1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 /* TO DO:
18 * 1. Perhaps keep several copies of the encrypted key, in case something
19 * goes horribly wrong?
20 *
21 */
22
23 #include <sys/types.h>
24 #include <sys/wait.h>
25 #include <sys/stat.h>
26 #include <ctype.h>
27 #include <fcntl.h>
28 #include <inttypes.h>
29 #include <unistd.h>
30 #include <stdio.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
33 #include <libgen.h>
34 #include <stdlib.h>
35 #include <sys/param.h>
36 #include <string.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
40 #include <errno.h>
41 #include <ext4.h>
42 #include <linux/kdev_t.h>
43 #include <fs_mgr.h>
44 #include <time.h>
45 #include <math.h>
46 #include "cryptfs.h"
47 #define LOG_TAG "Cryptfs"
48 #include "cutils/log.h"
49 #include "cutils/properties.h"
50 #include "cutils/android_reboot.h"
51 #include "hardware_legacy/power.h"
52 #include <logwrap/logwrap.h>
53 #include "VolumeManager.h"
54 #include "VoldUtil.h"
55 #include "crypto_scrypt.h"
56 #include "Ext4Crypt.h"
57 #include "ext4_crypt_init_extensions.h"
58 #include "ext4_utils.h"
59 #include "f2fs_sparseblock.h"
60 #include "CheckBattery.h"
61 #include "Process.h"
62
63 #include <hardware/keymaster0.h>
64 #include <hardware/keymaster1.h>
65
66 #define UNUSED __attribute__((unused))
67
68 #define UNUSED __attribute__((unused))
69
70 #ifdef CONFIG_HW_DISK_ENCRYPTION
71 #include "cryptfs_hw.h"
72 #endif
73
74 #define DM_CRYPT_BUF_SIZE 4096
75
76 #define HASH_COUNT 2000
77 #define KEY_LEN_BYTES 16
78 #define IV_LEN_BYTES 16
79
80 #define KEY_IN_FOOTER "footer"
81
82 #define DEFAULT_PASSWORD "default_password"
83
84 #define EXT4_FS 1
85 #define F2FS_FS 2
86
87 #define TABLE_LOAD_RETRIES 10
88
89 #define RSA_KEY_SIZE 2048
90 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
91 #define RSA_EXPONENT 0x10001
92 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
93
94 #define RETRY_MOUNT_ATTEMPTS 10
95 #define RETRY_MOUNT_DELAY_SECONDS 1
96
97 char *me = "cryptfs";
98
99 static unsigned char saved_master_key[KEY_LEN_BYTES];
100 static char *saved_mount_point;
101 static int master_key_saved = 0;
102 static struct crypt_persist_data *persist_data = NULL;
103
keymaster_init(keymaster0_device_t ** keymaster0_dev,keymaster1_device_t ** keymaster1_dev)104 static int keymaster_init(keymaster0_device_t **keymaster0_dev,
105 keymaster1_device_t **keymaster1_dev)
106 {
107 int rc;
108
109 const hw_module_t* mod;
110 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
111 if (rc) {
112 ALOGE("could not find any keystore module");
113 goto err;
114 }
115
116 SLOGI("keymaster module name is %s", mod->name);
117 SLOGI("keymaster version is %d", mod->module_api_version);
118
119 *keymaster0_dev = NULL;
120 *keymaster1_dev = NULL;
121 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
122 SLOGI("Found keymaster1 module, using keymaster1 API.");
123 rc = keymaster1_open(mod, keymaster1_dev);
124 } else {
125 SLOGI("Found keymaster0 module, using keymaster0 API.");
126 rc = keymaster0_open(mod, keymaster0_dev);
127 }
128
129 if (rc) {
130 ALOGE("could not open keymaster device in %s (%s)",
131 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
132 goto err;
133 }
134
135 return 0;
136
137 err:
138 *keymaster0_dev = NULL;
139 *keymaster1_dev = NULL;
140 return rc;
141 }
142
143 /* Should we use keymaster? */
keymaster_check_compatibility()144 static int keymaster_check_compatibility()
145 {
146 keymaster0_device_t *keymaster0_dev = 0;
147 keymaster1_device_t *keymaster1_dev = 0;
148 int rc = 0;
149
150 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
151 SLOGE("Failed to init keymaster");
152 rc = -1;
153 goto out;
154 }
155
156 if (keymaster1_dev) {
157 rc = 1;
158 goto out;
159 }
160
161 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2
162 // should work.
163 if (keymaster0_dev->common.module->module_api_version
164 < KEYMASTER_MODULE_API_VERSION_0_3) {
165 rc = 0;
166 goto out;
167 }
168
169 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
170 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
171 rc = 1;
172 }
173
174 out:
175 if (keymaster1_dev) {
176 keymaster1_close(keymaster1_dev);
177 }
178 if (keymaster0_dev) {
179 keymaster0_close(keymaster0_dev);
180 }
181 return rc;
182 }
183
184 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)185 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
186 {
187 uint8_t* key = 0;
188 keymaster0_device_t *keymaster0_dev = 0;
189 keymaster1_device_t *keymaster1_dev = 0;
190
191 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
192 SLOGE("Failed to init keymaster");
193 return -1;
194 }
195
196 int rc = 0;
197 size_t key_size = 0;
198 if (keymaster1_dev) {
199 keymaster_key_param_t params[] = {
200 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */
201 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
202 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
203 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
204
205 /* The only allowed purpose for this key is signing. */
206 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
207
208 /* Padding & digest specifications. */
209 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
210 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
211
212 /* Require that the key be usable in standalone mode. File system isn't available. */
213 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
214
215 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
216 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
217
218 /* Rate-limit key usage attempts, to rate-limit brute force */
219 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
220 };
221 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
222 keymaster_key_blob_t key_blob;
223 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, ¶m_set,
224 &key_blob,
225 NULL /* characteristics */);
226 if (error != KM_ERROR_OK) {
227 SLOGE("Failed to generate keymaster1 key, error %d", error);
228 rc = -1;
229 goto out;
230 }
231
232 key = (uint8_t*)key_blob.key_material;
233 key_size = key_blob.key_material_size;
234 }
235 else if (keymaster0_dev) {
236 keymaster_rsa_keygen_params_t params;
237 memset(¶ms, '\0', sizeof(params));
238 params.public_exponent = RSA_EXPONENT;
239 params.modulus_size = RSA_KEY_SIZE;
240
241 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms,
242 &key, &key_size)) {
243 SLOGE("Failed to generate keypair");
244 rc = -1;
245 goto out;
246 }
247 } else {
248 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device");
249 rc = -1;
250 goto out;
251 }
252
253 if (key_size > KEYMASTER_BLOB_SIZE) {
254 SLOGE("Keymaster key too large for crypto footer");
255 rc = -1;
256 goto out;
257 }
258
259 memcpy(ftr->keymaster_blob, key, key_size);
260 ftr->keymaster_blob_size = key_size;
261
262 out:
263 if (keymaster0_dev)
264 keymaster0_close(keymaster0_dev);
265 if (keymaster1_dev)
266 keymaster1_close(keymaster1_dev);
267 free(key);
268 return rc;
269 }
270
271 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)272 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
273 const unsigned char *object,
274 const size_t object_size,
275 unsigned char **signature,
276 size_t *signature_size)
277 {
278 int rc = 0;
279 keymaster0_device_t *keymaster0_dev = 0;
280 keymaster1_device_t *keymaster1_dev = 0;
281 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
282 SLOGE("Failed to init keymaster");
283 rc = -1;
284 goto out;
285 }
286
287 unsigned char to_sign[RSA_KEY_SIZE_BYTES];
288 size_t to_sign_size = sizeof(to_sign);
289 memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
290
291 // To sign a message with RSA, the message must satisfy two
292 // constraints:
293 //
294 // 1. The message, when interpreted as a big-endian numeric value, must
295 // be strictly less than the public modulus of the RSA key. Note
296 // that because the most significant bit of the public modulus is
297 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
298 // key), an n-bit message with most significant bit 0 always
299 // satisfies this requirement.
300 //
301 // 2. The message must have the same length in bits as the public
302 // modulus of the RSA key. This requirement isn't mathematically
303 // necessary, but is necessary to ensure consistency in
304 // implementations.
305 switch (ftr->kdf_type) {
306 case KDF_SCRYPT_KEYMASTER:
307 // This ensures the most significant byte of the signed message
308 // is zero. We could have zero-padded to the left instead, but
309 // this approach is slightly more robust against changes in
310 // object size. However, it's still broken (but not unusably
311 // so) because we really should be using a proper deterministic
312 // RSA padding function, such as PKCS1.
313 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
314 SLOGI("Signing safely-padded object");
315 break;
316 default:
317 SLOGE("Unknown KDF type %d", ftr->kdf_type);
318 rc = -1;
319 goto out;
320 }
321
322 if (keymaster0_dev) {
323 keymaster_rsa_sign_params_t params;
324 params.digest_type = DIGEST_NONE;
325 params.padding_type = PADDING_NONE;
326
327 rc = keymaster0_dev->sign_data(keymaster0_dev,
328 ¶ms,
329 ftr->keymaster_blob,
330 ftr->keymaster_blob_size,
331 to_sign,
332 to_sign_size,
333 signature,
334 signature_size);
335 goto out;
336 } else if (keymaster1_dev) {
337 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
338 keymaster_key_param_t params[] = {
339 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
340 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
341 };
342 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
343 keymaster_operation_handle_t op_handle;
344 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
345 ¶m_set, NULL /* out_params */,
346 &op_handle);
347 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
348 // Key usage has been rate-limited. Wait a bit and try again.
349 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
350 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
351 ¶m_set, NULL /* out_params */,
352 &op_handle);
353 }
354 if (error != KM_ERROR_OK) {
355 SLOGE("Error starting keymaster signature transaction: %d", error);
356 rc = -1;
357 goto out;
358 }
359
360 keymaster_blob_t input = { to_sign, to_sign_size };
361 size_t input_consumed;
362 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
363 &input, &input_consumed, NULL /* out_params */,
364 NULL /* output */);
365 if (error != KM_ERROR_OK) {
366 SLOGE("Error sending data to keymaster signature transaction: %d", error);
367 rc = -1;
368 goto out;
369 }
370 if (input_consumed != to_sign_size) {
371 // This should never happen. If it does, it's a bug in the keymaster implementation.
372 SLOGE("Keymaster update() did not consume all data.");
373 keymaster1_dev->abort(keymaster1_dev, op_handle);
374 rc = -1;
375 goto out;
376 }
377
378 keymaster_blob_t tmp_sig;
379 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
380 NULL /* verify signature */, NULL /* out_params */,
381 &tmp_sig);
382 if (error != KM_ERROR_OK) {
383 SLOGE("Error finishing keymaster signature transaction: %d", error);
384 rc = -1;
385 goto out;
386 }
387
388 *signature = (uint8_t*)tmp_sig.data;
389 *signature_size = tmp_sig.data_length;
390 } else {
391 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device.");
392 rc = -1;
393 goto out;
394 }
395
396 out:
397 if (keymaster1_dev)
398 keymaster1_close(keymaster1_dev);
399 if (keymaster0_dev)
400 keymaster0_close(keymaster0_dev);
401
402 return rc;
403 }
404
405 /* Store password when userdata is successfully decrypted and mounted.
406 * Cleared by cryptfs_clear_password
407 *
408 * To avoid a double prompt at boot, we need to store the CryptKeeper
409 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
410 * Since the entire framework is torn down and rebuilt after encryption,
411 * we have to use a daemon or similar to store the password. Since vold
412 * is secured against IPC except from system processes, it seems a reasonable
413 * place to store this.
414 *
415 * password should be cleared once it has been used.
416 *
417 * password is aged out after password_max_age_seconds seconds.
418 */
419 static char* password = 0;
420 static int password_expiry_time = 0;
421 static const int password_max_age_seconds = 60;
422
423 extern struct fstab *fstab;
424
425 enum RebootType {reboot, recovery, shutdown};
cryptfs_reboot(enum RebootType rt)426 static void cryptfs_reboot(enum RebootType rt)
427 {
428 switch(rt) {
429 case reboot:
430 property_set(ANDROID_RB_PROPERTY, "reboot");
431 break;
432
433 case recovery:
434 property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
435 break;
436
437 case shutdown:
438 property_set(ANDROID_RB_PROPERTY, "shutdown");
439 break;
440 }
441
442 sleep(20);
443
444 /* Shouldn't get here, reboot should happen before sleep times out */
445 return;
446 }
447
ioctl_init(struct dm_ioctl * io,size_t dataSize,const char * name,unsigned flags)448 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
449 {
450 memset(io, 0, dataSize);
451 io->data_size = dataSize;
452 io->data_start = sizeof(struct dm_ioctl);
453 io->version[0] = 4;
454 io->version[1] = 0;
455 io->version[2] = 0;
456 io->flags = flags;
457 if (name) {
458 strlcpy(io->name, name, sizeof(io->name));
459 }
460 }
461
462 /**
463 * Gets the default device scrypt parameters for key derivation time tuning.
464 * The parameters should lead to about one second derivation time for the
465 * given device.
466 */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)467 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
468 const int default_params[] = SCRYPT_DEFAULTS;
469 int params[] = SCRYPT_DEFAULTS;
470 char paramstr[PROPERTY_VALUE_MAX];
471 char *token;
472 char *saveptr;
473 int i;
474
475 property_get(SCRYPT_PROP, paramstr, "");
476 if (paramstr[0] != '\0') {
477 /*
478 * The token we're looking for should be three integers separated by
479 * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
480 */
481 for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
482 token != NULL && i < 3;
483 i++, token = strtok_r(NULL, ":", &saveptr)) {
484 char *endptr;
485 params[i] = strtol(token, &endptr, 10);
486
487 /*
488 * Check that there was a valid number and it's 8-bit. If not,
489 * break out and the end check will take the default values.
490 */
491 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
492 break;
493 }
494 }
495
496 /*
497 * If there were not enough tokens or a token was malformed (not an
498 * integer), it will end up here and the default parameters can be
499 * taken.
500 */
501 if ((i != 3) || (token != NULL)) {
502 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
503 memcpy(params, default_params, sizeof(params));
504 }
505 }
506
507 ftr->N_factor = params[0];
508 ftr->r_factor = params[1];
509 ftr->p_factor = params[2];
510 }
511
get_fs_size(char * dev)512 static unsigned int get_fs_size(char *dev)
513 {
514 int fd, block_size;
515 struct ext4_super_block sb;
516 off64_t len;
517
518 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
519 SLOGE("Cannot open device to get filesystem size ");
520 return 0;
521 }
522
523 if (lseek64(fd, 1024, SEEK_SET) < 0) {
524 SLOGE("Cannot seek to superblock");
525 return 0;
526 }
527
528 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
529 SLOGE("Cannot read superblock");
530 return 0;
531 }
532
533 close(fd);
534
535 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
536 SLOGE("Not a valid ext4 superblock");
537 return 0;
538 }
539 block_size = 1024 << sb.s_log_block_size;
540 /* compute length in bytes */
541 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
542
543 /* return length in sectors */
544 return (unsigned int) (len / 512);
545 }
546
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)547 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
548 {
549 static int cached_data = 0;
550 static off64_t cached_off = 0;
551 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
552 int fd;
553 char key_loc[PROPERTY_VALUE_MAX];
554 char real_blkdev[PROPERTY_VALUE_MAX];
555 int rc = -1;
556
557 if (!cached_data) {
558 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
559
560 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
561 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
562 SLOGE("Cannot open real block device %s\n", real_blkdev);
563 return -1;
564 }
565
566 unsigned long nr_sec = 0;
567 get_blkdev_size(fd, &nr_sec);
568 if (nr_sec != 0) {
569 /* If it's an encrypted Android partition, the last 16 Kbytes contain the
570 * encryption info footer and key, and plenty of bytes to spare for future
571 * growth.
572 */
573 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
574 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
575 cached_data = 1;
576 } else {
577 SLOGE("Cannot get size of block device %s\n", real_blkdev);
578 }
579 close(fd);
580 } else {
581 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
582 cached_off = 0;
583 cached_data = 1;
584 }
585 }
586
587 if (cached_data) {
588 if (metadata_fname) {
589 *metadata_fname = cached_metadata_fname;
590 }
591 if (off) {
592 *off = cached_off;
593 }
594 rc = 0;
595 }
596
597 return rc;
598 }
599
600 /* key or salt can be NULL, in which case just skip writing that value. Useful to
601 * update the failed mount count but not change the key.
602 */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)603 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
604 {
605 int fd;
606 unsigned int cnt;
607 /* starting_off is set to the SEEK_SET offset
608 * where the crypto structure starts
609 */
610 off64_t starting_off;
611 int rc = -1;
612 char *fname = NULL;
613 struct stat statbuf;
614
615 if (get_crypt_ftr_info(&fname, &starting_off)) {
616 SLOGE("Unable to get crypt_ftr_info\n");
617 return -1;
618 }
619 if (fname[0] != '/') {
620 SLOGE("Unexpected value for crypto key location\n");
621 return -1;
622 }
623 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
624 SLOGE("Cannot open footer file %s for put\n", fname);
625 return -1;
626 }
627
628 /* Seek to the start of the crypt footer */
629 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
630 SLOGE("Cannot seek to real block device footer\n");
631 goto errout;
632 }
633
634 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
635 SLOGE("Cannot write real block device footer\n");
636 goto errout;
637 }
638
639 fstat(fd, &statbuf);
640 /* If the keys are kept on a raw block device, do not try to truncate it. */
641 if (S_ISREG(statbuf.st_mode)) {
642 if (ftruncate(fd, 0x4000)) {
643 SLOGE("Cannot set footer file size\n");
644 goto errout;
645 }
646 }
647
648 /* Success! */
649 rc = 0;
650
651 errout:
652 close(fd);
653 return rc;
654
655 }
656
unix_read(int fd,void * buff,int len)657 static inline int unix_read(int fd, void* buff, int len)
658 {
659 return TEMP_FAILURE_RETRY(read(fd, buff, len));
660 }
661
unix_write(int fd,const void * buff,int len)662 static inline int unix_write(int fd, const void* buff, int len)
663 {
664 return TEMP_FAILURE_RETRY(write(fd, buff, len));
665 }
666
init_empty_persist_data(struct crypt_persist_data * pdata,int len)667 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
668 {
669 memset(pdata, 0, len);
670 pdata->persist_magic = PERSIST_DATA_MAGIC;
671 pdata->persist_valid_entries = 0;
672 }
673
674 /* A routine to update the passed in crypt_ftr to the lastest version.
675 * fd is open read/write on the device that holds the crypto footer and persistent
676 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
677 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
678 */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)679 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
680 {
681 int orig_major = crypt_ftr->major_version;
682 int orig_minor = crypt_ftr->minor_version;
683
684 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
685 struct crypt_persist_data *pdata;
686 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
687
688 SLOGW("upgrading crypto footer to 1.1");
689
690 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
691 if (pdata == NULL) {
692 SLOGE("Cannot allocate persisent data\n");
693 return;
694 }
695 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
696
697 /* Need to initialize the persistent data area */
698 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
699 SLOGE("Cannot seek to persisent data offset\n");
700 free(pdata);
701 return;
702 }
703 /* Write all zeros to the first copy, making it invalid */
704 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
705
706 /* Write a valid but empty structure to the second copy */
707 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
708 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
709
710 /* Update the footer */
711 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
712 crypt_ftr->persist_data_offset[0] = pdata_offset;
713 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
714 crypt_ftr->minor_version = 1;
715 free(pdata);
716 }
717
718 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
719 SLOGW("upgrading crypto footer to 1.2");
720 /* But keep the old kdf_type.
721 * It will get updated later to KDF_SCRYPT after the password has been verified.
722 */
723 crypt_ftr->kdf_type = KDF_PBKDF2;
724 get_device_scrypt_params(crypt_ftr);
725 crypt_ftr->minor_version = 2;
726 }
727
728 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
729 SLOGW("upgrading crypto footer to 1.3");
730 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
731 crypt_ftr->minor_version = 3;
732 }
733
734 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
735 if (lseek64(fd, offset, SEEK_SET) == -1) {
736 SLOGE("Cannot seek to crypt footer\n");
737 return;
738 }
739 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
740 }
741 }
742
743
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)744 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
745 {
746 int fd;
747 unsigned int cnt;
748 off64_t starting_off;
749 int rc = -1;
750 char *fname = NULL;
751 struct stat statbuf;
752
753 if (get_crypt_ftr_info(&fname, &starting_off)) {
754 SLOGE("Unable to get crypt_ftr_info\n");
755 return -1;
756 }
757 if (fname[0] != '/') {
758 SLOGE("Unexpected value for crypto key location\n");
759 return -1;
760 }
761 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
762 SLOGE("Cannot open footer file %s for get\n", fname);
763 return -1;
764 }
765
766 /* Make sure it's 16 Kbytes in length */
767 fstat(fd, &statbuf);
768 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
769 SLOGE("footer file %s is not the expected size!\n", fname);
770 goto errout;
771 }
772
773 /* Seek to the start of the crypt footer */
774 if (lseek64(fd, starting_off, SEEK_SET) == -1) {
775 SLOGE("Cannot seek to real block device footer\n");
776 goto errout;
777 }
778
779 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
780 SLOGE("Cannot read real block device footer\n");
781 goto errout;
782 }
783
784 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
785 SLOGE("Bad magic for real block device %s\n", fname);
786 goto errout;
787 }
788
789 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
790 SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
791 crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
792 goto errout;
793 }
794
795 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
796 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
797 crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
798 }
799
800 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
801 * copy on disk before returning.
802 */
803 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
804 upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
805 }
806
807 /* Success! */
808 rc = 0;
809
810 errout:
811 close(fd);
812 return rc;
813 }
814
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)815 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
816 {
817 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
818 crypt_ftr->persist_data_offset[1]) {
819 SLOGE("Crypt_ftr persist data regions overlap");
820 return -1;
821 }
822
823 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
824 SLOGE("Crypt_ftr persist data region 0 starts after region 1");
825 return -1;
826 }
827
828 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
829 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
830 CRYPT_FOOTER_OFFSET) {
831 SLOGE("Persistent data extends past crypto footer");
832 return -1;
833 }
834
835 return 0;
836 }
837
load_persistent_data(void)838 static int load_persistent_data(void)
839 {
840 struct crypt_mnt_ftr crypt_ftr;
841 struct crypt_persist_data *pdata = NULL;
842 char encrypted_state[PROPERTY_VALUE_MAX];
843 char *fname;
844 int found = 0;
845 int fd;
846 int ret;
847 int i;
848
849 if (persist_data) {
850 /* Nothing to do, we've already loaded or initialized it */
851 return 0;
852 }
853
854
855 /* If not encrypted, just allocate an empty table and initialize it */
856 property_get("ro.crypto.state", encrypted_state, "");
857 if (strcmp(encrypted_state, "encrypted") ) {
858 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
859 if (pdata) {
860 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
861 persist_data = pdata;
862 return 0;
863 }
864 return -1;
865 }
866
867 if(get_crypt_ftr_and_key(&crypt_ftr)) {
868 return -1;
869 }
870
871 if ((crypt_ftr.major_version < 1)
872 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
873 SLOGE("Crypt_ftr version doesn't support persistent data");
874 return -1;
875 }
876
877 if (get_crypt_ftr_info(&fname, NULL)) {
878 return -1;
879 }
880
881 ret = validate_persistent_data_storage(&crypt_ftr);
882 if (ret) {
883 return -1;
884 }
885
886 fd = open(fname, O_RDONLY|O_CLOEXEC);
887 if (fd < 0) {
888 SLOGE("Cannot open %s metadata file", fname);
889 return -1;
890 }
891
892 if (persist_data == NULL) {
893 pdata = malloc(crypt_ftr.persist_data_size);
894 if (pdata == NULL) {
895 SLOGE("Cannot allocate memory for persistent data");
896 goto err;
897 }
898 }
899
900 for (i = 0; i < 2; i++) {
901 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
902 SLOGE("Cannot seek to read persistent data on %s", fname);
903 goto err2;
904 }
905 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
906 SLOGE("Error reading persistent data on iteration %d", i);
907 goto err2;
908 }
909 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
910 found = 1;
911 break;
912 }
913 }
914
915 if (!found) {
916 SLOGI("Could not find valid persistent data, creating");
917 init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
918 }
919
920 /* Success */
921 persist_data = pdata;
922 close(fd);
923 return 0;
924
925 err2:
926 free(pdata);
927
928 err:
929 close(fd);
930 return -1;
931 }
932
save_persistent_data(void)933 static int save_persistent_data(void)
934 {
935 struct crypt_mnt_ftr crypt_ftr;
936 struct crypt_persist_data *pdata;
937 char *fname;
938 off64_t write_offset;
939 off64_t erase_offset;
940 int fd;
941 int ret;
942
943 if (persist_data == NULL) {
944 SLOGE("No persistent data to save");
945 return -1;
946 }
947
948 if(get_crypt_ftr_and_key(&crypt_ftr)) {
949 return -1;
950 }
951
952 if ((crypt_ftr.major_version < 1)
953 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
954 SLOGE("Crypt_ftr version doesn't support persistent data");
955 return -1;
956 }
957
958 ret = validate_persistent_data_storage(&crypt_ftr);
959 if (ret) {
960 return -1;
961 }
962
963 if (get_crypt_ftr_info(&fname, NULL)) {
964 return -1;
965 }
966
967 fd = open(fname, O_RDWR|O_CLOEXEC);
968 if (fd < 0) {
969 SLOGE("Cannot open %s metadata file", fname);
970 return -1;
971 }
972
973 pdata = malloc(crypt_ftr.persist_data_size);
974 if (pdata == NULL) {
975 SLOGE("Cannot allocate persistant data");
976 goto err;
977 }
978
979 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
980 SLOGE("Cannot seek to read persistent data on %s", fname);
981 goto err2;
982 }
983
984 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
985 SLOGE("Error reading persistent data before save");
986 goto err2;
987 }
988
989 if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
990 /* The first copy is the curent valid copy, so write to
991 * the second copy and erase this one */
992 write_offset = crypt_ftr.persist_data_offset[1];
993 erase_offset = crypt_ftr.persist_data_offset[0];
994 } else {
995 /* The second copy must be the valid copy, so write to
996 * the first copy, and erase the second */
997 write_offset = crypt_ftr.persist_data_offset[0];
998 erase_offset = crypt_ftr.persist_data_offset[1];
999 }
1000
1001 /* Write the new copy first, if successful, then erase the old copy */
1002 if (lseek64(fd, write_offset, SEEK_SET) < 0) {
1003 SLOGE("Cannot seek to write persistent data");
1004 goto err2;
1005 }
1006 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
1007 (int) crypt_ftr.persist_data_size) {
1008 if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
1009 SLOGE("Cannot seek to erase previous persistent data");
1010 goto err2;
1011 }
1012 fsync(fd);
1013 memset(pdata, 0, crypt_ftr.persist_data_size);
1014 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
1015 (int) crypt_ftr.persist_data_size) {
1016 SLOGE("Cannot write to erase previous persistent data");
1017 goto err2;
1018 }
1019 fsync(fd);
1020 } else {
1021 SLOGE("Cannot write to save persistent data");
1022 goto err2;
1023 }
1024
1025 /* Success */
1026 free(pdata);
1027 close(fd);
1028 return 0;
1029
1030 err2:
1031 free(pdata);
1032 err:
1033 close(fd);
1034 return -1;
1035 }
1036
1037 /* Convert a binary key of specified length into an ascii hex string equivalent,
1038 * without the leading 0x and with null termination
1039 */
convert_key_to_hex_ascii(const unsigned char * master_key,unsigned int keysize,char * master_key_ascii)1040 static void convert_key_to_hex_ascii(const unsigned char *master_key,
1041 unsigned int keysize, char *master_key_ascii) {
1042 unsigned int i, a;
1043 unsigned char nibble;
1044
1045 for (i=0, a=0; i<keysize; i++, a+=2) {
1046 /* For each byte, write out two ascii hex digits */
1047 nibble = (master_key[i] >> 4) & 0xf;
1048 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
1049
1050 nibble = master_key[i] & 0xf;
1051 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1052 }
1053
1054 /* Add the null termination */
1055 master_key_ascii[a] = '\0';
1056
1057 }
1058
load_crypto_mapping_table(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,const char * name,int fd,const char * extra_params)1059 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
1060 const unsigned char *master_key, const char *real_blk_name,
1061 const char *name, int fd, const char *extra_params) {
1062 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
1063 struct dm_ioctl *io;
1064 struct dm_target_spec *tgt;
1065 char *crypt_params;
1066 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1067 int i;
1068
1069 io = (struct dm_ioctl *) buffer;
1070
1071 /* Load the mapping table for this device */
1072 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1073
1074 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1075 io->target_count = 1;
1076 tgt->status = 0;
1077 tgt->sector_start = 0;
1078 tgt->length = crypt_ftr->fs_size;
1079 #ifdef CONFIG_HW_DISK_ENCRYPTION
1080 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1081 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME);
1082 }
1083 else {
1084 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1085 }
1086 #else
1087 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1088 #endif
1089
1090 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1091 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1092 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
1093 master_key_ascii, real_blk_name, extra_params);
1094 crypt_params += strlen(crypt_params) + 1;
1095 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1096 tgt->next = crypt_params - buffer;
1097
1098 for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1099 if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1100 break;
1101 }
1102 usleep(500000);
1103 }
1104
1105 if (i == TABLE_LOAD_RETRIES) {
1106 /* We failed to load the table, return an error */
1107 return -1;
1108 } else {
1109 return i + 1;
1110 }
1111 }
1112
1113
get_dm_crypt_version(int fd,const char * name,int * version)1114 static int get_dm_crypt_version(int fd, const char *name, int *version)
1115 {
1116 char buffer[DM_CRYPT_BUF_SIZE];
1117 struct dm_ioctl *io;
1118 struct dm_target_versions *v;
1119
1120 io = (struct dm_ioctl *) buffer;
1121
1122 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1123
1124 if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1125 return -1;
1126 }
1127
1128 /* Iterate over the returned versions, looking for name of "crypt".
1129 * When found, get and return the version.
1130 */
1131 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1132 while (v->next) {
1133 #ifdef CONFIG_HW_DISK_ENCRYPTION
1134 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
1135 #else
1136 if (! strcmp(v->name, "crypt")) {
1137 #endif
1138 /* We found the crypt driver, return the version, and get out */
1139 version[0] = v->version[0];
1140 version[1] = v->version[1];
1141 version[2] = v->version[2];
1142 return 0;
1143 }
1144 v = (struct dm_target_versions *)(((char *)v) + v->next);
1145 }
1146
1147 return -1;
1148 }
1149
1150 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr,
1151 const unsigned char *master_key, const char *real_blk_name,
1152 char *crypto_blk_name, const char *name) {
1153 char buffer[DM_CRYPT_BUF_SIZE];
1154 struct dm_ioctl *io;
1155 unsigned int minor;
1156 int fd=0;
1157 int retval = -1;
1158 int version[3];
1159 char *extra_params;
1160 int load_count;
1161
1162 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1163 SLOGE("Cannot open device-mapper\n");
1164 goto errout;
1165 }
1166
1167 io = (struct dm_ioctl *) buffer;
1168
1169 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1170 if (ioctl(fd, DM_DEV_CREATE, io)) {
1171 SLOGE("Cannot create dm-crypt device\n");
1172 goto errout;
1173 }
1174
1175 /* Get the device status, in particular, the name of it's device file */
1176 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1177 if (ioctl(fd, DM_DEV_STATUS, io)) {
1178 SLOGE("Cannot retrieve dm-crypt device status\n");
1179 goto errout;
1180 }
1181 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1182 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1183
1184 extra_params = "";
1185 if (! get_dm_crypt_version(fd, name, version)) {
1186 /* Support for allow_discards was added in version 1.11.0 */
1187 if ((version[0] >= 2) ||
1188 ((version[0] == 1) && (version[1] >= 11))) {
1189 extra_params = "1 allow_discards";
1190 SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1191 }
1192 }
1193
1194 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1195 fd, extra_params);
1196 if (load_count < 0) {
1197 SLOGE("Cannot load dm-crypt mapping table.\n");
1198 goto errout;
1199 } else if (load_count > 1) {
1200 SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1201 }
1202
1203 /* Resume this device to activate it */
1204 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1205
1206 if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1207 SLOGE("Cannot resume the dm-crypt device\n");
1208 goto errout;
1209 }
1210
1211 /* We made it here with no errors. Woot! */
1212 retval = 0;
1213
1214 errout:
1215 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1216
1217 return retval;
1218 }
1219
1220 static int delete_crypto_blk_dev(char *name)
1221 {
1222 int fd;
1223 char buffer[DM_CRYPT_BUF_SIZE];
1224 struct dm_ioctl *io;
1225 int retval = -1;
1226
1227 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1228 SLOGE("Cannot open device-mapper\n");
1229 goto errout;
1230 }
1231
1232 io = (struct dm_ioctl *) buffer;
1233
1234 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1235 if (ioctl(fd, DM_DEV_REMOVE, io)) {
1236 SLOGE("Cannot remove dm-crypt device\n");
1237 goto errout;
1238 }
1239
1240 /* We made it here with no errors. Woot! */
1241 retval = 0;
1242
1243 errout:
1244 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1245
1246 return retval;
1247
1248 }
1249
1250 static int pbkdf2(const char *passwd, const unsigned char *salt,
1251 unsigned char *ikey, void *params UNUSED)
1252 {
1253 SLOGI("Using pbkdf2 for cryptfs KDF");
1254
1255 /* Turn the password into a key and IV that can decrypt the master key */
1256 PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd),
1257 salt, SALT_LEN,
1258 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1259
1260 return 0;
1261 }
1262
1263 static int scrypt(const char *passwd, const unsigned char *salt,
1264 unsigned char *ikey, void *params)
1265 {
1266 SLOGI("Using scrypt for cryptfs KDF");
1267
1268 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1269
1270 int N = 1 << ftr->N_factor;
1271 int r = 1 << ftr->r_factor;
1272 int p = 1 << ftr->p_factor;
1273
1274 /* Turn the password into a key and IV that can decrypt the master key */
1275 unsigned int keysize;
1276 crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1277 salt, SALT_LEN, N, r, p, ikey,
1278 KEY_LEN_BYTES + IV_LEN_BYTES);
1279
1280 return 0;
1281 }
1282
1283 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1284 unsigned char *ikey, void *params)
1285 {
1286 SLOGI("Using scrypt with keymaster for cryptfs KDF");
1287
1288 int rc;
1289 size_t signature_size;
1290 unsigned char* signature;
1291 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1292
1293 int N = 1 << ftr->N_factor;
1294 int r = 1 << ftr->r_factor;
1295 int p = 1 << ftr->p_factor;
1296
1297 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1298 salt, SALT_LEN, N, r, p, ikey,
1299 KEY_LEN_BYTES + IV_LEN_BYTES);
1300
1301 if (rc) {
1302 SLOGE("scrypt failed");
1303 return -1;
1304 }
1305
1306 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1307 &signature, &signature_size)) {
1308 SLOGE("Signing failed");
1309 return -1;
1310 }
1311
1312 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1313 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1314 free(signature);
1315
1316 if (rc) {
1317 SLOGE("scrypt failed");
1318 return -1;
1319 }
1320
1321 return 0;
1322 }
1323
1324 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1325 const unsigned char *decrypted_master_key,
1326 unsigned char *encrypted_master_key,
1327 struct crypt_mnt_ftr *crypt_ftr)
1328 {
1329 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1330 EVP_CIPHER_CTX e_ctx;
1331 int encrypted_len, final_len;
1332 int rc = 0;
1333
1334 /* Turn the password into an intermediate key and IV that can decrypt the master key */
1335 get_device_scrypt_params(crypt_ftr);
1336
1337 switch (crypt_ftr->kdf_type) {
1338 case KDF_SCRYPT_KEYMASTER:
1339 if (keymaster_create_key(crypt_ftr)) {
1340 SLOGE("keymaster_create_key failed");
1341 return -1;
1342 }
1343
1344 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1345 SLOGE("scrypt failed");
1346 return -1;
1347 }
1348 break;
1349
1350 case KDF_SCRYPT:
1351 if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1352 SLOGE("scrypt failed");
1353 return -1;
1354 }
1355 break;
1356
1357 default:
1358 SLOGE("Invalid kdf_type");
1359 return -1;
1360 }
1361
1362 /* Initialize the decryption engine */
1363 EVP_CIPHER_CTX_init(&e_ctx);
1364 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1365 SLOGE("EVP_EncryptInit failed\n");
1366 return -1;
1367 }
1368 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1369
1370 /* Encrypt the master key */
1371 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1372 decrypted_master_key, KEY_LEN_BYTES)) {
1373 SLOGE("EVP_EncryptUpdate failed\n");
1374 return -1;
1375 }
1376 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1377 SLOGE("EVP_EncryptFinal failed\n");
1378 return -1;
1379 }
1380
1381 if (encrypted_len + final_len != KEY_LEN_BYTES) {
1382 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1383 return -1;
1384 }
1385
1386 /* Store the scrypt of the intermediate key, so we can validate if it's a
1387 password error or mount error when things go wrong.
1388 Note there's no need to check for errors, since if this is incorrect, we
1389 simply won't wipe userdata, which is the correct default behavior
1390 */
1391 int N = 1 << crypt_ftr->N_factor;
1392 int r = 1 << crypt_ftr->r_factor;
1393 int p = 1 << crypt_ftr->p_factor;
1394
1395 rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1396 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1397 crypt_ftr->scrypted_intermediate_key,
1398 sizeof(crypt_ftr->scrypted_intermediate_key));
1399
1400 if (rc) {
1401 SLOGE("encrypt_master_key: crypto_scrypt failed");
1402 }
1403
1404 return 0;
1405 }
1406
1407 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1408 unsigned char *encrypted_master_key,
1409 unsigned char *decrypted_master_key,
1410 kdf_func kdf, void *kdf_params,
1411 unsigned char** intermediate_key,
1412 size_t* intermediate_key_size)
1413 {
1414 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1415 EVP_CIPHER_CTX d_ctx;
1416 int decrypted_len, final_len;
1417
1418 /* Turn the password into an intermediate key and IV that can decrypt the
1419 master key */
1420 if (kdf(passwd, salt, ikey, kdf_params)) {
1421 SLOGE("kdf failed");
1422 return -1;
1423 }
1424
1425 /* Initialize the decryption engine */
1426 EVP_CIPHER_CTX_init(&d_ctx);
1427 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1428 return -1;
1429 }
1430 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1431 /* Decrypt the master key */
1432 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1433 encrypted_master_key, KEY_LEN_BYTES)) {
1434 return -1;
1435 }
1436 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1437 return -1;
1438 }
1439
1440 if (decrypted_len + final_len != KEY_LEN_BYTES) {
1441 return -1;
1442 }
1443
1444 /* Copy intermediate key if needed by params */
1445 if (intermediate_key && intermediate_key_size) {
1446 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1447 if (intermediate_key) {
1448 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1449 *intermediate_key_size = KEY_LEN_BYTES;
1450 }
1451 }
1452
1453 return 0;
1454 }
1455
1456 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1457 {
1458 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1459 *kdf = scrypt_keymaster;
1460 *kdf_params = ftr;
1461 } else if (ftr->kdf_type == KDF_SCRYPT) {
1462 *kdf = scrypt;
1463 *kdf_params = ftr;
1464 } else {
1465 *kdf = pbkdf2;
1466 *kdf_params = NULL;
1467 }
1468 }
1469
1470 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1471 struct crypt_mnt_ftr *crypt_ftr,
1472 unsigned char** intermediate_key,
1473 size_t* intermediate_key_size)
1474 {
1475 kdf_func kdf;
1476 void *kdf_params;
1477 int ret;
1478
1479 get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1480 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1481 decrypted_master_key, kdf, kdf_params,
1482 intermediate_key, intermediate_key_size);
1483 if (ret != 0) {
1484 SLOGW("failure decrypting master key");
1485 }
1486
1487 return ret;
1488 }
1489
1490 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1491 struct crypt_mnt_ftr *crypt_ftr) {
1492 int fd;
1493 unsigned char key_buf[KEY_LEN_BYTES];
1494
1495 /* Get some random bits for a key */
1496 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1497 read(fd, key_buf, sizeof(key_buf));
1498 read(fd, salt, SALT_LEN);
1499 close(fd);
1500
1501 /* Now encrypt it with the password */
1502 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1503 }
1504
1505 int wait_and_unmount(const char *mountpoint, bool kill)
1506 {
1507 int i, err, rc;
1508 #define WAIT_UNMOUNT_COUNT 20
1509
1510 /* Now umount the tmpfs filesystem */
1511 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1512 if (umount(mountpoint) == 0) {
1513 break;
1514 }
1515
1516 if (errno == EINVAL) {
1517 /* EINVAL is returned if the directory is not a mountpoint,
1518 * i.e. there is no filesystem mounted there. So just get out.
1519 */
1520 break;
1521 }
1522
1523 err = errno;
1524
1525 /* If allowed, be increasingly aggressive before the last two retries */
1526 if (kill) {
1527 if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1528 SLOGW("sending SIGHUP to processes with open files\n");
1529 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM);
1530 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1531 SLOGW("sending SIGKILL to processes with open files\n");
1532 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL);
1533 }
1534 }
1535
1536 sleep(1);
1537 }
1538
1539 if (i < WAIT_UNMOUNT_COUNT) {
1540 SLOGD("unmounting %s succeeded\n", mountpoint);
1541 rc = 0;
1542 } else {
1543 vold_killProcessesWithOpenFiles(mountpoint, 0);
1544 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1545 rc = -1;
1546 }
1547
1548 return rc;
1549 }
1550
1551 #define DATA_PREP_TIMEOUT 1000
1552 static int prep_data_fs(void)
1553 {
1554 int i;
1555
1556 /* Do the prep of the /data filesystem */
1557 property_set("vold.post_fs_data_done", "0");
1558 property_set("vold.decrypt", "trigger_post_fs_data");
1559 SLOGD("Just triggered post_fs_data\n");
1560
1561 /* Wait a max of 50 seconds, hopefully it takes much less */
1562 for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1563 char p[PROPERTY_VALUE_MAX];
1564
1565 property_get("vold.post_fs_data_done", p, "0");
1566 if (*p == '1') {
1567 break;
1568 } else {
1569 usleep(50000);
1570 }
1571 }
1572 if (i == DATA_PREP_TIMEOUT) {
1573 /* Ugh, we failed to prep /data in time. Bail. */
1574 SLOGE("post_fs_data timed out!\n");
1575 return -1;
1576 } else {
1577 SLOGD("post_fs_data done\n");
1578 return 0;
1579 }
1580 }
1581
1582 static void cryptfs_set_corrupt()
1583 {
1584 // Mark the footer as bad
1585 struct crypt_mnt_ftr crypt_ftr;
1586 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1587 SLOGE("Failed to get crypto footer - panic");
1588 return;
1589 }
1590
1591 crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1592 if (put_crypt_ftr_and_key(&crypt_ftr)) {
1593 SLOGE("Failed to set crypto footer - panic");
1594 return;
1595 }
1596 }
1597
1598 static void cryptfs_trigger_restart_min_framework()
1599 {
1600 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1601 SLOGE("Failed to mount tmpfs on data - panic");
1602 return;
1603 }
1604
1605 if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1606 SLOGE("Failed to trigger post fs data - panic");
1607 return;
1608 }
1609
1610 if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1611 SLOGE("Failed to trigger restart min framework - panic");
1612 return;
1613 }
1614 }
1615
1616 /* returns < 0 on failure */
1617 static int cryptfs_restart_internal(int restart_main)
1618 {
1619 char crypto_blkdev[MAXPATHLEN];
1620 int rc = -1;
1621 static int restart_successful = 0;
1622
1623 /* Validate that it's OK to call this routine */
1624 if (! master_key_saved) {
1625 SLOGE("Encrypted filesystem not validated, aborting");
1626 return -1;
1627 }
1628
1629 if (restart_successful) {
1630 SLOGE("System already restarted with encrypted disk, aborting");
1631 return -1;
1632 }
1633
1634 if (restart_main) {
1635 /* Here is where we shut down the framework. The init scripts
1636 * start all services in one of three classes: core, main or late_start.
1637 * On boot, we start core and main. Now, we stop main, but not core,
1638 * as core includes vold and a few other really important things that
1639 * we need to keep running. Once main has stopped, we should be able
1640 * to umount the tmpfs /data, then mount the encrypted /data.
1641 * We then restart the class main, and also the class late_start.
1642 * At the moment, I've only put a few things in late_start that I know
1643 * are not needed to bring up the framework, and that also cause problems
1644 * with unmounting the tmpfs /data, but I hope to add add more services
1645 * to the late_start class as we optimize this to decrease the delay
1646 * till the user is asked for the password to the filesystem.
1647 */
1648
1649 /* The init files are setup to stop the class main when vold.decrypt is
1650 * set to trigger_reset_main.
1651 */
1652 property_set("vold.decrypt", "trigger_reset_main");
1653 SLOGD("Just asked init to shut down class main\n");
1654
1655 /* Ugh, shutting down the framework is not synchronous, so until it
1656 * can be fixed, this horrible hack will wait a moment for it all to
1657 * shut down before proceeding. Without it, some devices cannot
1658 * restart the graphics services.
1659 */
1660 sleep(2);
1661 }
1662
1663 /* Now that the framework is shutdown, we should be able to umount()
1664 * the tmpfs filesystem, and mount the real one.
1665 */
1666
1667 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1668 if (strlen(crypto_blkdev) == 0) {
1669 SLOGE("fs_crypto_blkdev not set\n");
1670 return -1;
1671 }
1672
1673 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1674 /* If ro.crypto.readonly is set to 1, mount the decrypted
1675 * filesystem readonly. This is used when /data is mounted by
1676 * recovery mode.
1677 */
1678 char ro_prop[PROPERTY_VALUE_MAX];
1679 property_get("ro.crypto.readonly", ro_prop, "");
1680 if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1681 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1682 rec->flags |= MS_RDONLY;
1683 }
1684
1685 /* If that succeeded, then mount the decrypted filesystem */
1686 int retries = RETRY_MOUNT_ATTEMPTS;
1687 int mount_rc;
1688 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1689 crypto_blkdev, 0))
1690 != 0) {
1691 if (mount_rc == FS_MGR_DOMNT_BUSY) {
1692 /* TODO: invoke something similar to
1693 Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1694 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1695 SLOGI("Failed to mount %s because it is busy - waiting",
1696 crypto_blkdev);
1697 if (--retries) {
1698 sleep(RETRY_MOUNT_DELAY_SECONDS);
1699 } else {
1700 /* Let's hope that a reboot clears away whatever is keeping
1701 the mount busy */
1702 cryptfs_reboot(reboot);
1703 }
1704 } else {
1705 SLOGE("Failed to mount decrypted data");
1706 cryptfs_set_corrupt();
1707 cryptfs_trigger_restart_min_framework();
1708 SLOGI("Started framework to offer wipe");
1709 return -1;
1710 }
1711 }
1712
1713 property_set("vold.decrypt", "trigger_load_persist_props");
1714 /* Create necessary paths on /data */
1715 if (prep_data_fs()) {
1716 return -1;
1717 }
1718
1719 /* startup service classes main and late_start */
1720 property_set("vold.decrypt", "trigger_restart_framework");
1721 SLOGD("Just triggered restart_framework\n");
1722
1723 /* Give it a few moments to get started */
1724 sleep(1);
1725 }
1726
1727 if (rc == 0) {
1728 restart_successful = 1;
1729 }
1730
1731 return rc;
1732 }
1733
1734 int cryptfs_restart(void)
1735 {
1736 SLOGI("cryptfs_restart");
1737 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
1738 struct fstab_rec* rec;
1739 int rc;
1740
1741 if (e4crypt_restart(DATA_MNT_POINT)) {
1742 SLOGE("Can't unmount e4crypt temp volume\n");
1743 return -1;
1744 }
1745
1746 rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1747 if (!rec) {
1748 SLOGE("Can't get fstab record for %s\n", DATA_MNT_POINT);
1749 return -1;
1750 }
1751
1752 rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, rec->blk_device, 0);
1753 if (rc) {
1754 SLOGE("Can't mount %s\n", DATA_MNT_POINT);
1755 return rc;
1756 }
1757
1758 property_set("vold.decrypt", "trigger_restart_framework");
1759 return 0;
1760 }
1761
1762 /* Call internal implementation forcing a restart of main service group */
1763 return cryptfs_restart_internal(1);
1764 }
1765
1766 static int do_crypto_complete(char *mount_point)
1767 {
1768 struct crypt_mnt_ftr crypt_ftr;
1769 char encrypted_state[PROPERTY_VALUE_MAX];
1770 char key_loc[PROPERTY_VALUE_MAX];
1771
1772 property_get("ro.crypto.state", encrypted_state, "");
1773 if (strcmp(encrypted_state, "encrypted") ) {
1774 SLOGE("not running with encryption, aborting");
1775 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1776 }
1777
1778 if (e4crypt_crypto_complete(mount_point) == 0) {
1779 return CRYPTO_COMPLETE_ENCRYPTED;
1780 }
1781
1782 if (get_crypt_ftr_and_key(&crypt_ftr)) {
1783 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1784
1785 /*
1786 * Only report this error if key_loc is a file and it exists.
1787 * If the device was never encrypted, and /data is not mountable for
1788 * some reason, returning 1 should prevent the UI from presenting the
1789 * a "enter password" screen, or worse, a "press button to wipe the
1790 * device" screen.
1791 */
1792 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1793 SLOGE("master key file does not exist, aborting");
1794 return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1795 } else {
1796 SLOGE("Error getting crypt footer and key\n");
1797 return CRYPTO_COMPLETE_BAD_METADATA;
1798 }
1799 }
1800
1801 // Test for possible error flags
1802 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1803 SLOGE("Encryption process is partway completed\n");
1804 return CRYPTO_COMPLETE_PARTIAL;
1805 }
1806
1807 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1808 SLOGE("Encryption process was interrupted but cannot continue\n");
1809 return CRYPTO_COMPLETE_INCONSISTENT;
1810 }
1811
1812 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1813 SLOGE("Encryption is successful but data is corrupt\n");
1814 return CRYPTO_COMPLETE_CORRUPT;
1815 }
1816
1817 /* We passed the test! We shall diminish, and return to the west */
1818 return CRYPTO_COMPLETE_ENCRYPTED;
1819 }
1820
1821 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1822 char *passwd, char *mount_point, char *label)
1823 {
1824 /* Allocate enough space for a 256 bit key, but we may use less */
1825 unsigned char decrypted_master_key[32];
1826 char crypto_blkdev[MAXPATHLEN];
1827 char real_blkdev[MAXPATHLEN];
1828 char tmp_mount_point[64];
1829 unsigned int orig_failed_decrypt_count;
1830 int rc;
1831 int use_keymaster = 0;
1832 int upgrade = 0;
1833 unsigned char* intermediate_key = 0;
1834 size_t intermediate_key_size = 0;
1835
1836 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1837 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1838
1839 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1840 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1841 &intermediate_key, &intermediate_key_size)) {
1842 SLOGE("Failed to decrypt master key\n");
1843 rc = -1;
1844 goto errout;
1845 }
1846 }
1847
1848 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1849
1850 #ifdef CONFIG_HW_DISK_ENCRYPTION
1851 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1852 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) {
1853 SLOGE("Hardware encryption key does not match");
1854 }
1855 }
1856 #endif
1857
1858 // Create crypto block device - all (non fatal) code paths
1859 // need it
1860 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1861 real_blkdev, crypto_blkdev, label)) {
1862 SLOGE("Error creating decrypted block device\n");
1863 rc = -1;
1864 goto errout;
1865 }
1866
1867 /* Work out if the problem is the password or the data */
1868 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1869 scrypted_intermediate_key)];
1870 int N = 1 << crypt_ftr->N_factor;
1871 int r = 1 << crypt_ftr->r_factor;
1872 int p = 1 << crypt_ftr->p_factor;
1873
1874 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1875 crypt_ftr->salt, sizeof(crypt_ftr->salt),
1876 N, r, p, scrypted_intermediate_key,
1877 sizeof(scrypted_intermediate_key));
1878
1879 // Does the key match the crypto footer?
1880 if (rc == 0 && memcmp(scrypted_intermediate_key,
1881 crypt_ftr->scrypted_intermediate_key,
1882 sizeof(scrypted_intermediate_key)) == 0) {
1883 SLOGI("Password matches");
1884 rc = 0;
1885 } else {
1886 /* Try mounting the file system anyway, just in case the problem's with
1887 * the footer, not the key. */
1888 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1889 mkdir(tmp_mount_point, 0755);
1890 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1891 SLOGE("Error temp mounting decrypted block device\n");
1892 delete_crypto_blk_dev(label);
1893
1894 rc = ++crypt_ftr->failed_decrypt_count;
1895 put_crypt_ftr_and_key(crypt_ftr);
1896 } else {
1897 /* Success! */
1898 SLOGI("Password did not match but decrypted drive mounted - continue");
1899 umount(tmp_mount_point);
1900 rc = 0;
1901 }
1902 }
1903
1904 if (rc == 0) {
1905 crypt_ftr->failed_decrypt_count = 0;
1906 if (orig_failed_decrypt_count != 0) {
1907 put_crypt_ftr_and_key(crypt_ftr);
1908 }
1909
1910 /* Save the name of the crypto block device
1911 * so we can mount it when restarting the framework. */
1912 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1913
1914 /* Also save a the master key so we can reencrypted the key
1915 * the key when we want to change the password on it. */
1916 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1917 saved_mount_point = strdup(mount_point);
1918 master_key_saved = 1;
1919 SLOGD("%s(): Master key saved\n", __FUNCTION__);
1920 rc = 0;
1921
1922 // Upgrade if we're not using the latest KDF.
1923 use_keymaster = keymaster_check_compatibility();
1924 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1925 // Don't allow downgrade
1926 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1927 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1928 upgrade = 1;
1929 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1930 crypt_ftr->kdf_type = KDF_SCRYPT;
1931 upgrade = 1;
1932 }
1933
1934 if (upgrade) {
1935 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1936 crypt_ftr->master_key, crypt_ftr);
1937 if (!rc) {
1938 rc = put_crypt_ftr_and_key(crypt_ftr);
1939 }
1940 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1941
1942 // Do not fail even if upgrade failed - machine is bootable
1943 // Note that if this code is ever hit, there is a *serious* problem
1944 // since KDFs should never fail. You *must* fix the kdf before
1945 // proceeding!
1946 if (rc) {
1947 SLOGW("Upgrade failed with error %d,"
1948 " but continuing with previous state",
1949 rc);
1950 rc = 0;
1951 }
1952 }
1953 }
1954
1955 errout:
1956 if (intermediate_key) {
1957 memset(intermediate_key, 0, intermediate_key_size);
1958 free(intermediate_key);
1959 }
1960 return rc;
1961 }
1962
1963 /*
1964 * Called by vold when it's asked to mount an encrypted external
1965 * storage volume. The incoming partition has no crypto header/footer,
1966 * as any metadata is been stored in a separate, small partition.
1967 *
1968 * out_crypto_blkdev must be MAXPATHLEN.
1969 */
1970 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1971 const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1972 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1973 if (fd == -1) {
1974 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1975 return -1;
1976 }
1977
1978 unsigned long nr_sec = 0;
1979 get_blkdev_size(fd, &nr_sec);
1980 close(fd);
1981
1982 if (nr_sec == 0) {
1983 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1984 return -1;
1985 }
1986
1987 struct crypt_mnt_ftr ext_crypt_ftr;
1988 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1989 ext_crypt_ftr.fs_size = nr_sec;
1990 ext_crypt_ftr.keysize = keysize;
1991 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
1992
1993 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev,
1994 out_crypto_blkdev, label);
1995 }
1996
1997 /*
1998 * Called by vold when it's asked to unmount an encrypted external
1999 * storage volume.
2000 */
2001 int cryptfs_revert_ext_volume(const char* label) {
2002 return delete_crypto_blk_dev((char*) label);
2003 }
2004
2005 int cryptfs_crypto_complete(void)
2006 {
2007 return do_crypto_complete("/data");
2008 }
2009
2010 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
2011 {
2012 char encrypted_state[PROPERTY_VALUE_MAX];
2013 property_get("ro.crypto.state", encrypted_state, "");
2014 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
2015 SLOGE("encrypted fs already validated or not running with encryption,"
2016 " aborting");
2017 return -1;
2018 }
2019
2020 if (get_crypt_ftr_and_key(crypt_ftr)) {
2021 SLOGE("Error getting crypt footer and key");
2022 return -1;
2023 }
2024
2025 return 0;
2026 }
2027
2028 int cryptfs_check_passwd(char *passwd)
2029 {
2030 SLOGI("cryptfs_check_passwd");
2031 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
2032 return e4crypt_check_passwd(DATA_MNT_POINT, passwd);
2033 }
2034
2035 struct crypt_mnt_ftr crypt_ftr;
2036 int rc;
2037
2038 rc = check_unmounted_and_get_ftr(&crypt_ftr);
2039 if (rc)
2040 return rc;
2041
2042 rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2043 DATA_MNT_POINT, "userdata");
2044
2045 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2046 cryptfs_clear_password();
2047 password = strdup(passwd);
2048 struct timespec now;
2049 clock_gettime(CLOCK_BOOTTIME, &now);
2050 password_expiry_time = now.tv_sec + password_max_age_seconds;
2051 }
2052
2053 return rc;
2054 }
2055
2056 int cryptfs_verify_passwd(char *passwd)
2057 {
2058 struct crypt_mnt_ftr crypt_ftr;
2059 /* Allocate enough space for a 256 bit key, but we may use less */
2060 unsigned char decrypted_master_key[32];
2061 char encrypted_state[PROPERTY_VALUE_MAX];
2062 int rc;
2063
2064 property_get("ro.crypto.state", encrypted_state, "");
2065 if (strcmp(encrypted_state, "encrypted") ) {
2066 SLOGE("device not encrypted, aborting");
2067 return -2;
2068 }
2069
2070 if (!master_key_saved) {
2071 SLOGE("encrypted fs not yet mounted, aborting");
2072 return -1;
2073 }
2074
2075 if (!saved_mount_point) {
2076 SLOGE("encrypted fs failed to save mount point, aborting");
2077 return -1;
2078 }
2079
2080 if (get_crypt_ftr_and_key(&crypt_ftr)) {
2081 SLOGE("Error getting crypt footer and key\n");
2082 return -1;
2083 }
2084
2085 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2086 /* If the device has no password, then just say the password is valid */
2087 rc = 0;
2088 } else {
2089 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2090 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2091 /* They match, the password is correct */
2092 rc = 0;
2093 } else {
2094 /* If incorrect, sleep for a bit to prevent dictionary attacks */
2095 sleep(1);
2096 rc = 1;
2097 }
2098 }
2099
2100 return rc;
2101 }
2102
2103 /* Initialize a crypt_mnt_ftr structure. The keysize is
2104 * defaulted to 16 bytes, and the filesystem size to 0.
2105 * Presumably, at a minimum, the caller will update the
2106 * filesystem size and crypto_type_name after calling this function.
2107 */
2108 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2109 {
2110 off64_t off;
2111
2112 memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2113 ftr->magic = CRYPT_MNT_MAGIC;
2114 ftr->major_version = CURRENT_MAJOR_VERSION;
2115 ftr->minor_version = CURRENT_MINOR_VERSION;
2116 ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2117 ftr->keysize = KEY_LEN_BYTES;
2118
2119 switch (keymaster_check_compatibility()) {
2120 case 1:
2121 ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2122 break;
2123
2124 case 0:
2125 ftr->kdf_type = KDF_SCRYPT;
2126 break;
2127
2128 default:
2129 SLOGE("keymaster_check_compatibility failed");
2130 return -1;
2131 }
2132
2133 get_device_scrypt_params(ftr);
2134
2135 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2136 if (get_crypt_ftr_info(NULL, &off) == 0) {
2137 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2138 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2139 ftr->persist_data_size;
2140 }
2141
2142 return 0;
2143 }
2144
2145 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2146 {
2147 const char *args[10];
2148 char size_str[32]; /* Must be large enough to hold a %lld and null byte */
2149 int num_args;
2150 int status;
2151 int tmp;
2152 int rc = -1;
2153
2154 if (type == EXT4_FS) {
2155 args[0] = "/system/bin/make_ext4fs";
2156 args[1] = "-a";
2157 args[2] = "/data";
2158 args[3] = "-l";
2159 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2160 args[4] = size_str;
2161 args[5] = crypto_blkdev;
2162 num_args = 6;
2163 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
2164 args[0], args[1], args[2], args[3], args[4], args[5]);
2165 } else if (type == F2FS_FS) {
2166 args[0] = "/system/bin/mkfs.f2fs";
2167 args[1] = "-t";
2168 args[2] = "-d1";
2169 args[3] = crypto_blkdev;
2170 snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2171 args[4] = size_str;
2172 num_args = 5;
2173 SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
2174 args[0], args[1], args[2], args[3], args[4]);
2175 } else {
2176 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
2177 return -1;
2178 }
2179
2180 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
2181
2182 if (tmp != 0) {
2183 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2184 } else {
2185 if (WIFEXITED(status)) {
2186 if (WEXITSTATUS(status)) {
2187 SLOGE("Error creating filesystem on %s, exit status %d ",
2188 crypto_blkdev, WEXITSTATUS(status));
2189 } else {
2190 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
2191 rc = 0;
2192 }
2193 } else {
2194 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
2195 }
2196 }
2197
2198 return rc;
2199 }
2200
2201 #define CRYPT_INPLACE_BUFSIZE 4096
2202 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
2203 #define CRYPT_SECTOR_SIZE 512
2204
2205 /* aligned 32K writes tends to make flash happy.
2206 * SD card association recommends it.
2207 */
2208 #ifndef CONFIG_HW_DISK_ENCRYPTION
2209 #define BLOCKS_AT_A_TIME 8
2210 #else
2211 #define BLOCKS_AT_A_TIME 1024
2212 #endif
2213
2214 struct encryptGroupsData
2215 {
2216 int realfd;
2217 int cryptofd;
2218 off64_t numblocks;
2219 off64_t one_pct, cur_pct, new_pct;
2220 off64_t blocks_already_done, tot_numblocks;
2221 off64_t used_blocks_already_done, tot_used_blocks;
2222 char* real_blkdev, * crypto_blkdev;
2223 int count;
2224 off64_t offset;
2225 char* buffer;
2226 off64_t last_written_sector;
2227 int completed;
2228 time_t time_started;
2229 int remaining_time;
2230 };
2231
2232 static void update_progress(struct encryptGroupsData* data, int is_used)
2233 {
2234 data->blocks_already_done++;
2235
2236 if (is_used) {
2237 data->used_blocks_already_done++;
2238 }
2239 if (data->tot_used_blocks) {
2240 data->new_pct = data->used_blocks_already_done / data->one_pct;
2241 } else {
2242 data->new_pct = data->blocks_already_done / data->one_pct;
2243 }
2244
2245 if (data->new_pct > data->cur_pct) {
2246 char buf[8];
2247 data->cur_pct = data->new_pct;
2248 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2249 property_set("vold.encrypt_progress", buf);
2250 }
2251
2252 if (data->cur_pct >= 5) {
2253 struct timespec time_now;
2254 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2255 SLOGW("Error getting time");
2256 } else {
2257 double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2258 off64_t remaining_blocks = data->tot_used_blocks
2259 - data->used_blocks_already_done;
2260 int remaining_time = (int)(elapsed_time * remaining_blocks
2261 / data->used_blocks_already_done);
2262
2263 // Change time only if not yet set, lower, or a lot higher for
2264 // best user experience
2265 if (data->remaining_time == -1
2266 || remaining_time < data->remaining_time
2267 || remaining_time > data->remaining_time + 60) {
2268 char buf[8];
2269 snprintf(buf, sizeof(buf), "%d", remaining_time);
2270 property_set("vold.encrypt_time_remaining", buf);
2271 data->remaining_time = remaining_time;
2272 }
2273 }
2274 }
2275 }
2276
2277 static void log_progress(struct encryptGroupsData const* data, bool completed)
2278 {
2279 // Precondition - if completed data = 0 else data != 0
2280
2281 // Track progress so we can skip logging blocks
2282 static off64_t offset = -1;
2283
2284 // Need to close existing 'Encrypting from' log?
2285 if (completed || (offset != -1 && data->offset != offset)) {
2286 SLOGI("Encrypted to sector %" PRId64,
2287 offset / info.block_size * CRYPT_SECTOR_SIZE);
2288 offset = -1;
2289 }
2290
2291 // Need to start new 'Encrypting from' log?
2292 if (!completed && offset != data->offset) {
2293 SLOGI("Encrypting from sector %" PRId64,
2294 data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2295 }
2296
2297 // Update offset
2298 if (!completed) {
2299 offset = data->offset + (off64_t)data->count * info.block_size;
2300 }
2301 }
2302
2303 static int flush_outstanding_data(struct encryptGroupsData* data)
2304 {
2305 if (data->count == 0) {
2306 return 0;
2307 }
2308
2309 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2310
2311 if (pread64(data->realfd, data->buffer,
2312 info.block_size * data->count, data->offset)
2313 <= 0) {
2314 SLOGE("Error reading real_blkdev %s for inplace encrypt",
2315 data->real_blkdev);
2316 return -1;
2317 }
2318
2319 if (pwrite64(data->cryptofd, data->buffer,
2320 info.block_size * data->count, data->offset)
2321 <= 0) {
2322 SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2323 data->crypto_blkdev);
2324 return -1;
2325 } else {
2326 log_progress(data, false);
2327 }
2328
2329 data->count = 0;
2330 data->last_written_sector = (data->offset + data->count)
2331 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2332 return 0;
2333 }
2334
2335 static int encrypt_groups(struct encryptGroupsData* data)
2336 {
2337 unsigned int i;
2338 u8 *block_bitmap = 0;
2339 unsigned int block;
2340 off64_t ret;
2341 int rc = -1;
2342
2343 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2344 if (!data->buffer) {
2345 SLOGE("Failed to allocate crypto buffer");
2346 goto errout;
2347 }
2348
2349 block_bitmap = malloc(info.block_size);
2350 if (!block_bitmap) {
2351 SLOGE("failed to allocate block bitmap");
2352 goto errout;
2353 }
2354
2355 for (i = 0; i < aux_info.groups; ++i) {
2356 SLOGI("Encrypting group %d", i);
2357
2358 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2359 u32 block_count = min(info.blocks_per_group,
2360 aux_info.len_blocks - first_block);
2361
2362 off64_t offset = (u64)info.block_size
2363 * aux_info.bg_desc[i].bg_block_bitmap;
2364
2365 ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2366 if (ret != (int)info.block_size) {
2367 SLOGE("failed to read all of block group bitmap %d", i);
2368 goto errout;
2369 }
2370
2371 offset = (u64)info.block_size * first_block;
2372
2373 data->count = 0;
2374
2375 for (block = 0; block < block_count; block++) {
2376 int used = bitmap_get_bit(block_bitmap, block);
2377 update_progress(data, used);
2378 if (used) {
2379 if (data->count == 0) {
2380 data->offset = offset;
2381 }
2382 data->count++;
2383 } else {
2384 if (flush_outstanding_data(data)) {
2385 goto errout;
2386 }
2387 }
2388
2389 offset += info.block_size;
2390
2391 /* Write data if we are aligned or buffer size reached */
2392 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2393 || data->count == BLOCKS_AT_A_TIME) {
2394 if (flush_outstanding_data(data)) {
2395 goto errout;
2396 }
2397 }
2398
2399 if (!is_battery_ok_to_continue()) {
2400 SLOGE("Stopping encryption due to low battery");
2401 rc = 0;
2402 goto errout;
2403 }
2404
2405 }
2406 if (flush_outstanding_data(data)) {
2407 goto errout;
2408 }
2409 }
2410
2411 data->completed = 1;
2412 rc = 0;
2413
2414 errout:
2415 log_progress(0, true);
2416 free(data->buffer);
2417 free(block_bitmap);
2418 return rc;
2419 }
2420
2421 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2422 char *real_blkdev,
2423 off64_t size,
2424 off64_t *size_already_done,
2425 off64_t tot_size,
2426 off64_t previously_encrypted_upto)
2427 {
2428 u32 i;
2429 struct encryptGroupsData data;
2430 int rc; // Can't initialize without causing warning -Wclobbered
2431
2432 if (previously_encrypted_upto > *size_already_done) {
2433 SLOGD("Not fast encrypting since resuming part way through");
2434 return -1;
2435 }
2436
2437 memset(&data, 0, sizeof(data));
2438 data.real_blkdev = real_blkdev;
2439 data.crypto_blkdev = crypto_blkdev;
2440
2441 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2442 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2443 real_blkdev, errno, strerror(errno));
2444 rc = -1;
2445 goto errout;
2446 }
2447
2448 // Wait until the block device appears. Re-use the mount retry values since it is reasonable.
2449 int retries = RETRY_MOUNT_ATTEMPTS;
2450 while ((data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2451 if (--retries) {
2452 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s), retrying\n",
2453 crypto_blkdev, errno, strerror(errno));
2454 sleep(RETRY_MOUNT_DELAY_SECONDS);
2455 } else {
2456 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2457 crypto_blkdev, errno, strerror(errno));
2458 rc = ENABLE_INPLACE_ERR_DEV;
2459 goto errout;
2460 }
2461 }
2462
2463 if (setjmp(setjmp_env)) {
2464 SLOGE("Reading ext4 extent caused an exception\n");
2465 rc = -1;
2466 goto errout;
2467 }
2468
2469 if (read_ext(data.realfd, 0) != 0) {
2470 SLOGE("Failed to read ext4 extent\n");
2471 rc = -1;
2472 goto errout;
2473 }
2474
2475 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2476 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2477 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2478
2479 SLOGI("Encrypting ext4 filesystem in place...");
2480
2481 data.tot_used_blocks = data.numblocks;
2482 for (i = 0; i < aux_info.groups; ++i) {
2483 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2484 }
2485
2486 data.one_pct = data.tot_used_blocks / 100;
2487 data.cur_pct = 0;
2488
2489 struct timespec time_started = {0};
2490 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2491 SLOGW("Error getting time at start");
2492 // Note - continue anyway - we'll run with 0
2493 }
2494 data.time_started = time_started.tv_sec;
2495 data.remaining_time = -1;
2496
2497 rc = encrypt_groups(&data);
2498 if (rc) {
2499 SLOGE("Error encrypting groups");
2500 goto errout;
2501 }
2502
2503 *size_already_done += data.completed ? size : data.last_written_sector;
2504 rc = 0;
2505
2506 errout:
2507 close(data.realfd);
2508 close(data.cryptofd);
2509
2510 return rc;
2511 }
2512
2513 static void log_progress_f2fs(u64 block, bool completed)
2514 {
2515 // Precondition - if completed data = 0 else data != 0
2516
2517 // Track progress so we can skip logging blocks
2518 static u64 last_block = (u64)-1;
2519
2520 // Need to close existing 'Encrypting from' log?
2521 if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2522 SLOGI("Encrypted to block %" PRId64, last_block);
2523 last_block = -1;
2524 }
2525
2526 // Need to start new 'Encrypting from' log?
2527 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2528 SLOGI("Encrypting from block %" PRId64, block);
2529 }
2530
2531 // Update offset
2532 if (!completed) {
2533 last_block = block;
2534 }
2535 }
2536
2537 static int encrypt_one_block_f2fs(u64 pos, void *data)
2538 {
2539 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2540
2541 priv_dat->blocks_already_done = pos - 1;
2542 update_progress(priv_dat, 1);
2543
2544 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2545
2546 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2547 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2548 return -1;
2549 }
2550
2551 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2552 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2553 return -1;
2554 } else {
2555 log_progress_f2fs(pos, false);
2556 }
2557
2558 return 0;
2559 }
2560
2561 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2562 char *real_blkdev,
2563 off64_t size,
2564 off64_t *size_already_done,
2565 off64_t tot_size,
2566 off64_t previously_encrypted_upto)
2567 {
2568 struct encryptGroupsData data;
2569 struct f2fs_info *f2fs_info = NULL;
2570 int rc = ENABLE_INPLACE_ERR_OTHER;
2571 if (previously_encrypted_upto > *size_already_done) {
2572 SLOGD("Not fast encrypting since resuming part way through");
2573 return ENABLE_INPLACE_ERR_OTHER;
2574 }
2575 memset(&data, 0, sizeof(data));
2576 data.real_blkdev = real_blkdev;
2577 data.crypto_blkdev = crypto_blkdev;
2578 data.realfd = -1;
2579 data.cryptofd = -1;
2580 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2581 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2582 real_blkdev);
2583 goto errout;
2584 }
2585 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2586 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2587 crypto_blkdev, errno, strerror(errno));
2588 rc = ENABLE_INPLACE_ERR_DEV;
2589 goto errout;
2590 }
2591
2592 f2fs_info = generate_f2fs_info(data.realfd);
2593 if (!f2fs_info)
2594 goto errout;
2595
2596 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2597 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2598 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2599
2600 data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2601
2602 data.one_pct = data.tot_used_blocks / 100;
2603 data.cur_pct = 0;
2604 data.time_started = time(NULL);
2605 data.remaining_time = -1;
2606
2607 data.buffer = malloc(f2fs_info->block_size);
2608 if (!data.buffer) {
2609 SLOGE("Failed to allocate crypto buffer");
2610 goto errout;
2611 }
2612
2613 data.count = 0;
2614
2615 /* Currently, this either runs to completion, or hits a nonrecoverable error */
2616 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2617
2618 if (rc) {
2619 SLOGE("Error in running over f2fs blocks");
2620 rc = ENABLE_INPLACE_ERR_OTHER;
2621 goto errout;
2622 }
2623
2624 *size_already_done += size;
2625 rc = 0;
2626
2627 errout:
2628 if (rc)
2629 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2630
2631 log_progress_f2fs(0, true);
2632 free(f2fs_info);
2633 free(data.buffer);
2634 close(data.realfd);
2635 close(data.cryptofd);
2636
2637 return rc;
2638 }
2639
2640 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2641 off64_t size, off64_t *size_already_done,
2642 off64_t tot_size,
2643 off64_t previously_encrypted_upto)
2644 {
2645 int realfd, cryptofd;
2646 char *buf[CRYPT_INPLACE_BUFSIZE];
2647 int rc = ENABLE_INPLACE_ERR_OTHER;
2648 off64_t numblocks, i, remainder;
2649 off64_t one_pct, cur_pct, new_pct;
2650 off64_t blocks_already_done, tot_numblocks;
2651
2652 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) {
2653 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2654 return ENABLE_INPLACE_ERR_OTHER;
2655 }
2656
2657 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2658 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2659 crypto_blkdev, errno, strerror(errno));
2660 close(realfd);
2661 return ENABLE_INPLACE_ERR_DEV;
2662 }
2663
2664 /* This is pretty much a simple loop of reading 4K, and writing 4K.
2665 * The size passed in is the number of 512 byte sectors in the filesystem.
2666 * So compute the number of whole 4K blocks we should read/write,
2667 * and the remainder.
2668 */
2669 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2670 remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2671 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2672 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2673
2674 SLOGE("Encrypting filesystem in place...");
2675
2676 i = previously_encrypted_upto + 1 - *size_already_done;
2677
2678 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2679 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2680 goto errout;
2681 }
2682
2683 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2684 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2685 goto errout;
2686 }
2687
2688 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2689 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2690 SLOGE("Error reading initial sectors from real_blkdev %s for "
2691 "inplace encrypt\n", crypto_blkdev);
2692 goto errout;
2693 }
2694 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2695 SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2696 "inplace encrypt\n", crypto_blkdev);
2697 goto errout;
2698 } else {
2699 SLOGI("Encrypted 1 block at %" PRId64, i);
2700 }
2701 }
2702
2703 one_pct = tot_numblocks / 100;
2704 cur_pct = 0;
2705 /* process the majority of the filesystem in blocks */
2706 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2707 new_pct = (i + blocks_already_done) / one_pct;
2708 if (new_pct > cur_pct) {
2709 char buf[8];
2710
2711 cur_pct = new_pct;
2712 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2713 property_set("vold.encrypt_progress", buf);
2714 }
2715 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2716 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2717 goto errout;
2718 }
2719 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2720 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2721 goto errout;
2722 } else {
2723 SLOGD("Encrypted %d block at %" PRId64,
2724 CRYPT_SECTORS_PER_BUFSIZE,
2725 i * CRYPT_SECTORS_PER_BUFSIZE);
2726 }
2727
2728 if (!is_battery_ok_to_continue()) {
2729 SLOGE("Stopping encryption due to low battery");
2730 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2731 rc = 0;
2732 goto errout;
2733 }
2734 }
2735
2736 /* Do any remaining sectors */
2737 for (i=0; i<remainder; i++) {
2738 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2739 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2740 goto errout;
2741 }
2742 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2743 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2744 goto errout;
2745 } else {
2746 SLOGI("Encrypted 1 block at next location");
2747 }
2748 }
2749
2750 *size_already_done += size;
2751 rc = 0;
2752
2753 errout:
2754 close(realfd);
2755 close(cryptofd);
2756
2757 return rc;
2758 }
2759
2760 /* returns on of the ENABLE_INPLACE_* return codes */
2761 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2762 off64_t size, off64_t *size_already_done,
2763 off64_t tot_size,
2764 off64_t previously_encrypted_upto)
2765 {
2766 int rc_ext4, rc_f2fs, rc_full;
2767 if (previously_encrypted_upto) {
2768 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2769 }
2770
2771 if (*size_already_done + size < previously_encrypted_upto) {
2772 *size_already_done += size;
2773 return 0;
2774 }
2775
2776 /* TODO: identify filesystem type.
2777 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2778 * then we will drop down to cryptfs_enable_inplace_f2fs.
2779 * */
2780 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2781 size, size_already_done,
2782 tot_size, previously_encrypted_upto)) == 0) {
2783 return 0;
2784 }
2785 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2786
2787 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2788 size, size_already_done,
2789 tot_size, previously_encrypted_upto)) == 0) {
2790 return 0;
2791 }
2792 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2793
2794 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2795 size, size_already_done, tot_size,
2796 previously_encrypted_upto);
2797 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2798
2799 /* Hack for b/17898962, the following is the symptom... */
2800 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2801 && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2802 && rc_full == ENABLE_INPLACE_ERR_DEV) {
2803 return ENABLE_INPLACE_ERR_DEV;
2804 }
2805 return rc_full;
2806 }
2807
2808 #define CRYPTO_ENABLE_WIPE 1
2809 #define CRYPTO_ENABLE_INPLACE 2
2810
2811 #define FRAMEWORK_BOOT_WAIT 60
2812
2813 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2814 {
2815 int fd = open(filename, O_RDONLY|O_CLOEXEC);
2816 if (fd == -1) {
2817 SLOGE("Error opening file %s", filename);
2818 return -1;
2819 }
2820
2821 char block[CRYPT_INPLACE_BUFSIZE];
2822 memset(block, 0, sizeof(block));
2823 if (unix_read(fd, block, sizeof(block)) < 0) {
2824 SLOGE("Error reading file %s", filename);
2825 close(fd);
2826 return -1;
2827 }
2828
2829 close(fd);
2830
2831 SHA256_CTX c;
2832 SHA256_Init(&c);
2833 SHA256_Update(&c, block, sizeof(block));
2834 SHA256_Final(buf, &c);
2835
2836 return 0;
2837 }
2838
2839 static int get_fs_type(struct fstab_rec *rec)
2840 {
2841 if (!strcmp(rec->fs_type, "ext4")) {
2842 return EXT4_FS;
2843 } else if (!strcmp(rec->fs_type, "f2fs")) {
2844 return F2FS_FS;
2845 } else {
2846 return -1;
2847 }
2848 }
2849
2850 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2851 char *crypto_blkdev, char *real_blkdev,
2852 int previously_encrypted_upto)
2853 {
2854 off64_t cur_encryption_done=0, tot_encryption_size=0;
2855 int rc = -1;
2856
2857 if (!is_battery_ok_to_start()) {
2858 SLOGW("Not starting encryption due to low battery");
2859 return 0;
2860 }
2861
2862 /* The size of the userdata partition, and add in the vold volumes below */
2863 tot_encryption_size = crypt_ftr->fs_size;
2864
2865 if (how == CRYPTO_ENABLE_WIPE) {
2866 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2867 int fs_type = get_fs_type(rec);
2868 if (fs_type < 0) {
2869 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2870 return -1;
2871 }
2872 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2873 } else if (how == CRYPTO_ENABLE_INPLACE) {
2874 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2875 crypt_ftr->fs_size, &cur_encryption_done,
2876 tot_encryption_size,
2877 previously_encrypted_upto);
2878
2879 if (rc == ENABLE_INPLACE_ERR_DEV) {
2880 /* Hack for b/17898962 */
2881 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2882 cryptfs_reboot(reboot);
2883 }
2884
2885 if (!rc) {
2886 crypt_ftr->encrypted_upto = cur_encryption_done;
2887 }
2888
2889 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2890 /* The inplace routine never actually sets the progress to 100% due
2891 * to the round down nature of integer division, so set it here */
2892 property_set("vold.encrypt_progress", "100");
2893 }
2894 } else {
2895 /* Shouldn't happen */
2896 SLOGE("cryptfs_enable: internal error, unknown option\n");
2897 rc = -1;
2898 }
2899
2900 return rc;
2901 }
2902
2903 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2904 int no_ui)
2905 {
2906 int how = 0;
2907 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2908 unsigned char decrypted_master_key[KEY_LEN_BYTES];
2909 int rc=-1, i;
2910 struct crypt_mnt_ftr crypt_ftr;
2911 struct crypt_persist_data *pdata;
2912 char encrypted_state[PROPERTY_VALUE_MAX];
2913 char lockid[32] = { 0 };
2914 char key_loc[PROPERTY_VALUE_MAX];
2915 int num_vols;
2916 off64_t previously_encrypted_upto = 0;
2917
2918 if (!strcmp(howarg, "wipe")) {
2919 how = CRYPTO_ENABLE_WIPE;
2920 } else if (! strcmp(howarg, "inplace")) {
2921 how = CRYPTO_ENABLE_INPLACE;
2922 } else {
2923 /* Shouldn't happen, as CommandListener vets the args */
2924 goto error_unencrypted;
2925 }
2926
2927 /* See if an encryption was underway and interrupted */
2928 if (how == CRYPTO_ENABLE_INPLACE
2929 && get_crypt_ftr_and_key(&crypt_ftr) == 0
2930 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) {
2931 previously_encrypted_upto = crypt_ftr.encrypted_upto;
2932 crypt_ftr.encrypted_upto = 0;
2933 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2934
2935 /* At this point, we are in an inconsistent state. Until we successfully
2936 complete encryption, a reboot will leave us broken. So mark the
2937 encryption failed in case that happens.
2938 On successfully completing encryption, remove this flag */
2939 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2940
2941 put_crypt_ftr_and_key(&crypt_ftr);
2942 }
2943
2944 property_get("ro.crypto.state", encrypted_state, "");
2945 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2946 SLOGE("Device is already running encrypted, aborting");
2947 goto error_unencrypted;
2948 }
2949
2950 // TODO refactor fs_mgr_get_crypt_info to get both in one call
2951 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2952 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2953
2954 /* Get the size of the real block device */
2955 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
2956 if (fd == -1) {
2957 SLOGE("Cannot open block device %s\n", real_blkdev);
2958 goto error_unencrypted;
2959 }
2960 unsigned long nr_sec;
2961 get_blkdev_size(fd, &nr_sec);
2962 if (nr_sec == 0) {
2963 SLOGE("Cannot get size of block device %s\n", real_blkdev);
2964 goto error_unencrypted;
2965 }
2966 close(fd);
2967
2968 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2969 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
2970 unsigned int fs_size_sec, max_fs_size_sec;
2971 fs_size_sec = get_fs_size(real_blkdev);
2972 if (fs_size_sec == 0)
2973 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
2974
2975 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2976
2977 if (fs_size_sec > max_fs_size_sec) {
2978 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
2979 goto error_unencrypted;
2980 }
2981 }
2982
2983 /* Get a wakelock as this may take a while, and we don't want the
2984 * device to sleep on us. We'll grab a partial wakelock, and if the UI
2985 * wants to keep the screen on, it can grab a full wakelock.
2986 */
2987 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2988 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2989
2990 /* The init files are setup to stop the class main and late start when
2991 * vold sets trigger_shutdown_framework.
2992 */
2993 property_set("vold.decrypt", "trigger_shutdown_framework");
2994 SLOGD("Just asked init to shut down class main\n");
2995
2996 /* Ask vold to unmount all devices that it manages */
2997 if (vold_unmountAll()) {
2998 SLOGE("Failed to unmount all vold managed devices");
2999 }
3000
3001 /* Now unmount the /data partition. */
3002 if (wait_and_unmount(DATA_MNT_POINT, false)) {
3003 goto error_unencrypted;
3004 }
3005
3006 /* Do extra work for a better UX when doing the long inplace encryption */
3007 if (how == CRYPTO_ENABLE_INPLACE) {
3008 /* Now that /data is unmounted, we need to mount a tmpfs
3009 * /data, set a property saying we're doing inplace encryption,
3010 * and restart the framework.
3011 */
3012 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3013 goto error_shutting_down;
3014 }
3015 /* Tells the framework that inplace encryption is starting */
3016 property_set("vold.encrypt_progress", "0");
3017
3018 /* restart the framework. */
3019 /* Create necessary paths on /data */
3020 if (prep_data_fs()) {
3021 goto error_shutting_down;
3022 }
3023
3024 /* Ugh, shutting down the framework is not synchronous, so until it
3025 * can be fixed, this horrible hack will wait a moment for it all to
3026 * shut down before proceeding. Without it, some devices cannot
3027 * restart the graphics services.
3028 */
3029 sleep(2);
3030 }
3031
3032 /* Start the actual work of making an encrypted filesystem */
3033 /* Initialize a crypt_mnt_ftr for the partition */
3034 if (previously_encrypted_upto == 0) {
3035 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
3036 goto error_shutting_down;
3037 }
3038
3039 if (!strcmp(key_loc, KEY_IN_FOOTER)) {
3040 crypt_ftr.fs_size = nr_sec
3041 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3042 } else {
3043 crypt_ftr.fs_size = nr_sec;
3044 }
3045 /* At this point, we are in an inconsistent state. Until we successfully
3046 complete encryption, a reboot will leave us broken. So mark the
3047 encryption failed in case that happens.
3048 On successfully completing encryption, remove this flag */
3049 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3050 crypt_ftr.crypt_type = crypt_type;
3051 #ifndef CONFIG_HW_DISK_ENCRYPTION
3052 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
3053 #else
3054 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);
3055
3056 rc = clear_hw_device_encryption_key();
3057 if (!rc) {
3058 SLOGE("Error clearing device encryption hardware key. rc = %d", rc);
3059 }
3060
3061 rc = set_hw_device_encryption_key(passwd,
3062 (char*) crypt_ftr.crypto_type_name);
3063 if (!rc) {
3064 SLOGE("Error initializing device encryption hardware key. rc = %d", rc);
3065 goto error_shutting_down;
3066 }
3067 #endif
3068
3069 /* Make an encrypted master key */
3070 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
3071 SLOGE("Cannot create encrypted master key\n");
3072 goto error_shutting_down;
3073 }
3074
3075 /* Write the key to the end of the partition */
3076 put_crypt_ftr_and_key(&crypt_ftr);
3077
3078 /* If any persistent data has been remembered, save it.
3079 * If none, create a valid empty table and save that.
3080 */
3081 if (!persist_data) {
3082 pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
3083 if (pdata) {
3084 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
3085 persist_data = pdata;
3086 }
3087 }
3088 if (persist_data) {
3089 save_persistent_data();
3090 }
3091 }
3092
3093 if (how == CRYPTO_ENABLE_INPLACE && !no_ui) {
3094 /* startup service classes main and late_start */
3095 property_set("vold.decrypt", "trigger_restart_min_framework");
3096 SLOGD("Just triggered restart_min_framework\n");
3097
3098 /* OK, the framework is restarted and will soon be showing a
3099 * progress bar. Time to setup an encrypted mapping, and
3100 * either write a new filesystem, or encrypt in place updating
3101 * the progress bar as we work.
3102 */
3103 }
3104
3105 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3106 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
3107 "userdata");
3108
3109 /* If we are continuing, check checksums match */
3110 rc = 0;
3111 if (previously_encrypted_upto) {
3112 __le8 hash_first_block[SHA256_DIGEST_LENGTH];
3113 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
3114
3115 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
3116 sizeof(hash_first_block)) != 0) {
3117 SLOGE("Checksums do not match - trigger wipe");
3118 rc = -1;
3119 }
3120 }
3121
3122 if (!rc) {
3123 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
3124 crypto_blkdev, real_blkdev,
3125 previously_encrypted_upto);
3126 }
3127
3128 /* Calculate checksum if we are not finished */
3129 if (!rc && how == CRYPTO_ENABLE_INPLACE
3130 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3131 rc = cryptfs_SHA256_fileblock(crypto_blkdev,
3132 crypt_ftr.hash_first_block);
3133 if (rc) {
3134 SLOGE("Error calculating checksum for continuing encryption");
3135 rc = -1;
3136 }
3137 }
3138
3139 /* Undo the dm-crypt mapping whether we succeed or not */
3140 delete_crypto_blk_dev("userdata");
3141
3142 if (! rc) {
3143 /* Success */
3144 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3145
3146 if (how == CRYPTO_ENABLE_INPLACE
3147 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3148 SLOGD("Encrypted up to sector %lld - will continue after reboot",
3149 crypt_ftr.encrypted_upto);
3150 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3151 }
3152
3153 put_crypt_ftr_and_key(&crypt_ftr);
3154
3155 if (how == CRYPTO_ENABLE_WIPE
3156 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3157 char value[PROPERTY_VALUE_MAX];
3158 property_get("ro.crypto.state", value, "");
3159 if (!strcmp(value, "")) {
3160 /* default encryption - continue first boot sequence */
3161 property_set("ro.crypto.state", "encrypted");
3162 release_wake_lock(lockid);
3163 cryptfs_check_passwd(DEFAULT_PASSWORD);
3164 cryptfs_restart_internal(1);
3165 return 0;
3166 } else {
3167 sleep(2); /* Give the UI a chance to show 100% progress */
3168 cryptfs_reboot(reboot);
3169 }
3170 } else {
3171 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3172 cryptfs_reboot(shutdown);
3173 }
3174 } else {
3175 char value[PROPERTY_VALUE_MAX];
3176
3177 property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3178 if (!strcmp(value, "1")) {
3179 /* wipe data if encryption failed */
3180 SLOGE("encryption failed - rebooting into recovery to wipe data\n");
3181 mkdir("/cache/recovery", 0700);
3182 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0600);
3183 if (fd >= 0) {
3184 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1);
3185 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1);
3186 close(fd);
3187 } else {
3188 SLOGE("could not open /cache/recovery/command\n");
3189 }
3190 cryptfs_reboot(recovery);
3191 } else {
3192 /* set property to trigger dialog */
3193 property_set("vold.encrypt_progress", "error_partially_encrypted");
3194 release_wake_lock(lockid);
3195 }
3196 return -1;
3197 }
3198
3199 /* hrm, the encrypt step claims success, but the reboot failed.
3200 * This should not happen.
3201 * Set the property and return. Hope the framework can deal with it.
3202 */
3203 property_set("vold.encrypt_progress", "error_reboot_failed");
3204 release_wake_lock(lockid);
3205 return rc;
3206
3207 error_unencrypted:
3208 property_set("vold.encrypt_progress", "error_not_encrypted");
3209 if (lockid[0]) {
3210 release_wake_lock(lockid);
3211 }
3212 return -1;
3213
3214 error_shutting_down:
3215 /* we failed, and have not encrypted anthing, so the users's data is still intact,
3216 * but the framework is stopped and not restarted to show the error, so it's up to
3217 * vold to restart the system.
3218 */
3219 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3220 cryptfs_reboot(reboot);
3221
3222 /* shouldn't get here */
3223 property_set("vold.encrypt_progress", "error_shutting_down");
3224 if (lockid[0]) {
3225 release_wake_lock(lockid);
3226 }
3227 return -1;
3228 }
3229
3230 int cryptfs_enable(char *howarg, int type, char *passwd, int no_ui)
3231 {
3232 return cryptfs_enable_internal(howarg, type, passwd, no_ui);
3233 }
3234
3235 int cryptfs_enable_default(char *howarg, int no_ui)
3236 {
3237 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3238 DEFAULT_PASSWORD, no_ui);
3239 }
3240
3241 int cryptfs_changepw(int crypt_type, const char *newpw)
3242 {
3243 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3244 return e4crypt_change_password(DATA_MNT_POINT, crypt_type,
3245 crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3246 : newpw);
3247 }
3248
3249 struct crypt_mnt_ftr crypt_ftr;
3250 int rc;
3251
3252 /* This is only allowed after we've successfully decrypted the master key */
3253 if (!master_key_saved) {
3254 SLOGE("Key not saved, aborting");
3255 return -1;
3256 }
3257
3258 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3259 SLOGE("Invalid crypt_type %d", crypt_type);
3260 return -1;
3261 }
3262
3263 /* get key */
3264 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3265 SLOGE("Error getting crypt footer and key");
3266 return -1;
3267 }
3268
3269 crypt_ftr.crypt_type = crypt_type;
3270
3271 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3272 : newpw,
3273 crypt_ftr.salt,
3274 saved_master_key,
3275 crypt_ftr.master_key,
3276 &crypt_ftr);
3277 if (rc) {
3278 SLOGE("Encrypt master key failed: %d", rc);
3279 return -1;
3280 }
3281 /* save the key */
3282 put_crypt_ftr_and_key(&crypt_ftr);
3283
3284 #ifdef CONFIG_HW_DISK_ENCRYPTION
3285 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) {
3286 if (crypt_type == CRYPT_TYPE_DEFAULT) {
3287 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name);
3288 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc);
3289 if (!rc)
3290 return -1;
3291 } else {
3292 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name);
3293 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc);
3294 if (!rc)
3295 return -1;
3296 }
3297 }
3298 #endif
3299 return 0;
3300 }
3301
3302 static unsigned int persist_get_max_entries(int encrypted) {
3303 struct crypt_mnt_ftr crypt_ftr;
3304 unsigned int dsize;
3305 unsigned int max_persistent_entries;
3306
3307 /* If encrypted, use the values from the crypt_ftr, otherwise
3308 * use the values for the current spec.
3309 */
3310 if (encrypted) {
3311 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3312 return -1;
3313 }
3314 dsize = crypt_ftr.persist_data_size;
3315 } else {
3316 dsize = CRYPT_PERSIST_DATA_SIZE;
3317 }
3318
3319 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3320 sizeof(struct crypt_persist_entry);
3321
3322 return max_persistent_entries;
3323 }
3324
3325 static int persist_get_key(const char *fieldname, char *value)
3326 {
3327 unsigned int i;
3328
3329 if (persist_data == NULL) {
3330 return -1;
3331 }
3332 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3333 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3334 /* We found it! */
3335 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3336 return 0;
3337 }
3338 }
3339
3340 return -1;
3341 }
3342
3343 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3344 {
3345 unsigned int i;
3346 unsigned int num;
3347 unsigned int max_persistent_entries;
3348
3349 if (persist_data == NULL) {
3350 return -1;
3351 }
3352
3353 max_persistent_entries = persist_get_max_entries(encrypted);
3354
3355 num = persist_data->persist_valid_entries;
3356
3357 for (i = 0; i < num; i++) {
3358 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3359 /* We found an existing entry, update it! */
3360 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3361 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3362 return 0;
3363 }
3364 }
3365
3366 /* We didn't find it, add it to the end, if there is room */
3367 if (persist_data->persist_valid_entries < max_persistent_entries) {
3368 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3369 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3370 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3371 persist_data->persist_valid_entries++;
3372 return 0;
3373 }
3374
3375 return -1;
3376 }
3377
3378 /**
3379 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
3380 * sequence and its index is greater than or equal to index. Return 0 otherwise.
3381 */
3382 static int match_multi_entry(const char *key, const char *field, unsigned index) {
3383 unsigned int field_len;
3384 unsigned int key_index;
3385 field_len = strlen(field);
3386
3387 if (index == 0) {
3388 // The first key in a multi-entry field is just the filedname itself.
3389 if (!strcmp(key, field)) {
3390 return 1;
3391 }
3392 }
3393 // Match key against "%s_%d" % (field, index)
3394 if (strlen(key) < field_len + 1 + 1) {
3395 // Need at least a '_' and a digit.
3396 return 0;
3397 }
3398 if (strncmp(key, field, field_len)) {
3399 // If the key does not begin with field, it's not a match.
3400 return 0;
3401 }
3402 if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
3403 return 0;
3404 }
3405 return key_index >= index;
3406 }
3407
3408 /*
3409 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
3410 * remaining entries starting from index will be deleted.
3411 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
3412 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
3413 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
3414 *
3415 */
3416 static int persist_del_keys(const char *fieldname, unsigned index)
3417 {
3418 unsigned int i;
3419 unsigned int j;
3420 unsigned int num;
3421
3422 if (persist_data == NULL) {
3423 return PERSIST_DEL_KEY_ERROR_OTHER;
3424 }
3425
3426 num = persist_data->persist_valid_entries;
3427
3428 j = 0; // points to the end of non-deleted entries.
3429 // Filter out to-be-deleted entries in place.
3430 for (i = 0; i < num; i++) {
3431 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
3432 persist_data->persist_entry[j] = persist_data->persist_entry[i];
3433 j++;
3434 }
3435 }
3436
3437 if (j < num) {
3438 persist_data->persist_valid_entries = j;
3439 // Zeroise the remaining entries
3440 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
3441 return PERSIST_DEL_KEY_OK;
3442 } else {
3443 // Did not find an entry matching the given fieldname
3444 return PERSIST_DEL_KEY_ERROR_NO_FIELD;
3445 }
3446 }
3447
3448 static int persist_count_keys(const char *fieldname)
3449 {
3450 unsigned int i;
3451 unsigned int count;
3452
3453 if (persist_data == NULL) {
3454 return -1;
3455 }
3456
3457 count = 0;
3458 for (i = 0; i < persist_data->persist_valid_entries; i++) {
3459 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
3460 count++;
3461 }
3462 }
3463
3464 return count;
3465 }
3466
3467 /* Return the value of the specified field. */
3468 int cryptfs_getfield(const char *fieldname, char *value, int len)
3469 {
3470 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3471 return e4crypt_get_field(DATA_MNT_POINT, fieldname, value, len);
3472 }
3473
3474 char temp_value[PROPERTY_VALUE_MAX];
3475 /* CRYPTO_GETFIELD_OK is success,
3476 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
3477 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
3478 * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3479 */
3480 int rc = CRYPTO_GETFIELD_ERROR_OTHER;
3481 int i;
3482 char temp_field[PROPERTY_KEY_MAX];
3483
3484 if (persist_data == NULL) {
3485 load_persistent_data();
3486 if (persist_data == NULL) {
3487 SLOGE("Getfield error, cannot load persistent data");
3488 goto out;
3489 }
3490 }
3491
3492 // Read value from persistent entries. If the original value is split into multiple entries,
3493 // stitch them back together.
3494 if (!persist_get_key(fieldname, temp_value)) {
3495 // We found it, copy it to the caller's buffer and keep going until all entries are read.
3496 if (strlcpy(value, temp_value, len) >= (unsigned) len) {
3497 // value too small
3498 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3499 goto out;
3500 }
3501 rc = CRYPTO_GETFIELD_OK;
3502
3503 for (i = 1; /* break explicitly */; i++) {
3504 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
3505 (int) sizeof(temp_field)) {
3506 // If the fieldname is very long, we stop as soon as it begins to overflow the
3507 // maximum field length. At this point we have in fact fully read out the original
3508 // value because cryptfs_setfield would not allow fields with longer names to be
3509 // written in the first place.
3510 break;
3511 }
3512 if (!persist_get_key(temp_field, temp_value)) {
3513 if (strlcat(value, temp_value, len) >= (unsigned)len) {
3514 // value too small.
3515 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3516 goto out;
3517 }
3518 } else {
3519 // Exhaust all entries.
3520 break;
3521 }
3522 }
3523 } else {
3524 /* Sadness, it's not there. Return the error */
3525 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3526 }
3527
3528 out:
3529 return rc;
3530 }
3531
3532 /* Set the value of the specified field. */
3533 int cryptfs_setfield(const char *fieldname, const char *value)
3534 {
3535 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3536 return e4crypt_set_field(DATA_MNT_POINT, fieldname, value);
3537 }
3538
3539 char encrypted_state[PROPERTY_VALUE_MAX];
3540 /* 0 is success, negative values are error */
3541 int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3542 int encrypted = 0;
3543 unsigned int field_id;
3544 char temp_field[PROPERTY_KEY_MAX];
3545 unsigned int num_entries;
3546 unsigned int max_keylen;
3547
3548 if (persist_data == NULL) {
3549 load_persistent_data();
3550 if (persist_data == NULL) {
3551 SLOGE("Setfield error, cannot load persistent data");
3552 goto out;
3553 }
3554 }
3555
3556 property_get("ro.crypto.state", encrypted_state, "");
3557 if (!strcmp(encrypted_state, "encrypted") ) {
3558 encrypted = 1;
3559 }
3560
3561 // Compute the number of entries required to store value, each entry can store up to
3562 // (PROPERTY_VALUE_MAX - 1) chars
3563 if (strlen(value) == 0) {
3564 // Empty value also needs one entry to store.
3565 num_entries = 1;
3566 } else {
3567 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
3568 }
3569
3570 max_keylen = strlen(fieldname);
3571 if (num_entries > 1) {
3572 // Need an extra "_%d" suffix.
3573 max_keylen += 1 + log10(num_entries);
3574 }
3575 if (max_keylen > PROPERTY_KEY_MAX - 1) {
3576 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
3577 goto out;
3578 }
3579
3580 // Make sure we have enough space to write the new value
3581 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
3582 persist_get_max_entries(encrypted)) {
3583 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
3584 goto out;
3585 }
3586
3587 // Now that we know persist_data has enough space for value, let's delete the old field first
3588 // to make up space.
3589 persist_del_keys(fieldname, 0);
3590
3591 if (persist_set_key(fieldname, value, encrypted)) {
3592 // fail to set key, should not happen as we have already checked the available space
3593 SLOGE("persist_set_key() error during setfield()");
3594 goto out;
3595 }
3596
3597 for (field_id = 1; field_id < num_entries; field_id++) {
3598 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
3599
3600 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
3601 // fail to set key, should not happen as we have already checked the available space.
3602 SLOGE("persist_set_key() error during setfield()");
3603 goto out;
3604 }
3605 }
3606
3607 /* If we are running encrypted, save the persistent data now */
3608 if (encrypted) {
3609 if (save_persistent_data()) {
3610 SLOGE("Setfield error, cannot save persistent data");
3611 goto out;
3612 }
3613 }
3614
3615 rc = CRYPTO_SETFIELD_OK;
3616
3617 out:
3618 return rc;
3619 }
3620
3621 /* Checks userdata. Attempt to mount the volume if default-
3622 * encrypted.
3623 * On success trigger next init phase and return 0.
3624 * Currently do not handle failure - see TODO below.
3625 */
3626 int cryptfs_mount_default_encrypted(void)
3627 {
3628 char decrypt_state[PROPERTY_VALUE_MAX];
3629 property_get("vold.decrypt", decrypt_state, "0");
3630 if (!strcmp(decrypt_state, "0")) {
3631 SLOGE("Not encrypted - should not call here");
3632 } else {
3633 int crypt_type = cryptfs_get_password_type();
3634 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3635 SLOGE("Bad crypt type - error");
3636 } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3637 SLOGD("Password is not default - "
3638 "starting min framework to prompt");
3639 property_set("vold.decrypt", "trigger_restart_min_framework");
3640 return 0;
3641 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3642 SLOGD("Password is default - restarting filesystem");
3643 cryptfs_restart_internal(0);
3644 return 0;
3645 } else {
3646 SLOGE("Encrypted, default crypt type but can't decrypt");
3647 }
3648 }
3649
3650 /** Corrupt. Allow us to boot into framework, which will detect bad
3651 crypto when it calls do_crypto_complete, then do a factory reset
3652 */
3653 property_set("vold.decrypt", "trigger_restart_min_framework");
3654 return 0;
3655 }
3656
3657 /* Returns type of the password, default, pattern, pin or password.
3658 */
3659 int cryptfs_get_password_type(void)
3660 {
3661 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3662 return e4crypt_get_password_type(DATA_MNT_POINT);
3663 }
3664
3665 struct crypt_mnt_ftr crypt_ftr;
3666
3667 if (get_crypt_ftr_and_key(&crypt_ftr)) {
3668 SLOGE("Error getting crypt footer and key\n");
3669 return -1;
3670 }
3671
3672 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3673 return -1;
3674 }
3675
3676 return crypt_ftr.crypt_type;
3677 }
3678
3679 const char* cryptfs_get_password()
3680 {
3681 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3682 return e4crypt_get_password(DATA_MNT_POINT);
3683 }
3684
3685 struct timespec now;
3686 clock_gettime(CLOCK_BOOTTIME, &now);
3687 if (now.tv_sec < password_expiry_time) {
3688 return password;
3689 } else {
3690 cryptfs_clear_password();
3691 return 0;
3692 }
3693 }
3694
3695 void cryptfs_clear_password()
3696 {
3697 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3698 e4crypt_clear_password(DATA_MNT_POINT);
3699 }
3700
3701 if (password) {
3702 size_t len = strlen(password);
3703 memset(password, 0, len);
3704 free(password);
3705 password = 0;
3706 password_expiry_time = 0;
3707 }
3708 }
3709
3710 int cryptfs_enable_file()
3711 {
3712 return e4crypt_enable(DATA_MNT_POINT);
3713 }
3714
3715 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
3716 {
3717 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
3718 SLOGE("Failed to initialize crypt_ftr");
3719 return -1;
3720 }
3721
3722 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
3723 crypt_ftr->salt, crypt_ftr)) {
3724 SLOGE("Cannot create encrypted master key\n");
3725 return -1;
3726 }
3727
3728 //crypt_ftr->keysize = key_length / 8;
3729 return 0;
3730 }
3731
3732 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
3733 unsigned char* master_key)
3734 {
3735 int rc;
3736
3737 unsigned char* intermediate_key = 0;
3738 size_t intermediate_key_size = 0;
3739
3740 if (password == 0 || *password == 0) {
3741 password = DEFAULT_PASSWORD;
3742 }
3743
3744 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
3745 &intermediate_key_size);
3746
3747 int N = 1 << ftr->N_factor;
3748 int r = 1 << ftr->r_factor;
3749 int p = 1 << ftr->p_factor;
3750
3751 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
3752
3753 rc = crypto_scrypt(intermediate_key, intermediate_key_size,
3754 ftr->salt, sizeof(ftr->salt), N, r, p,
3755 scrypted_intermediate_key,
3756 sizeof(scrypted_intermediate_key));
3757
3758 free(intermediate_key);
3759
3760 if (rc) {
3761 SLOGE("Can't calculate intermediate key");
3762 return rc;
3763 }
3764
3765 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
3766 intermediate_key_size);
3767 }
3768
3769 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password,
3770 const unsigned char* master_key)
3771 {
3772 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key,
3773 ftr);
3774 }
3775