Found keymaster0 module, using keymaster0 API.\n");
434 rc = keymaster0_open(mod, keymaster0_dev);
435 }
436
437 if (rc) {
438 printf("could not open keymaster device in %s (%s)\n",
439 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
440 goto err;
441 }
442
443 return 0;
444
445err:
446 *keymaster0_dev = NULL;
447 *keymaster1_dev = NULL;
448 return rc;
449}
450
451/* Should we use keymaster? */
452static int keymaster_check_compatibility()
453{
454 keymaster0_device_t *keymaster0_dev = 0;
455 keymaster1_device_t *keymaster1_dev = 0;
456 int rc = 0;
457
458 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
459 printf("Failed to init keymaster\n");
460 rc = -1;
461 goto out;
462 }
463
464 if (keymaster1_dev) {
465 rc = 1;
466 goto out;
467 }
468
469 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2
470 // should work.
471 if (keymaster0_dev->common.module->module_api_version
472 < KEYMASTER_MODULE_API_VERSION_0_3) {
473 rc = 0;
474 goto out;
475 }
476
477 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
478 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
479 rc = 1;
480 }
481
482out:
483 if (keymaster1_dev) {
484 keymaster1_close(keymaster1_dev);
485 }
486 if (keymaster0_dev) {
487 keymaster0_close(keymaster0_dev);
488 }
489 return rc;
490}
491
492/* Create a new keymaster key and store it in this footer */
493static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
494{
495 uint8_t* key = 0;
496 keymaster0_device_t *keymaster0_dev = 0;
497 keymaster1_device_t *keymaster1_dev = 0;
498
499 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
500 printf("Failed to init keymaster\n");
501 return -1;
502 }
503
504 int rc = 0;
505 size_t key_size = 0;
506 if (keymaster1_dev) {
507 keymaster_key_param_t params[] = {
508 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */
509 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
510 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
511 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
512
513 /* The only allowed purpose for this key is signing. */
514 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
515
516 /* Padding & digest specifications. */
517 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
518 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
519
520 /* Require that the key be usable in standalone mode. File system isn't available. */
521 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
522
523 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
524 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
525
526 /* Rate-limit key usage attempts, to rate-limit brute force */
527 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
528 };
529 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
530 keymaster_key_blob_t key_blob;
531 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, &param_set,
532 &key_blob,
533 NULL /* characteristics */);
534 if (error != KM_ERROR_OK) {
535 printf("Failed to generate keymaster1 key, error %d\n", error);
536 rc = -1;
537 goto out;
538 }
539
540 key = (uint8_t*)key_blob.key_material;
541 key_size = key_blob.key_material_size;
542 }
543 else if (keymaster0_dev) {
544 keymaster_rsa_keygen_params_t params;
545 memset(&params, '\0', sizeof(params));
546 params.public_exponent = RSA_EXPONENT;
547 params.modulus_size = RSA_KEY_SIZE;
548
549 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, &params,
550 &key, &key_size)) {
551 printf("Failed to generate keypair\n");
552 rc = -1;
553 goto out;
554 }
555 } else {
556 printf("Cryptfs bug: keymaster_init succeeded but didn't initialize a device\n");
557 rc = -1;
558 goto out;
559 }
560
561 if (key_size > KEYMASTER_BLOB_SIZE) {
562 printf("Keymaster key too large for crypto footer\n");
563 rc = -1;
564 goto out;
565 }
566
567 memcpy(ftr->keymaster_blob, key, key_size);
568 ftr->keymaster_blob_size = key_size;
569
570out:
571 if (keymaster0_dev)
572 keymaster0_close(keymaster0_dev);
573 if (keymaster1_dev)
574 keymaster1_close(keymaster1_dev);
575 free(key);
576 return rc;
577}
578
579/* This signs the given object using the keymaster key. */
580static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
581 const unsigned char *object,
582 const size_t object_size,
583 unsigned char **signature,
584 size_t *signature_size)
585{
586 int rc = 0;
587 keymaster0_device_t *keymaster0_dev = 0;
588 keymaster1_device_t *keymaster1_dev = 0;
589 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
590 printf("Failed to init keymaster\n");
591 rc = -1;
592 goto out;
593 }
594
595 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
596 size_t to_sign_size = sizeof(to_sign);
597 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
598
599 // To sign a message with RSA, the message must satisfy two
600 // constraints:
601 //
602 // 1. The message, when interpreted as a big-endian numeric value, must
603 // be strictly less than the public modulus of the RSA key. Note
604 // that because the most significant bit of the public modulus is
605 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
606 // key), an n-bit message with most significant bit 0 always
607 // satisfies this requirement.
608 //
609 // 2. The message must have the same length in bits as the public
610 // modulus of the RSA key. This requirement isn't mathematically
611 // necessary, but is necessary to ensure consistency in
612 // implementations.
613 switch (ftr->kdf_type) {
614 case KDF_SCRYPT_KEYMASTER:
615 // This ensures the most significant byte of the signed message
616 // is zero. We could have zero-padded to the left instead, but
617 // this approach is slightly more robust against changes in
618 // object size. However, it's still broken (but not unusably
619 // so) because we really should be using a proper deterministic
620 // RSA padding function, such as PKCS1.
621 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
622 printf("Signing safely-padded object\n");
623 break;
624 default:
625 printf("Unknown KDF type %d\n", ftr->kdf_type);
626 rc = -1;
627 goto out;
628 }
629
630 if (keymaster0_dev) {
631 keymaster_rsa_sign_params_t params;
632 params.digest_type = DIGEST_NONE;
633 params.padding_type = PADDING_NONE;
634
635 rc = keymaster0_dev->sign_data(keymaster0_dev,
636 &params,
637 ftr->keymaster_blob,
638 ftr->keymaster_blob_size,
639 to_sign,
640 to_sign_size,
641 signature,
642 signature_size);
643 goto out;
644 } else if (keymaster1_dev) {
645 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
646 keymaster_key_param_t params[] = {
647 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
648 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
649 };
650 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
651 keymaster_operation_handle_t op_handle;
652 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
653 &param_set, NULL /* out_params */,
654 &op_handle);
655 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
656 // Key usage has been rate-limited. Wait a bit and try again.
657 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
658 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
659 &param_set, NULL /* out_params */,
660 &op_handle);
661 }
662 if (error != KM_ERROR_OK) {
663 printf("Error starting keymaster signature transaction: %d\n", error);
664 rc = -1;
665 goto out;
666 }
667
668 keymaster_blob_t input = { to_sign, to_sign_size };
669 size_t input_consumed;
670 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
671 &input, &input_consumed, NULL /* out_params */,
672 NULL /* output */);
673 if (error != KM_ERROR_OK) {
674 printf("Error sending data to keymaster signature transaction: %d\n", error);
675 rc = -1;
676 goto out;
677 }
678 if (input_consumed != to_sign_size) {
679 // This should never happen. If it does, it's a bug in the keymaster implementation.
680 printf("Keymaster update() did not consume all data.\n");
681 keymaster1_dev->abort(keymaster1_dev, op_handle);
682 rc = -1;
683 goto out;
684 }
685
686 keymaster_blob_t tmp_sig;
687 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
688 NULL /* verify signature */, NULL /* out_params */,
689 &tmp_sig);
690 if (error != KM_ERROR_OK) {
691 printf("Error finishing keymaster signature transaction: %d\n", error);
692 rc = -1;
693 goto out;
694 }
695
696 *signature = (uint8_t*)tmp_sig.data;
697 *signature_size = tmp_sig.data_length;
698 } else {
699 printf("Cryptfs bug: keymaster_init succeded but didn't initialize a device.\n");
700 rc = -1;
701 goto out;
702 }
703
704 out:
705 if (keymaster1_dev)
706 keymaster1_close(keymaster1_dev);
707 if (keymaster0_dev)
708 keymaster0_close(keymaster0_dev);
709
710 return rc;
711}
712#endif //#ifndef TW_CRYPTO_HAVE_KEYMASTERX
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600713
714/* Store password when userdata is successfully decrypted and mounted.
715 * Cleared by cryptfs_clear_password
716 *
717 * To avoid a double prompt at boot, we need to store the CryptKeeper
718 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
719 * Since the entire framework is torn down and rebuilt after encryption,
720 * we have to use a daemon or similar to store the password. Since vold
721 * is secured against IPC except from system processes, it seems a reasonable
722 * place to store this.
723 *
724 * password should be cleared once it has been used.
725 *
726 * password is aged out after password_max_age_seconds seconds.
727 */
728static char* password = 0;
729static int password_expiry_time = 0;
730static const int password_max_age_seconds = 60;
731
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600732static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
733{
734 memset(io, 0, dataSize);
735 io->data_size = dataSize;
736 io->data_start = sizeof(struct dm_ioctl);
737 io->version[0] = 4;
738 io->version[1] = 0;
739 io->version[2] = 0;
740 io->flags = flags;
741 if (name) {
742 strncpy(io->name, name, sizeof(io->name));
743 }
744}
745
746/**
747 * Gets the default device scrypt parameters for key derivation time tuning.
748 * The parameters should lead to about one second derivation time for the
749 * given device.
750 */
751static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
752 const int default_params[] = SCRYPT_DEFAULTS;
753 int params[] = SCRYPT_DEFAULTS;
754 char paramstr[PROPERTY_VALUE_MAX];
755 char *token;
756 char *saveptr;
757 int i;
758
759 property_get(SCRYPT_PROP, paramstr, "");
760 if (paramstr[0] != '\0') {
761 /*
762 * The token we're looking for should be three integers separated by
763 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
764 */
765 for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
766 token != NULL && i < 3;
767 i++, token = strtok_r(NULL, ":", &saveptr)) {
768 char *endptr;
769 params[i] = strtol(token, &endptr, 10);
770
771 /*
772 * Check that there was a valid number and it's 8-bit. If not,
773 * break out and the end check will take the default values.
774 */
775 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
776 break;
777 }
778 }
779
780 /*
781 * If there were not enough tokens or a token was malformed (not an
782 * integer), it will end up here and the default parameters can be
783 * taken.
784 */
785 if ((i != 3) || (token != NULL)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500786 printf("bad scrypt parameters '%s' should be like '12:8:1'; using defaults\n", paramstr);
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600787 memcpy(params, default_params, sizeof(params));
788 }
789 }
790
791 ftr->N_factor = params[0];
792 ftr->r_factor = params[1];
793 ftr->p_factor = params[2];
794}
795
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600796static unsigned int get_blkdev_size(int fd)
797{
798 unsigned int nr_sec;
799
800 if ( (ioctl(fd, BLKGETSIZE, &nr_sec)) == -1) {
801 nr_sec = 0;
802 }
803
804 return nr_sec;
805}
806
807static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
808{
809 static int cached_data = 0;
810 static off64_t cached_off = 0;
811 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
812 int fd;
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600813 unsigned int nr_sec;
814 int rc = -1;
815
816 if (!cached_data) {
Ethan Yonker253368a2014-11-25 15:00:52 -0600817 printf("get_crypt_ftr_info crypto key location: '%s'\n", key_fname);
818 if (!strcmp(key_fname, KEY_IN_FOOTER)) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600819 if ( (fd = open(real_blkdev, O_RDWR)) < 0) {
820 printf("Cannot open real block device %s\n", real_blkdev);
821 return -1;
822 }
823
824 if ((nr_sec = get_blkdev_size(fd))) {
825 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
826 * encryption info footer and key, and plenty of bytes to spare for future
827 * growth.
828 */
829 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
830 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
831 cached_data = 1;
832 } else {
833 printf("Cannot get size of block device %s\n", real_blkdev);
834 }
835 close(fd);
836 } else {
Ethan Yonker253368a2014-11-25 15:00:52 -0600837 strlcpy(cached_metadata_fname, key_fname, sizeof(cached_metadata_fname));
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600838 cached_off = 0;
839 cached_data = 1;
840 }
841 }
842
843 if (cached_data) {
844 if (metadata_fname) {
845 *metadata_fname = cached_metadata_fname;
846 }
847 if (off) {
848 *off = cached_off;
849 }
850 rc = 0;
851 }
852
853 return rc;
854}
855
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600856static inline int unix_read(int fd, void* buff, int len)
857{
858 return TEMP_FAILURE_RETRY(read(fd, buff, len));
859}
860
861static inline int unix_write(int fd, const void* buff, int len)
862{
863 return TEMP_FAILURE_RETRY(write(fd, buff, len));
864}
865
866static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
867{
868 memset(pdata, 0, len);
869 pdata->persist_magic = PERSIST_DATA_MAGIC;
870 pdata->persist_valid_entries = 0;
871}
872
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600873static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
874{
875 int fd;
876 unsigned int nr_sec, cnt;
877 off64_t starting_off;
878 int rc = -1;
879 char *fname = NULL;
880 struct stat statbuf;
881
882 if (get_crypt_ftr_info(&fname, &starting_off)) {
883 printf("Unable to get crypt_ftr_info\n");
884 return -1;
885 }
886 if (fname[0] != '/') {
887 printf("Unexpected value for crypto key location\n");
888 return -1;
889 }
890 if ( (fd = open(fname, O_RDWR)) < 0) {
891 printf("Cannot open footer file %s for get\n", fname);
892 return -1;
893 }
894
895 /* Make sure it's 16 Kbytes in length */
896 fstat(fd, &statbuf);
897 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
898 printf("footer file %s is not the expected size!\n", fname);
899 goto errout;
900 }
901
902 /* Seek to the start of the crypt footer */
903 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
904 printf("Cannot seek to real block device footer\n");
905 goto errout;
906 }
907
908 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
909 printf("Cannot read real block device footer\n");
910 goto errout;
911 }
912
913 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
914 printf("Bad magic for real block device %s\n", fname);
915 goto errout;
916 }
917
918 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
919 printf("Cannot understand major version %d real block device footer; expected %d\n",
920 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
921 goto errout;
922 }
923
924 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
925 printf("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
926 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
927 }
928
929 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
930 * copy on disk before returning.
931 */
Ethan Yonker253368a2014-11-25 15:00:52 -0600932 /*if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600933 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
Ethan Yonker253368a2014-11-25 15:00:52 -0600934 }*/
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600935
936 /* Success! */
937 rc = 0;
938
939errout:
940 close(fd);
941 return rc;
942}
943
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600944static int hexdigit (char c)
945{
946 if (c >= '0' && c <= '9') return c - '0';
947 c = tolower(c);
948 if (c >= 'a' && c <= 'f') return c - 'a' + 10;
949 return -1;
950}
951
952static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii,
953 unsigned int* out_keysize)
954{
955 unsigned int i;
956 *out_keysize = 0;
957
958 size_t size = strlen (master_key_ascii);
959 if (size % 2) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500960 printf("Trying to convert ascii string of odd length\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600961 return NULL;
962 }
963
964 unsigned char* master_key = (unsigned char*) malloc(size / 2);
965 if (master_key == 0) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500966 printf("Cannot allocate\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600967 return NULL;
968 }
969
970 for (i = 0; i < size; i += 2) {
971 int high_nibble = hexdigit (master_key_ascii[i]);
972 int low_nibble = hexdigit (master_key_ascii[i + 1]);
973
974 if(high_nibble < 0 || low_nibble < 0) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -0500975 printf("Invalid hex string\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600976 free (master_key);
977 return NULL;
978 }
979
980 master_key[*out_keysize] = high_nibble * 16 + low_nibble;
981 (*out_keysize)++;
982 }
983
984 return master_key;
985}
986
987/* Convert a binary key of specified length into an ascii hex string equivalent,
988 * without the leading 0x and with null termination
989 */
Ethan Yonkerba95ad12016-01-18 15:18:15 -0600990static void convert_key_to_hex_ascii(const unsigned char *master_key,
991 unsigned int keysize, char *master_key_ascii) {
992 unsigned int i, a;
993 unsigned char nibble;
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600994
Ethan Yonkerba95ad12016-01-18 15:18:15 -0600995 for (i=0, a=0; i<keysize; i++, a+=2) {
996 /* For each byte, write out two ascii hex digits */
997 nibble = (master_key[i] >> 4) & 0xf;
998 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
Ethan Yonker4eca40d2014-11-11 14:52:28 -0600999
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001000 nibble = master_key[i] & 0xf;
1001 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1002 }
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001003
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001004 /* Add the null termination */
1005 master_key_ascii[a] = '\0';
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001006
1007}
1008
1009static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
1010 char *real_blk_name, const char *name, int fd,
1011 char *extra_params)
1012{
1013 char buffer[DM_CRYPT_BUF_SIZE];
1014 struct dm_ioctl *io;
1015 struct dm_target_spec *tgt;
1016 char *crypt_params;
1017 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1018 int i;
1019
1020 io = (struct dm_ioctl *) buffer;
1021
1022 /* Load the mapping table for this device */
1023 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1024
1025 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1026 io->target_count = 1;
1027 tgt->status = 0;
1028 tgt->sector_start = 0;
1029 tgt->length = crypt_ftr->fs_size;
Dees Troyc657cc02015-01-16 22:48:47 +00001030#ifdef CONFIG_HW_DISK_ENCRYPTION
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001031 if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
1032 strlcpy(tgt->target_type, "req-crypt",DM_MAX_TYPE_NAME);
1033 if (is_ice_enabled())
1034 convert_key_to_hex_ascii(master_key, sizeof(int), master_key_ascii);
1035 else
1036 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1037 }
1038 else {
1039 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1040 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1041 }
Dees Troyc657cc02015-01-16 22:48:47 +00001042#else
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001043 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1044 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
Dees Troyc657cc02015-01-16 22:48:47 +00001045#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001046
1047 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1048 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1049 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
1050 master_key_ascii, real_blk_name, extra_params);
Dees Troyc657cc02015-01-16 22:48:47 +00001051
1052 printf("%s: target_type = %s\n", __func__, tgt->target_type);
1053 printf("%s: real_blk_name = %s, extra_params = %s\n", __func__, real_blk_name, extra_params);
1054
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001055 crypt_params += strlen(crypt_params) + 1;
1056 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1057 tgt->next = crypt_params - buffer;
1058
1059 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1060 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1061 break;
1062 }
1063 usleep(500000);
1064 }
1065
1066 if (i == TABLE_LOAD_RETRIES) {
1067 /* We failed to load the table, return an error */
1068 return -1;
1069 } else {
1070 return i + 1;
1071 }
1072}
1073
1074
1075static int get_dm_crypt_version(int fd, const char *name, int *version)
1076{
1077 char buffer[DM_CRYPT_BUF_SIZE];
1078 struct dm_ioctl *io;
1079 struct dm_target_versions *v;
Dees Troyc657cc02015-01-16 22:48:47 +00001080 int flag;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001081 int i;
1082
1083 io = (struct dm_ioctl *) buffer;
1084
1085 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1086
1087 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1088 return -1;
1089 }
1090
1091 /* Iterate over the returned versions, looking for name of "crypt".
1092 * When found, get and return the version.
1093 */
1094 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1095 while (v->next) {
Dees Troyc657cc02015-01-16 22:48:47 +00001096#ifdef CONFIG_HW_DISK_ENCRYPTION
1097 if (is_hw_fde_enabled()) {
1098 flag = (!strcmp(v->name, "crypt") || !strcmp(v->name, "req-crypt"));
1099 } else {
1100 flag = (!strcmp(v->name, "crypt"));
1101 }
1102 printf("get_dm_crypt_version flag: %i, name: '%s'\n", flag, v->name);
1103 if (flag) {
1104#else
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001105 if (! strcmp(v->name, "crypt")) {
Dees Troyc657cc02015-01-16 22:48:47 +00001106#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001107 /* We found the crypt driver, return the version, and get out */
1108 version[0] = v->version[0];
1109 version[1] = v->version[1];
1110 version[2] = v->version[2];
1111 return 0;
1112 }
1113 v = (struct dm_target_versions *)(((char *)v) + v->next);
1114 }
1115
1116 return -1;
1117}
1118
1119static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
1120 char *real_blk_name, char *crypto_blk_name, const char *name)
1121{
1122 char buffer[DM_CRYPT_BUF_SIZE];
1123 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1124 char *crypt_params;
1125 struct dm_ioctl *io;
1126 struct dm_target_spec *tgt;
1127 unsigned int minor;
Dees Troyc657cc02015-01-16 22:48:47 +00001128 int fd=0;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001129 int i;
1130 int retval = -1;
1131 int version[3];
1132 char *extra_params;
1133 int load_count;
Dees Troyc657cc02015-01-16 22:48:47 +00001134#ifdef CONFIG_HW_DISK_ENCRYPTION
1135 char encrypted_state[PROPERTY_VALUE_MAX] = {0};
1136 char progress[PROPERTY_VALUE_MAX] = {0};
1137#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001138
1139 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1140 printf("Cannot open device-mapper\n");
1141 goto errout;
1142 }
1143
1144 io = (struct dm_ioctl *) buffer;
1145
1146 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1147 if (ioctl(fd, DM_DEV_CREATE, io)) {
1148 printf("Cannot create dm-crypt device\n");
1149 goto errout;
1150 }
1151
1152 /* Get the device status, in particular, the name of it's device file */
1153 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1154 if (ioctl(fd, DM_DEV_STATUS, io)) {
1155 printf("Cannot retrieve dm-crypt device status\n");
1156 goto errout;
1157 }
1158 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1159 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1160
Dees Troyc657cc02015-01-16 22:48:47 +00001161#ifdef CONFIG_HW_DISK_ENCRYPTION
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001162 if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
1163 /* Set fde_enabled if either FDE completed or in-progress */
1164 property_get("ro.crypto.state", encrypted_state, ""); /* FDE completed */
1165 property_get("vold.encrypt_progress", progress, ""); /* FDE in progress */
1166 if (!strcmp(encrypted_state, "encrypted") || strcmp(progress, "")) {
1167 if (is_ice_enabled())
1168 extra_params = "fde_enabled ice";
1169 else
1170 extra_params = "fde_enabled";
1171 } else
1172 extra_params = "fde_disabled";
Dees Troyc657cc02015-01-16 22:48:47 +00001173 } else {
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001174 extra_params = "";
1175 if (! get_dm_crypt_version(fd, name, version)) {
1176 /* Support for allow_discards was added in version 1.11.0 */
1177 if ((version[0] >= 2) ||
1178 ((version[0] == 1) && (version[1] >= 11))) {
1179 extra_params = "1 allow_discards";
1180 printf("Enabling support for allow_discards in dmcrypt.\n");
Dees Troyc657cc02015-01-16 22:48:47 +00001181 }
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001182 }
Dees Troyc657cc02015-01-16 22:48:47 +00001183 }
1184#else
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001185 extra_params = "";
1186 if (! get_dm_crypt_version(fd, name, version)) {
1187 /* Support for allow_discards was added in version 1.11.0 */
1188 if ((version[0] >= 2) ||
1189 ((version[0] == 1) && (version[1] >= 11))) {
1190 extra_params = "1 allow_discards";
1191 printf("Enabling support for allow_discards in dmcrypt.\n");
1192 }
1193 }
Dees Troyc657cc02015-01-16 22:48:47 +00001194#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001195
1196 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1197 fd, extra_params);
1198 if (load_count < 0) {
1199 printf("Cannot load dm-crypt mapping table.\n");
1200 goto errout;
1201 } else if (load_count > 1) {
1202 printf("Took %d tries to load dmcrypt table.\n", load_count);
1203 }
1204
1205 /* Resume this device to activate it */
1206 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1207
1208 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1209 printf("Cannot resume the dm-crypt device\n");
1210 goto errout;
1211 }
1212
1213 /* We made it here with no errors. Woot! */
1214 retval = 0;
1215
1216errout:
1217 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1218
1219 return retval;
1220}
1221
Ethan Yonkerd79d9bc2014-12-20 15:38:29 -06001222int delete_crypto_blk_dev(char *name)
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001223{
1224 int fd;
1225 char buffer[DM_CRYPT_BUF_SIZE];
1226 struct dm_ioctl *io;
1227 int retval = -1;
1228
1229 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
1230 printf("Cannot open device-mapper\n");
1231 goto errout;
1232 }
1233
1234 io = (struct dm_ioctl *) buffer;
1235
1236 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1237 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1238 printf("Cannot remove dm-crypt device\n");
1239 goto errout;
1240 }
1241
1242 /* We made it here with no errors. Woot! */
1243 retval = 0;
1244
1245errout:
1246 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1247
1248 return retval;
1249
1250}
1251
1252static int pbkdf2(const char *passwd, const unsigned char *salt,
1253 unsigned char *ikey, void *params UNUSED)
1254{
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001255 printf("Using pbkdf2 for cryptfs KDF\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001256
1257 /* Turn the password into a key and IV that can decrypt the master key */
1258 unsigned int keysize;
1259 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize);
1260 if (!master_key) return -1;
1261 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN,
1262 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1263
1264 memset(master_key, 0, keysize);
1265 free (master_key);
1266 return 0;
1267}
1268
1269static int scrypt(const char *passwd, const unsigned char *salt,
1270 unsigned char *ikey, void *params)
1271{
1272 printf("Using scrypt for cryptfs KDF\n");
1273
1274 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1275
1276 int N = 1 << ftr->N_factor;
1277 int r = 1 << ftr->r_factor;
1278 int p = 1 << ftr->p_factor;
1279
1280 /* Turn the password into a key and IV that can decrypt the master key */
1281 unsigned int keysize;
1282 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize);
1283 if (!master_key) return -1;
1284 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey,
1285 KEY_LEN_BYTES + IV_LEN_BYTES);
1286
1287 memset(master_key, 0, keysize);
1288 free (master_key);
1289 return 0;
1290}
1291
1292static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1293 unsigned char *ikey, void *params)
1294{
1295 printf("Using scrypt with keymaster for cryptfs KDF\n");
1296
1297 int rc;
1298 unsigned int key_size;
1299 size_t signature_size;
1300 unsigned char* signature;
1301 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1302
1303 int N = 1 << ftr->N_factor;
1304 int r = 1 << ftr->r_factor;
1305 int p = 1 << ftr->p_factor;
1306
1307 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size);
1308 if (!master_key) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001309 printf("Failed to convert passwd from hex\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001310 return -1;
1311 }
1312
1313 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN,
1314 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1315 memset(master_key, 0, key_size);
1316 free(master_key);
1317
1318 if (rc) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001319 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001320 return -1;
1321 }
1322
1323 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1324 &signature, &signature_size)) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001325 printf("Signing failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001326 return -1;
1327 }
1328
1329 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1330 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1331 free(signature);
1332
1333 if (rc) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001334 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001335 return -1;
1336 }
1337
1338 return 0;
1339}
1340
1341static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1342 const unsigned char *decrypted_master_key,
1343 unsigned char *encrypted_master_key,
1344 struct crypt_mnt_ftr *crypt_ftr)
1345{
1346 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1347 EVP_CIPHER_CTX e_ctx;
1348 int encrypted_len, final_len;
1349 int rc = 0;
1350
1351 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1352 get_device_scrypt_params(crypt_ftr);
1353
1354 switch (crypt_ftr->kdf_type) {
1355 case KDF_SCRYPT_KEYMASTER_UNPADDED:
1356 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
1357 case KDF_SCRYPT_KEYMASTER:
1358 if (keymaster_create_key(crypt_ftr)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001359 printf("keymaster_create_key failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001360 return -1;
1361 }
1362
1363 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001364 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001365 return -1;
1366 }
1367 break;
1368
1369 case KDF_SCRYPT:
1370 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001371 printf("scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001372 return -1;
1373 }
1374 break;
1375
1376 default:
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001377 printf("Invalid kdf_type\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001378 return -1;
1379 }
1380
1381 /* Initialize the decryption engine */
1382 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1383 printf("EVP_EncryptInit failed\n");
1384 return -1;
1385 }
1386 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1387
1388 /* Encrypt the master key */
1389 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1390 decrypted_master_key, KEY_LEN_BYTES)) {
1391 printf("EVP_EncryptUpdate failed\n");
1392 return -1;
1393 }
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001394#ifndef TW_CRYPTO_HAVE_KEYMASTERX
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001395 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001396#else
1397 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1398#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001399 printf("EVP_EncryptFinal failed\n");
1400 return -1;
1401 }
1402
1403 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1404 printf("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1405 return -1;
1406 }
1407
1408 /* Store the scrypt of the intermediate key, so we can validate if it's a
1409 password error or mount error when things go wrong.
1410 Note there's no need to check for errors, since if this is incorrect, we
1411 simply won't wipe userdata, which is the correct default behavior
1412 */
1413 int N = 1 << crypt_ftr->N_factor;
1414 int r = 1 << crypt_ftr->r_factor;
1415 int p = 1 << crypt_ftr->p_factor;
1416
1417 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1418 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1419 crypt_ftr->scrypted_intermediate_key,
1420 sizeof(crypt_ftr->scrypted_intermediate_key));
1421
1422 if (rc) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001423 printf("encrypt_master_key: crypto_scrypt failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001424 }
1425
1426 return 0;
1427}
1428
1429static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
1430 unsigned char *encrypted_master_key,
1431 unsigned char *decrypted_master_key,
1432 kdf_func kdf, void *kdf_params,
1433 unsigned char** intermediate_key,
1434 size_t* intermediate_key_size)
1435{
1436 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1437 EVP_CIPHER_CTX d_ctx;
1438 int decrypted_len, final_len;
1439
1440 /* Turn the password into an intermediate key and IV that can decrypt the
1441 master key */
1442 if (kdf(passwd, salt, ikey, kdf_params)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001443 printf("kdf failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001444 return -1;
1445 }
1446
1447 /* Initialize the decryption engine */
1448 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
1449 return -1;
1450 }
1451 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1452 /* Decrypt the master key */
1453 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1454 encrypted_master_key, KEY_LEN_BYTES)) {
1455 return -1;
1456 }
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001457#ifndef TW_CRYPTO_HAVE_KEYMASTERX
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001458 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001459#else
1460 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1461#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001462 return -1;
1463 }
1464
1465 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1466 return -1;
1467 }
1468
1469 /* Copy intermediate key if needed by params */
1470 if (intermediate_key && intermediate_key_size) {
1471 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1472 if (intermediate_key) {
1473 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1474 *intermediate_key_size = KEY_LEN_BYTES;
1475 }
1476 }
1477
1478 return 0;
1479}
1480
1481static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1482{
1483 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED ||
1484 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED ||
1485 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1486 *kdf = scrypt_keymaster;
1487 *kdf_params = ftr;
1488 } else if (ftr->kdf_type == KDF_SCRYPT) {
1489 *kdf = scrypt;
1490 *kdf_params = ftr;
1491 } else {
1492 *kdf = pbkdf2;
1493 *kdf_params = NULL;
1494 }
1495}
1496
1497static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
1498 struct crypt_mnt_ftr *crypt_ftr,
1499 unsigned char** intermediate_key,
1500 size_t* intermediate_key_size)
1501{
1502 kdf_func kdf;
1503 void *kdf_params;
1504 int ret;
1505
1506 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1507 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1508 decrypted_master_key, kdf, kdf_params,
1509 intermediate_key, intermediate_key_size);
1510 if (ret != 0) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001511 printf("failure decrypting master key\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001512 }
1513
1514 return ret;
1515}
1516
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001517static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1518 char *passwd, char *mount_point, char *label)
1519{
1520 /* Allocate enough space for a 256 bit key, but we may use less */
1521 unsigned char decrypted_master_key[32];
1522 char crypto_blkdev[MAXPATHLEN];
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001523 char tmp_mount_point[64];
1524 unsigned int orig_failed_decrypt_count;
Dees Troyc657cc02015-01-16 22:48:47 +00001525 int rc = 0;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001526 kdf_func kdf;
1527 void *kdf_params;
1528 int use_keymaster = 0;
1529 int upgrade = 0;
1530 unsigned char* intermediate_key = 0;
1531 size_t intermediate_key_size = 0;
1532
1533 printf("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1534 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1535
1536 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1537 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1538 &intermediate_key, &intermediate_key_size)) {
1539 printf("Failed to decrypt master key\n");
1540 rc = -1;
1541 goto errout;
1542 }
1543 }
1544
Dees Troyc657cc02015-01-16 22:48:47 +00001545#ifdef CONFIG_HW_DISK_ENCRYPTION
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001546 int key_index = 0;
1547 if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
1548 key_index = verify_and_update_hw_fde_passwd(passwd, crypt_ftr);
1549 if (key_index < 0) {
1550 rc = crypt_ftr->failed_decrypt_count;
1551 goto errout;
1552 }
1553 else {
1554 if (is_ice_enabled()) {
1555 if (create_crypto_blk_dev(crypt_ftr, (unsigned char*)&key_index,
1556 real_blkdev, crypto_blkdev, label)) {
1557 printf("Error creating decrypted block device");
1558 rc = -1;
1559 goto errout;
1560 }
1561 } else {
1562 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1563 real_blkdev, crypto_blkdev, label)) {
1564 printf("Error creating decrypted block device");
1565 rc = -1;
1566 goto errout;
1567 }
Dees Troyc657cc02015-01-16 22:48:47 +00001568 }
1569 }
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001570 } else {
1571 /* in case HW FDE is delivered through OTA and device is already encrypted
1572 * using SW FDE, we should let user continue using SW FDE until userdata is
1573 * wiped.
1574 */
1575 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1576 real_blkdev, crypto_blkdev, label)) {
1577 printf("Error creating decrypted block device");
1578 rc = -1;
1579 goto errout;
1580 }
Dees Troyc657cc02015-01-16 22:48:47 +00001581 }
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001582#else
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001583 // Create crypto block device - all (non fatal) code paths
1584 // need it
1585 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1586 real_blkdev, crypto_blkdev, label)) {
1587 printf("Error creating decrypted block device\n");
1588 rc = -1;
1589 goto errout;
1590 }
Ethan Yonkerba95ad12016-01-18 15:18:15 -06001591#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001592
1593 /* Work out if the problem is the password or the data */
1594 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1595 scrypted_intermediate_key)];
1596 int N = 1 << crypt_ftr->N_factor;
1597 int r = 1 << crypt_ftr->r_factor;
1598 int p = 1 << crypt_ftr->p_factor;
1599
1600 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1601 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1602 N, r, p, scrypted_intermediate_key,
1603 sizeof(scrypted_intermediate_key));
1604
1605 // Does the key match the crypto footer?
1606 if (rc == 0 && memcmp(scrypted_intermediate_key,
1607 crypt_ftr->scrypted_intermediate_key,
1608 sizeof(scrypted_intermediate_key)) == 0) {
1609 printf("Password matches\n");
1610 rc = 0;
1611 } else {
1612 /* Try mounting the file system anyway, just in case the problem's with
1613 * the footer, not the key. */
1614 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1615 mkdir(tmp_mount_point, 0755);
Ethan Yonkerceb1e8a2015-12-22 11:41:40 -06001616 if (mount(crypto_blkdev, tmp_mount_point, file_system, 0, NULL) != 0) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001617 printf("Error temp mounting decrypted block device '%s'\n", crypto_blkdev);
1618 delete_crypto_blk_dev(label);
1619
1620 rc = ++crypt_ftr->failed_decrypt_count;
1621 //put_crypt_ftr_and_key(crypt_ftr); // Do not penalize for attempting to decrypt in recovery
1622 } else {
1623 /* Success! */
1624 printf("Password did not match but decrypted drive mounted - continue\n");
1625 umount(tmp_mount_point);
1626 rc = 0;
1627 }
1628 }
1629
1630 if (rc == 0) {
1631 /*crypt_ftr->failed_decrypt_count = 0;
1632 if (orig_failed_decrypt_count != 0) {
1633 put_crypt_ftr_and_key(crypt_ftr);
1634 }*/
1635
1636 /* Save the name of the crypto block device
1637 * so we can mount it when restarting the framework. */
1638 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1639
1640 /* Also save a the master key so we can reencrypted the key
1641 * the key when we want to change the password on it. */
1642 /*memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1643 saved_mount_point = strdup(mount_point);
1644 master_key_saved = 1;
1645 printf("%s(): Master key saved\n", __FUNCTION__);*/
1646 rc = 0;
1647
1648 // Upgrade if we're not using the latest KDF.
1649 /*use_keymaster = keymaster_check_compatibility();
1650 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1651 // Don't allow downgrade
1652 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1653 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1654 upgrade = 1;
1655 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1656 crypt_ftr->kdf_type = KDF_SCRYPT;
1657 upgrade = 1;
1658 }
1659
1660 if (upgrade) {
1661 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1662 crypt_ftr->master_key, crypt_ftr);
1663 if (!rc) {
1664 rc = put_crypt_ftr_and_key(crypt_ftr);
1665 }
1666 printf("Key Derivation Function upgrade: rc=%d\n", rc);
1667
1668 // Do not fail even if upgrade failed - machine is bootable
1669 // Note that if this code is ever hit, there is a *serious* problem
1670 // since KDFs should never fail. You *must* fix the kdf before
1671 // proceeding!
1672 if (rc) {
1673 printf("Upgrade failed with error %d,"
1674 " but continuing with previous state\n",
1675 rc);
1676 rc = 0;
1677 }
1678 }*/
1679 }
1680
1681 errout:
1682 if (intermediate_key) {
1683 memset(intermediate_key, 0, intermediate_key_size);
1684 free(intermediate_key);
1685 }
1686 return rc;
1687}
1688
1689/* Called by vold when it wants to undo the crypto mapping of a volume it
1690 * manages. This is usually in response to a factory reset, when we want
1691 * to undo the crypto mapping so the volume is formatted in the clear.
1692 */
1693int cryptfs_revert_volume(const char *label)
1694{
1695 return delete_crypto_blk_dev((char *)label);
1696}
1697
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001698int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
1699{
1700 char encrypted_state[PROPERTY_VALUE_MAX];
1701 property_get("ro.crypto.state", encrypted_state, "");
1702 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
1703 printf("encrypted fs already validated or not running with encryption,"
Ethan Yonkercceebb82014-11-18 10:17:59 -06001704 " aborting\n");
1705 //return -1;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001706 }
1707
1708 if (get_crypt_ftr_and_key(crypt_ftr)) {
Ethan Yonkercceebb82014-11-18 10:17:59 -06001709 printf("Error getting crypt footer and key\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001710 return -1;
1711 }
1712
1713 return 0;
1714}
1715
1716/*
1717 * TODO - transition patterns to new format in calling code
1718 * and remove this vile hack, and the use of hex in
1719 * the password passing code.
1720 *
1721 * Patterns are passed in zero based (i.e. the top left dot
1722 * is represented by zero, the top middle one etc), but we want
1723 * to store them '1' based.
1724 * This is to allow us to migrate the calling code to use this
1725 * convention. It also solves a nasty problem whereby scrypt ignores
1726 * trailing zeros, so patterns ending at the top left could be
1727 * truncated, and similarly, you could add the top left to any
1728 * pattern and still match.
1729 * adjust_passwd is a hack function that returns the alternate representation
1730 * if the password appears to be a pattern (hex numbers all less than 09)
1731 * If it succeeds we need to try both, and in particular try the alternate
1732 * first. If the original matches, then we need to update the footer
1733 * with the alternate.
1734 * All code that accepts passwords must adjust them first. Since
1735 * cryptfs_check_passwd is always the first function called after a migration
1736 * (and indeed on any boot) we only need to do the double try in this
1737 * function.
1738 */
1739char* adjust_passwd(const char* passwd)
1740{
1741 size_t index, length;
1742
1743 if (!passwd) {
1744 return 0;
1745 }
1746
1747 // Check even length. Hex encoded passwords are always
1748 // an even length, since each character encodes to two characters.
1749 length = strlen(passwd);
1750 if (length % 2) {
Dees Troyc657cc02015-01-16 22:48:47 +00001751 printf("Password not correctly hex encoded.\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001752 return 0;
1753 }
1754
1755 // Check password is old-style pattern - a collection of hex
1756 // encoded bytes less than 9 (00 through 08)
1757 for (index = 0; index < length; index +=2) {
1758 if (passwd[index] != '0'
1759 || passwd[index + 1] < '0' || passwd[index + 1] > '8') {
1760 return 0;
1761 }
1762 }
1763
1764 // Allocate room for adjusted passwd and null terminate
1765 char* adjusted = malloc(length + 1);
1766 adjusted[length] = 0;
1767
1768 // Add 0x31 ('1') to each character
1769 for (index = 0; index < length; index += 2) {
1770 // output is 31 through 39 so set first byte to three, second to src + 1
1771 adjusted[index] = '3';
1772 adjusted[index + 1] = passwd[index + 1] + 1;
1773 }
1774
1775 return adjusted;
1776}
1777
1778/*
1779 * Passwords in L get passed from Android to cryptfs in hex, so a '1'
1780 * gets converted to '31' where 31 is 0x31 which is the ascii character
1781 * code in hex of the character '1'. This function will convert the
1782 * regular character codes to their hexadecimal representation to make
1783 * decrypt work properly with Android 5.0 lollipop decryption.
1784 */
Dees Troyc657cc02015-01-16 22:48:47 +00001785char* hexadj_passwd(const char* passwd, int has_hw_crypto)
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001786{
1787 size_t index, length;
Dees Troyc657cc02015-01-16 22:48:47 +00001788 const char* ptr = passwd;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001789
1790 if (!passwd) {
1791 return 0;
1792 }
1793
1794 length = strlen(passwd);
1795
1796 // Allocate room for hex passwd and null terminate
1797 char* hex = malloc((length * 2) + 1);
1798 hex[length * 2] = 0;
1799
1800 // Convert to hex
1801 for (index = 0; index < length; index++) {
1802 sprintf(hex + (index * 2), "%02X", *ptr);
1803 ptr++;
1804 }
Dees Troyc657cc02015-01-16 22:48:47 +00001805#ifdef CONFIG_HW_DISK_ENCRYPTION
1806 if (has_hw_crypto) {
1807 printf("hexadj_passwd converting to lower case for hardware disk crypto.\n");
1808 length *= 2;
1809 for (index = 0; index < length; index++) {
1810 hex[index] = tolower(hex[index]);
1811 }
1812 }
1813#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001814 return hex;
1815}
1816
Ethan Yonker253368a2014-11-25 15:00:52 -06001817int cryptfs_check_footer()
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001818{
1819 int rc = -1;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001820 struct crypt_mnt_ftr crypt_ftr;
1821
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001822 rc = get_crypt_ftr_and_key(&crypt_ftr);
1823
1824 return rc;
1825}
1826
1827int cryptfs_check_passwd(char *passwd)
1828{
1829 struct crypt_mnt_ftr crypt_ftr;
1830 int rc;
Dees Troyc657cc02015-01-16 22:48:47 +00001831 int has_hw_crypto = 0;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001832
1833 rc = check_unmounted_and_get_ftr(&crypt_ftr);
1834 if (rc)
1835 return rc;
1836
Dees Troyc657cc02015-01-16 22:48:47 +00001837#ifdef CONFIG_HW_DISK_ENCRYPTION
1838 printf("CONFIG_HW_DISK_ENCRYPTION present\n");
1839 if (is_hw_fde_enabled() && is_hw_disk_encryption((char*) crypt_ftr.crypto_type_name))
1840 has_hw_crypto = 1;
1841#endif
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001842
Dees Troyc657cc02015-01-16 22:48:47 +00001843 //if (passwd) printf("passwd: '%s'\n", passwd);
1844 char* adjusted_passwd;
1845 if (!has_hw_crypto)
1846 adjusted_passwd = adjust_passwd(passwd);
1847 //if (adjusted_passwd) printf("adjusted_passwd: '%s'\n", adjusted_passwd);
1848 char* hex_passwd = hexadj_passwd(passwd, has_hw_crypto);
1849 //if (hex_passwd) printf("hex_passwd: '%s'\n", hex_passwd);
1850 printf("has_hw_crypto is %i\n", has_hw_crypto);
1851 if (!has_hw_crypto && adjusted_passwd) {
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001852 int failed_decrypt_count = crypt_ftr.failed_decrypt_count;
Dees Troyc657cc02015-01-16 22:48:47 +00001853 //printf("trying adjusted password '%s'\n", adjusted_passwd);
1854 rc = test_mount_encrypted_fs(&crypt_ftr, hex_passwd,
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001855 DATA_MNT_POINT, "userdata");
1856
1857 // Maybe the original one still works?
1858 if (rc) {
1859 // Don't double count this failure
Dees Troyc657cc02015-01-16 22:48:47 +00001860 //printf("trying passwd '%s'\n", passwd);
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001861 crypt_ftr.failed_decrypt_count = failed_decrypt_count;
1862 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
1863 DATA_MNT_POINT, "userdata");
1864 if (!rc) {
1865 // cryptfs_changepw also adjusts so pass original
1866 // Note that adjust_passwd only recognises patterns
1867 // so we can safely use CRYPT_TYPE_PATTERN
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001868 printf("TWRP NOT Updating pattern to new format\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001869 //cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd);
1870 } else if (hex_passwd) {
Dees Troyc657cc02015-01-16 22:48:47 +00001871 //printf("trying hex_passwd '%s'\n", hex_passwd);
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001872 rc = test_mount_encrypted_fs(&crypt_ftr, hex_passwd,
1873 DATA_MNT_POINT, "userdata");
1874 }
1875 }
1876 free(adjusted_passwd);
1877 } else {
Dees Troyc657cc02015-01-16 22:48:47 +00001878 if (hex_passwd) {
1879 //printf("2trying hex_passwd '%s'\n", hex_passwd);
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001880 rc = test_mount_encrypted_fs(&crypt_ftr, hex_passwd,
Dees Troyc657cc02015-01-16 22:48:47 +00001881 DATA_MNT_POINT, "userdata");
1882 } else {
1883 rc = 1;
1884 }
1885 if (rc && passwd) {
1886 //printf("2trying passwd '%s'\n", passwd);
1887 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001888 DATA_MNT_POINT, "userdata");
1889 }
1890 }
1891
1892 if (hex_passwd)
1893 free(hex_passwd);
1894
1895 /*if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
Dees Troyc657cc02015-01-16 22:48:47 +00001896 printf("cryptfs_check_passwd update expiry time?\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001897 cryptfs_clear_password();
1898 password = strdup(passwd);
1899 struct timespec now;
1900 clock_gettime(CLOCK_BOOTTIME, &now);
1901 password_expiry_time = now.tv_sec + password_max_age_seconds;
1902 }*/
1903
1904 return rc;
1905}
1906
1907int cryptfs_verify_passwd(char *passwd)
1908{
1909 struct crypt_mnt_ftr crypt_ftr;
1910 /* Allocate enough space for a 256 bit key, but we may use less */
1911 unsigned char decrypted_master_key[32];
1912 char encrypted_state[PROPERTY_VALUE_MAX];
1913 int rc;
1914
1915 property_get("ro.crypto.state", encrypted_state, "");
1916 if (strcmp(encrypted_state, "encrypted") ) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001917 printf("device not encrypted, aborting\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001918 return -2;
1919 }
1920
1921 if (!master_key_saved) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001922 printf("encrypted fs not yet mounted, aborting\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001923 return -1;
1924 }
1925
1926 if (!saved_mount_point) {
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001927 printf("encrypted fs failed to save mount point, aborting\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001928 return -1;
1929 }
1930
1931 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1932 printf("Error getting crypt footer and key\n");
1933 return -1;
1934 }
1935
1936 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
1937 /* If the device has no password, then just say the password is valid */
1938 rc = 0;
1939 } else {
1940 char* adjusted_passwd = adjust_passwd(passwd);
1941 if (adjusted_passwd) {
1942 passwd = adjusted_passwd;
1943 }
1944
1945 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
1946 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
1947 /* They match, the password is correct */
1948 rc = 0;
1949 } else {
1950 /* If incorrect, sleep for a bit to prevent dictionary attacks */
1951 sleep(1);
1952 rc = 1;
1953 }
1954
1955 free(adjusted_passwd);
1956 }
1957
1958 return rc;
1959}
1960
1961/* Initialize a crypt_mnt_ftr structure. The keysize is
1962 * defaulted to 16 bytes, and the filesystem size to 0.
1963 * Presumably, at a minimum, the caller will update the
1964 * filesystem size and crypto_type_name after calling this function.
1965 */
1966static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
1967{
1968 off64_t off;
1969
1970 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
1971 ftr->magic = CRYPT_MNT_MAGIC;
1972 ftr->major_version = CURRENT_MAJOR_VERSION;
1973 ftr->minor_version = CURRENT_MINOR_VERSION;
1974 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
1975 ftr->keysize = KEY_LEN_BYTES;
1976
1977 switch (keymaster_check_compatibility()) {
1978 case 1:
1979 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1980 break;
1981
1982 case 0:
1983 ftr->kdf_type = KDF_SCRYPT;
1984 break;
1985
1986 default:
Ethan Yonkerc798c9c2015-10-09 11:15:26 -05001987 printf("keymaster_check_compatibility failed\n");
Ethan Yonker4eca40d2014-11-11 14:52:28 -06001988 return -1;
1989 }
1990
1991 get_device_scrypt_params(ftr);
1992
1993 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
1994 if (get_crypt_ftr_info(NULL, &off) == 0) {
1995 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
1996 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
1997 ftr->persist_data_size;
1998 }
1999
2000 return 0;
2001}
2002
Ethan Yonker4eca40d2014-11-11 14:52:28 -06002003/* Returns type of the password, default, pattern, pin or password.
2004 */
2005int cryptfs_get_password_type(void)
2006{
2007 struct crypt_mnt_ftr crypt_ftr;
Ethan Yonker4eca40d2014-11-11 14:52:28 -06002008
2009 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2010 printf("Error getting crypt footer and key\n");
2011 return -1;
2012 }
2013
2014 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
2015 return -1;
2016 }
2017
2018 return crypt_ftr.crypt_type;
2019}