cryptfs.c 115 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
/*
 * Copyright (C) 2010 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/* TO DO:
 *   1.  Perhaps keep several copies of the encrypted key, in case something
 *       goes horribly wrong?
 *
 */

#include <sys/types.h>
24
#include <sys/wait.h>
25
#include <sys/stat.h>
26
#include <ctype.h>
27
#include <fcntl.h>
Elliott Hughes's avatar
Elliott Hughes committed
28
#include <inttypes.h>
29 30 31 32 33 34 35 36 37 38
#include <unistd.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <linux/dm-ioctl.h>
#include <libgen.h>
#include <stdlib.h>
#include <sys/param.h>
#include <string.h>
#include <sys/mount.h>
#include <openssl/evp.h>
39
#include <openssl/sha.h>
40
#include <errno.h>
41
#include <ext4.h>
42
#include <linux/kdev_t.h>
43
#include <fs_mgr.h>
44
#include <time.h>
45
#include <math.h>
46 47 48 49
#include "cryptfs.h"
#define LOG_TAG "Cryptfs"
#include "cutils/log.h"
#include "cutils/properties.h"
50
#include "cutils/android_reboot.h"
51
#include "hardware_legacy/power.h"
52
#include <logwrap/logwrap.h>
53
#include "VolumeManager.h"
54
#include "VoldUtil.h"
Kenny Root's avatar
Kenny Root committed
55
#include "crypto_scrypt.h"
Paul Lawrence's avatar
Paul Lawrence committed
56
#include "ext4_crypt.h"
Paul Lawrence's avatar
Paul Lawrence committed
57
#include "ext4_utils.h"
58
#include "f2fs_sparseblock.h"
59
#include "CheckBattery.h"
60
#include "Process.h"
61

62
#include <hardware/keymaster0.h>
63

64 65
#define UNUSED __attribute__((unused))

66 67
#define UNUSED __attribute__((unused))

Ajay Dudani's avatar
Ajay Dudani committed
68 69 70 71
#ifdef CONFIG_HW_DISK_ENCRYPTION
#include "cryptfs_hw.h"
#endif

72 73
#define DM_CRYPT_BUF_SIZE 4096

74 75 76 77
#define HASH_COUNT 2000
#define KEY_LEN_BYTES 16
#define IV_LEN_BYTES 16

78 79
#define KEY_IN_FOOTER  "footer"

80 81 82
// "default_password" encoded into hex (d=0x64 etc)
#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264"

83
#define EXT4_FS 1
84
#define F2FS_FS 2
85

86 87
#define TABLE_LOAD_RETRIES 10

88 89 90
#define RSA_KEY_SIZE 2048
#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
#define RSA_EXPONENT 0x10001
91

92 93 94
#define RETRY_MOUNT_ATTEMPTS 10
#define RETRY_MOUNT_DELAY_SECONDS 1

95 96
char *me = "cryptfs";

97
static unsigned char saved_master_key[KEY_LEN_BYTES];
98
static char *saved_mount_point;
99
static int  master_key_saved = 0;
100
static struct crypt_persist_data *persist_data = NULL;
Ken Sumrall's avatar
Ken Sumrall committed
101

102
static int keymaster_init(keymaster0_device_t **keymaster_dev)
103 104 105 106 107 108 109 110 111 112
{
    int rc;

    const hw_module_t* mod;
    rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
    if (rc) {
        ALOGE("could not find any keystore module");
        goto out;
    }

113
    rc = keymaster0_open(mod, keymaster_dev);
114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129
    if (rc) {
        ALOGE("could not open keymaster device in %s (%s)",
            KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
        goto out;
    }

    return 0;

out:
    *keymaster_dev = NULL;
    return rc;
}

/* Should we use keymaster? */
static int keymaster_check_compatibility()
{
130
    keymaster0_device_t *keymaster_dev = 0;
131 132 133 134 135 136 137 138
    int rc = 0;

    if (keymaster_init(&keymaster_dev)) {
        SLOGE("Failed to init keymaster");
        rc = -1;
        goto out;
    }

Paul Lawrence's avatar
Paul Lawrence committed
139 140 141 142 143 144 145 146
    SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version);

    if (keymaster_dev->common.module->module_api_version
            < KEYMASTER_MODULE_API_VERSION_0_3) {
        rc = 0;
        goto out;
    }

147 148
    if (!(keymaster_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
        (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
149 150 151 152
        rc = 1;
    }

out:
153
    keymaster0_close(keymaster_dev);
154 155 156 157 158 159 160
    return rc;
}

/* Create a new keymaster key and store it in this footer */
static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
{
    uint8_t* key = 0;
161
    keymaster0_device_t *keymaster_dev = 0;
162 163 164 165 166 167 168 169 170 171

    if (keymaster_init(&keymaster_dev)) {
        SLOGE("Failed to init keymaster");
        return -1;
    }

    int rc = 0;

    keymaster_rsa_keygen_params_t params;
    memset(&params, '\0', sizeof(params));
172 173
    params.public_exponent = RSA_EXPONENT;
    params.modulus_size = RSA_KEY_SIZE;
174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192

    size_t key_size;
    if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, &params,
                                        &key, &key_size)) {
        SLOGE("Failed to generate keypair");
        rc = -1;
        goto out;
    }

    if (key_size > KEYMASTER_BLOB_SIZE) {
        SLOGE("Keymaster key too large for crypto footer");
        rc = -1;
        goto out;
    }

    memcpy(ftr->keymaster_blob, key, key_size);
    ftr->keymaster_blob_size = key_size;

out:
193
    keymaster0_close(keymaster_dev);
194 195 196 197
    free(key);
    return rc;
}

198 199
/* This signs the given object using the keymaster key. */
static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
200 201 202 203 204 205
                                 const unsigned char *object,
                                 const size_t object_size,
                                 unsigned char **signature,
                                 size_t *signature_size)
{
    int rc = 0;
206
    keymaster0_device_t *keymaster_dev = 0;
207 208 209 210 211 212 213 214 215 216 217 218 219 220
    if (keymaster_init(&keymaster_dev)) {
        SLOGE("Failed to init keymaster");
        return -1;
    }

    /* We currently set the digest type to DIGEST_NONE because it's the
     * only supported value for keymaster. A similar issue exists with
     * PADDING_NONE. Long term both of these should likely change.
     */
    keymaster_rsa_sign_params_t params;
    params.digest_type = DIGEST_NONE;
    params.padding_type = PADDING_NONE;

    unsigned char to_sign[RSA_KEY_SIZE_BYTES];
221
    size_t to_sign_size = sizeof(to_sign);
222 223
    memset(to_sign, 0, RSA_KEY_SIZE_BYTES);

224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256
    // To sign a message with RSA, the message must satisfy two
    // constraints:
    //
    // 1. The message, when interpreted as a big-endian numeric value, must
    //    be strictly less than the public modulus of the RSA key.  Note
    //    that because the most significant bit of the public modulus is
    //    guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
    //    key), an n-bit message with most significant bit 0 always
    //    satisfies this requirement.
    //
    // 2. The message must have the same length in bits as the public
    //    modulus of the RSA key.  This requirement isn't mathematically
    //    necessary, but is necessary to ensure consistency in
    //    implementations.
    switch (ftr->kdf_type) {
        case KDF_SCRYPT_KEYMASTER:
            // This ensures the most significant byte of the signed message
            // is zero.  We could have zero-padded to the left instead, but
            // this approach is slightly more robust against changes in
            // object size.  However, it's still broken (but not unusably
            // so) because we really should be using a proper RSA padding
            // function, such as OAEP.
            //
            // TODO(paullawrence): When keymaster 0.4 is available, change
            // this to use the padding options it provides.
            memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
            SLOGI("Signing safely-padded object");
            break;
        default:
            SLOGE("Unknown KDF type %d", ftr->kdf_type);
            return -1;
    }

257 258 259 260 261
    rc = keymaster_dev->sign_data(keymaster_dev,
                                  &params,
                                  ftr->keymaster_blob,
                                  ftr->keymaster_blob_size,
                                  to_sign,
262
                                  to_sign_size,
263 264 265
                                  signature,
                                  signature_size);

266
    keymaster0_close(keymaster_dev);
267 268 269
    return rc;
}

Paul Lawrence's avatar
Paul Lawrence committed
270 271 272 273 274 275 276 277 278 279 280 281 282
/* Store password when userdata is successfully decrypted and mounted.
 * Cleared by cryptfs_clear_password
 *
 * To avoid a double prompt at boot, we need to store the CryptKeeper
 * password and pass it to KeyGuard, which uses it to unlock KeyStore.
 * Since the entire framework is torn down and rebuilt after encryption,
 * we have to use a daemon or similar to store the password. Since vold
 * is secured against IPC except from system processes, it seems a reasonable
 * place to store this.
 *
 * password should be cleared once it has been used.
 *
 * password is aged out after password_max_age_seconds seconds.
283
 */
Paul Lawrence's avatar
Paul Lawrence committed
284 285 286
static char* password = 0;
static int password_expiry_time = 0;
static const int password_max_age_seconds = 60;
287

Ken Sumrall's avatar
Ken Sumrall committed
288
extern struct fstab *fstab;
Ken Sumrall's avatar
Ken Sumrall committed
289

290 291
enum RebootType {reboot, recovery, shutdown};
static void cryptfs_reboot(enum RebootType rt)
292
{
293 294 295 296 297 298 299 300 301 302 303 304
  switch(rt) {
      case reboot:
          property_set(ANDROID_RB_PROPERTY, "reboot");
          break;

      case recovery:
          property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
          break;

      case shutdown:
          property_set(ANDROID_RB_PROPERTY, "shutdown");
          break;
305
    }
306

307 308 309 310 311 312
    sleep(20);

    /* Shouldn't get here, reboot should happen before sleep times out */
    return;
}

313 314 315 316 317 318 319 320 321 322
static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
{
    memset(io, 0, dataSize);
    io->data_size = dataSize;
    io->data_start = sizeof(struct dm_ioctl);
    io->version[0] = 4;
    io->version[1] = 0;
    io->version[2] = 0;
    io->flags = flags;
    if (name) {
323
        strlcpy(io->name, name, sizeof(io->name));
324 325 326
    }
}

Kenny Root's avatar
Kenny Root committed
327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345
/**
 * Gets the default device scrypt parameters for key derivation time tuning.
 * The parameters should lead to about one second derivation time for the
 * given device.
 */
static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
    const int default_params[] = SCRYPT_DEFAULTS;
    int params[] = SCRYPT_DEFAULTS;
    char paramstr[PROPERTY_VALUE_MAX];
    char *token;
    char *saveptr;
    int i;

    property_get(SCRYPT_PROP, paramstr, "");
    if (paramstr[0] != '\0') {
        /*
         * The token we're looking for should be three integers separated by
         * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
         */
Kenny Root's avatar
Kenny Root committed
346 347
        for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
                token != NULL && i < 3;
Kenny Root's avatar
Kenny Root committed
348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376
                i++, token = strtok_r(NULL, ":", &saveptr)) {
            char *endptr;
            params[i] = strtol(token, &endptr, 10);

            /*
             * Check that there was a valid number and it's 8-bit. If not,
             * break out and the end check will take the default values.
             */
            if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
                break;
            }
        }

        /*
         * If there were not enough tokens or a token was malformed (not an
         * integer), it will end up here and the default parameters can be
         * taken.
         */
        if ((i != 3) || (token != NULL)) {
            SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
            memcpy(params, default_params, sizeof(params));
        }
    }

    ftr->N_factor = params[0];
    ftr->r_factor = params[1];
    ftr->p_factor = params[2];
}

377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399
static unsigned int get_fs_size(char *dev)
{
    int fd, block_size;
    struct ext4_super_block sb;
    off64_t len;

    if ((fd = open(dev, O_RDONLY)) < 0) {
        SLOGE("Cannot open device to get filesystem size ");
        return 0;
    }

    if (lseek64(fd, 1024, SEEK_SET) < 0) {
        SLOGE("Cannot seek to superblock");
        return 0;
    }

    if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
        SLOGE("Cannot read superblock");
        return 0;
    }

    close(fd);

400 401 402 403
    if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
        SLOGE("Not a valid ext4 superblock");
        return 0;
    }
404 405 406 407 408 409 410 411
    block_size = 1024 << sb.s_log_block_size;
    /* compute length in bytes */
    len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;

    /* return length in sectors */
    return (unsigned int) (len / 512);
}

412
static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
413
{
414 415 416
  static int cached_data = 0;
  static off64_t cached_off = 0;
  static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
417
  int fd;
418
  char key_loc[PROPERTY_VALUE_MAX];
419 420
  char real_blkdev[PROPERTY_VALUE_MAX];
  int rc = -1;
421

422 423
  if (!cached_data) {
    fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
424

425 426 427 428 429
    if (!strcmp(key_loc, KEY_IN_FOOTER)) {
      if ( (fd = open(real_blkdev, O_RDWR)) < 0) {
        SLOGE("Cannot open real block device %s\n", real_blkdev);
        return -1;
      }
430

431 432 433
      unsigned long nr_sec = 0;
      get_blkdev_size(fd, &nr_sec);
      if (nr_sec != 0) {
434 435 436 437 438 439 440 441 442 443 444 445 446 447 448
        /* If it's an encrypted Android partition, the last 16 Kbytes contain the
         * encryption info footer and key, and plenty of bytes to spare for future
         * growth.
         */
        strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
        cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
        cached_data = 1;
      } else {
        SLOGE("Cannot get size of block device %s\n", real_blkdev);
      }
      close(fd);
    } else {
      strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
      cached_off = 0;
      cached_data = 1;
449
    }
450
  }
451

452 453 454
  if (cached_data) {
    if (metadata_fname) {
        *metadata_fname = cached_metadata_fname;
455
    }
456 457
    if (off) {
        *off = cached_off;
458
    }
459
    rc = 0;
460 461
  }

462 463
  return rc;
}
464

465 466 467 468 469 470
/* key or salt can be NULL, in which case just skip writing that value.  Useful to
 * update the failed mount count but not change the key.
 */
static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
{
  int fd;
471
  unsigned int cnt;
472 473 474 475 476 477 478
  /* starting_off is set to the SEEK_SET offset
   * where the crypto structure starts
   */
  off64_t starting_off;
  int rc = -1;
  char *fname = NULL;
  struct stat statbuf;
479

480 481 482 483 484 485 486 487
  if (get_crypt_ftr_info(&fname, &starting_off)) {
    SLOGE("Unable to get crypt_ftr_info\n");
    return -1;
  }
  if (fname[0] != '/') {
    SLOGE("Unexpected value for crypto key location\n");
    return -1;
  }
488 489
  if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) {
    SLOGE("Cannot open footer file %s for put\n", fname);
490
    return -1;
491 492
  }

493 494 495 496 497
  /* Seek to the start of the crypt footer */
  if (lseek64(fd, starting_off, SEEK_SET) == -1) {
    SLOGE("Cannot seek to real block device footer\n");
    goto errout;
  }
498

499 500 501
  if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
    SLOGE("Cannot write real block device footer\n");
    goto errout;
502 503
  }

504 505
  fstat(fd, &statbuf);
  /* If the keys are kept on a raw block device, do not try to truncate it. */
506
  if (S_ISREG(statbuf.st_mode)) {
507
    if (ftruncate(fd, 0x4000)) {
Colin Cross's avatar
Colin Cross committed
508
      SLOGE("Cannot set footer file size\n");
509 510 511 512
      goto errout;
    }
  }

513 514 515 516 517 518 519 520 521
  /* Success! */
  rc = 0;

errout:
  close(fd);
  return rc;

}

522
static inline int unix_read(int  fd, void*  buff, int  len)
523
{
524 525
    return TEMP_FAILURE_RETRY(read(fd, buff, len));
}
526

527 528 529 530
static inline int unix_write(int  fd, const void*  buff, int  len)
{
    return TEMP_FAILURE_RETRY(write(fd, buff, len));
}
531

532 533 534 535 536 537
static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
{
    memset(pdata, 0, len);
    pdata->persist_magic = PERSIST_DATA_MAGIC;
    pdata->persist_valid_entries = 0;
}
538

539 540 541 542 543 544 545
/* A routine to update the passed in crypt_ftr to the lastest version.
 * fd is open read/write on the device that holds the crypto footer and persistent
 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
 */
static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
{
546 547 548 549 550 551 552
    int orig_major = crypt_ftr->major_version;
    int orig_minor = crypt_ftr->minor_version;

    if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
        struct crypt_persist_data *pdata;
        off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;

Kenny Root's avatar
Kenny Root committed
553 554
        SLOGW("upgrading crypto footer to 1.1");

555 556 557 558 559 560 561 562 563 564
        pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
        if (pdata == NULL) {
            SLOGE("Cannot allocate persisent data\n");
            return;
        }
        memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);

        /* Need to initialize the persistent data area */
        if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
            SLOGE("Cannot seek to persisent data offset\n");
565
            free(pdata);
566 567 568 569 570 571 572 573 574 575 576 577 578 579
            return;
        }
        /* Write all zeros to the first copy, making it invalid */
        unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);

        /* Write a valid but empty structure to the second copy */
        init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
        unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);

        /* Update the footer */
        crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
        crypt_ftr->persist_data_offset[0] = pdata_offset;
        crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
        crypt_ftr->minor_version = 1;
580
        free(pdata);
581
    }
582

583
    if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
Kenny Root's avatar
Kenny Root committed
584
        SLOGW("upgrading crypto footer to 1.2");
585 586 587
        /* But keep the old kdf_type.
         * It will get updated later to KDF_SCRYPT after the password has been verified.
         */
Kenny Root's avatar
Kenny Root committed
588 589 590 591 592
        crypt_ftr->kdf_type = KDF_PBKDF2;
        get_device_scrypt_params(crypt_ftr);
        crypt_ftr->minor_version = 2;
    }

593 594 595 596 597 598
    if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
        SLOGW("upgrading crypto footer to 1.3");
        crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
        crypt_ftr->minor_version = 3;
    }

599 600 601 602 603 604
    if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
        if (lseek64(fd, offset, SEEK_SET) == -1) {
            SLOGE("Cannot seek to crypt footer\n");
            return;
        }
        unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
605 606 607 608 609 610 611
    }
}


static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
{
  int fd;
612
  unsigned int cnt;
613 614 615 616 617 618 619 620 621 622
  off64_t starting_off;
  int rc = -1;
  char *fname = NULL;
  struct stat statbuf;

  if (get_crypt_ftr_info(&fname, &starting_off)) {
    SLOGE("Unable to get crypt_ftr_info\n");
    return -1;
  }
  if (fname[0] != '/') {
623
    SLOGE("Unexpected value for crypto key location\n");
624 625 626
    return -1;
  }
  if ( (fd = open(fname, O_RDWR)) < 0) {
627
    SLOGE("Cannot open footer file %s for get\n", fname);
628 629 630 631 632 633 634 635 636 637 638 639 640 641
    return -1;
  }

  /* Make sure it's 16 Kbytes in length */
  fstat(fd, &statbuf);
  if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
    SLOGE("footer file %s is not the expected size!\n", fname);
    goto errout;
  }

  /* Seek to the start of the crypt footer */
  if (lseek64(fd, starting_off, SEEK_SET) == -1) {
    SLOGE("Cannot seek to real block device footer\n");
    goto errout;
642 643 644 645 646 647 648 649
  }

  if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
    SLOGE("Cannot read real block device footer\n");
    goto errout;
  }

  if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
650
    SLOGE("Bad magic for real block device %s\n", fname);
651 652 653
    goto errout;
  }

654 655 656
  if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
    SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
          crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
657 658 659
    goto errout;
  }

660 661 662
  if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
    SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
          crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
663 664
  }

665 666 667
  /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
   * copy on disk before returning.
   */
668
  if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
669
    upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
670 671
  }

672 673 674 675 676 677 678 679
  /* Success! */
  rc = 0;

errout:
  close(fd);
  return rc;
}

680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735
static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
{
    if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
        crypt_ftr->persist_data_offset[1]) {
        SLOGE("Crypt_ftr persist data regions overlap");
        return -1;
    }

    if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
        SLOGE("Crypt_ftr persist data region 0 starts after region 1");
        return -1;
    }

    if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
        (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
        CRYPT_FOOTER_OFFSET) {
        SLOGE("Persistent data extends past crypto footer");
        return -1;
    }

    return 0;
}

static int load_persistent_data(void)
{
    struct crypt_mnt_ftr crypt_ftr;
    struct crypt_persist_data *pdata = NULL;
    char encrypted_state[PROPERTY_VALUE_MAX];
    char *fname;
    int found = 0;
    int fd;
    int ret;
    int i;

    if (persist_data) {
        /* Nothing to do, we've already loaded or initialized it */
        return 0;
    }


    /* If not encrypted, just allocate an empty table and initialize it */
    property_get("ro.crypto.state", encrypted_state, "");
    if (strcmp(encrypted_state, "encrypted") ) {
        pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
        if (pdata) {
            init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
            persist_data = pdata;
            return 0;
        }
        return -1;
    }

    if(get_crypt_ftr_and_key(&crypt_ftr)) {
        return -1;
    }

Paul Lawrence's avatar
Paul Lawrence committed
736 737
    if ((crypt_ftr.major_version < 1)
        || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816
        SLOGE("Crypt_ftr version doesn't support persistent data");
        return -1;
    }

    if (get_crypt_ftr_info(&fname, NULL)) {
        return -1;
    }

    ret = validate_persistent_data_storage(&crypt_ftr);
    if (ret) {
        return -1;
    }

    fd = open(fname, O_RDONLY);
    if (fd < 0) {
        SLOGE("Cannot open %s metadata file", fname);
        return -1;
    }

    if (persist_data == NULL) {
        pdata = malloc(crypt_ftr.persist_data_size);
        if (pdata == NULL) {
            SLOGE("Cannot allocate memory for persistent data");
            goto err;
        }
    }

    for (i = 0; i < 2; i++) {
        if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
            SLOGE("Cannot seek to read persistent data on %s", fname);
            goto err2;
        }
        if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
            SLOGE("Error reading persistent data on iteration %d", i);
            goto err2;
        }
        if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
            found = 1;
            break;
        }
    }

    if (!found) {
        SLOGI("Could not find valid persistent data, creating");
        init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
    }

    /* Success */
    persist_data = pdata;
    close(fd);
    return 0;

err2:
    free(pdata);

err:
    close(fd);
    return -1;
}

static int save_persistent_data(void)
{
    struct crypt_mnt_ftr crypt_ftr;
    struct crypt_persist_data *pdata;
    char *fname;
    off64_t write_offset;
    off64_t erase_offset;
    int fd;
    int ret;

    if (persist_data == NULL) {
        SLOGE("No persistent data to save");
        return -1;
    }

    if(get_crypt_ftr_and_key(&crypt_ftr)) {
        return -1;
    }

Paul Lawrence's avatar
Paul Lawrence committed
817 818
    if ((crypt_ftr.major_version < 1)
        || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866
        SLOGE("Crypt_ftr version doesn't support persistent data");
        return -1;
    }

    ret = validate_persistent_data_storage(&crypt_ftr);
    if (ret) {
        return -1;
    }

    if (get_crypt_ftr_info(&fname, NULL)) {
        return -1;
    }

    fd = open(fname, O_RDWR);
    if (fd < 0) {
        SLOGE("Cannot open %s metadata file", fname);
        return -1;
    }

    pdata = malloc(crypt_ftr.persist_data_size);
    if (pdata == NULL) {
        SLOGE("Cannot allocate persistant data");
        goto err;
    }

    if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
        SLOGE("Cannot seek to read persistent data on %s", fname);
        goto err2;
    }

    if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
            SLOGE("Error reading persistent data before save");
            goto err2;
    }

    if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
        /* The first copy is the curent valid copy, so write to
         * the second copy and erase this one */
       write_offset = crypt_ftr.persist_data_offset[1];
       erase_offset = crypt_ftr.persist_data_offset[0];
    } else {
        /* The second copy must be the valid copy, so write to
         * the first copy, and erase the second */
       write_offset = crypt_ftr.persist_data_offset[0];
       erase_offset = crypt_ftr.persist_data_offset[1];
    }

    /* Write the new copy first, if successful, then erase the old copy */
Björn Landström's avatar
Björn Landström committed
867
    if (lseek64(fd, write_offset, SEEK_SET) < 0) {
868 869 870 871 872
        SLOGE("Cannot seek to write persistent data");
        goto err2;
    }
    if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
        (int) crypt_ftr.persist_data_size) {
Björn Landström's avatar
Björn Landström committed
873
        if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901
            SLOGE("Cannot seek to erase previous persistent data");
            goto err2;
        }
        fsync(fd);
        memset(pdata, 0, crypt_ftr.persist_data_size);
        if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
            (int) crypt_ftr.persist_data_size) {
            SLOGE("Cannot write to erase previous persistent data");
            goto err2;
        }
        fsync(fd);
    } else {
        SLOGE("Cannot write to save persistent data");
        goto err2;
    }

    /* Success */
    free(pdata);
    close(fd);
    return 0;

err2:
    free(pdata);
err:
    close(fd);
    return -1;
}

902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944
static int hexdigit (char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii,
                                               unsigned int* out_keysize)
{
    unsigned int i;
    *out_keysize = 0;

    size_t size = strlen (master_key_ascii);
    if (size % 2) {
        SLOGE("Trying to convert ascii string of odd length");
        return NULL;
    }

    unsigned char* master_key = (unsigned char*) malloc(size / 2);
    if (master_key == 0) {
        SLOGE("Cannot allocate");
        return NULL;
    }

    for (i = 0; i < size; i += 2) {
        int high_nibble = hexdigit (master_key_ascii[i]);
        int low_nibble = hexdigit (master_key_ascii[i + 1]);

        if(high_nibble < 0 || low_nibble < 0) {
            SLOGE("Invalid hex string");
            free (master_key);
            return NULL;
        }

        master_key[*out_keysize] = high_nibble * 16 + low_nibble;
        (*out_keysize)++;
    }

    return master_key;
}

945 946 947
/* Convert a binary key of specified length into an ascii hex string equivalent,
 * without the leading 0x and with null termination
 */
948 949
static void convert_key_to_hex_ascii(const unsigned char *master_key,
        unsigned int keysize, char *master_key_ascii) {
950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966
  unsigned int i, a;
  unsigned char nibble;

  for (i=0, a=0; i<keysize; i++, a+=2) {
    /* For each byte, write out two ascii hex digits */
    nibble = (master_key[i] >> 4) & 0xf;
    master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);

    nibble = master_key[i] & 0xf;
    master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
  }

  /* Add the null termination */
  master_key_ascii[a] = '\0';

}

967 968 969
static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
        const unsigned char *master_key, const char *real_blk_name,
        const char *name, int fd, const char *extra_params) {
970
  _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986
  struct dm_ioctl *io;
  struct dm_target_spec *tgt;
  char *crypt_params;
  char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
  int i;

  io = (struct dm_ioctl *) buffer;

  /* Load the mapping table for this device */
  tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];

  ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
  io->target_count = 1;
  tgt->status = 0;
  tgt->sector_start = 0;
  tgt->length = crypt_ftr->fs_size;
Ajay Dudani's avatar
Ajay Dudani committed
987
#ifdef CONFIG_HW_DISK_ENCRYPTION
988 989 990 991 992 993
  if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
    strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME);
  }
  else {
    strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
  }
Ajay Dudani's avatar
Ajay Dudani committed
994 995 996
#else
  strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
#endif
997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040

  crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
  convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
  sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
          master_key_ascii, real_blk_name, extra_params);
  crypt_params += strlen(crypt_params) + 1;
  crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
  tgt->next = crypt_params - buffer;

  for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
    if (! ioctl(fd, DM_TABLE_LOAD, io)) {
      break;
    }
    usleep(500000);
  }

  if (i == TABLE_LOAD_RETRIES) {
    /* We failed to load the table, return an error */
    return -1;
  } else {
    return i + 1;
  }
}


static int get_dm_crypt_version(int fd, const char *name,  int *version)
{
    char buffer[DM_CRYPT_BUF_SIZE];
    struct dm_ioctl *io;
    struct dm_target_versions *v;

    io = (struct dm_ioctl *) buffer;

    ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);

    if (ioctl(fd, DM_LIST_VERSIONS, io)) {
        return -1;
    }

    /* Iterate over the returned versions, looking for name of "crypt".
     * When found, get and return the version.
     */
    v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
    while (v->next) {
Ajay Dudani's avatar
Ajay Dudani committed
1041
#ifdef CONFIG_HW_DISK_ENCRYPTION
1042
        if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
Ajay Dudani's avatar
Ajay Dudani committed
1043
#else
1044
        if (! strcmp(v->name, "crypt")) {
Ajay Dudani's avatar
Ajay Dudani committed
1045
#endif
1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057
            /* We found the crypt driver, return the version, and get out */
            version[0] = v->version[0];
            version[1] = v->version[1];
            version[2] = v->version[2];
            return 0;
        }
        v = (struct dm_target_versions *)(((char *)v) + v->next);
    }

    return -1;
}

1058 1059 1060
static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr,
        const unsigned char *master_key, const char *real_blk_name,
        char *crypto_blk_name, const char *name) {
1061 1062 1063
  char buffer[DM_CRYPT_BUF_SIZE];
  struct dm_ioctl *io;
  unsigned int minor;
Ajay Dudani's avatar
Ajay Dudani committed
1064
  int fd=0;
1065
  int retval = -1;
1066 1067 1068
  int version[3];
  char *extra_params;
  int load_count;
1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091

  if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
    SLOGE("Cannot open device-mapper\n");
    goto errout;
  }

  io = (struct dm_ioctl *) buffer;

  ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
  if (ioctl(fd, DM_DEV_CREATE, io)) {
    SLOGE("Cannot create dm-crypt device\n");
    goto errout;
  }

  /* Get the device status, in particular, the name of it's device file */
  ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
  if (ioctl(fd, DM_DEV_STATUS, io)) {
    SLOGE("Cannot retrieve dm-crypt device status\n");
    goto errout;
  }
  minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
  snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);

1092 1093 1094 1095 1096 1097 1098 1099
  extra_params = "";
  if (! get_dm_crypt_version(fd, name, version)) {
      /* Support for allow_discards was added in version 1.11.0 */
      if ((version[0] >= 2) ||
          ((version[0] == 1) && (version[1] >= 11))) {
          extra_params = "1 allow_discards";
          SLOGI("Enabling support for allow_discards in dmcrypt.\n");
      }
1100 1101
  }

1102 1103 1104
  load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
                                         fd, extra_params);
  if (load_count < 0) {
1105 1106
      SLOGE("Cannot load dm-crypt mapping table.\n");
      goto errout;
1107 1108
  } else if (load_count > 1) {
      SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1109 1110 1111
  }

  /* Resume this device to activate it */
1112
  ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127

  if (ioctl(fd, DM_DEV_SUSPEND, io)) {
    SLOGE("Cannot resume the dm-crypt device\n");
    goto errout;
  }

  /* We made it here with no errors.  Woot! */
  retval = 0;

errout:
  close(fd);   /* If fd is <0 from a failed open call, it's safe to just ignore the close error */

  return retval;
}

1128
static int delete_crypto_blk_dev(char *name)
1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157
{
  int fd;
  char buffer[DM_CRYPT_BUF_SIZE];
  struct dm_ioctl *io;
  int retval = -1;

  if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
    SLOGE("Cannot open device-mapper\n");
    goto errout;
  }

  io = (struct dm_ioctl *) buffer;

  ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
  if (ioctl(fd, DM_DEV_REMOVE, io)) {
    SLOGE("Cannot remove dm-crypt device\n");
    goto errout;
  }

  /* We made it here with no errors.  Woot! */
  retval = 0;

errout:
  close(fd);    /* If fd is <0 from a failed open call, it's safe to just ignore the close error */

  return retval;

}

1158
static int pbkdf2(const char *passwd, const unsigned char *salt,
1159 1160
                  unsigned char *ikey, void *params UNUSED)
{
1161 1162
    SLOGI("Using pbkdf2 for cryptfs KDF");

1163
    /* Turn the password into a key and IV that can decrypt the master key */
1164 1165 1166 1167
    unsigned int keysize;
    char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize);
    if (!master_key) return -1;
    PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN,
1168
                           HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1169

1170
    memset(master_key, 0, keysize);
1171 1172
    free (master_key);
    return 0;
Ken Sumrall's avatar
Ken Sumrall committed
1173 1174
}

1175
static int scrypt(const char *passwd, const unsigned char *salt,
1176 1177
                  unsigned char *ikey, void *params)
{
1178 1179
    SLOGI("Using scrypt for cryptfs KDF");

Kenny Root's avatar
Kenny Root committed
1180 1181 1182 1183 1184 1185 1186
    struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;

    int N = 1 << ftr->N_factor;
    int r = 1 << ftr->r_factor;
    int p = 1 << ftr->p_factor;

    /* Turn the password into a key and IV that can decrypt the master key */
1187 1188 1189 1190
    unsigned int keysize;
    unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize);
    if (!master_key) return -1;
    crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey,
Kenny Root's avatar
Kenny Root committed
1191
            KEY_LEN_BYTES + IV_LEN_BYTES);
1192

1193
    memset(master_key, 0, keysize);
1194 1195
    free (master_key);
    return 0;
Kenny Root's avatar
Kenny Root committed
1196 1197
}

1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228
static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
                            unsigned char *ikey, void *params)
{
    SLOGI("Using scrypt with keymaster for cryptfs KDF");

    int rc;
    unsigned int key_size;
    size_t signature_size;
    unsigned char* signature;
    struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;

    int N = 1 << ftr->N_factor;
    int r = 1 << ftr->r_factor;
    int p = 1 << ftr->p_factor;

    unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size);
    if (!master_key) {
        SLOGE("Failed to convert passwd from hex");
        return -1;
    }

    rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN,
                       N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
    memset(master_key, 0, key_size);
    free(master_key);

    if (rc) {
        SLOGE("scrypt failed");
        return -1;
    }

1229 1230 1231 1232
    if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
                              &signature, &signature_size)) {
        SLOGE("Signing failed");
        return -1;
1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248
    }

    rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
                       N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
    free(signature);

    if (rc) {
        SLOGE("scrypt failed");
        return -1;
    }

    return 0;
}

static int encrypt_master_key(const char *passwd, const unsigned char *salt,
                              const unsigned char *decrypted_master_key,
Kenny Root's avatar
Kenny Root committed
1249 1250
                              unsigned char *encrypted_master_key,
                              struct crypt_mnt_ftr *crypt_ftr)
Ken Sumrall's avatar
Ken Sumrall committed
1251 1252 1253 1254
{
    unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
    EVP_CIPHER_CTX e_ctx;
    int encrypted_len, final_len;
1255
    int rc = 0;
Ken Sumrall's avatar
Ken Sumrall committed
1256

1257
    /* Turn the password into an intermediate key and IV that can decrypt the master key */
Kenny Root's avatar
Kenny Root committed
1258
    get_device_scrypt_params(crypt_ftr);
1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281

    switch (crypt_ftr->kdf_type) {
    case KDF_SCRYPT_KEYMASTER:
        if (keymaster_create_key(crypt_ftr)) {
            SLOGE("keymaster_create_key failed");
            return -1;
        }

        if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
            SLOGE("scrypt failed");
            return -1;
        }
        break;

    case KDF_SCRYPT:
        if (scrypt(passwd, salt, ikey, crypt_ftr)) {
            SLOGE("scrypt failed");
            return -1;
        }
        break;

    default:
        SLOGE("Invalid kdf_type");
1282 1283
        return -1;
    }
Kenny Root's avatar
Kenny Root committed
1284

1285
    /* Initialize the decryption engine */
1286 1287
    EVP_CIPHER_CTX_init(&e_ctx);
    if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1288 1289 1290 1291
        SLOGE("EVP_EncryptInit failed\n");
        return -1;
    }
    EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
Ken Sumrall's avatar
Ken Sumrall committed
1292

1293
    /* Encrypt the master key */
Ken Sumrall's avatar
Ken Sumrall committed
1294 1295
    if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
                              decrypted_master_key, KEY_LEN_BYTES)) {
1296 1297 1298
        SLOGE("EVP_EncryptUpdate failed\n");
        return -1;
    }
1299
    if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1300 1301 1302 1303 1304 1305 1306 1307
        SLOGE("EVP_EncryptFinal failed\n");
        return -1;
    }

    if (encrypted_len + final_len != KEY_LEN_BYTES) {
        SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
        return -1;
    }
1308

1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326
    /* Store the scrypt of the intermediate key, so we can validate if it's a
       password error or mount error when things go wrong.
       Note there's no need to check for errors, since if this is incorrect, we
       simply won't wipe userdata, which is the correct default behavior
    */
    int N = 1 << crypt_ftr->N_factor;
    int r = 1 << crypt_ftr->r_factor;
    int p = 1 << crypt_ftr->p_factor;

    rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
                       crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
                       crypt_ftr->scrypted_intermediate_key,
                       sizeof(crypt_ftr->scrypted_intermediate_key));

    if (rc) {
      SLOGE("encrypt_master_key: crypto_scrypt failed");
    }

1327
    return 0;
1328 1329
}

1330
static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
1331 1332 1333 1334 1335
                                  unsigned char *encrypted_master_key,
                                  unsigned char *decrypted_master_key,
                                  kdf_func kdf, void *kdf_params,
                                  unsigned char** intermediate_key,
                                  size_t* intermediate_key_size)
1336 1337 1338 1339 1340
{
  unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
  EVP_CIPHER_CTX d_ctx;
  int decrypted_len, final_len;

1341 1342
  /* Turn the password into an intermediate key and IV that can decrypt the
     master key */
1343 1344 1345 1346
  if (kdf(passwd, salt, ikey, kdf_params)) {
    SLOGE("kdf failed");
    return -1;
  }
1347 1348

  /* Initialize the decryption engine */
1349 1350
  EVP_CIPHER_CTX_init(&d_ctx);
  if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1351 1352 1353 1354 1355 1356 1357 1358
    return -1;
  }
  EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
  /* Decrypt the master key */
  if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
                            encrypted_master_key, KEY_LEN_BYTES)) {
    return -1;
  }
1359
  if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1360 1361 1362 1363 1364 1365
    return -1;
  }

  if (decrypted_len + final_len != KEY_LEN_BYTES) {
    return -1;
  }
1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376

  /* Copy intermediate key if needed by params */
  if (intermediate_key && intermediate_key_size) {
    *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
    if (intermediate_key) {
      memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
      *intermediate_key_size = KEY_LEN_BYTES;
    }
  }

  return 0;
1377 1378
}

Kenny Root's avatar
Kenny Root committed
1379
static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
Ken Sumrall's avatar
Ken Sumrall committed
1380
{
1381
    if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1382 1383 1384
        *kdf = scrypt_keymaster;
        *kdf_params = ftr;
    } else if (ftr->kdf_type == KDF_SCRYPT) {
Kenny Root's avatar
Kenny Root committed
1385 1386 1387 1388 1389 1390 1391 1392
        *kdf = scrypt;
        *kdf_params = ftr;
    } else {
        *kdf = pbkdf2;
        *kdf_params = NULL;
    }
}

1393
static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
1394 1395 1396
                              struct crypt_mnt_ftr *crypt_ftr,
                              unsigned char** intermediate_key,
                              size_t* intermediate_key_size)
Kenny Root's avatar
Kenny Root committed
1397 1398 1399 1400 1401 1402
{
    kdf_func kdf;
    void *kdf_params;
    int ret;

    get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1403 1404 1405
    ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
                                 decrypted_master_key, kdf, kdf_params,
                                 intermediate_key, intermediate_key_size);
Kenny Root's avatar
Kenny Root committed
1406 1407 1408 1409 1410 1411 1412 1413 1414
    if (ret != 0) {
        SLOGW("failure decrypting master key");
    }

    return ret;
}

static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
        struct crypt_mnt_ftr *crypt_ftr) {
Ken Sumrall's avatar
Ken Sumrall committed
1415
    int fd;
1416
    unsigned char key_buf[KEY_LEN_BYTES];
Ken Sumrall's avatar
Ken Sumrall committed
1417 1418 1419

    /* Get some random bits for a key */
    fd = open("/dev/urandom", O_RDONLY);
1420 1421
    read(fd, key_buf, sizeof(key_buf));
    read(fd, salt, SALT_LEN);
Ken Sumrall's avatar
Ken Sumrall committed
1422 1423 1424
    close(fd);

    /* Now encrypt it with the password */
Kenny Root's avatar
Kenny Root committed
1425
    return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
Ken Sumrall's avatar
Ken Sumrall committed
1426 1427
}

1428
static int wait_and_unmount(char *mountpoint, bool kill)
1429
{
1430
    int i, err, rc;
1431
#define WAIT_UNMOUNT_COUNT 20
1432 1433 1434

    /*  Now umount the tmpfs filesystem */
    for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451
        if (umount(mountpoint) == 0) {
            break;
        }

        if (errno == EINVAL) {
            /* EINVAL is returned if the directory is not a mountpoint,
             * i.e. there is no filesystem mounted there.  So just get out.
             */
            break;
        }

        err = errno;

        /* If allowed, be increasingly aggressive before the last two retries */
        if (kill) {
            if (i == (WAIT_UNMOUNT_COUNT - 3)) {
                SLOGW("sending SIGHUP to processes with open files\n");
1452
                vold_killProcessesWithOpenFiles(mountpoint, SIGTERM);
1453 1454
            } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
                SLOGW("sending SIGKILL to processes with open files\n");
1455
                vold_killProcessesWithOpenFiles(mountpoint, SIGKILL);
1456
            }
1457
        }
1458 1459

        sleep(1);
1460 1461 1462 1463 1464 1465
    }

    if (i < WAIT_UNMOUNT_COUNT) {
      SLOGD("unmounting %s succeeded\n", mountpoint);
      rc = 0;
    } else {
1466
      vold_killProcessesWithOpenFiles(mountpoint, 0);
1467
      SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1468 1469 1470 1471 1472 1473
      rc = -1;
    }

    return rc;
}

1474
#define DATA_PREP_TIMEOUT 200
Ken Sumrall's avatar
Ken Sumrall committed
1475 1476 1477 1478 1479 1480 1481 1482 1483
static int prep_data_fs(void)
{
    int i;

    /* Do the prep of the /data filesystem */
    property_set("vold.post_fs_data_done", "0");
    property_set("vold.decrypt", "trigger_post_fs_data");
    SLOGD("Just triggered post_fs_data\n");

1484
    /* Wait a max of 50 seconds, hopefully it takes much less */
Ken Sumrall's avatar
Ken Sumrall committed
1485
    for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1486
        char p[PROPERTY_VALUE_MAX];
Ken Sumrall's avatar
Ken Sumrall committed
1487 1488 1489 1490 1491 1492 1493 1494 1495 1496

        property_get("vold.post_fs_data_done", p, "0");
        if (*p == '1') {
            break;
        } else {
            usleep(250000);
        }
    }
    if (i == DATA_PREP_TIMEOUT) {
        /* Ugh, we failed to prep /data in time.  Bail. */
1497
        SLOGE("post_fs_data timed out!\n");
Ken Sumrall's avatar
Ken Sumrall committed
1498 1499 1500 1501 1502 1503 1504
        return -1;
    } else {
        SLOGD("post_fs_data done\n");
        return 0;
    }
}

1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538
static void cryptfs_set_corrupt()
{
    // Mark the footer as bad
    struct crypt_mnt_ftr crypt_ftr;
    if (get_crypt_ftr_and_key(&crypt_ftr)) {
        SLOGE("Failed to get crypto footer - panic");
        return;
    }

    crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
    if (put_crypt_ftr_and_key(&crypt_ftr)) {
        SLOGE("Failed to set crypto footer - panic");
        return;
    }
}

static void cryptfs_trigger_restart_min_framework()
{
    if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
      SLOGE("Failed to mount tmpfs on data - panic");
      return;
    }

    if (property_set("vold.decrypt", "trigger_post_fs_data")) {
        SLOGE("Failed to trigger post fs data - panic");
        return;
    }

    if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
        SLOGE("Failed to trigger restart min framework - panic");
        return;
    }
}

1539
/* returns < 0 on failure */
1540
static int cryptfs_restart_internal(int restart_main)
1541
{
1542
    char crypto_blkdev[MAXPATHLEN];
1543
    int rc = -1;
1544 1545 1546
    static int restart_successful = 0;

    /* Validate that it's OK to call this routine */
1547
    if (! master_key_saved) {
1548 1549 1550 1551 1552 1553 1554 1555
        SLOGE("Encrypted filesystem not validated, aborting");
        return -1;
    }

    if (restart_successful) {
        SLOGE("System already restarted with encrypted disk, aborting");
        return -1;
    }
1556

1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570
    if (restart_main) {
        /* Here is where we shut down the framework.  The init scripts
         * start all services in one of three classes: core, main or late_start.
         * On boot, we start core and main.  Now, we stop main, but not core,
         * as core includes vold and a few other really important things that
         * we need to keep running.  Once main has stopped, we should be able
         * to umount the tmpfs /data, then mount the encrypted /data.
         * We then restart the class main, and also the class late_start.
         * At the moment, I've only put a few things in late_start that I know
         * are not needed to bring up the framework, and that also cause problems
         * with unmounting the tmpfs /data, but I hope to add add more services
         * to the late_start class as we optimize this to decrease the delay
         * till the user is asked for the password to the filesystem.
         */
1571

1572 1573 1574 1575 1576
        /* The init files are setup to stop the class main when vold.decrypt is
         * set to trigger_reset_main.
         */
        property_set("vold.decrypt", "trigger_reset_main");
        SLOGD("Just asked init to shut down class main\n");
1577

1578 1579 1580 1581 1582 1583 1584
        /* Ugh, shutting down the framework is not synchronous, so until it
         * can be fixed, this horrible hack will wait a moment for it all to
         * shut down before proceeding.  Without it, some devices cannot
         * restart the graphics services.
         */
        sleep(2);
    }
1585

1586 1587 1588 1589
    /* Now that the framework is shutdown, we should be able to umount()
     * the tmpfs filesystem, and mount the real one.
     */

1590 1591 1592 1593 1594 1595
    property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
    if (strlen(crypto_blkdev) == 0) {
        SLOGE("fs_crypto_blkdev not set\n");
        return -1;
    }

1596
    if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1597 1598 1599 1600 1601 1602 1603 1604 1605 1606
        /* If ro.crypto.readonly is set to 1, mount the decrypted
         * filesystem readonly.  This is used when /data is mounted by
         * recovery mode.
         */
        char ro_prop[PROPERTY_VALUE_MAX];
        property_get("ro.crypto.readonly", ro_prop, "");
        if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
            struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
            rec->flags |= MS_RDONLY;
        }
1607

1608
        /* If that succeeded, then mount the decrypted filesystem */
1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633
        int retries = RETRY_MOUNT_ATTEMPTS;
        int mount_rc;
        while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
                                           crypto_blkdev, 0))
               != 0) {
            if (mount_rc == FS_MGR_DOMNT_BUSY) {
                /* TODO: invoke something similar to
                   Process::killProcessWithOpenFiles(DATA_MNT_POINT,
                                   retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
                SLOGI("Failed to mount %s because it is busy - waiting",
                      crypto_blkdev);
                if (--retries) {
                    sleep(RETRY_MOUNT_DELAY_SECONDS);
                } else {
                    /* Let's hope that a reboot clears away whatever is keeping
                       the mount busy */
                    cryptfs_reboot(reboot);
                }
            } else {
                SLOGE("Failed to mount decrypted data");
                cryptfs_set_corrupt();
                cryptfs_trigger_restart_min_framework();
                SLOGI("Started framework to offer wipe");
                return -1;
            }
1634
        }
Ken Sumrall's avatar
Ken Sumrall committed
1635

1636 1637 1638 1639 1640
        property_set("vold.decrypt", "trigger_load_persist_props");
        /* Create necessary paths on /data */
        if (prep_data_fs()) {
            return -1;
        }
1641

1642 1643 1644
        /* startup service classes main and late_start */
        property_set("vold.decrypt", "trigger_restart_framework");
        SLOGD("Just triggered restart_framework\n");
1645

1646 1647
        /* Give it a few moments to get started */
        sleep(1);
1648 1649
    }

1650 1651 1652 1653
    if (rc == 0) {
        restart_successful = 1;
    }

1654 1655 1656
    return rc;
}

1657 1658
int cryptfs_restart(void)
{
Paul Lawrence's avatar
Paul Lawrence committed
1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684
    SLOGI("cryptfs_restart");
    if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
        struct fstab_rec* rec;
        int rc;

        if (e4crypt_restart(DATA_MNT_POINT)) {
            SLOGE("Can't unmount e4crypt temp volume\n");
            return -1;
        }

        rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
        if (!rec) {
            SLOGE("Can't get fstab record for %s\n", DATA_MNT_POINT);
            return -1;
        }

        rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, rec->blk_device, 0);
        if (rc) {
            SLOGE("Can't mount %s\n", DATA_MNT_POINT);
            return rc;
        }

        property_set("vold.decrypt", "trigger_restart_framework");
        return 0;
    }

1685 1686 1687 1688
    /* Call internal implementation forcing a restart of main service group */
    return cryptfs_restart_internal(1);
}

Paul Lawrence's avatar
Paul Lawrence committed
1689
static int do_crypto_complete(char *mount_point)
1690 1691
{
  struct crypt_mnt_ftr crypt_ftr;
1692
  char encrypted_state[PROPERTY_VALUE_MAX];
1693
  char key_loc[PROPERTY_VALUE_MAX];
1694 1695 1696 1697

  property_get("ro.crypto.state", encrypted_state, "");
  if (strcmp(encrypted_state, "encrypted") ) {
    SLOGE("not running with encryption, aborting");
1698
    return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1699 1700
  }

Paul Lawrence's avatar
Paul Lawrence committed
1701 1702 1703 1704
  if (e4crypt_crypto_complete(mount_point) == 0) {
    return CRYPTO_COMPLETE_ENCRYPTED;
  }

1705
  if (get_crypt_ftr_and_key(&crypt_ftr)) {
Ken Sumrall's avatar
Ken Sumrall committed
1706
    fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1707

1708 1709 1710 1711 1712 1713 1714 1715 1716
    /*
     * Only report this error if key_loc is a file and it exists.
     * If the device was never encrypted, and /data is not mountable for
     * some reason, returning 1 should prevent the UI from presenting the
     * a "enter password" screen, or worse, a "press button to wipe the
     * device" screen.
     */
    if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
      SLOGE("master key file does not exist, aborting");
1717
      return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1718 1719
    } else {
      SLOGE("Error getting crypt footer and key\n");
1720
      return CRYPTO_COMPLETE_BAD_METADATA;
1721
    }
1722 1723
  }

1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737
  // Test for possible error flags
  if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
    SLOGE("Encryption process is partway completed\n");
    return CRYPTO_COMPLETE_PARTIAL;
  }

  if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
    SLOGE("Encryption process was interrupted but cannot continue\n");
    return CRYPTO_COMPLETE_INCONSISTENT;
  }

  if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
    SLOGE("Encryption is successful but data is corrupt\n");
    return CRYPTO_COMPLETE_CORRUPT;
1738 1739 1740
  }

  /* We passed the test! We shall diminish, and return to the west */
1741
  return CRYPTO_COMPLETE_ENCRYPTED;
1742 1743
}

1744 1745
static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
                                   char *passwd, char *mount_point, char *label)
1746 1747
{
  /* Allocate enough space for a 256 bit key, but we may use less */
1748
  unsigned char decrypted_master_key[32];
1749 1750 1751 1752 1753
  char crypto_blkdev[MAXPATHLEN];
  char real_blkdev[MAXPATHLEN];
  char tmp_mount_point[64];
  unsigned int orig_failed_decrypt_count;
  int rc;
1754 1755
  int use_keymaster = 0;
  int upgrade = 0;
1756 1757
  unsigned char* intermediate_key = 0;
  size_t intermediate_key_size = 0;
1758

1759 1760
  SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
  orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1761

1762
  if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1763 1764
    if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
                           &intermediate_key, &intermediate_key_size)) {
1765
      SLOGE("Failed to decrypt master key\n");
1766 1767
      rc = -1;
      goto errout;
1768
    }
1769 1770
  }

1771 1772
  fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));

Ajay Dudani's avatar
Ajay Dudani committed
1773
#ifdef CONFIG_HW_DISK_ENCRYPTION
1774 1775 1776 1777
  if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
    if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) {
      SLOGE("Hardware encryption key does not match");
    }
Ajay Dudani's avatar
Ajay Dudani committed
1778 1779 1780
  }
#endif

1781 1782
  // Create crypto block device - all (non fatal) code paths
  // need it
1783 1784
  if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
                            real_blkdev, crypto_blkdev, label)) {
1785 1786 1787
     SLOGE("Error creating decrypted block device\n");
     rc = -1;
     goto errout;
1788 1789
  }

1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815
  /* Work out if the problem is the password or the data */
  unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
                                                 scrypted_intermediate_key)];
  int N = 1 << crypt_ftr->N_factor;
  int r = 1 << crypt_ftr->r_factor;
  int p = 1 << crypt_ftr->p_factor;

  rc = crypto_scrypt(intermediate_key, intermediate_key_size,
                     crypt_ftr->salt, sizeof(crypt_ftr->salt),
                     N, r, p, scrypted_intermediate_key,
                     sizeof(scrypted_intermediate_key));

  // Does the key match the crypto footer?
  if (rc == 0 && memcmp(scrypted_intermediate_key,
                        crypt_ftr->scrypted_intermediate_key,
                        sizeof(scrypted_intermediate_key)) == 0) {
    SLOGI("Password matches");
    rc = 0;
  } else {
    /* Try mounting the file system anyway, just in case the problem's with
     * the footer, not the key. */
    sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
    mkdir(tmp_mount_point, 0755);
    if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
      SLOGE("Error temp mounting decrypted block device\n");
      delete_crypto_blk_dev(label);
1816 1817 1818

      rc = ++crypt_ftr->failed_decrypt_count;
      put_crypt_ftr_and_key(crypt_ftr);
1819 1820 1821 1822 1823
    } else {
      /* Success! */
      SLOGI("Password did not match but decrypted drive mounted - continue");
      umount(tmp_mount_point);
      rc = 0;
1824
    }
1825 1826 1827 1828
  }

  if (rc == 0) {
    crypt_ftr->failed_decrypt_count = 0;
1829 1830 1831
    if (orig_failed_decrypt_count != 0) {
      put_crypt_ftr_and_key(crypt_ftr);
    }
1832

1833
    /* Save the name of the crypto block device
1834
     * so we can mount it when restarting the framework. */
1835
    property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1836 1837

    /* Also save a the master key so we can reencrypted the key
1838
     * the key when we want to change the password on it. */
1839
    memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1840
    saved_mount_point = strdup(mount_point);
1841
    master_key_saved = 1;
1842
    SLOGD("%s(): Master key saved\n", __FUNCTION__);
1843
    rc = 0;
1844

1845
    // Upgrade if we're not using the latest KDF.
1846 1847
    use_keymaster = keymaster_check_compatibility();
    if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1848
        // Don't allow downgrade
1849 1850 1851 1852
    } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
        crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
        upgrade = 1;
    } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1853
        crypt_ftr->kdf_type = KDF_SCRYPT;
1854 1855 1856 1857
        upgrade = 1;
    }

    if (upgrade) {
1858 1859
        rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
                                crypt_ftr->master_key, crypt_ftr);
1860
        if (!rc) {
1861
            rc = put_crypt_ftr_and_key(crypt_ftr);
1862 1863
        }
        SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874

        // Do not fail even if upgrade failed - machine is bootable
        // Note that if this code is ever hit, there is a *serious* problem
        // since KDFs should never fail. You *must* fix the kdf before
        // proceeding!
        if (rc) {
          SLOGW("Upgrade failed with error %d,"
                " but continuing with previous state",
                rc);
          rc = 0;
        }
1875
    }
1876 1877
  }

1878 1879 1880 1881 1882
 errout:
  if (intermediate_key) {
    memset(intermediate_key, 0, intermediate_key_size);
    free(intermediate_key);
  }
1883 1884 1885
  return rc;
}

1886
/*
1887 1888 1889 1890 1891
 * Called by vold when it's asked to mount an encrypted external
 * storage volume. The incoming partition has no crypto header/footer,
 * as any metadata is been stored in a separate, small partition.
 *
 * out_crypto_blkdev must be MAXPATHLEN.
1892
 */
1893 1894
int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
        const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1895 1896
    int fd = open(real_blkdev, O_RDONLY);
    if (fd == -1) {
1897
        SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1898 1899 1900 1901 1902
        return -1;
    }

    unsigned long nr_sec = 0;
    get_blkdev_size(fd, &nr_sec);
1903
    close(fd);
1904

1905
    if (nr_sec == 0) {
1906
        SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1907 1908 1909
        return -1;
    }

1910 1911 1912 1913 1914
    struct crypt_mnt_ftr ext_crypt_ftr;
    memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
    ext_crypt_ftr.fs_size = nr_sec;
    ext_crypt_ftr.keysize = keysize;
    strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
1915

1916 1917 1918
    return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev,
            out_crypto_blkdev, label);
}
1919

1920 1921 1922 1923 1924 1925
/*
 * Called by vold when it's asked to unmount an encrypted external
 * storage volume.
 */
int cryptfs_revert_ext_volume(const char* label) {
    return delete_crypto_blk_dev((char*) label);
1926 1927
}

1928 1929 1930 1931 1932
int cryptfs_crypto_complete(void)
{
  return do_crypto_complete("/data");
}

1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950
int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
{
    char encrypted_state[PROPERTY_VALUE_MAX];
    property_get("ro.crypto.state", encrypted_state, "");
    if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
        SLOGE("encrypted fs already validated or not running with encryption,"
              " aborting");
        return -1;
    }

    if (get_crypt_ftr_and_key(crypt_ftr)) {
        SLOGE("Error getting crypt footer and key");
        return -1;
    }

    return 0;
}

1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
/*
 * TODO - transition patterns to new format in calling code
 *        and remove this vile hack, and the use of hex in
 *        the password passing code.
 *
 * Patterns are passed in zero based (i.e. the top left dot
 * is represented by zero, the top middle one etc), but we want
 * to store them '1' based.
 * This is to allow us to migrate the calling code to use this
 * convention. It also solves a nasty problem whereby scrypt ignores
 * trailing zeros, so patterns ending at the top left could be
 * truncated, and similarly, you could add the top left to any
 * pattern and still match.
 * adjust_passwd is a hack function that returns the alternate representation
 * if the password appears to be a pattern (hex numbers all less than 09)
 * If it succeeds we need to try both, and in particular try the alternate
 * first. If the original matches, then we need to update the footer
 * with the alternate.
 * All code that accepts passwords must adjust them first. Since
 * cryptfs_check_passwd is always the first function called after a migration
 * (and indeed on any boot) we only need to do the double try in this
 * function.
 */
char* adjust_passwd(const char* passwd)
{
    size_t index, length;

    if (!passwd) {
        return 0;
    }

    // Check even length. Hex encoded passwords are always
    // an even length, since each character encodes to two characters.
    length = strlen(passwd);
    if (length % 2) {
        SLOGW("Password not correctly hex encoded.");
        return 0;
    }

    // Check password is old-style pattern - a collection of hex
    // encoded bytes less than 9 (00 through 08)
    for (index = 0; index < length; index +=2) {
        if (passwd[index] != '0'
            || passwd[index + 1] < '0' || passwd[index + 1] > '8') {
            return 0;
        }
    }

    // Allocate room for adjusted passwd and null terminate
    char* adjusted = malloc(length + 1);
    adjusted[length] = 0;

    // Add 0x31 ('1') to each character
    for (index = 0; index < length; index += 2) {
        // output is 31 through 39 so set first byte to three, second to src + 1
        adjusted[index] = '3';
        adjusted[index + 1] = passwd[index + 1] + 1;
    }

    return adjusted;
}

2013 2014
int cryptfs_check_passwd(char *passwd)
{
Paul Lawrence's avatar
Paul Lawrence committed
2015 2016 2017 2018 2019
    SLOGI("cryptfs_check_passwd");
    if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
        return e4crypt_check_passwd(DATA_MNT_POINT, passwd);
    }

2020 2021
    struct crypt_mnt_ftr crypt_ftr;
    int rc;
2022

2023 2024 2025
    rc = check_unmounted_and_get_ftr(&crypt_ftr);
    if (rc)
        return rc;
2026

2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051
    char* adjusted_passwd = adjust_passwd(passwd);
    if (adjusted_passwd) {
        int failed_decrypt_count = crypt_ftr.failed_decrypt_count;
        rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd,
                                     DATA_MNT_POINT, "userdata");

        // Maybe the original one still works?
        if (rc) {
            // Don't double count this failure
            crypt_ftr.failed_decrypt_count = failed_decrypt_count;
            rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
                                         DATA_MNT_POINT, "userdata");
            if (!rc) {
                // cryptfs_changepw also adjusts so pass original
                // Note that adjust_passwd only recognises patterns
                // so we can safely use CRYPT_TYPE_PATTERN
                SLOGI("Updating pattern to new format");
                cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd);
            }
        }
        free(adjusted_passwd);
    } else {
        rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
                                     DATA_MNT_POINT, "userdata");
    }
2052 2053

    if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
Paul Lawrence's avatar
Paul Lawrence committed
2054 2055 2056 2057 2058
        cryptfs_clear_password();
        password = strdup(passwd);
        struct timespec now;
        clock_gettime(CLOCK_BOOTTIME, &now);
        password_expiry_time = now.tv_sec + password_max_age_seconds;
2059 2060
    }

2061 2062 2063
    return rc;
}

2064 2065 2066 2067
int cryptfs_verify_passwd(char *passwd)
{
    struct crypt_mnt_ftr crypt_ftr;
    /* Allocate enough space for a 256 bit key, but we may use less */
2068
    unsigned char decrypted_master_key[32];
2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087
    char encrypted_state[PROPERTY_VALUE_MAX];
    int rc;

    property_get("ro.crypto.state", encrypted_state, "");
    if (strcmp(encrypted_state, "encrypted") ) {
        SLOGE("device not encrypted, aborting");
        return -2;
    }

    if (!master_key_saved) {
        SLOGE("encrypted fs not yet mounted, aborting");
        return -1;
    }

    if (!saved_mount_point) {
        SLOGE("encrypted fs failed to save mount point, aborting");
        return -1;
    }

2088
    if (get_crypt_ftr_and_key(&crypt_ftr)) {
2089 2090 2091 2092 2093 2094 2095 2096
        SLOGE("Error getting crypt footer and key\n");
        return -1;
    }

    if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
        /* If the device has no password, then just say the password is valid */
        rc = 0;
    } else {
2097 2098 2099 2100 2101
        char* adjusted_passwd = adjust_passwd(passwd);
        if (adjusted_passwd) {
            passwd = adjusted_passwd;
        }

2102
        decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2103 2104 2105 2106 2107 2108 2109 2110
        if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
            /* They match, the password is correct */
            rc = 0;
        } else {
            /* If incorrect, sleep for a bit to prevent dictionary attacks */
            sleep(1);
            rc = 1;
        }
2111 2112

        free(adjusted_passwd);
2113 2114 2115 2116 2117
    }

    return rc;
}

2118 2119 2120 2121 2122
/* Initialize a crypt_mnt_ftr structure.  The keysize is
 * defaulted to 16 bytes, and the filesystem size to 0.
 * Presumably, at a minimum, the caller will update the
 * filesystem size and crypto_type_name after calling this function.
 */
2123
static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2124
{
2125 2126 2127
    off64_t off;

    memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2128
    ftr->magic = CRYPT_MNT_MAGIC;
2129 2130
    ftr->major_version = CURRENT_MAJOR_VERSION;
    ftr->minor_version = CURRENT_MINOR_VERSION;
2131
    ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2132
    ftr->keysize = KEY_LEN_BYTES;
2133

2134 2135 2136 2137 2138 2139 2140 2141 2142 2143 2144 2145 2146 2147
    switch (keymaster_check_compatibility()) {
    case 1:
        ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
        break;

    case 0:
        ftr->kdf_type = KDF_SCRYPT;
        break;

    default:
        SLOGE("keymaster_check_compatibility failed");
        return -1;
    }

Kenny Root's avatar
Kenny Root committed
2148 2149
    get_device_scrypt_params(ftr);

2150 2151 2152 2153 2154 2155
    ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
    if (get_crypt_ftr_info(NULL, &off) == 0) {
        ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
        ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
                                    ftr->persist_data_size;
    }
2156 2157

    return 0;
2158 2159
}

2160
static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2161
{
2162 2163 2164 2165 2166
    const char *args[10];
    char size_str[32]; /* Must be large enough to hold a %lld and null byte */
    int num_args;
    int status;
    int tmp;
2167 2168
    int rc = -1;

2169
    if (type == EXT4_FS) {
2170 2171 2172 2173
        args[0] = "/system/bin/make_ext4fs";
        args[1] = "-a";
        args[2] = "/data";
        args[3] = "-l";
Elliott Hughes's avatar
Elliott Hughes committed
2174
        snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2175 2176 2177 2178 2179
        args[4] = size_str;
        args[5] = crypto_blkdev;
        num_args = 6;
        SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
              args[0], args[1], args[2], args[3], args[4], args[5]);
2180 2181 2182 2183 2184
    } else if (type == F2FS_FS) {
        args[0] = "/system/bin/mkfs.f2fs";
        args[1] = "-t";
        args[2] = "-d1";
        args[3] = crypto_blkdev;
Elliott Hughes's avatar
Elliott Hughes committed
2185
        snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2186 2187 2188 2189
        args[4] = size_str;
        num_args = 5;
        SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
              args[0], args[1], args[2], args[3], args[4]);
2190 2191 2192 2193 2194
    } else {
        SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
        return -1;
    }

2195 2196 2197 2198
    tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);

    if (tmp != 0) {
      SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2199
    } else {
2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210
        if (WIFEXITED(status)) {
            if (WEXITSTATUS(status)) {
                SLOGE("Error creating filesystem on %s, exit status %d ",
                      crypto_blkdev, WEXITSTATUS(status));
            } else {
                SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
                rc = 0;
            }
        } else {
            SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
       }
2211 2212 2213 2214 2215 2216
    }

    return rc;
}

#define CRYPT_INPLACE_BUFSIZE 4096
2217 2218
#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
#define CRYPT_SECTOR_SIZE 512
Paul Lawrence's avatar
Paul Lawrence committed
2219 2220 2221 2222

/* aligned 32K writes tends to make flash happy.
 * SD card association recommends it.
 */
Ajay Dudani's avatar
Ajay Dudani committed
2223
#ifndef CONFIG_HW_DISK_ENCRYPTION
Paul Lawrence's avatar
Paul Lawrence committed
2224
#define BLOCKS_AT_A_TIME 8
Ajay Dudani's avatar
Ajay Dudani committed
2225 2226 2227
#else
#define BLOCKS_AT_A_TIME 1024
#endif
Paul Lawrence's avatar
Paul Lawrence committed
2228 2229 2230 2231 2232 2233 2234 2235

struct encryptGroupsData
{
    int realfd;
    int cryptofd;
    off64_t numblocks;
    off64_t one_pct, cur_pct, new_pct;
    off64_t blocks_already_done, tot_numblocks;
2236
    off64_t used_blocks_already_done, tot_used_blocks;
Paul Lawrence's avatar
Paul Lawrence committed
2237 2238 2239 2240
    char* real_blkdev, * crypto_blkdev;
    int count;
    off64_t offset;
    char* buffer;
2241 2242
    off64_t last_written_sector;
    int completed;
2243 2244
    time_t time_started;
    int remaining_time;
Paul Lawrence's avatar
Paul Lawrence committed
2245 2246
};

2247
static void update_progress(struct encryptGroupsData* data, int is_used)
Paul Lawrence's avatar
Paul Lawrence committed
2248 2249
{
    data->blocks_already_done++;
2250 2251 2252 2253 2254 2255 2256 2257 2258 2259

    if (is_used) {
        data->used_blocks_already_done++;
    }
    if (data->tot_used_blocks) {
        data->new_pct = data->used_blocks_already_done / data->one_pct;
    } else {
        data->new_pct = data->blocks_already_done / data->one_pct;
    }

Paul Lawrence's avatar
Paul Lawrence committed
2260 2261 2262
    if (data->new_pct > data->cur_pct) {
        char buf[8];
        data->cur_pct = data->new_pct;
2263
        snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
Paul Lawrence's avatar
Paul Lawrence committed
2264 2265
        property_set("vold.encrypt_progress", buf);
    }
2266 2267

    if (data->cur_pct >= 5) {
2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287
        struct timespec time_now;
        if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
            SLOGW("Error getting time");
        } else {
            double elapsed_time = difftime(time_now.tv_sec, data->time_started);
            off64_t remaining_blocks = data->tot_used_blocks
                                       - data->used_blocks_already_done;
            int remaining_time = (int)(elapsed_time * remaining_blocks
                                       / data->used_blocks_already_done);

            // Change time only if not yet set, lower, or a lot higher for
            // best user experience
            if (data->remaining_time == -1
                || remaining_time < data->remaining_time
                || remaining_time > data->remaining_time + 60) {
                char buf[8];
                snprintf(buf, sizeof(buf), "%d", remaining_time);
                property_set("vold.encrypt_time_remaining", buf);
                data->remaining_time = remaining_time;
            }
2288 2289
        }
    }
Paul Lawrence's avatar
Paul Lawrence committed
2290 2291
}

Paul Lawrence's avatar
Paul Lawrence committed
2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317
static void log_progress(struct encryptGroupsData const* data, bool completed)
{
    // Precondition - if completed data = 0 else data != 0

    // Track progress so we can skip logging blocks
    static off64_t offset = -1;

    // Need to close existing 'Encrypting from' log?
    if (completed || (offset != -1 && data->offset != offset)) {
        SLOGI("Encrypted to sector %" PRId64,
              offset / info.block_size * CRYPT_SECTOR_SIZE);
        offset = -1;
    }

    // Need to start new 'Encrypting from' log?
    if (!completed && offset != data->offset) {
        SLOGI("Encrypting from sector %" PRId64,
              data->offset / info.block_size * CRYPT_SECTOR_SIZE);
    }

    // Update offset
    if (!completed) {
        offset = data->offset + (off64_t)data->count * info.block_size;
    }
}

Paul Lawrence's avatar
Paul Lawrence committed
2318 2319 2320 2321 2322 2323
static int flush_outstanding_data(struct encryptGroupsData* data)
{
    if (data->count == 0) {
        return 0;
    }

2324
    SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
Paul Lawrence's avatar
Paul Lawrence committed
2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339

    if (pread64(data->realfd, data->buffer,
                info.block_size * data->count, data->offset)
        <= 0) {
        SLOGE("Error reading real_blkdev %s for inplace encrypt",
              data->real_blkdev);
        return -1;
    }

    if (pwrite64(data->cryptofd, data->buffer,
                 info.block_size * data->count, data->offset)
        <= 0) {
        SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
              data->crypto_blkdev);
        return -1;
2340
    } else {
Paul Lawrence's avatar
Paul Lawrence committed
2341
      log_progress(data, false);
Paul Lawrence's avatar
Paul Lawrence committed
2342 2343 2344
    }

    data->count = 0;
2345 2346
    data->last_written_sector = (data->offset + data->count)
                                / info.block_size * CRYPT_SECTOR_SIZE - 1;
Paul Lawrence's avatar
Paul Lawrence committed
2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390
    return 0;
}

static int encrypt_groups(struct encryptGroupsData* data)
{
    unsigned int i;
    u8 *block_bitmap = 0;
    unsigned int block;
    off64_t ret;
    int rc = -1;

    data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
    if (!data->buffer) {
        SLOGE("Failed to allocate crypto buffer");
        goto errout;
    }

    block_bitmap = malloc(info.block_size);
    if (!block_bitmap) {
        SLOGE("failed to allocate block bitmap");
        goto errout;
    }

    for (i = 0; i < aux_info.groups; ++i) {
        SLOGI("Encrypting group %d", i);

        u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
        u32 block_count = min(info.blocks_per_group,
                             aux_info.len_blocks - first_block);

        off64_t offset = (u64)info.block_size
                         * aux_info.bg_desc[i].bg_block_bitmap;

        ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
        if (ret != (int)info.block_size) {
            SLOGE("failed to read all of block group bitmap %d", i);
            goto errout;
        }

        offset = (u64)info.block_size * first_block;

        data->count = 0;

        for (block = 0; block < block_count; block++) {
2391 2392 2393
            int used = bitmap_get_bit(block_bitmap, block);
            update_progress(data, used);
            if (used) {
Paul Lawrence's avatar
Paul Lawrence committed
2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412
                if (data->count == 0) {
                    data->offset = offset;
                }
                data->count++;
            } else {
                if (flush_outstanding_data(data)) {
                    goto errout;
                }
            }

            offset += info.block_size;

            /* Write data if we are aligned or buffer size reached */
            if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
                || data->count == BLOCKS_AT_A_TIME) {
                if (flush_outstanding_data(data)) {
                    goto errout;
                }
            }
2413

2414
            if (!is_battery_ok_to_continue()) {
2415 2416 2417 2418 2419
                SLOGE("Stopping encryption due to low battery");
                rc = 0;
                goto errout;
            }

Paul Lawrence's avatar
Paul Lawrence committed
2420 2421 2422 2423 2424 2425
        }
        if (flush_outstanding_data(data)) {
            goto errout;
        }
    }

2426
    data->completed = 1;
Paul Lawrence's avatar
Paul Lawrence committed
2427 2428 2429
    rc = 0;

errout:
Paul Lawrence's avatar
Paul Lawrence committed
2430
    log_progress(0, true);
Paul Lawrence's avatar
Paul Lawrence committed
2431 2432 2433 2434 2435 2436 2437 2438 2439
    free(data->buffer);
    free(block_bitmap);
    return rc;
}

static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
                                       char *real_blkdev,
                                       off64_t size,
                                       off64_t *size_already_done,
2440 2441
                                       off64_t tot_size,
                                       off64_t previously_encrypted_upto)
Paul Lawrence's avatar
Paul Lawrence committed
2442
{
2443
    u32 i;
Paul Lawrence's avatar
Paul Lawrence committed
2444
    struct encryptGroupsData data;
2445
    int rc; // Can't initialize without causing warning -Wclobbered
Paul Lawrence's avatar
Paul Lawrence committed
2446

2447 2448 2449 2450 2451
    if (previously_encrypted_upto > *size_already_done) {
        SLOGD("Not fast encrypting since resuming part way through");
        return -1;
    }

Paul Lawrence's avatar
Paul Lawrence committed
2452 2453 2454 2455 2456
    memset(&data, 0, sizeof(data));
    data.real_blkdev = real_blkdev;
    data.crypto_blkdev = crypto_blkdev;

    if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) {
2457 2458
        SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
              real_blkdev, errno, strerror(errno));
2459
        rc = -1;
Paul Lawrence's avatar
Paul Lawrence committed
2460 2461 2462 2463
        goto errout;
    }

    if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
2464
        SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2465
              crypto_blkdev, errno, strerror(errno));
2466
        rc = ENABLE_INPLACE_ERR_DEV;
Paul Lawrence's avatar
Paul Lawrence committed
2467 2468 2469 2470
        goto errout;
    }

    if (setjmp(setjmp_env)) {
2471
        SLOGE("Reading ext4 extent caused an exception\n");
2472
        rc = -1;
Paul Lawrence's avatar
Paul Lawrence committed
2473 2474 2475 2476
        goto errout;
    }

    if (read_ext(data.realfd, 0) != 0) {
2477
        SLOGE("Failed to read ext4 extent\n");
2478
        rc = -1;
Paul Lawrence's avatar
Paul Lawrence committed
2479 2480 2481 2482 2483 2484 2485
        goto errout;
    }

    data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
    data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
    data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;

2486
    SLOGI("Encrypting ext4 filesystem in place...");
Paul Lawrence's avatar
Paul Lawrence committed
2487

2488 2489 2490 2491 2492 2493
    data.tot_used_blocks = data.numblocks;
    for (i = 0; i < aux_info.groups; ++i) {
      data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
    }

    data.one_pct = data.tot_used_blocks / 100;
Paul Lawrence's avatar
Paul Lawrence committed
2494
    data.cur_pct = 0;
2495 2496 2497 2498 2499 2500 2501

    struct timespec time_started = {0};
    if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
        SLOGW("Error getting time at start");
        // Note - continue anyway - we'll run with 0
    }
    data.time_started = time_started.tv_sec;
2502
    data.remaining_time = -1;
Paul Lawrence's avatar
Paul Lawrence committed
2503 2504 2505 2506 2507 2508 2509

    rc = encrypt_groups(&data);
    if (rc) {
        SLOGE("Error encrypting groups");
        goto errout;
    }

2510
    *size_already_done += data.completed ? size : data.last_written_sector;
Paul Lawrence's avatar
Paul Lawrence committed
2511 2512 2513 2514 2515 2516 2517 2518 2519
    rc = 0;

errout:
    close(data.realfd);
    close(data.cryptofd);

    return rc;
}

Paul Lawrence's avatar
Paul Lawrence committed
2520 2521 2522 2523 2524 2525 2526 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539 2540 2541 2542 2543
static void log_progress_f2fs(u64 block, bool completed)
{
    // Precondition - if completed data = 0 else data != 0

    // Track progress so we can skip logging blocks
    static u64 last_block = (u64)-1;

    // Need to close existing 'Encrypting from' log?
    if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
        SLOGI("Encrypted to block %" PRId64, last_block);
        last_block = -1;
    }

    // Need to start new 'Encrypting from' log?
    if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
        SLOGI("Encrypting from block %" PRId64, block);
    }

    // Update offset
    if (!completed) {
        last_block = block;
    }
}

2544 2545 2546 2547 2548 2549 2550 2551 2552 2553
static int encrypt_one_block_f2fs(u64 pos, void *data)
{
    struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;

    priv_dat->blocks_already_done = pos - 1;
    update_progress(priv_dat, 1);

    off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;

    if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2554
        SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2555 2556 2557 2558
        return -1;
    }

    if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2559
        SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2560 2561
        return -1;
    } else {
Paul Lawrence's avatar
Paul Lawrence committed
2562
        log_progress_f2fs(pos, false);
2563 2564 2565 2566 2567 2568 2569 2570 2571 2572 2573 2574 2575 2576
    }

    return 0;
}

static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
                                       char *real_blkdev,
                                       off64_t size,
                                       off64_t *size_already_done,
                                       off64_t tot_size,
                                       off64_t previously_encrypted_upto)
{
    struct encryptGroupsData data;
    struct f2fs_info *f2fs_info = NULL;
2577
    int rc = ENABLE_INPLACE_ERR_OTHER;
2578 2579
    if (previously_encrypted_upto > *size_already_done) {
        SLOGD("Not fast encrypting since resuming part way through");
2580
        return ENABLE_INPLACE_ERR_OTHER;
2581 2582 2583 2584 2585 2586 2587
    }
    memset(&data, 0, sizeof(data));
    data.real_blkdev = real_blkdev;
    data.crypto_blkdev = crypto_blkdev;
    data.realfd = -1;
    data.cryptofd = -1;
    if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) {
2588
        SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2589 2590 2591 2592
              real_blkdev);
        goto errout;
    }
    if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) {
2593
        SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2594
              crypto_blkdev, errno, strerror(errno));
2595
        rc = ENABLE_INPLACE_ERR_DEV;
2596 2597 2598 2599 2600 2601 2602 2603 2604 2605 2606 2607 2608 2609 2610 2611 2612 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625
        goto errout;
    }

    f2fs_info = generate_f2fs_info(data.realfd);
    if (!f2fs_info)
      goto errout;

    data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
    data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
    data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;

    data.tot_used_blocks = get_num_blocks_used(f2fs_info);

    data.one_pct = data.tot_used_blocks / 100;
    data.cur_pct = 0;
    data.time_started = time(NULL);
    data.remaining_time = -1;

    data.buffer = malloc(f2fs_info->block_size);
    if (!data.buffer) {
        SLOGE("Failed to allocate crypto buffer");
        goto errout;
    }

    data.count = 0;

    /* Currently, this either runs to completion, or hits a nonrecoverable error */
    rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);

    if (rc) {
2626 2627
        SLOGE("Error in running over f2fs blocks");
        rc = ENABLE_INPLACE_ERR_OTHER;
2628 2629 2630 2631 2632 2633 2634 2635 2636 2637
        goto errout;
    }

    *size_already_done += size;
    rc = 0;

errout:
    if (rc)
        SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);

Paul Lawrence's avatar
Paul Lawrence committed
2638
    log_progress_f2fs(0, true);
2639 2640 2641 2642 2643 2644 2645 2646
    free(f2fs_info);
    free(data.buffer);
    close(data.realfd);
    close(data.cryptofd);

    return rc;
}

Paul Lawrence's avatar
Paul Lawrence committed
2647 2648
static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
                                       off64_t size, off64_t *size_already_done,
2649 2650
                                       off64_t tot_size,
                                       off64_t previously_encrypted_upto)
2651 2652 2653
{
    int realfd, cryptofd;
    char *buf[CRYPT_INPLACE_BUFSIZE];
2654
    int rc = ENABLE_INPLACE_ERR_OTHER;
2655
    off64_t numblocks, i, remainder;
Ken Sumrall's avatar
Ken Sumrall committed
2656
    off64_t one_pct, cur_pct, new_pct;
2657
    off64_t blocks_already_done, tot_numblocks;
Ken Sumrall's avatar
Ken Sumrall committed
2658

2659 2660
    if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 
        SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2661
        return ENABLE_INPLACE_ERR_OTHER;
2662 2663 2664
    }

    if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 
2665 2666
        SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
              crypto_blkdev, errno, strerror(errno));
2667
        close(realfd);
2668
        return ENABLE_INPLACE_ERR_DEV;
2669 2670 2671 2672 2673 2674 2675 2676 2677
    }

    /* This is pretty much a simple loop of reading 4K, and writing 4K.
     * The size passed in is the number of 512 byte sectors in the filesystem.
     * So compute the number of whole 4K blocks we should read/write,
     * and the remainder.
     */
    numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
    remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2678 2679
    tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
    blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2680 2681 2682

    SLOGE("Encrypting filesystem in place...");

2683 2684 2685 2686 2687 2688 2689 2690 2691 2692 2693 2694 2695 2696 2697 2698 2699 2700 2701 2702 2703 2704 2705
    i = previously_encrypted_upto + 1 - *size_already_done;

    if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
        SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
        goto errout;
    }

    if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
        SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
        goto errout;
    }

    for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
        if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
            SLOGE("Error reading initial sectors from real_blkdev %s for "
                  "inplace encrypt\n", crypto_blkdev);
            goto errout;
        }
        if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
            SLOGE("Error writing initial sectors to crypto_blkdev %s for "
                  "inplace encrypt\n", crypto_blkdev);
            goto errout;
        } else {
2706
            SLOGI("Encrypted 1 block at %" PRId64, i);
2707 2708 2709
        }
    }

2710
    one_pct = tot_numblocks / 100;
Ken Sumrall's avatar
Ken Sumrall committed
2711
    cur_pct = 0;
2712
    /* process the majority of the filesystem in blocks */
2713
    for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2714
        new_pct = (i + blocks_already_done) / one_pct;
Ken Sumrall's avatar
Ken Sumrall committed
2715 2716 2717 2718
        if (new_pct > cur_pct) {
            char buf[8];

            cur_pct = new_pct;
2719
            snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
Ken Sumrall's avatar
Ken Sumrall committed
2720 2721
            property_set("vold.encrypt_progress", buf);
        }
2722
        if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2723
            SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2724 2725 2726
            goto errout;
        }
        if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2727 2728 2729
            SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
            goto errout;
        } else {
2730
            SLOGD("Encrypted %d block at %" PRId64,
2731 2732 2733 2734
                  CRYPT_SECTORS_PER_BUFSIZE,
                  i * CRYPT_SECTORS_PER_BUFSIZE);
        }

2735
       if (!is_battery_ok_to_continue()) {
2736 2737 2738
            SLOGE("Stopping encryption due to low battery");
            *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
            rc = 0;
2739 2740 2741 2742 2743 2744
            goto errout;
        }
    }

    /* Do any remaining sectors */
    for (i=0; i<remainder; i++) {
2745 2746
        if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
            SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2747 2748
            goto errout;
        }
2749 2750
        if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
            SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2751
            goto errout;
2752 2753
        } else {
            SLOGI("Encrypted 1 block at next location");
2754 2755 2756
        }
    }

2757
    *size_already_done += size;
2758 2759 2760 2761 2762 2763 2764 2765 2766
    rc = 0;

errout:
    close(realfd);
    close(cryptofd);

    return rc;
}

2767
/* returns on of the ENABLE_INPLACE_* return codes */
Paul Lawrence's avatar
Paul Lawrence committed
2768 2769
static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
                                  off64_t size, off64_t *size_already_done,
2770 2771
                                  off64_t tot_size,
                                  off64_t previously_encrypted_upto)
Paul Lawrence's avatar
Paul Lawrence committed
2772
{
2773
    int rc_ext4, rc_f2fs, rc_full;
2774
    if (previously_encrypted_upto) {
2775
        SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2776 2777 2778 2779 2780 2781 2782
    }

    if (*size_already_done + size < previously_encrypted_upto) {
        *size_already_done += size;
        return 0;
    }

2783 2784 2785 2786
    /* TODO: identify filesystem type.
     * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
     * then we will drop down to cryptfs_enable_inplace_f2fs.
     * */
2787
    if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2788
                                size, size_already_done,
2789
                                tot_size, previously_encrypted_upto)) == 0) {
2790 2791
      return 0;
    }
2792
    SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2793

2794
    if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2795
                                size, size_already_done,
2796
                                tot_size, previously_encrypted_upto)) == 0) {
2797
      return 0;
Paul Lawrence's avatar
Paul Lawrence committed
2798
    }
2799
    SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
Paul Lawrence's avatar
Paul Lawrence committed
2800

2801
    rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2802 2803
                                       size, size_already_done, tot_size,
                                       previously_encrypted_upto);
2804 2805 2806 2807 2808 2809 2810 2811 2812
    SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);

    /* Hack for b/17898962, the following is the symptom... */
    if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
        && rc_f2fs == ENABLE_INPLACE_ERR_DEV
        && rc_full == ENABLE_INPLACE_ERR_DEV) {
            return ENABLE_INPLACE_ERR_DEV;
    }
    return rc_full;
Paul Lawrence's avatar
Paul Lawrence committed
2813 2814
}

2815 2816
#define CRYPTO_ENABLE_WIPE 1
#define CRYPTO_ENABLE_INPLACE 2
Ken Sumrall's avatar
Ken Sumrall committed
2817 2818 2819

#define FRAMEWORK_BOOT_WAIT 60

2820 2821 2822 2823 2824 2825 2826 2827 2828 2829 2830 2831 2832 2833 2834 2835 2836 2837 2838 2839 2840 2841 2842 2843 2844 2845
static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
{
    int fd = open(filename, O_RDONLY);
    if (fd == -1) {
        SLOGE("Error opening file %s", filename);
        return -1;
    }

    char block[CRYPT_INPLACE_BUFSIZE];
    memset(block, 0, sizeof(block));
    if (unix_read(fd, block, sizeof(block)) < 0) {
        SLOGE("Error reading file %s", filename);
        close(fd);
        return -1;
    }

    close(fd);

    SHA256_CTX c;
    SHA256_Init(&c);
    SHA256_Update(&c, block, sizeof(block));
    SHA256_Final(buf, &c);

    return 0;
}

2846 2847 2848 2849 2850 2851 2852 2853 2854 2855 2856
static int get_fs_type(struct fstab_rec *rec)
{
    if (!strcmp(rec->fs_type, "ext4")) {
        return EXT4_FS;
    } else if (!strcmp(rec->fs_type, "f2fs")) {
        return F2FS_FS;
    } else {
        return -1;
    }
}

2857 2858 2859 2860 2861
static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
                                      char *crypto_blkdev, char *real_blkdev,
                                      int previously_encrypted_upto)
{
    off64_t cur_encryption_done=0, tot_encryption_size=0;
2862
    int rc = -1;
2863

2864 2865
    if (!is_battery_ok_to_start()) {
        SLOGW("Not starting encryption due to low battery");
2866 2867 2868 2869 2870 2871 2872
        return 0;
    }

    /* The size of the userdata partition, and add in the vold volumes below */
    tot_encryption_size = crypt_ftr->fs_size;

    if (how == CRYPTO_ENABLE_WIPE) {
2873 2874 2875 2876 2877 2878 2879
        struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
        int fs_type = get_fs_type(rec);
        if (fs_type < 0) {
            SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
            return -1;
        }
        rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2880 2881 2882 2883 2884 2885
    } else if (how == CRYPTO_ENABLE_INPLACE) {
        rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
                                    crypt_ftr->fs_size, &cur_encryption_done,
                                    tot_encryption_size,
                                    previously_encrypted_upto);

2886 2887 2888 2889 2890 2891
        if (rc == ENABLE_INPLACE_ERR_DEV) {
            /* Hack for b/17898962 */
            SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
            cryptfs_reboot(reboot);
        }

2892
        if (!rc) {
2893 2894 2895
            crypt_ftr->encrypted_upto = cur_encryption_done;
        }

2896
        if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2897 2898 2899 2900 2901 2902 2903 2904 2905 2906 2907 2908 2909
            /* The inplace routine never actually sets the progress to 100% due
             * to the round down nature of integer division, so set it here */
            property_set("vold.encrypt_progress", "100");
        }
    } else {
        /* Shouldn't happen */
        SLOGE("cryptfs_enable: internal error, unknown option\n");
        rc = -1;
    }

    return rc;
}

2910 2911
int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
                            int allow_reboot)
2912 2913
{
    int how = 0;
2914
    char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2915
    unsigned char decrypted_master_key[KEY_LEN_BYTES];
2916
    int rc=-1, i;
2917
    struct crypt_mnt_ftr crypt_ftr;
2918
    struct crypt_persist_data *pdata;
2919
    char encrypted_state[PROPERTY_VALUE_MAX];
2920
    char lockid[32] = { 0 };
2921 2922
    char key_loc[PROPERTY_VALUE_MAX];
    int num_vols;
2923
    off64_t previously_encrypted_upto = 0;
2924

2925 2926 2927 2928 2929 2930
    if (!strcmp(howarg, "wipe")) {
      how = CRYPTO_ENABLE_WIPE;
    } else if (! strcmp(howarg, "inplace")) {
      how = CRYPTO_ENABLE_INPLACE;
    } else {
      /* Shouldn't happen, as CommandListener vets the args */
2931
      goto error_unencrypted;
2932 2933
    }

2934 2935 2936 2937 2938 2939
    /* See if an encryption was underway and interrupted */
    if (how == CRYPTO_ENABLE_INPLACE
          && get_crypt_ftr_and_key(&crypt_ftr) == 0
          && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) {
        previously_encrypted_upto = crypt_ftr.encrypted_upto;
        crypt_ftr.encrypted_upto = 0;
2940 2941 2942 2943 2944 2945 2946 2947 2948
        crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;

        /* At this point, we are in an inconsistent state. Until we successfully
           complete encryption, a reboot will leave us broken. So mark the
           encryption failed in case that happens.
           On successfully completing encryption, remove this flag */
        crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;

        put_crypt_ftr_and_key(&crypt_ftr);
2949 2950 2951 2952 2953 2954 2955 2956 2957 2958
    }

    property_get("ro.crypto.state", encrypted_state, "");
    if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
        SLOGE("Device is already running encrypted, aborting");
        goto error_unencrypted;
    }

    // TODO refactor fs_mgr_get_crypt_info to get both in one call
    fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
Ken Sumrall's avatar
Ken Sumrall committed
2959
    fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2960

2961
    /* Get the size of the real block device */
2962 2963 2964 2965 2966 2967 2968 2969
    int fd = open(real_blkdev, O_RDONLY);
    if (fd == -1) {
        SLOGE("Cannot open block device %s\n", real_blkdev);
        goto error_unencrypted;
    }
    unsigned long nr_sec;
    get_blkdev_size(fd, &nr_sec);
    if (nr_sec == 0) {
2970 2971 2972 2973 2974 2975
        SLOGE("Cannot get size of block device %s\n", real_blkdev);
        goto error_unencrypted;
    }
    close(fd);

    /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2976
    if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
2977
        unsigned int fs_size_sec, max_fs_size_sec;
2978
        fs_size_sec = get_fs_size(real_blkdev);
2979 2980 2981
        if (fs_size_sec == 0)
            fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);

2982
        max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2983 2984 2985 2986 2987 2988 2989

        if (fs_size_sec > max_fs_size_sec) {
            SLOGE("Orig filesystem overlaps crypto footer region.  Cannot encrypt in place.");
            goto error_unencrypted;
        }
    }

2990 2991 2992 2993
    /* Get a wakelock as this may take a while, and we don't want the
     * device to sleep on us.  We'll grab a partial wakelock, and if the UI
     * wants to keep the screen on, it can grab a full wakelock.
     */
2994
    snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2995 2996
    acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);

2997
    /* The init files are setup to stop the class main and late start when
Ken Sumrall's avatar
Ken Sumrall committed
2998
     * vold sets trigger_shutdown_framework.
2999 3000 3001 3002
     */
    property_set("vold.decrypt", "trigger_shutdown_framework");
    SLOGD("Just asked init to shut down class main\n");

3003 3004 3005
    /* Ask vold to unmount all devices that it manages */
    if (vold_unmountAll()) {
        SLOGE("Failed to unmount all vold managed devices");
3006
    }
3007 3008

    /* Now unmount the /data partition. */
3009
    if (wait_and_unmount(DATA_MNT_POINT, false)) {
3010 3011 3012 3013 3014
        if (allow_reboot) {
            goto error_shutting_down;
        } else {
            goto error_unencrypted;
        }
Ken Sumrall's avatar
Ken Sumrall committed
3015
    }
3016

Ken Sumrall's avatar
Ken Sumrall committed
3017 3018 3019 3020 3021 3022
    /* Do extra work for a better UX when doing the long inplace encryption */
    if (how == CRYPTO_ENABLE_INPLACE) {
        /* Now that /data is unmounted, we need to mount a tmpfs
         * /data, set a property saying we're doing inplace encryption,
         * and restart the framework.
         */
3023
        if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3024
            goto error_shutting_down;
3025
        }
Ken Sumrall's avatar
Ken Sumrall committed
3026
        /* Tells the framework that inplace encryption is starting */
3027
        property_set("vold.encrypt_progress", "0");
3028

Ken Sumrall's avatar
Ken Sumrall committed
3029 3030 3031
        /* restart the framework. */
        /* Create necessary paths on /data */
        if (prep_data_fs()) {
3032
            goto error_shutting_down;
3033 3034
        }

Ken Sumrall's avatar
Ken Sumrall committed
3035 3036 3037 3038 3039 3040
        /* Ugh, shutting down the framework is not synchronous, so until it
         * can be fixed, this horrible hack will wait a moment for it all to
         * shut down before proceeding.  Without it, some devices cannot
         * restart the graphics services.
         */
        sleep(2);
Ken Sumrall's avatar
Ken Sumrall committed
3041
    }
3042

Ken Sumrall's avatar
Ken Sumrall committed
3043 3044
    /* Start the actual work of making an encrypted filesystem */
    /* Initialize a crypt_mnt_ftr for the partition */
3045
    if (previously_encrypted_upto == 0) {
3046 3047 3048
        if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
            goto error_shutting_down;
        }
3049

3050 3051 3052 3053 3054 3055
        if (!strcmp(key_loc, KEY_IN_FOOTER)) {
            crypt_ftr.fs_size = nr_sec
              - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
        } else {
            crypt_ftr.fs_size = nr_sec;
        }
3056 3057 3058 3059 3060
        /* At this point, we are in an inconsistent state. Until we successfully
           complete encryption, a reboot will leave us broken. So mark the
           encryption failed in case that happens.
           On successfully completing encryption, remove this flag */
        crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3061
        crypt_ftr.crypt_type = crypt_type;
Ajay Dudani's avatar
Ajay Dudani committed
3062 3063 3064 3065 3066
#ifndef CONFIG_HW_DISK_ENCRYPTION
        strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
#else
        strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);

3067
        rc = clear_hw_device_encryption_key();
Ajay Dudani's avatar
Ajay Dudani committed
3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078
        if (!rc) {
          SLOGE("Error clearing device encryption hardware key. rc = %d", rc);
        }

        rc = set_hw_device_encryption_key(passwd,
                                          (char*) crypt_ftr.crypto_type_name);
        if (!rc) {
          SLOGE("Error initializing device encryption hardware key. rc = %d", rc);
          goto error_shutting_down;
        }
#endif
Ken Sumrall's avatar
Ken Sumrall committed
3079

3080 3081 3082 3083 3084
        /* Make an encrypted master key */
        if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
            SLOGE("Cannot create encrypted master key\n");
            goto error_shutting_down;
        }
Ken Sumrall's avatar
Ken Sumrall committed
3085

3086 3087
        /* Write the key to the end of the partition */
        put_crypt_ftr_and_key(&crypt_ftr);
Ken Sumrall's avatar
Ken Sumrall committed
3088

3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101
        /* If any persistent data has been remembered, save it.
         * If none, create a valid empty table and save that.
         */
        if (!persist_data) {
           pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
           if (pdata) {
               init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
               persist_data = pdata;
           }
        }
        if (persist_data) {
            save_persistent_data();
        }
3102 3103
    }

Ajay Dudani's avatar
Ajay Dudani committed
3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115
    if (how == CRYPTO_ENABLE_INPLACE) {
        /* startup service classes main and late_start */
        property_set("vold.decrypt", "trigger_restart_min_framework");
        SLOGD("Just triggered restart_min_framework\n");

        /* OK, the framework is restarted and will soon be showing a
         * progress bar.  Time to setup an encrypted mapping, and
         * either write a new filesystem, or encrypt in place updating
         * the progress bar as we work.
         */
    }

3116
    decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3117 3118 3119
    create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
                          "userdata");

3120 3121 3122 3123 3124 3125 3126 3127 3128 3129
    /* If we are continuing, check checksums match */
    rc = 0;
    if (previously_encrypted_upto) {
        __le8 hash_first_block[SHA256_DIGEST_LENGTH];
        rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);

        if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
                          sizeof(hash_first_block)) != 0) {
            SLOGE("Checksums do not match - trigger wipe");
            rc = -1;
3130 3131
        }
    }
Ken Sumrall's avatar
Ken Sumrall committed
3132

3133 3134 3135 3136 3137 3138 3139
    if (!rc) {
        rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
                                        crypto_blkdev, real_blkdev,
                                        previously_encrypted_upto);
    }

    /* Calculate checksum if we are not finished */
Paul Lawrence's avatar
Paul Lawrence committed
3140 3141
    if (!rc && how == CRYPTO_ENABLE_INPLACE
            && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3142 3143
        rc = cryptfs_SHA256_fileblock(crypto_blkdev,
                                      crypt_ftr.hash_first_block);
3144
        if (rc) {
3145 3146
            SLOGE("Error calculating checksum for continuing encryption");
            rc = -1;
3147
        }
Ken Sumrall's avatar
Ken Sumrall committed
3148 3149 3150
    }

    /* Undo the dm-crypt mapping whether we succeed or not */
3151 3152
    delete_crypto_blk_dev("userdata");

Ken Sumrall's avatar
Ken Sumrall committed
3153 3154
    if (! rc) {
        /* Success */
3155
        crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3156

Paul Lawrence's avatar
Paul Lawrence committed
3157 3158
        if (how == CRYPTO_ENABLE_INPLACE
              && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3159 3160
            SLOGD("Encrypted up to sector %lld - will continue after reboot",
                  crypt_ftr.encrypted_upto);
3161
            crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3162
        }
3163

3164
        put_crypt_ftr_and_key(&crypt_ftr);
3165

Paul Lawrence's avatar
Paul Lawrence committed
3166 3167
        if (how == CRYPTO_ENABLE_WIPE
              || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3168 3169 3170 3171 3172 3173 3174 3175 3176 3177 3178
          char value[PROPERTY_VALUE_MAX];
          property_get("ro.crypto.state", value, "");
          if (!strcmp(value, "")) {
            /* default encryption - continue first boot sequence */
            property_set("ro.crypto.state", "encrypted");
            release_wake_lock(lockid);
            cryptfs_check_passwd(DEFAULT_PASSWORD);
            cryptfs_restart_internal(1);
            return 0;
          } else {
            sleep(2); /* Give the UI a chance to show 100% progress */
3179
            cryptfs_reboot(reboot);
3180
          }
3181
        } else {
3182
            sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3183 3184
            cryptfs_reboot(shutdown);
        }
3185
    } else {
3186 3187
        char value[PROPERTY_VALUE_MAX];

Ken Sumrall's avatar
Ken Sumrall committed
3188
        property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3189 3190 3191 3192
        if (!strcmp(value, "1")) {
            /* wipe data if encryption failed */
            SLOGE("encryption failed - rebooting into recovery to wipe data\n");
            mkdir("/cache/recovery", 0700);
3193
            int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600);
3194
            if (fd >= 0) {
3195 3196
                write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1);
                write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1);
3197 3198 3199 3200
                close(fd);
            } else {
                SLOGE("could not open /cache/recovery/command\n");
            }
3201
            cryptfs_reboot(recovery);
3202 3203 3204 3205 3206
        } else {
            /* set property to trigger dialog */
            property_set("vold.encrypt_progress", "error_partially_encrypted");
            release_wake_lock(lockid);
        }
3207
        return -1;
Ken Sumrall's avatar
Ken Sumrall committed
3208 3209
    }

3210 3211 3212 3213 3214
    /* hrm, the encrypt step claims success, but the reboot failed.
     * This should not happen.
     * Set the property and return.  Hope the framework can deal with it.
     */
    property_set("vold.encrypt_progress", "error_reboot_failed");
3215
    release_wake_lock(lockid);
Ken Sumrall's avatar
Ken Sumrall committed
3216
    return rc;
3217 3218 3219

error_unencrypted:
    property_set("vold.encrypt_progress", "error_not_encrypted");
3220 3221 3222
    if (lockid[0]) {
        release_wake_lock(lockid);
    }
3223 3224 3225 3226 3227 3228 3229 3230
    return -1;

error_shutting_down:
    /* we failed, and have not encrypted anthing, so the users's data is still intact,
     * but the framework is stopped and not restarted to show the error, so it's up to
     * vold to restart the system.
     */
    SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3231
    cryptfs_reboot(reboot);
3232 3233 3234

    /* shouldn't get here */
    property_set("vold.encrypt_progress", "error_shutting_down");
3235 3236 3237
    if (lockid[0]) {
        release_wake_lock(lockid);
    }
3238
    return -1;
Ken Sumrall's avatar
Ken Sumrall committed
3239 3240
}

3241
int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot)
3242
{
3243 3244 3245 3246 3247 3248 3249 3250 3251
    char* adjusted_passwd = adjust_passwd(passwd);
    if (adjusted_passwd) {
        passwd = adjusted_passwd;
    }

    int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot);

    free(adjusted_passwd);
    return rc;
3252 3253 3254 3255 3256 3257 3258 3259 3260
}

int cryptfs_enable_default(char *howarg, int allow_reboot)
{
    return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
                          DEFAULT_PASSWORD, allow_reboot);
}

int cryptfs_changepw(int crypt_type, const char *newpw)
Ken Sumrall's avatar
Ken Sumrall committed
3261
{
Paul Lawrence's avatar
Paul Lawrence committed
3262 3263 3264 3265
    if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
        return e4crypt_change_password(DATA_MNT_POINT, crypt_type, newpw);
    }

Ken Sumrall's avatar
Ken Sumrall committed
3266
    struct crypt_mnt_ftr crypt_ftr;
3267
    int rc;
Ken Sumrall's avatar
Ken Sumrall committed
3268 3269

    /* This is only allowed after we've successfully decrypted the master key */
3270
    if (!master_key_saved) {
3271
        SLOGE("Key not saved, aborting");
Ken Sumrall's avatar
Ken Sumrall committed
3272 3273 3274
        return -1;
    }

3275 3276 3277 3278 3279
    if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
        SLOGE("Invalid crypt_type %d", crypt_type);
        return -1;
    }

Ken Sumrall's avatar
Ken Sumrall committed
3280
    /* get key */
3281
    if (get_crypt_ftr_and_key(&crypt_ftr)) {
3282 3283
        SLOGE("Error getting crypt footer and key");
        return -1;
Ken Sumrall's avatar
Ken Sumrall committed
3284 3285
    }

3286 3287
    crypt_ftr.crypt_type = crypt_type;

3288 3289 3290 3291 3292
    char* adjusted_passwd = adjust_passwd(newpw);
    if (adjusted_passwd) {
        newpw = adjusted_passwd;
    }

3293
    rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3294 3295 3296 3297 3298
                                                        : newpw,
                       crypt_ftr.salt,
                       saved_master_key,
                       crypt_ftr.master_key,
                       &crypt_ftr);
3299 3300 3301 3302 3303
    free(adjusted_passwd);
    if (rc) {
        SLOGE("Encrypt master key failed: %d", rc);
        return -1;
    }
3304
    /* save the key */
3305
    put_crypt_ftr_and_key(&crypt_ftr);
3306

Ajay Dudani's avatar
Ajay Dudani committed
3307
#ifdef CONFIG_HW_DISK_ENCRYPTION
3308 3309 3310 3311 3312 3313 3314 3315 3316 3317 3318 3319
    if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) {
        if (crypt_type == CRYPT_TYPE_DEFAULT) {
            int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name);
            SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc);
            if (!rc)
                return -1;
        } else {
            int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name);
            SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc);
            if (!rc)
                return -1;
        }
Ajay Dudani's avatar
Ajay Dudani committed
3320 3321
    }
#endif
3322 3323
    return 0;
}
3324

3325 3326 3327 3328 3329 3330 3331 3332 3333 3334 3335 3336 3337 3338 3339 3340 3341 3342 3343 3344 3345 3346 3347 3348
static unsigned int persist_get_max_entries(int encrypted) {
    struct crypt_mnt_ftr crypt_ftr;
    unsigned int dsize;
    unsigned int max_persistent_entries;

    /* If encrypted, use the values from the crypt_ftr, otherwise
     * use the values for the current spec.
     */
    if (encrypted) {
        if (get_crypt_ftr_and_key(&crypt_ftr)) {
            return -1;
        }
        dsize = crypt_ftr.persist_data_size;
    } else {
        dsize = CRYPT_PERSIST_DATA_SIZE;
    }

    max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
        sizeof(struct crypt_persist_entry);

    return max_persistent_entries;
}

static int persist_get_key(const char *fieldname, char *value)
3349 3350 3351 3352 3353 3354 3355 3356 3357 3358 3359 3360 3361 3362 3363 3364 3365
{
    unsigned int i;

    if (persist_data == NULL) {
        return -1;
    }
    for (i = 0; i < persist_data->persist_valid_entries; i++) {
        if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
            /* We found it! */
            strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
            return 0;
        }
    }

    return -1;
}

3366
static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3367 3368 3369 3370 3371 3372 3373 3374 3375
{
    unsigned int i;
    unsigned int num;
    unsigned int max_persistent_entries;

    if (persist_data == NULL) {
        return -1;
    }

3376
    max_persistent_entries = persist_get_max_entries(encrypted);
3377 3378 3379 3380 3381 3382 3383 3384 3385 3386 3387 3388 3389 3390 3391 3392 3393 3394 3395 3396 3397 3398 3399 3400

    num = persist_data->persist_valid_entries;

    for (i = 0; i < num; i++) {
        if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
            /* We found an existing entry, update it! */
            memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
            strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
            return 0;
        }
    }

    /* We didn't find it, add it to the end, if there is room */
    if (persist_data->persist_valid_entries < max_persistent_entries) {
        memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
        strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
        strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
        persist_data->persist_valid_entries++;
        return 0;
    }

    return -1;
}

3401 3402 3403 3404 3405 3406 3407 3408 3409 3410 3411 3412 3413 3414 3415 3416 3417 3418 3419 3420 3421 3422 3423 3424 3425 3426 3427 3428 3429 3430 3431 3432 3433 3434 3435 3436 3437 3438 3439 3440 3441 3442 3443 3444 3445 3446 3447 3448 3449 3450 3451 3452 3453 3454 3455 3456 3457 3458 3459 3460 3461 3462 3463 3464 3465 3466 3467 3468 3469 3470 3471 3472 3473 3474 3475 3476 3477 3478 3479 3480 3481 3482 3483 3484 3485 3486 3487 3488 3489
/**
 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
 * sequence and its index is greater than or equal to index. Return 0 otherwise.
 */
static int match_multi_entry(const char *key, const char *field, unsigned index) {
    unsigned int field_len;
    unsigned int key_index;
    field_len = strlen(field);

    if (index == 0) {
        // The first key in a multi-entry field is just the filedname itself.
        if (!strcmp(key, field)) {
            return 1;
        }
    }
    // Match key against "%s_%d" % (field, index)
    if (strlen(key) < field_len + 1 + 1) {
        // Need at least a '_' and a digit.
        return 0;
    }
    if (strncmp(key, field, field_len)) {
        // If the key does not begin with field, it's not a match.
        return 0;
    }
    if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
        return 0;
    }
    return key_index >= index;
}

/*
 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
 * remaining entries starting from index will be deleted.
 * returns PERSIST_DEL_KEY_OK if deletion succeeds,
 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
 *
 */
static int persist_del_keys(const char *fieldname, unsigned index)
{
    unsigned int i;
    unsigned int j;
    unsigned int num;

    if (persist_data == NULL) {
        return PERSIST_DEL_KEY_ERROR_OTHER;
    }

    num = persist_data->persist_valid_entries;

    j = 0; // points to the end of non-deleted entries.
    // Filter out to-be-deleted entries in place.
    for (i = 0; i < num; i++) {
        if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
            persist_data->persist_entry[j] = persist_data->persist_entry[i];
            j++;
        }
    }

    if (j < num) {
        persist_data->persist_valid_entries = j;
        // Zeroise the remaining entries
        memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
        return PERSIST_DEL_KEY_OK;
    } else {
        // Did not find an entry matching the given fieldname
        return PERSIST_DEL_KEY_ERROR_NO_FIELD;
    }
}

static int persist_count_keys(const char *fieldname)
{
    unsigned int i;
    unsigned int count;

    if (persist_data == NULL) {
        return -1;
    }

    count = 0;
    for (i = 0; i < persist_data->persist_valid_entries; i++) {
        if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
            count++;
        }
    }

    return count;
}

3490
/* Return the value of the specified field. */
3491
int cryptfs_getfield(const char *fieldname, char *value, int len)
3492 3493
{
    char temp_value[PROPERTY_VALUE_MAX];
3494 3495 3496 3497
    /* CRYPTO_GETFIELD_OK is success,
     * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
     * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
     * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3498
     */
3499 3500 3501
    int rc = CRYPTO_GETFIELD_ERROR_OTHER;
    int i;
    char temp_field[PROPERTY_KEY_MAX];
3502 3503 3504 3505 3506 3507 3508 3509 3510

    if (persist_data == NULL) {
        load_persistent_data();
        if (persist_data == NULL) {
            SLOGE("Getfield error, cannot load persistent data");
            goto out;
        }
    }

3511 3512
    // Read value from persistent entries. If the original value is split into multiple entries,
    // stitch them back together.
3513
    if (!persist_get_key(fieldname, temp_value)) {
3514 3515 3516 3517 3518 3519 3520 3521 3522 3523 3524 3525 3526 3527 3528 3529 3530 3531 3532 3533 3534 3535 3536 3537 3538 3539 3540 3541
        // We found it, copy it to the caller's buffer and keep going until all entries are read.
        if (strlcpy(value, temp_value, len) >= (unsigned) len) {
            // value too small
            rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
            goto out;
        }
        rc = CRYPTO_GETFIELD_OK;

        for (i = 1; /* break explicitly */; i++) {
            if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
                    (int) sizeof(temp_field)) {
                // If the fieldname is very long, we stop as soon as it begins to overflow the
                // maximum field length. At this point we have in fact fully read out the original
                // value because cryptfs_setfield would not allow fields with longer names to be
                // written in the first place.
                break;
            }
            if (!persist_get_key(temp_field, temp_value)) {
                  if (strlcat(value, temp_value, len) >= (unsigned)len) {
                      // value too small.
                      rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
                      goto out;
                  }
            } else {
                // Exhaust all entries.
                break;
            }
        }
3542 3543
    } else {
        /* Sadness, it's not there.  Return the error */
3544
        rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3545 3546 3547 3548 3549 3550 3551
    }

out:
    return rc;
}

/* Set the value of the specified field. */
3552
int cryptfs_setfield(const char *fieldname, const char *value)
3553 3554
{
    char encrypted_state[PROPERTY_VALUE_MAX];
3555 3556
    /* 0 is success, negative values are error */
    int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3557
    int encrypted = 0;
3558 3559 3560 3561
    unsigned int field_id;
    char temp_field[PROPERTY_KEY_MAX];
    unsigned int num_entries;
    unsigned int max_keylen;
3562 3563 3564 3565 3566 3567 3568 3569 3570 3571 3572 3573 3574 3575

    if (persist_data == NULL) {
        load_persistent_data();
        if (persist_data == NULL) {
            SLOGE("Setfield error, cannot load persistent data");
            goto out;
        }
    }

    property_get("ro.crypto.state", encrypted_state, "");
    if (!strcmp(encrypted_state, "encrypted") ) {
        encrypted = 1;
    }

3576 3577 3578 3579 3580 3581 3582 3583 3584 3585 3586 3587 3588 3589 3590 3591 3592 3593 3594 3595 3596 3597 3598 3599 3600 3601 3602 3603 3604 3605
    // Compute the number of entries required to store value, each entry can store up to
    // (PROPERTY_VALUE_MAX - 1) chars
    if (strlen(value) == 0) {
        // Empty value also needs one entry to store.
        num_entries = 1;
    } else {
        num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
    }

    max_keylen = strlen(fieldname);
    if (num_entries > 1) {
        // Need an extra "_%d" suffix.
        max_keylen += 1 + log10(num_entries);
    }
    if (max_keylen > PROPERTY_KEY_MAX - 1) {
        rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
        goto out;
    }

    // Make sure we have enough space to write the new value
    if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
        persist_get_max_entries(encrypted)) {
        rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
        goto out;
    }

    // Now that we know persist_data has enough space for value, let's delete the old field first
    // to make up space.
    persist_del_keys(fieldname, 0);

3606
    if (persist_set_key(fieldname, value, encrypted)) {
3607 3608
        // fail to set key, should not happen as we have already checked the available space
        SLOGE("persist_set_key() error during setfield()");
3609 3610 3611
        goto out;
    }

3612 3613 3614 3615 3616 3617 3618 3619 3620 3621
    for (field_id = 1; field_id < num_entries; field_id++) {
        snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);

        if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
            // fail to set key, should not happen as we have already checked the available space.
            SLOGE("persist_set_key() error during setfield()");
            goto out;
        }
    }

3622 3623 3624 3625 3626 3627 3628 3629
    /* If we are running encrypted, save the persistent data now */
    if (encrypted) {
        if (save_persistent_data()) {
            SLOGE("Setfield error, cannot save persistent data");
            goto out;
        }
    }

3630
    rc = CRYPTO_SETFIELD_OK;
3631 3632 3633 3634

out:
    return rc;
}
3635 3636 3637 3638 3639 3640 3641 3642 3643 3644 3645 3646 3647 3648 3649 3650 3651 3652 3653 3654 3655 3656 3657 3658 3659 3660 3661 3662 3663 3664

/* Checks userdata. Attempt to mount the volume if default-
 * encrypted.
 * On success trigger next init phase and return 0.
 * Currently do not handle failure - see TODO below.
 */
int cryptfs_mount_default_encrypted(void)
{
    char decrypt_state[PROPERTY_VALUE_MAX];
    property_get("vold.decrypt", decrypt_state, "0");
    if (!strcmp(decrypt_state, "0")) {
        SLOGE("Not encrypted - should not call here");
    } else {
        int crypt_type = cryptfs_get_password_type();
        if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
            SLOGE("Bad crypt type - error");
        } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
            SLOGD("Password is not default - "
                  "starting min framework to prompt");
            property_set("vold.decrypt", "trigger_restart_min_framework");
            return 0;
        } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
            SLOGD("Password is default - restarting filesystem");
            cryptfs_restart_internal(0);
            return 0;
        } else {
            SLOGE("Encrypted, default crypt type but can't decrypt");
        }
    }

3665 3666
    /** Corrupt. Allow us to boot into framework, which will detect bad
        crypto when it calls do_crypto_complete, then do a factory reset
3667
     */
3668
    property_set("vold.decrypt", "trigger_restart_min_framework");
3669 3670 3671 3672 3673 3674 3675
    return 0;
}

/* Returns type of the password, default, pattern, pin or password.
 */
int cryptfs_get_password_type(void)
{
Paul Lawrence's avatar
Paul Lawrence committed
3676 3677 3678 3679
    if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
        return e4crypt_get_password_type(DATA_MNT_POINT);
    }

3680 3681 3682 3683 3684 3685 3686
    struct crypt_mnt_ftr crypt_ftr;

    if (get_crypt_ftr_and_key(&crypt_ftr)) {
        SLOGE("Error getting crypt footer and key\n");
        return -1;
    }

3687 3688 3689 3690
    if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
        return -1;
    }

3691 3692
    return crypt_ftr.crypt_type;
}
3693

Paul Lawrence's avatar
Paul Lawrence committed
3694
const char* cryptfs_get_password()
3695
{
Paul Lawrence's avatar
Paul Lawrence committed
3696 3697 3698 3699
    if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
        return e4crypt_get_password(DATA_MNT_POINT);
    }

Paul Lawrence's avatar
Paul Lawrence committed
3700
    struct timespec now;
3701
    clock_gettime(CLOCK_BOOTTIME, &now);
Paul Lawrence's avatar
Paul Lawrence committed
3702 3703 3704 3705 3706 3707 3708 3709 3710 3711 3712 3713 3714 3715 3716 3717 3718
    if (now.tv_sec < password_expiry_time) {
        return password;
    } else {
        cryptfs_clear_password();
        return 0;
    }
}

void cryptfs_clear_password()
{
    if (password) {
        size_t len = strlen(password);
        memset(password, 0, len);
        free(password);
        password = 0;
        password_expiry_time = 0;
    }
3719
}