1 /*
2  * Copyright (C) 2010 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 /* TO DO:
18  *   1.  Perhaps keep several copies of the encrypted key, in case something
19  *       goes horribly wrong?
20  *
21  */
22 
23 #include <sys/types.h>
24 #include <sys/wait.h>
25 #include <sys/stat.h>
26 #include <ctype.h>
27 #include <fcntl.h>
28 #include <inttypes.h>
29 #include <unistd.h>
30 #include <stdio.h>
31 #include <sys/ioctl.h>
32 #include <linux/dm-ioctl.h>
33 #include <libgen.h>
34 #include <stdlib.h>
35 #include <sys/param.h>
36 #include <string.h>
37 #include <sys/mount.h>
38 #include <openssl/evp.h>
39 #include <openssl/sha.h>
40 #include <errno.h>
41 #include <ext4.h>
42 #include <linux/kdev_t.h>
43 #include <fs_mgr.h>
44 #include <time.h>
45 #include <math.h>
46 #include "cryptfs.h"
47 #define LOG_TAG "Cryptfs"
48 #include "cutils/log.h"
49 #include "cutils/properties.h"
50 #include "cutils/android_reboot.h"
51 #include "hardware_legacy/power.h"
52 #include <logwrap/logwrap.h>
53 #include "VolumeManager.h"
54 #include "VoldUtil.h"
55 #include "crypto_scrypt.h"
56 #include "Ext4Crypt.h"
57 #include "ext4_crypt_init_extensions.h"
58 #include "ext4_utils.h"
59 #include "f2fs_sparseblock.h"
60 #include "CheckBattery.h"
61 #include "Process.h"
62 
63 #include <hardware/keymaster0.h>
64 #include <hardware/keymaster1.h>
65 
66 #define UNUSED __attribute__((unused))
67 
68 #define UNUSED __attribute__((unused))
69 
70 #ifdef CONFIG_HW_DISK_ENCRYPTION
71 #include "cryptfs_hw.h"
72 #endif
73 
74 #define DM_CRYPT_BUF_SIZE 4096
75 
76 #define HASH_COUNT 2000
77 #define KEY_LEN_BYTES 16
78 #define IV_LEN_BYTES 16
79 
80 #define KEY_IN_FOOTER  "footer"
81 
82 #define DEFAULT_PASSWORD "default_password"
83 
84 #define EXT4_FS 1
85 #define F2FS_FS 2
86 
87 #define TABLE_LOAD_RETRIES 10
88 
89 #define RSA_KEY_SIZE 2048
90 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
91 #define RSA_EXPONENT 0x10001
92 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1  // Maximum one try per second
93 
94 #define RETRY_MOUNT_ATTEMPTS 10
95 #define RETRY_MOUNT_DELAY_SECONDS 1
96 
97 char *me = "cryptfs";
98 
99 static unsigned char saved_master_key[KEY_LEN_BYTES];
100 static char *saved_mount_point;
101 static int  master_key_saved = 0;
102 static struct crypt_persist_data *persist_data = NULL;
103 
keymaster_init(keymaster0_device_t ** keymaster0_dev,keymaster1_device_t ** keymaster1_dev)104 static int keymaster_init(keymaster0_device_t **keymaster0_dev,
105                           keymaster1_device_t **keymaster1_dev)
106 {
107     int rc;
108 
109     const hw_module_t* mod;
110     rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
111     if (rc) {
112         ALOGE("could not find any keystore module");
113         goto err;
114     }
115 
116     SLOGI("keymaster module name is %s", mod->name);
117     SLOGI("keymaster version is %d", mod->module_api_version);
118 
119     *keymaster0_dev = NULL;
120     *keymaster1_dev = NULL;
121     if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
122         SLOGI("Found keymaster1 module, using keymaster1 API.");
123         rc = keymaster1_open(mod, keymaster1_dev);
124     } else {
125         SLOGI("Found keymaster0 module, using keymaster0 API.");
126         rc = keymaster0_open(mod, keymaster0_dev);
127     }
128 
129     if (rc) {
130         ALOGE("could not open keymaster device in %s (%s)",
131               KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
132         goto err;
133     }
134 
135     return 0;
136 
137 err:
138     *keymaster0_dev = NULL;
139     *keymaster1_dev = NULL;
140     return rc;
141 }
142 
143 /* Should we use keymaster? */
keymaster_check_compatibility()144 static int keymaster_check_compatibility()
145 {
146     keymaster0_device_t *keymaster0_dev = 0;
147     keymaster1_device_t *keymaster1_dev = 0;
148     int rc = 0;
149 
150     if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
151         SLOGE("Failed to init keymaster");
152         rc = -1;
153         goto out;
154     }
155 
156     if (keymaster1_dev) {
157         rc = 1;
158         goto out;
159     }
160 
161     // TODO(swillden): Check to see if there's any reason to require v0.3.  I think v0.1 and v0.2
162     // should work.
163     if (keymaster0_dev->common.module->module_api_version
164             < KEYMASTER_MODULE_API_VERSION_0_3) {
165         rc = 0;
166         goto out;
167     }
168 
169     if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
170         (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
171         rc = 1;
172     }
173 
174 out:
175     if (keymaster1_dev) {
176         keymaster1_close(keymaster1_dev);
177     }
178     if (keymaster0_dev) {
179         keymaster0_close(keymaster0_dev);
180     }
181     return rc;
182 }
183 
184 /* Create a new keymaster key and store it in this footer */
keymaster_create_key(struct crypt_mnt_ftr * ftr)185 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
186 {
187     uint8_t* key = 0;
188     keymaster0_device_t *keymaster0_dev = 0;
189     keymaster1_device_t *keymaster1_dev = 0;
190 
191     if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
192         SLOGE("Failed to init keymaster");
193         return -1;
194     }
195 
196     int rc = 0;
197     size_t key_size = 0;
198     if (keymaster1_dev) {
199         keymaster_key_param_t params[] = {
200             /* Algorithm & size specifications.  Stick with RSA for now.  Switch to AES later. */
201             keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA),
202             keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE),
203             keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT),
204 
205 	    /* The only allowed purpose for this key is signing. */
206 	    keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN),
207 
208             /* Padding & digest specifications. */
209             keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
210             keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
211 
212             /* Require that the key be usable in standalone mode.  File system isn't available. */
213             keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE),
214 
215             /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */
216             keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED),
217 
218             /* Rate-limit key usage attempts, to rate-limit brute force */
219             keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT),
220         };
221         keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
222         keymaster_key_blob_t key_blob;
223         keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, &param_set,
224                                                                &key_blob,
225                                                                NULL /* characteristics */);
226         if (error != KM_ERROR_OK) {
227             SLOGE("Failed to generate keymaster1 key, error %d", error);
228             rc = -1;
229             goto out;
230         }
231 
232         key = (uint8_t*)key_blob.key_material;
233         key_size = key_blob.key_material_size;
234     }
235     else if (keymaster0_dev) {
236         keymaster_rsa_keygen_params_t params;
237         memset(&params, '\0', sizeof(params));
238         params.public_exponent = RSA_EXPONENT;
239         params.modulus_size = RSA_KEY_SIZE;
240 
241         if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, &params,
242                                              &key, &key_size)) {
243             SLOGE("Failed to generate keypair");
244             rc = -1;
245             goto out;
246         }
247     } else {
248         SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device");
249         rc = -1;
250         goto out;
251     }
252 
253     if (key_size > KEYMASTER_BLOB_SIZE) {
254         SLOGE("Keymaster key too large for crypto footer");
255         rc = -1;
256         goto out;
257     }
258 
259     memcpy(ftr->keymaster_blob, key, key_size);
260     ftr->keymaster_blob_size = key_size;
261 
262 out:
263     if (keymaster0_dev)
264         keymaster0_close(keymaster0_dev);
265     if (keymaster1_dev)
266         keymaster1_close(keymaster1_dev);
267     free(key);
268     return rc;
269 }
270 
271 /* This signs the given object using the keymaster key. */
keymaster_sign_object(struct crypt_mnt_ftr * ftr,const unsigned char * object,const size_t object_size,unsigned char ** signature,size_t * signature_size)272 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
273                                  const unsigned char *object,
274                                  const size_t object_size,
275                                  unsigned char **signature,
276                                  size_t *signature_size)
277 {
278     int rc = 0;
279     keymaster0_device_t *keymaster0_dev = 0;
280     keymaster1_device_t *keymaster1_dev = 0;
281     if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) {
282         SLOGE("Failed to init keymaster");
283         rc = -1;
284         goto out;
285     }
286 
287     unsigned char to_sign[RSA_KEY_SIZE_BYTES];
288     size_t to_sign_size = sizeof(to_sign);
289     memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
290 
291     // To sign a message with RSA, the message must satisfy two
292     // constraints:
293     //
294     // 1. The message, when interpreted as a big-endian numeric value, must
295     //    be strictly less than the public modulus of the RSA key.  Note
296     //    that because the most significant bit of the public modulus is
297     //    guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
298     //    key), an n-bit message with most significant bit 0 always
299     //    satisfies this requirement.
300     //
301     // 2. The message must have the same length in bits as the public
302     //    modulus of the RSA key.  This requirement isn't mathematically
303     //    necessary, but is necessary to ensure consistency in
304     //    implementations.
305     switch (ftr->kdf_type) {
306         case KDF_SCRYPT_KEYMASTER:
307             // This ensures the most significant byte of the signed message
308             // is zero.  We could have zero-padded to the left instead, but
309             // this approach is slightly more robust against changes in
310             // object size.  However, it's still broken (but not unusably
311             // so) because we really should be using a proper deterministic
312             // RSA padding function, such as PKCS1.
313             memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
314             SLOGI("Signing safely-padded object");
315             break;
316         default:
317             SLOGE("Unknown KDF type %d", ftr->kdf_type);
318             rc = -1;
319             goto out;
320     }
321 
322     if (keymaster0_dev) {
323         keymaster_rsa_sign_params_t params;
324         params.digest_type = DIGEST_NONE;
325         params.padding_type = PADDING_NONE;
326 
327         rc = keymaster0_dev->sign_data(keymaster0_dev,
328                                       &params,
329                                       ftr->keymaster_blob,
330                                       ftr->keymaster_blob_size,
331                                       to_sign,
332                                       to_sign_size,
333                                       signature,
334                                       signature_size);
335         goto out;
336     } else if (keymaster1_dev) {
337         keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size };
338         keymaster_key_param_t params[] = {
339             keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE),
340             keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE),
341         };
342         keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) };
343         keymaster_operation_handle_t op_handle;
344         keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
345                                                         &param_set, NULL /* out_params */,
346                                                         &op_handle);
347         if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) {
348             // Key usage has been rate-limited.  Wait a bit and try again.
349             sleep(KEYMASTER_CRYPTFS_RATE_LIMIT);
350             error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key,
351                                           &param_set, NULL /* out_params */,
352                                           &op_handle);
353         }
354         if (error != KM_ERROR_OK) {
355             SLOGE("Error starting keymaster signature transaction: %d", error);
356             rc = -1;
357             goto out;
358         }
359 
360         keymaster_blob_t input = { to_sign, to_sign_size };
361         size_t input_consumed;
362         error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */,
363                                        &input, &input_consumed, NULL /* out_params */,
364                                        NULL /* output */);
365         if (error != KM_ERROR_OK) {
366             SLOGE("Error sending data to keymaster signature transaction: %d", error);
367             rc = -1;
368             goto out;
369         }
370         if (input_consumed != to_sign_size) {
371             // This should never happen.  If it does, it's a bug in the keymaster implementation.
372             SLOGE("Keymaster update() did not consume all data.");
373             keymaster1_dev->abort(keymaster1_dev, op_handle);
374             rc = -1;
375             goto out;
376         }
377 
378         keymaster_blob_t tmp_sig;
379         error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */,
380                                        NULL /* verify signature */, NULL /* out_params */,
381                                        &tmp_sig);
382         if (error != KM_ERROR_OK) {
383             SLOGE("Error finishing keymaster signature transaction: %d", error);
384             rc = -1;
385             goto out;
386         }
387 
388         *signature = (uint8_t*)tmp_sig.data;
389         *signature_size = tmp_sig.data_length;
390     } else {
391         SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device.");
392         rc = -1;
393         goto out;
394     }
395 
396     out:
397         if (keymaster1_dev)
398             keymaster1_close(keymaster1_dev);
399         if (keymaster0_dev)
400             keymaster0_close(keymaster0_dev);
401 
402         return rc;
403 }
404 
405 /* Store password when userdata is successfully decrypted and mounted.
406  * Cleared by cryptfs_clear_password
407  *
408  * To avoid a double prompt at boot, we need to store the CryptKeeper
409  * password and pass it to KeyGuard, which uses it to unlock KeyStore.
410  * Since the entire framework is torn down and rebuilt after encryption,
411  * we have to use a daemon or similar to store the password. Since vold
412  * is secured against IPC except from system processes, it seems a reasonable
413  * place to store this.
414  *
415  * password should be cleared once it has been used.
416  *
417  * password is aged out after password_max_age_seconds seconds.
418  */
419 static char* password = 0;
420 static int password_expiry_time = 0;
421 static const int password_max_age_seconds = 60;
422 
423 extern struct fstab *fstab;
424 
425 enum RebootType {reboot, recovery, shutdown};
cryptfs_reboot(enum RebootType rt)426 static void cryptfs_reboot(enum RebootType rt)
427 {
428   switch(rt) {
429       case reboot:
430           property_set(ANDROID_RB_PROPERTY, "reboot");
431           break;
432 
433       case recovery:
434           property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
435           break;
436 
437       case shutdown:
438           property_set(ANDROID_RB_PROPERTY, "shutdown");
439           break;
440     }
441 
442     sleep(20);
443 
444     /* Shouldn't get here, reboot should happen before sleep times out */
445     return;
446 }
447 
ioctl_init(struct dm_ioctl * io,size_t dataSize,const char * name,unsigned flags)448 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
449 {
450     memset(io, 0, dataSize);
451     io->data_size = dataSize;
452     io->data_start = sizeof(struct dm_ioctl);
453     io->version[0] = 4;
454     io->version[1] = 0;
455     io->version[2] = 0;
456     io->flags = flags;
457     if (name) {
458         strlcpy(io->name, name, sizeof(io->name));
459     }
460 }
461 
462 /**
463  * Gets the default device scrypt parameters for key derivation time tuning.
464  * The parameters should lead to about one second derivation time for the
465  * given device.
466  */
get_device_scrypt_params(struct crypt_mnt_ftr * ftr)467 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
468     const int default_params[] = SCRYPT_DEFAULTS;
469     int params[] = SCRYPT_DEFAULTS;
470     char paramstr[PROPERTY_VALUE_MAX];
471     char *token;
472     char *saveptr;
473     int i;
474 
475     property_get(SCRYPT_PROP, paramstr, "");
476     if (paramstr[0] != '\0') {
477         /*
478          * The token we're looking for should be three integers separated by
479          * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
480          */
481         for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
482                 token != NULL && i < 3;
483                 i++, token = strtok_r(NULL, ":", &saveptr)) {
484             char *endptr;
485             params[i] = strtol(token, &endptr, 10);
486 
487             /*
488              * Check that there was a valid number and it's 8-bit. If not,
489              * break out and the end check will take the default values.
490              */
491             if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
492                 break;
493             }
494         }
495 
496         /*
497          * If there were not enough tokens or a token was malformed (not an
498          * integer), it will end up here and the default parameters can be
499          * taken.
500          */
501         if ((i != 3) || (token != NULL)) {
502             SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
503             memcpy(params, default_params, sizeof(params));
504         }
505     }
506 
507     ftr->N_factor = params[0];
508     ftr->r_factor = params[1];
509     ftr->p_factor = params[2];
510 }
511 
get_fs_size(char * dev)512 static unsigned int get_fs_size(char *dev)
513 {
514     int fd, block_size;
515     struct ext4_super_block sb;
516     off64_t len;
517 
518     if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) {
519         SLOGE("Cannot open device to get filesystem size ");
520         return 0;
521     }
522 
523     if (lseek64(fd, 1024, SEEK_SET) < 0) {
524         SLOGE("Cannot seek to superblock");
525         return 0;
526     }
527 
528     if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
529         SLOGE("Cannot read superblock");
530         return 0;
531     }
532 
533     close(fd);
534 
535     if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
536         SLOGE("Not a valid ext4 superblock");
537         return 0;
538     }
539     block_size = 1024 << sb.s_log_block_size;
540     /* compute length in bytes */
541     len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
542 
543     /* return length in sectors */
544     return (unsigned int) (len / 512);
545 }
546 
get_crypt_ftr_info(char ** metadata_fname,off64_t * off)547 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
548 {
549   static int cached_data = 0;
550   static off64_t cached_off = 0;
551   static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
552   int fd;
553   char key_loc[PROPERTY_VALUE_MAX];
554   char real_blkdev[PROPERTY_VALUE_MAX];
555   int rc = -1;
556 
557   if (!cached_data) {
558     fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
559 
560     if (!strcmp(key_loc, KEY_IN_FOOTER)) {
561       if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
562         SLOGE("Cannot open real block device %s\n", real_blkdev);
563         return -1;
564       }
565 
566       unsigned long nr_sec = 0;
567       get_blkdev_size(fd, &nr_sec);
568       if (nr_sec != 0) {
569         /* If it's an encrypted Android partition, the last 16 Kbytes contain the
570          * encryption info footer and key, and plenty of bytes to spare for future
571          * growth.
572          */
573         strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
574         cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
575         cached_data = 1;
576       } else {
577         SLOGE("Cannot get size of block device %s\n", real_blkdev);
578       }
579       close(fd);
580     } else {
581       strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
582       cached_off = 0;
583       cached_data = 1;
584     }
585   }
586 
587   if (cached_data) {
588     if (metadata_fname) {
589         *metadata_fname = cached_metadata_fname;
590     }
591     if (off) {
592         *off = cached_off;
593     }
594     rc = 0;
595   }
596 
597   return rc;
598 }
599 
600 /* key or salt can be NULL, in which case just skip writing that value.  Useful to
601  * update the failed mount count but not change the key.
602  */
put_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)603 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
604 {
605   int fd;
606   unsigned int cnt;
607   /* starting_off is set to the SEEK_SET offset
608    * where the crypto structure starts
609    */
610   off64_t starting_off;
611   int rc = -1;
612   char *fname = NULL;
613   struct stat statbuf;
614 
615   if (get_crypt_ftr_info(&fname, &starting_off)) {
616     SLOGE("Unable to get crypt_ftr_info\n");
617     return -1;
618   }
619   if (fname[0] != '/') {
620     SLOGE("Unexpected value for crypto key location\n");
621     return -1;
622   }
623   if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) {
624     SLOGE("Cannot open footer file %s for put\n", fname);
625     return -1;
626   }
627 
628   /* Seek to the start of the crypt footer */
629   if (lseek64(fd, starting_off, SEEK_SET) == -1) {
630     SLOGE("Cannot seek to real block device footer\n");
631     goto errout;
632   }
633 
634   if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
635     SLOGE("Cannot write real block device footer\n");
636     goto errout;
637   }
638 
639   fstat(fd, &statbuf);
640   /* If the keys are kept on a raw block device, do not try to truncate it. */
641   if (S_ISREG(statbuf.st_mode)) {
642     if (ftruncate(fd, 0x4000)) {
643       SLOGE("Cannot set footer file size\n");
644       goto errout;
645     }
646   }
647 
648   /* Success! */
649   rc = 0;
650 
651 errout:
652   close(fd);
653   return rc;
654 
655 }
656 
unix_read(int fd,void * buff,int len)657 static inline int unix_read(int  fd, void*  buff, int  len)
658 {
659     return TEMP_FAILURE_RETRY(read(fd, buff, len));
660 }
661 
unix_write(int fd,const void * buff,int len)662 static inline int unix_write(int  fd, const void*  buff, int  len)
663 {
664     return TEMP_FAILURE_RETRY(write(fd, buff, len));
665 }
666 
init_empty_persist_data(struct crypt_persist_data * pdata,int len)667 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
668 {
669     memset(pdata, 0, len);
670     pdata->persist_magic = PERSIST_DATA_MAGIC;
671     pdata->persist_valid_entries = 0;
672 }
673 
674 /* A routine to update the passed in crypt_ftr to the lastest version.
675  * fd is open read/write on the device that holds the crypto footer and persistent
676  * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
677  * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
678  */
upgrade_crypt_ftr(int fd,struct crypt_mnt_ftr * crypt_ftr,off64_t offset)679 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
680 {
681     int orig_major = crypt_ftr->major_version;
682     int orig_minor = crypt_ftr->minor_version;
683 
684     if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
685         struct crypt_persist_data *pdata;
686         off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
687 
688         SLOGW("upgrading crypto footer to 1.1");
689 
690         pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
691         if (pdata == NULL) {
692             SLOGE("Cannot allocate persisent data\n");
693             return;
694         }
695         memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
696 
697         /* Need to initialize the persistent data area */
698         if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
699             SLOGE("Cannot seek to persisent data offset\n");
700             free(pdata);
701             return;
702         }
703         /* Write all zeros to the first copy, making it invalid */
704         unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
705 
706         /* Write a valid but empty structure to the second copy */
707         init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
708         unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
709 
710         /* Update the footer */
711         crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
712         crypt_ftr->persist_data_offset[0] = pdata_offset;
713         crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
714         crypt_ftr->minor_version = 1;
715         free(pdata);
716     }
717 
718     if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
719         SLOGW("upgrading crypto footer to 1.2");
720         /* But keep the old kdf_type.
721          * It will get updated later to KDF_SCRYPT after the password has been verified.
722          */
723         crypt_ftr->kdf_type = KDF_PBKDF2;
724         get_device_scrypt_params(crypt_ftr);
725         crypt_ftr->minor_version = 2;
726     }
727 
728     if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
729         SLOGW("upgrading crypto footer to 1.3");
730         crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
731         crypt_ftr->minor_version = 3;
732     }
733 
734     if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
735         if (lseek64(fd, offset, SEEK_SET) == -1) {
736             SLOGE("Cannot seek to crypt footer\n");
737             return;
738         }
739         unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
740     }
741 }
742 
743 
get_crypt_ftr_and_key(struct crypt_mnt_ftr * crypt_ftr)744 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
745 {
746   int fd;
747   unsigned int cnt;
748   off64_t starting_off;
749   int rc = -1;
750   char *fname = NULL;
751   struct stat statbuf;
752 
753   if (get_crypt_ftr_info(&fname, &starting_off)) {
754     SLOGE("Unable to get crypt_ftr_info\n");
755     return -1;
756   }
757   if (fname[0] != '/') {
758     SLOGE("Unexpected value for crypto key location\n");
759     return -1;
760   }
761   if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) {
762     SLOGE("Cannot open footer file %s for get\n", fname);
763     return -1;
764   }
765 
766   /* Make sure it's 16 Kbytes in length */
767   fstat(fd, &statbuf);
768   if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
769     SLOGE("footer file %s is not the expected size!\n", fname);
770     goto errout;
771   }
772 
773   /* Seek to the start of the crypt footer */
774   if (lseek64(fd, starting_off, SEEK_SET) == -1) {
775     SLOGE("Cannot seek to real block device footer\n");
776     goto errout;
777   }
778 
779   if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
780     SLOGE("Cannot read real block device footer\n");
781     goto errout;
782   }
783 
784   if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
785     SLOGE("Bad magic for real block device %s\n", fname);
786     goto errout;
787   }
788 
789   if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
790     SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
791           crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
792     goto errout;
793   }
794 
795   if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
796     SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
797           crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
798   }
799 
800   /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
801    * copy on disk before returning.
802    */
803   if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
804     upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
805   }
806 
807   /* Success! */
808   rc = 0;
809 
810 errout:
811   close(fd);
812   return rc;
813 }
814 
validate_persistent_data_storage(struct crypt_mnt_ftr * crypt_ftr)815 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
816 {
817     if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
818         crypt_ftr->persist_data_offset[1]) {
819         SLOGE("Crypt_ftr persist data regions overlap");
820         return -1;
821     }
822 
823     if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
824         SLOGE("Crypt_ftr persist data region 0 starts after region 1");
825         return -1;
826     }
827 
828     if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
829         (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
830         CRYPT_FOOTER_OFFSET) {
831         SLOGE("Persistent data extends past crypto footer");
832         return -1;
833     }
834 
835     return 0;
836 }
837 
load_persistent_data(void)838 static int load_persistent_data(void)
839 {
840     struct crypt_mnt_ftr crypt_ftr;
841     struct crypt_persist_data *pdata = NULL;
842     char encrypted_state[PROPERTY_VALUE_MAX];
843     char *fname;
844     int found = 0;
845     int fd;
846     int ret;
847     int i;
848 
849     if (persist_data) {
850         /* Nothing to do, we've already loaded or initialized it */
851         return 0;
852     }
853 
854 
855     /* If not encrypted, just allocate an empty table and initialize it */
856     property_get("ro.crypto.state", encrypted_state, "");
857     if (strcmp(encrypted_state, "encrypted") ) {
858         pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
859         if (pdata) {
860             init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
861             persist_data = pdata;
862             return 0;
863         }
864         return -1;
865     }
866 
867     if(get_crypt_ftr_and_key(&crypt_ftr)) {
868         return -1;
869     }
870 
871     if ((crypt_ftr.major_version < 1)
872         || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
873         SLOGE("Crypt_ftr version doesn't support persistent data");
874         return -1;
875     }
876 
877     if (get_crypt_ftr_info(&fname, NULL)) {
878         return -1;
879     }
880 
881     ret = validate_persistent_data_storage(&crypt_ftr);
882     if (ret) {
883         return -1;
884     }
885 
886     fd = open(fname, O_RDONLY|O_CLOEXEC);
887     if (fd < 0) {
888         SLOGE("Cannot open %s metadata file", fname);
889         return -1;
890     }
891 
892     if (persist_data == NULL) {
893         pdata = malloc(crypt_ftr.persist_data_size);
894         if (pdata == NULL) {
895             SLOGE("Cannot allocate memory for persistent data");
896             goto err;
897         }
898     }
899 
900     for (i = 0; i < 2; i++) {
901         if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
902             SLOGE("Cannot seek to read persistent data on %s", fname);
903             goto err2;
904         }
905         if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
906             SLOGE("Error reading persistent data on iteration %d", i);
907             goto err2;
908         }
909         if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
910             found = 1;
911             break;
912         }
913     }
914 
915     if (!found) {
916         SLOGI("Could not find valid persistent data, creating");
917         init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
918     }
919 
920     /* Success */
921     persist_data = pdata;
922     close(fd);
923     return 0;
924 
925 err2:
926     free(pdata);
927 
928 err:
929     close(fd);
930     return -1;
931 }
932 
save_persistent_data(void)933 static int save_persistent_data(void)
934 {
935     struct crypt_mnt_ftr crypt_ftr;
936     struct crypt_persist_data *pdata;
937     char *fname;
938     off64_t write_offset;
939     off64_t erase_offset;
940     int fd;
941     int ret;
942 
943     if (persist_data == NULL) {
944         SLOGE("No persistent data to save");
945         return -1;
946     }
947 
948     if(get_crypt_ftr_and_key(&crypt_ftr)) {
949         return -1;
950     }
951 
952     if ((crypt_ftr.major_version < 1)
953         || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
954         SLOGE("Crypt_ftr version doesn't support persistent data");
955         return -1;
956     }
957 
958     ret = validate_persistent_data_storage(&crypt_ftr);
959     if (ret) {
960         return -1;
961     }
962 
963     if (get_crypt_ftr_info(&fname, NULL)) {
964         return -1;
965     }
966 
967     fd = open(fname, O_RDWR|O_CLOEXEC);
968     if (fd < 0) {
969         SLOGE("Cannot open %s metadata file", fname);
970         return -1;
971     }
972 
973     pdata = malloc(crypt_ftr.persist_data_size);
974     if (pdata == NULL) {
975         SLOGE("Cannot allocate persistant data");
976         goto err;
977     }
978 
979     if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
980         SLOGE("Cannot seek to read persistent data on %s", fname);
981         goto err2;
982     }
983 
984     if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
985             SLOGE("Error reading persistent data before save");
986             goto err2;
987     }
988 
989     if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
990         /* The first copy is the curent valid copy, so write to
991          * the second copy and erase this one */
992        write_offset = crypt_ftr.persist_data_offset[1];
993        erase_offset = crypt_ftr.persist_data_offset[0];
994     } else {
995         /* The second copy must be the valid copy, so write to
996          * the first copy, and erase the second */
997        write_offset = crypt_ftr.persist_data_offset[0];
998        erase_offset = crypt_ftr.persist_data_offset[1];
999     }
1000 
1001     /* Write the new copy first, if successful, then erase the old copy */
1002     if (lseek64(fd, write_offset, SEEK_SET) < 0) {
1003         SLOGE("Cannot seek to write persistent data");
1004         goto err2;
1005     }
1006     if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
1007         (int) crypt_ftr.persist_data_size) {
1008         if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
1009             SLOGE("Cannot seek to erase previous persistent data");
1010             goto err2;
1011         }
1012         fsync(fd);
1013         memset(pdata, 0, crypt_ftr.persist_data_size);
1014         if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
1015             (int) crypt_ftr.persist_data_size) {
1016             SLOGE("Cannot write to erase previous persistent data");
1017             goto err2;
1018         }
1019         fsync(fd);
1020     } else {
1021         SLOGE("Cannot write to save persistent data");
1022         goto err2;
1023     }
1024 
1025     /* Success */
1026     free(pdata);
1027     close(fd);
1028     return 0;
1029 
1030 err2:
1031     free(pdata);
1032 err:
1033     close(fd);
1034     return -1;
1035 }
1036 
1037 /* Convert a binary key of specified length into an ascii hex string equivalent,
1038  * without the leading 0x and with null termination
1039  */
convert_key_to_hex_ascii(const unsigned char * master_key,unsigned int keysize,char * master_key_ascii)1040 static void convert_key_to_hex_ascii(const unsigned char *master_key,
1041                                      unsigned int keysize, char *master_key_ascii) {
1042     unsigned int i, a;
1043     unsigned char nibble;
1044 
1045     for (i=0, a=0; i<keysize; i++, a+=2) {
1046         /* For each byte, write out two ascii hex digits */
1047         nibble = (master_key[i] >> 4) & 0xf;
1048         master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
1049 
1050         nibble = master_key[i] & 0xf;
1051         master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
1052     }
1053 
1054     /* Add the null termination */
1055     master_key_ascii[a] = '\0';
1056 
1057 }
1058 
load_crypto_mapping_table(struct crypt_mnt_ftr * crypt_ftr,const unsigned char * master_key,const char * real_blk_name,const char * name,int fd,const char * extra_params)1059 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
1060         const unsigned char *master_key, const char *real_blk_name,
1061         const char *name, int fd, const char *extra_params) {
1062   _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE];
1063   struct dm_ioctl *io;
1064   struct dm_target_spec *tgt;
1065   char *crypt_params;
1066   char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
1067   int i;
1068 
1069   io = (struct dm_ioctl *) buffer;
1070 
1071   /* Load the mapping table for this device */
1072   tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
1073 
1074   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1075   io->target_count = 1;
1076   tgt->status = 0;
1077   tgt->sector_start = 0;
1078   tgt->length = crypt_ftr->fs_size;
1079 #ifdef CONFIG_HW_DISK_ENCRYPTION
1080   if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1081     strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME);
1082   }
1083   else {
1084     strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1085   }
1086 #else
1087   strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
1088 #endif
1089 
1090   crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
1091   convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
1092   sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
1093           master_key_ascii, real_blk_name, extra_params);
1094   crypt_params += strlen(crypt_params) + 1;
1095   crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
1096   tgt->next = crypt_params - buffer;
1097 
1098   for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
1099     if (! ioctl(fd, DM_TABLE_LOAD, io)) {
1100       break;
1101     }
1102     usleep(500000);
1103   }
1104 
1105   if (i == TABLE_LOAD_RETRIES) {
1106     /* We failed to load the table, return an error */
1107     return -1;
1108   } else {
1109     return i + 1;
1110   }
1111 }
1112 
1113 
get_dm_crypt_version(int fd,const char * name,int * version)1114 static int get_dm_crypt_version(int fd, const char *name,  int *version)
1115 {
1116     char buffer[DM_CRYPT_BUF_SIZE];
1117     struct dm_ioctl *io;
1118     struct dm_target_versions *v;
1119 
1120     io = (struct dm_ioctl *) buffer;
1121 
1122     ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1123 
1124     if (ioctl(fd, DM_LIST_VERSIONS, io)) {
1125         return -1;
1126     }
1127 
1128     /* Iterate over the returned versions, looking for name of "crypt".
1129      * When found, get and return the version.
1130      */
1131     v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
1132     while (v->next) {
1133 #ifdef CONFIG_HW_DISK_ENCRYPTION
1134         if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
1135 #else
1136         if (! strcmp(v->name, "crypt")) {
1137 #endif
1138             /* We found the crypt driver, return the version, and get out */
1139             version[0] = v->version[0];
1140             version[1] = v->version[1];
1141             version[2] = v->version[2];
1142             return 0;
1143         }
1144         v = (struct dm_target_versions *)(((char *)v) + v->next);
1145     }
1146 
1147     return -1;
1148 }
1149 
1150 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr,
1151         const unsigned char *master_key, const char *real_blk_name,
1152         char *crypto_blk_name, const char *name) {
1153   char buffer[DM_CRYPT_BUF_SIZE];
1154   struct dm_ioctl *io;
1155   unsigned int minor;
1156   int fd=0;
1157   int retval = -1;
1158   int version[3];
1159   char *extra_params;
1160   int load_count;
1161 
1162   if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1163     SLOGE("Cannot open device-mapper\n");
1164     goto errout;
1165   }
1166 
1167   io = (struct dm_ioctl *) buffer;
1168 
1169   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1170   if (ioctl(fd, DM_DEV_CREATE, io)) {
1171     SLOGE("Cannot create dm-crypt device\n");
1172     goto errout;
1173   }
1174 
1175   /* Get the device status, in particular, the name of it's device file */
1176   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1177   if (ioctl(fd, DM_DEV_STATUS, io)) {
1178     SLOGE("Cannot retrieve dm-crypt device status\n");
1179     goto errout;
1180   }
1181   minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
1182   snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
1183 
1184   extra_params = "";
1185   if (! get_dm_crypt_version(fd, name, version)) {
1186       /* Support for allow_discards was added in version 1.11.0 */
1187       if ((version[0] >= 2) ||
1188           ((version[0] == 1) && (version[1] >= 11))) {
1189           extra_params = "1 allow_discards";
1190           SLOGI("Enabling support for allow_discards in dmcrypt.\n");
1191       }
1192   }
1193 
1194   load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
1195                                          fd, extra_params);
1196   if (load_count < 0) {
1197       SLOGE("Cannot load dm-crypt mapping table.\n");
1198       goto errout;
1199   } else if (load_count > 1) {
1200       SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
1201   }
1202 
1203   /* Resume this device to activate it */
1204   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1205 
1206   if (ioctl(fd, DM_DEV_SUSPEND, io)) {
1207     SLOGE("Cannot resume the dm-crypt device\n");
1208     goto errout;
1209   }
1210 
1211   /* We made it here with no errors.  Woot! */
1212   retval = 0;
1213 
1214 errout:
1215   close(fd);   /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1216 
1217   return retval;
1218 }
1219 
1220 static int delete_crypto_blk_dev(char *name)
1221 {
1222   int fd;
1223   char buffer[DM_CRYPT_BUF_SIZE];
1224   struct dm_ioctl *io;
1225   int retval = -1;
1226 
1227   if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) {
1228     SLOGE("Cannot open device-mapper\n");
1229     goto errout;
1230   }
1231 
1232   io = (struct dm_ioctl *) buffer;
1233 
1234   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
1235   if (ioctl(fd, DM_DEV_REMOVE, io)) {
1236     SLOGE("Cannot remove dm-crypt device\n");
1237     goto errout;
1238   }
1239 
1240   /* We made it here with no errors.  Woot! */
1241   retval = 0;
1242 
1243 errout:
1244   close(fd);    /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
1245 
1246   return retval;
1247 
1248 }
1249 
1250 static int pbkdf2(const char *passwd, const unsigned char *salt,
1251                   unsigned char *ikey, void *params UNUSED)
1252 {
1253     SLOGI("Using pbkdf2 for cryptfs KDF");
1254 
1255     /* Turn the password into a key and IV that can decrypt the master key */
1256     PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd),
1257                            salt, SALT_LEN,
1258                            HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
1259 
1260     return 0;
1261 }
1262 
1263 static int scrypt(const char *passwd, const unsigned char *salt,
1264                   unsigned char *ikey, void *params)
1265 {
1266     SLOGI("Using scrypt for cryptfs KDF");
1267 
1268     struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1269 
1270     int N = 1 << ftr->N_factor;
1271     int r = 1 << ftr->r_factor;
1272     int p = 1 << ftr->p_factor;
1273 
1274     /* Turn the password into a key and IV that can decrypt the master key */
1275     unsigned int keysize;
1276     crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1277                   salt, SALT_LEN, N, r, p, ikey,
1278                   KEY_LEN_BYTES + IV_LEN_BYTES);
1279 
1280    return 0;
1281 }
1282 
1283 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
1284                             unsigned char *ikey, void *params)
1285 {
1286     SLOGI("Using scrypt with keymaster for cryptfs KDF");
1287 
1288     int rc;
1289     size_t signature_size;
1290     unsigned char* signature;
1291     struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
1292 
1293     int N = 1 << ftr->N_factor;
1294     int r = 1 << ftr->r_factor;
1295     int p = 1 << ftr->p_factor;
1296 
1297     rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd),
1298                        salt, SALT_LEN, N, r, p, ikey,
1299                        KEY_LEN_BYTES + IV_LEN_BYTES);
1300 
1301     if (rc) {
1302         SLOGE("scrypt failed");
1303         return -1;
1304     }
1305 
1306     if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
1307                               &signature, &signature_size)) {
1308         SLOGE("Signing failed");
1309         return -1;
1310     }
1311 
1312     rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
1313                        N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
1314     free(signature);
1315 
1316     if (rc) {
1317         SLOGE("scrypt failed");
1318         return -1;
1319     }
1320 
1321     return 0;
1322 }
1323 
1324 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
1325                               const unsigned char *decrypted_master_key,
1326                               unsigned char *encrypted_master_key,
1327                               struct crypt_mnt_ftr *crypt_ftr)
1328 {
1329     unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1330     EVP_CIPHER_CTX e_ctx;
1331     int encrypted_len, final_len;
1332     int rc = 0;
1333 
1334     /* Turn the password into an intermediate key and IV that can decrypt the master key */
1335     get_device_scrypt_params(crypt_ftr);
1336 
1337     switch (crypt_ftr->kdf_type) {
1338     case KDF_SCRYPT_KEYMASTER:
1339         if (keymaster_create_key(crypt_ftr)) {
1340             SLOGE("keymaster_create_key failed");
1341             return -1;
1342         }
1343 
1344         if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
1345             SLOGE("scrypt failed");
1346             return -1;
1347         }
1348         break;
1349 
1350     case KDF_SCRYPT:
1351         if (scrypt(passwd, salt, ikey, crypt_ftr)) {
1352             SLOGE("scrypt failed");
1353             return -1;
1354         }
1355         break;
1356 
1357     default:
1358         SLOGE("Invalid kdf_type");
1359         return -1;
1360     }
1361 
1362     /* Initialize the decryption engine */
1363     EVP_CIPHER_CTX_init(&e_ctx);
1364     if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1365         SLOGE("EVP_EncryptInit failed\n");
1366         return -1;
1367     }
1368     EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
1369 
1370     /* Encrypt the master key */
1371     if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
1372                             decrypted_master_key, KEY_LEN_BYTES)) {
1373         SLOGE("EVP_EncryptUpdate failed\n");
1374         return -1;
1375     }
1376     if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
1377         SLOGE("EVP_EncryptFinal failed\n");
1378         return -1;
1379     }
1380 
1381     if (encrypted_len + final_len != KEY_LEN_BYTES) {
1382         SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
1383         return -1;
1384     }
1385 
1386     /* Store the scrypt of the intermediate key, so we can validate if it's a
1387        password error or mount error when things go wrong.
1388        Note there's no need to check for errors, since if this is incorrect, we
1389        simply won't wipe userdata, which is the correct default behavior
1390     */
1391     int N = 1 << crypt_ftr->N_factor;
1392     int r = 1 << crypt_ftr->r_factor;
1393     int p = 1 << crypt_ftr->p_factor;
1394 
1395     rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
1396                        crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
1397                        crypt_ftr->scrypted_intermediate_key,
1398                        sizeof(crypt_ftr->scrypted_intermediate_key));
1399 
1400     if (rc) {
1401       SLOGE("encrypt_master_key: crypto_scrypt failed");
1402     }
1403 
1404     return 0;
1405 }
1406 
1407 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
1408                                   unsigned char *encrypted_master_key,
1409                                   unsigned char *decrypted_master_key,
1410                                   kdf_func kdf, void *kdf_params,
1411                                   unsigned char** intermediate_key,
1412                                   size_t* intermediate_key_size)
1413 {
1414   unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
1415   EVP_CIPHER_CTX d_ctx;
1416   int decrypted_len, final_len;
1417 
1418   /* Turn the password into an intermediate key and IV that can decrypt the
1419      master key */
1420   if (kdf(passwd, salt, ikey, kdf_params)) {
1421     SLOGE("kdf failed");
1422     return -1;
1423   }
1424 
1425   /* Initialize the decryption engine */
1426   EVP_CIPHER_CTX_init(&d_ctx);
1427   if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) {
1428     return -1;
1429   }
1430   EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
1431   /* Decrypt the master key */
1432   if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
1433                             encrypted_master_key, KEY_LEN_BYTES)) {
1434     return -1;
1435   }
1436   if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
1437     return -1;
1438   }
1439 
1440   if (decrypted_len + final_len != KEY_LEN_BYTES) {
1441     return -1;
1442   }
1443 
1444   /* Copy intermediate key if needed by params */
1445   if (intermediate_key && intermediate_key_size) {
1446     *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
1447     if (intermediate_key) {
1448       memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
1449       *intermediate_key_size = KEY_LEN_BYTES;
1450     }
1451   }
1452 
1453   return 0;
1454 }
1455 
1456 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
1457 {
1458     if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1459         *kdf = scrypt_keymaster;
1460         *kdf_params = ftr;
1461     } else if (ftr->kdf_type == KDF_SCRYPT) {
1462         *kdf = scrypt;
1463         *kdf_params = ftr;
1464     } else {
1465         *kdf = pbkdf2;
1466         *kdf_params = NULL;
1467     }
1468 }
1469 
1470 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
1471                               struct crypt_mnt_ftr *crypt_ftr,
1472                               unsigned char** intermediate_key,
1473                               size_t* intermediate_key_size)
1474 {
1475     kdf_func kdf;
1476     void *kdf_params;
1477     int ret;
1478 
1479     get_kdf_func(crypt_ftr, &kdf, &kdf_params);
1480     ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
1481                                  decrypted_master_key, kdf, kdf_params,
1482                                  intermediate_key, intermediate_key_size);
1483     if (ret != 0) {
1484         SLOGW("failure decrypting master key");
1485     }
1486 
1487     return ret;
1488 }
1489 
1490 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
1491         struct crypt_mnt_ftr *crypt_ftr) {
1492     int fd;
1493     unsigned char key_buf[KEY_LEN_BYTES];
1494 
1495     /* Get some random bits for a key */
1496     fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
1497     read(fd, key_buf, sizeof(key_buf));
1498     read(fd, salt, SALT_LEN);
1499     close(fd);
1500 
1501     /* Now encrypt it with the password */
1502     return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
1503 }
1504 
1505 int wait_and_unmount(const char *mountpoint, bool kill)
1506 {
1507     int i, err, rc;
1508 #define WAIT_UNMOUNT_COUNT 20
1509 
1510     /*  Now umount the tmpfs filesystem */
1511     for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
1512         if (umount(mountpoint) == 0) {
1513             break;
1514         }
1515 
1516         if (errno == EINVAL) {
1517             /* EINVAL is returned if the directory is not a mountpoint,
1518              * i.e. there is no filesystem mounted there.  So just get out.
1519              */
1520             break;
1521         }
1522 
1523         err = errno;
1524 
1525         /* If allowed, be increasingly aggressive before the last two retries */
1526         if (kill) {
1527             if (i == (WAIT_UNMOUNT_COUNT - 3)) {
1528                 SLOGW("sending SIGHUP to processes with open files\n");
1529                 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM);
1530             } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
1531                 SLOGW("sending SIGKILL to processes with open files\n");
1532                 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL);
1533             }
1534         }
1535 
1536         sleep(1);
1537     }
1538 
1539     if (i < WAIT_UNMOUNT_COUNT) {
1540       SLOGD("unmounting %s succeeded\n", mountpoint);
1541       rc = 0;
1542     } else {
1543       vold_killProcessesWithOpenFiles(mountpoint, 0);
1544       SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
1545       rc = -1;
1546     }
1547 
1548     return rc;
1549 }
1550 
1551 #define DATA_PREP_TIMEOUT 1000
1552 static int prep_data_fs(void)
1553 {
1554     int i;
1555 
1556     /* Do the prep of the /data filesystem */
1557     property_set("vold.post_fs_data_done", "0");
1558     property_set("vold.decrypt", "trigger_post_fs_data");
1559     SLOGD("Just triggered post_fs_data\n");
1560 
1561     /* Wait a max of 50 seconds, hopefully it takes much less */
1562     for (i=0; i<DATA_PREP_TIMEOUT; i++) {
1563         char p[PROPERTY_VALUE_MAX];
1564 
1565         property_get("vold.post_fs_data_done", p, "0");
1566         if (*p == '1') {
1567             break;
1568         } else {
1569             usleep(50000);
1570         }
1571     }
1572     if (i == DATA_PREP_TIMEOUT) {
1573         /* Ugh, we failed to prep /data in time.  Bail. */
1574         SLOGE("post_fs_data timed out!\n");
1575         return -1;
1576     } else {
1577         SLOGD("post_fs_data done\n");
1578         return 0;
1579     }
1580 }
1581 
1582 static void cryptfs_set_corrupt()
1583 {
1584     // Mark the footer as bad
1585     struct crypt_mnt_ftr crypt_ftr;
1586     if (get_crypt_ftr_and_key(&crypt_ftr)) {
1587         SLOGE("Failed to get crypto footer - panic");
1588         return;
1589     }
1590 
1591     crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
1592     if (put_crypt_ftr_and_key(&crypt_ftr)) {
1593         SLOGE("Failed to set crypto footer - panic");
1594         return;
1595     }
1596 }
1597 
1598 static void cryptfs_trigger_restart_min_framework()
1599 {
1600     if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
1601       SLOGE("Failed to mount tmpfs on data - panic");
1602       return;
1603     }
1604 
1605     if (property_set("vold.decrypt", "trigger_post_fs_data")) {
1606         SLOGE("Failed to trigger post fs data - panic");
1607         return;
1608     }
1609 
1610     if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
1611         SLOGE("Failed to trigger restart min framework - panic");
1612         return;
1613     }
1614 }
1615 
1616 /* returns < 0 on failure */
1617 static int cryptfs_restart_internal(int restart_main)
1618 {
1619     char crypto_blkdev[MAXPATHLEN];
1620     int rc = -1;
1621     static int restart_successful = 0;
1622 
1623     /* Validate that it's OK to call this routine */
1624     if (! master_key_saved) {
1625         SLOGE("Encrypted filesystem not validated, aborting");
1626         return -1;
1627     }
1628 
1629     if (restart_successful) {
1630         SLOGE("System already restarted with encrypted disk, aborting");
1631         return -1;
1632     }
1633 
1634     if (restart_main) {
1635         /* Here is where we shut down the framework.  The init scripts
1636          * start all services in one of three classes: core, main or late_start.
1637          * On boot, we start core and main.  Now, we stop main, but not core,
1638          * as core includes vold and a few other really important things that
1639          * we need to keep running.  Once main has stopped, we should be able
1640          * to umount the tmpfs /data, then mount the encrypted /data.
1641          * We then restart the class main, and also the class late_start.
1642          * At the moment, I've only put a few things in late_start that I know
1643          * are not needed to bring up the framework, and that also cause problems
1644          * with unmounting the tmpfs /data, but I hope to add add more services
1645          * to the late_start class as we optimize this to decrease the delay
1646          * till the user is asked for the password to the filesystem.
1647          */
1648 
1649         /* The init files are setup to stop the class main when vold.decrypt is
1650          * set to trigger_reset_main.
1651          */
1652         property_set("vold.decrypt", "trigger_reset_main");
1653         SLOGD("Just asked init to shut down class main\n");
1654 
1655         /* Ugh, shutting down the framework is not synchronous, so until it
1656          * can be fixed, this horrible hack will wait a moment for it all to
1657          * shut down before proceeding.  Without it, some devices cannot
1658          * restart the graphics services.
1659          */
1660         sleep(2);
1661     }
1662 
1663     /* Now that the framework is shutdown, we should be able to umount()
1664      * the tmpfs filesystem, and mount the real one.
1665      */
1666 
1667     property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
1668     if (strlen(crypto_blkdev) == 0) {
1669         SLOGE("fs_crypto_blkdev not set\n");
1670         return -1;
1671     }
1672 
1673     if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
1674         /* If ro.crypto.readonly is set to 1, mount the decrypted
1675          * filesystem readonly.  This is used when /data is mounted by
1676          * recovery mode.
1677          */
1678         char ro_prop[PROPERTY_VALUE_MAX];
1679         property_get("ro.crypto.readonly", ro_prop, "");
1680         if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
1681             struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1682             rec->flags |= MS_RDONLY;
1683         }
1684 
1685         /* If that succeeded, then mount the decrypted filesystem */
1686         int retries = RETRY_MOUNT_ATTEMPTS;
1687         int mount_rc;
1688         while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
1689                                            crypto_blkdev, 0))
1690                != 0) {
1691             if (mount_rc == FS_MGR_DOMNT_BUSY) {
1692                 /* TODO: invoke something similar to
1693                    Process::killProcessWithOpenFiles(DATA_MNT_POINT,
1694                                    retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
1695                 SLOGI("Failed to mount %s because it is busy - waiting",
1696                       crypto_blkdev);
1697                 if (--retries) {
1698                     sleep(RETRY_MOUNT_DELAY_SECONDS);
1699                 } else {
1700                     /* Let's hope that a reboot clears away whatever is keeping
1701                        the mount busy */
1702                     cryptfs_reboot(reboot);
1703                 }
1704             } else {
1705                 SLOGE("Failed to mount decrypted data");
1706                 cryptfs_set_corrupt();
1707                 cryptfs_trigger_restart_min_framework();
1708                 SLOGI("Started framework to offer wipe");
1709                 return -1;
1710             }
1711         }
1712 
1713         property_set("vold.decrypt", "trigger_load_persist_props");
1714         /* Create necessary paths on /data */
1715         if (prep_data_fs()) {
1716             return -1;
1717         }
1718 
1719         /* startup service classes main and late_start */
1720         property_set("vold.decrypt", "trigger_restart_framework");
1721         SLOGD("Just triggered restart_framework\n");
1722 
1723         /* Give it a few moments to get started */
1724         sleep(1);
1725     }
1726 
1727     if (rc == 0) {
1728         restart_successful = 1;
1729     }
1730 
1731     return rc;
1732 }
1733 
1734 int cryptfs_restart(void)
1735 {
1736     SLOGI("cryptfs_restart");
1737     if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
1738         struct fstab_rec* rec;
1739         int rc;
1740 
1741         if (e4crypt_restart(DATA_MNT_POINT)) {
1742             SLOGE("Can't unmount e4crypt temp volume\n");
1743             return -1;
1744         }
1745 
1746         rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
1747         if (!rec) {
1748             SLOGE("Can't get fstab record for %s\n", DATA_MNT_POINT);
1749             return -1;
1750         }
1751 
1752         rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, rec->blk_device, 0);
1753         if (rc) {
1754             SLOGE("Can't mount %s\n", DATA_MNT_POINT);
1755             return rc;
1756         }
1757 
1758         property_set("vold.decrypt", "trigger_restart_framework");
1759         return 0;
1760     }
1761 
1762     /* Call internal implementation forcing a restart of main service group */
1763     return cryptfs_restart_internal(1);
1764 }
1765 
1766 static int do_crypto_complete(char *mount_point)
1767 {
1768   struct crypt_mnt_ftr crypt_ftr;
1769   char encrypted_state[PROPERTY_VALUE_MAX];
1770   char key_loc[PROPERTY_VALUE_MAX];
1771 
1772   property_get("ro.crypto.state", encrypted_state, "");
1773   if (strcmp(encrypted_state, "encrypted") ) {
1774     SLOGE("not running with encryption, aborting");
1775     return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1776   }
1777 
1778   if (e4crypt_crypto_complete(mount_point) == 0) {
1779     return CRYPTO_COMPLETE_ENCRYPTED;
1780   }
1781 
1782   if (get_crypt_ftr_and_key(&crypt_ftr)) {
1783     fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
1784 
1785     /*
1786      * Only report this error if key_loc is a file and it exists.
1787      * If the device was never encrypted, and /data is not mountable for
1788      * some reason, returning 1 should prevent the UI from presenting the
1789      * a "enter password" screen, or worse, a "press button to wipe the
1790      * device" screen.
1791      */
1792     if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
1793       SLOGE("master key file does not exist, aborting");
1794       return CRYPTO_COMPLETE_NOT_ENCRYPTED;
1795     } else {
1796       SLOGE("Error getting crypt footer and key\n");
1797       return CRYPTO_COMPLETE_BAD_METADATA;
1798     }
1799   }
1800 
1801   // Test for possible error flags
1802   if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
1803     SLOGE("Encryption process is partway completed\n");
1804     return CRYPTO_COMPLETE_PARTIAL;
1805   }
1806 
1807   if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
1808     SLOGE("Encryption process was interrupted but cannot continue\n");
1809     return CRYPTO_COMPLETE_INCONSISTENT;
1810   }
1811 
1812   if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
1813     SLOGE("Encryption is successful but data is corrupt\n");
1814     return CRYPTO_COMPLETE_CORRUPT;
1815   }
1816 
1817   /* We passed the test! We shall diminish, and return to the west */
1818   return CRYPTO_COMPLETE_ENCRYPTED;
1819 }
1820 
1821 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
1822                                    char *passwd, char *mount_point, char *label)
1823 {
1824   /* Allocate enough space for a 256 bit key, but we may use less */
1825   unsigned char decrypted_master_key[32];
1826   char crypto_blkdev[MAXPATHLEN];
1827   char real_blkdev[MAXPATHLEN];
1828   char tmp_mount_point[64];
1829   unsigned int orig_failed_decrypt_count;
1830   int rc;
1831   int use_keymaster = 0;
1832   int upgrade = 0;
1833   unsigned char* intermediate_key = 0;
1834   size_t intermediate_key_size = 0;
1835 
1836   SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
1837   orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
1838 
1839   if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
1840     if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
1841                            &intermediate_key, &intermediate_key_size)) {
1842       SLOGE("Failed to decrypt master key\n");
1843       rc = -1;
1844       goto errout;
1845     }
1846   }
1847 
1848   fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
1849 
1850 #ifdef CONFIG_HW_DISK_ENCRYPTION
1851   if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
1852     if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) {
1853       SLOGE("Hardware encryption key does not match");
1854     }
1855   }
1856 #endif
1857 
1858   // Create crypto block device - all (non fatal) code paths
1859   // need it
1860   if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
1861                             real_blkdev, crypto_blkdev, label)) {
1862      SLOGE("Error creating decrypted block device\n");
1863      rc = -1;
1864      goto errout;
1865   }
1866 
1867   /* Work out if the problem is the password or the data */
1868   unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
1869                                                  scrypted_intermediate_key)];
1870   int N = 1 << crypt_ftr->N_factor;
1871   int r = 1 << crypt_ftr->r_factor;
1872   int p = 1 << crypt_ftr->p_factor;
1873 
1874   rc = crypto_scrypt(intermediate_key, intermediate_key_size,
1875                      crypt_ftr->salt, sizeof(crypt_ftr->salt),
1876                      N, r, p, scrypted_intermediate_key,
1877                      sizeof(scrypted_intermediate_key));
1878 
1879   // Does the key match the crypto footer?
1880   if (rc == 0 && memcmp(scrypted_intermediate_key,
1881                         crypt_ftr->scrypted_intermediate_key,
1882                         sizeof(scrypted_intermediate_key)) == 0) {
1883     SLOGI("Password matches");
1884     rc = 0;
1885   } else {
1886     /* Try mounting the file system anyway, just in case the problem's with
1887      * the footer, not the key. */
1888     sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
1889     mkdir(tmp_mount_point, 0755);
1890     if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
1891       SLOGE("Error temp mounting decrypted block device\n");
1892       delete_crypto_blk_dev(label);
1893 
1894       rc = ++crypt_ftr->failed_decrypt_count;
1895       put_crypt_ftr_and_key(crypt_ftr);
1896     } else {
1897       /* Success! */
1898       SLOGI("Password did not match but decrypted drive mounted - continue");
1899       umount(tmp_mount_point);
1900       rc = 0;
1901     }
1902   }
1903 
1904   if (rc == 0) {
1905     crypt_ftr->failed_decrypt_count = 0;
1906     if (orig_failed_decrypt_count != 0) {
1907       put_crypt_ftr_and_key(crypt_ftr);
1908     }
1909 
1910     /* Save the name of the crypto block device
1911      * so we can mount it when restarting the framework. */
1912     property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
1913 
1914     /* Also save a the master key so we can reencrypted the key
1915      * the key when we want to change the password on it. */
1916     memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
1917     saved_mount_point = strdup(mount_point);
1918     master_key_saved = 1;
1919     SLOGD("%s(): Master key saved\n", __FUNCTION__);
1920     rc = 0;
1921 
1922     // Upgrade if we're not using the latest KDF.
1923     use_keymaster = keymaster_check_compatibility();
1924     if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
1925         // Don't allow downgrade
1926     } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
1927         crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
1928         upgrade = 1;
1929     } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
1930         crypt_ftr->kdf_type = KDF_SCRYPT;
1931         upgrade = 1;
1932     }
1933 
1934     if (upgrade) {
1935         rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
1936                                 crypt_ftr->master_key, crypt_ftr);
1937         if (!rc) {
1938             rc = put_crypt_ftr_and_key(crypt_ftr);
1939         }
1940         SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
1941 
1942         // Do not fail even if upgrade failed - machine is bootable
1943         // Note that if this code is ever hit, there is a *serious* problem
1944         // since KDFs should never fail. You *must* fix the kdf before
1945         // proceeding!
1946         if (rc) {
1947           SLOGW("Upgrade failed with error %d,"
1948                 " but continuing with previous state",
1949                 rc);
1950           rc = 0;
1951         }
1952     }
1953   }
1954 
1955  errout:
1956   if (intermediate_key) {
1957     memset(intermediate_key, 0, intermediate_key_size);
1958     free(intermediate_key);
1959   }
1960   return rc;
1961 }
1962 
1963 /*
1964  * Called by vold when it's asked to mount an encrypted external
1965  * storage volume. The incoming partition has no crypto header/footer,
1966  * as any metadata is been stored in a separate, small partition.
1967  *
1968  * out_crypto_blkdev must be MAXPATHLEN.
1969  */
1970 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
1971         const unsigned char* key, int keysize, char* out_crypto_blkdev) {
1972     int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
1973     if (fd == -1) {
1974         SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno));
1975         return -1;
1976     }
1977 
1978     unsigned long nr_sec = 0;
1979     get_blkdev_size(fd, &nr_sec);
1980     close(fd);
1981 
1982     if (nr_sec == 0) {
1983         SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno));
1984         return -1;
1985     }
1986 
1987     struct crypt_mnt_ftr ext_crypt_ftr;
1988     memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
1989     ext_crypt_ftr.fs_size = nr_sec;
1990     ext_crypt_ftr.keysize = keysize;
1991     strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
1992 
1993     return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev,
1994             out_crypto_blkdev, label);
1995 }
1996 
1997 /*
1998  * Called by vold when it's asked to unmount an encrypted external
1999  * storage volume.
2000  */
2001 int cryptfs_revert_ext_volume(const char* label) {
2002     return delete_crypto_blk_dev((char*) label);
2003 }
2004 
2005 int cryptfs_crypto_complete(void)
2006 {
2007   return do_crypto_complete("/data");
2008 }
2009 
2010 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
2011 {
2012     char encrypted_state[PROPERTY_VALUE_MAX];
2013     property_get("ro.crypto.state", encrypted_state, "");
2014     if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
2015         SLOGE("encrypted fs already validated or not running with encryption,"
2016               " aborting");
2017         return -1;
2018     }
2019 
2020     if (get_crypt_ftr_and_key(crypt_ftr)) {
2021         SLOGE("Error getting crypt footer and key");
2022         return -1;
2023     }
2024 
2025     return 0;
2026 }
2027 
2028 int cryptfs_check_passwd(char *passwd)
2029 {
2030     SLOGI("cryptfs_check_passwd");
2031     if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
2032         return e4crypt_check_passwd(DATA_MNT_POINT, passwd);
2033     }
2034 
2035     struct crypt_mnt_ftr crypt_ftr;
2036     int rc;
2037 
2038     rc = check_unmounted_and_get_ftr(&crypt_ftr);
2039     if (rc)
2040         return rc;
2041 
2042     rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
2043                                  DATA_MNT_POINT, "userdata");
2044 
2045     if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
2046         cryptfs_clear_password();
2047         password = strdup(passwd);
2048         struct timespec now;
2049         clock_gettime(CLOCK_BOOTTIME, &now);
2050         password_expiry_time = now.tv_sec + password_max_age_seconds;
2051     }
2052 
2053     return rc;
2054 }
2055 
2056 int cryptfs_verify_passwd(char *passwd)
2057 {
2058     struct crypt_mnt_ftr crypt_ftr;
2059     /* Allocate enough space for a 256 bit key, but we may use less */
2060     unsigned char decrypted_master_key[32];
2061     char encrypted_state[PROPERTY_VALUE_MAX];
2062     int rc;
2063 
2064     property_get("ro.crypto.state", encrypted_state, "");
2065     if (strcmp(encrypted_state, "encrypted") ) {
2066         SLOGE("device not encrypted, aborting");
2067         return -2;
2068     }
2069 
2070     if (!master_key_saved) {
2071         SLOGE("encrypted fs not yet mounted, aborting");
2072         return -1;
2073     }
2074 
2075     if (!saved_mount_point) {
2076         SLOGE("encrypted fs failed to save mount point, aborting");
2077         return -1;
2078     }
2079 
2080     if (get_crypt_ftr_and_key(&crypt_ftr)) {
2081         SLOGE("Error getting crypt footer and key\n");
2082         return -1;
2083     }
2084 
2085     if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
2086         /* If the device has no password, then just say the password is valid */
2087         rc = 0;
2088     } else {
2089         decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
2090         if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
2091             /* They match, the password is correct */
2092             rc = 0;
2093         } else {
2094             /* If incorrect, sleep for a bit to prevent dictionary attacks */
2095             sleep(1);
2096             rc = 1;
2097         }
2098     }
2099 
2100     return rc;
2101 }
2102 
2103 /* Initialize a crypt_mnt_ftr structure.  The keysize is
2104  * defaulted to 16 bytes, and the filesystem size to 0.
2105  * Presumably, at a minimum, the caller will update the
2106  * filesystem size and crypto_type_name after calling this function.
2107  */
2108 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
2109 {
2110     off64_t off;
2111 
2112     memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
2113     ftr->magic = CRYPT_MNT_MAGIC;
2114     ftr->major_version = CURRENT_MAJOR_VERSION;
2115     ftr->minor_version = CURRENT_MINOR_VERSION;
2116     ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
2117     ftr->keysize = KEY_LEN_BYTES;
2118 
2119     switch (keymaster_check_compatibility()) {
2120     case 1:
2121         ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
2122         break;
2123 
2124     case 0:
2125         ftr->kdf_type = KDF_SCRYPT;
2126         break;
2127 
2128     default:
2129         SLOGE("keymaster_check_compatibility failed");
2130         return -1;
2131     }
2132 
2133     get_device_scrypt_params(ftr);
2134 
2135     ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
2136     if (get_crypt_ftr_info(NULL, &off) == 0) {
2137         ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
2138         ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
2139                                     ftr->persist_data_size;
2140     }
2141 
2142     return 0;
2143 }
2144 
2145 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
2146 {
2147     const char *args[10];
2148     char size_str[32]; /* Must be large enough to hold a %lld and null byte */
2149     int num_args;
2150     int status;
2151     int tmp;
2152     int rc = -1;
2153 
2154     if (type == EXT4_FS) {
2155         args[0] = "/system/bin/make_ext4fs";
2156         args[1] = "-a";
2157         args[2] = "/data";
2158         args[3] = "-l";
2159         snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
2160         args[4] = size_str;
2161         args[5] = crypto_blkdev;
2162         num_args = 6;
2163         SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
2164               args[0], args[1], args[2], args[3], args[4], args[5]);
2165     } else if (type == F2FS_FS) {
2166         args[0] = "/system/bin/mkfs.f2fs";
2167         args[1] = "-t";
2168         args[2] = "-d1";
2169         args[3] = crypto_blkdev;
2170         snprintf(size_str, sizeof(size_str), "%" PRId64, size);
2171         args[4] = size_str;
2172         num_args = 5;
2173         SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
2174               args[0], args[1], args[2], args[3], args[4]);
2175     } else {
2176         SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
2177         return -1;
2178     }
2179 
2180     tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
2181 
2182     if (tmp != 0) {
2183       SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
2184     } else {
2185         if (WIFEXITED(status)) {
2186             if (WEXITSTATUS(status)) {
2187                 SLOGE("Error creating filesystem on %s, exit status %d ",
2188                       crypto_blkdev, WEXITSTATUS(status));
2189             } else {
2190                 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
2191                 rc = 0;
2192             }
2193         } else {
2194             SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
2195        }
2196     }
2197 
2198     return rc;
2199 }
2200 
2201 #define CRYPT_INPLACE_BUFSIZE 4096
2202 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
2203 #define CRYPT_SECTOR_SIZE 512
2204 
2205 /* aligned 32K writes tends to make flash happy.
2206  * SD card association recommends it.
2207  */
2208 #ifndef CONFIG_HW_DISK_ENCRYPTION
2209 #define BLOCKS_AT_A_TIME 8
2210 #else
2211 #define BLOCKS_AT_A_TIME 1024
2212 #endif
2213 
2214 struct encryptGroupsData
2215 {
2216     int realfd;
2217     int cryptofd;
2218     off64_t numblocks;
2219     off64_t one_pct, cur_pct, new_pct;
2220     off64_t blocks_already_done, tot_numblocks;
2221     off64_t used_blocks_already_done, tot_used_blocks;
2222     char* real_blkdev, * crypto_blkdev;
2223     int count;
2224     off64_t offset;
2225     char* buffer;
2226     off64_t last_written_sector;
2227     int completed;
2228     time_t time_started;
2229     int remaining_time;
2230 };
2231 
2232 static void update_progress(struct encryptGroupsData* data, int is_used)
2233 {
2234     data->blocks_already_done++;
2235 
2236     if (is_used) {
2237         data->used_blocks_already_done++;
2238     }
2239     if (data->tot_used_blocks) {
2240         data->new_pct = data->used_blocks_already_done / data->one_pct;
2241     } else {
2242         data->new_pct = data->blocks_already_done / data->one_pct;
2243     }
2244 
2245     if (data->new_pct > data->cur_pct) {
2246         char buf[8];
2247         data->cur_pct = data->new_pct;
2248         snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
2249         property_set("vold.encrypt_progress", buf);
2250     }
2251 
2252     if (data->cur_pct >= 5) {
2253         struct timespec time_now;
2254         if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
2255             SLOGW("Error getting time");
2256         } else {
2257             double elapsed_time = difftime(time_now.tv_sec, data->time_started);
2258             off64_t remaining_blocks = data->tot_used_blocks
2259                                        - data->used_blocks_already_done;
2260             int remaining_time = (int)(elapsed_time * remaining_blocks
2261                                        / data->used_blocks_already_done);
2262 
2263             // Change time only if not yet set, lower, or a lot higher for
2264             // best user experience
2265             if (data->remaining_time == -1
2266                 || remaining_time < data->remaining_time
2267                 || remaining_time > data->remaining_time + 60) {
2268                 char buf[8];
2269                 snprintf(buf, sizeof(buf), "%d", remaining_time);
2270                 property_set("vold.encrypt_time_remaining", buf);
2271                 data->remaining_time = remaining_time;
2272             }
2273         }
2274     }
2275 }
2276 
2277 static void log_progress(struct encryptGroupsData const* data, bool completed)
2278 {
2279     // Precondition - if completed data = 0 else data != 0
2280 
2281     // Track progress so we can skip logging blocks
2282     static off64_t offset = -1;
2283 
2284     // Need to close existing 'Encrypting from' log?
2285     if (completed || (offset != -1 && data->offset != offset)) {
2286         SLOGI("Encrypted to sector %" PRId64,
2287               offset / info.block_size * CRYPT_SECTOR_SIZE);
2288         offset = -1;
2289     }
2290 
2291     // Need to start new 'Encrypting from' log?
2292     if (!completed && offset != data->offset) {
2293         SLOGI("Encrypting from sector %" PRId64,
2294               data->offset / info.block_size * CRYPT_SECTOR_SIZE);
2295     }
2296 
2297     // Update offset
2298     if (!completed) {
2299         offset = data->offset + (off64_t)data->count * info.block_size;
2300     }
2301 }
2302 
2303 static int flush_outstanding_data(struct encryptGroupsData* data)
2304 {
2305     if (data->count == 0) {
2306         return 0;
2307     }
2308 
2309     SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
2310 
2311     if (pread64(data->realfd, data->buffer,
2312                 info.block_size * data->count, data->offset)
2313         <= 0) {
2314         SLOGE("Error reading real_blkdev %s for inplace encrypt",
2315               data->real_blkdev);
2316         return -1;
2317     }
2318 
2319     if (pwrite64(data->cryptofd, data->buffer,
2320                  info.block_size * data->count, data->offset)
2321         <= 0) {
2322         SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
2323               data->crypto_blkdev);
2324         return -1;
2325     } else {
2326       log_progress(data, false);
2327     }
2328 
2329     data->count = 0;
2330     data->last_written_sector = (data->offset + data->count)
2331                                 / info.block_size * CRYPT_SECTOR_SIZE - 1;
2332     return 0;
2333 }
2334 
2335 static int encrypt_groups(struct encryptGroupsData* data)
2336 {
2337     unsigned int i;
2338     u8 *block_bitmap = 0;
2339     unsigned int block;
2340     off64_t ret;
2341     int rc = -1;
2342 
2343     data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
2344     if (!data->buffer) {
2345         SLOGE("Failed to allocate crypto buffer");
2346         goto errout;
2347     }
2348 
2349     block_bitmap = malloc(info.block_size);
2350     if (!block_bitmap) {
2351         SLOGE("failed to allocate block bitmap");
2352         goto errout;
2353     }
2354 
2355     for (i = 0; i < aux_info.groups; ++i) {
2356         SLOGI("Encrypting group %d", i);
2357 
2358         u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
2359         u32 block_count = min(info.blocks_per_group,
2360                              aux_info.len_blocks - first_block);
2361 
2362         off64_t offset = (u64)info.block_size
2363                          * aux_info.bg_desc[i].bg_block_bitmap;
2364 
2365         ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
2366         if (ret != (int)info.block_size) {
2367             SLOGE("failed to read all of block group bitmap %d", i);
2368             goto errout;
2369         }
2370 
2371         offset = (u64)info.block_size * first_block;
2372 
2373         data->count = 0;
2374 
2375         for (block = 0; block < block_count; block++) {
2376             int used = bitmap_get_bit(block_bitmap, block);
2377             update_progress(data, used);
2378             if (used) {
2379                 if (data->count == 0) {
2380                     data->offset = offset;
2381                 }
2382                 data->count++;
2383             } else {
2384                 if (flush_outstanding_data(data)) {
2385                     goto errout;
2386                 }
2387             }
2388 
2389             offset += info.block_size;
2390 
2391             /* Write data if we are aligned or buffer size reached */
2392             if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
2393                 || data->count == BLOCKS_AT_A_TIME) {
2394                 if (flush_outstanding_data(data)) {
2395                     goto errout;
2396                 }
2397             }
2398 
2399             if (!is_battery_ok_to_continue()) {
2400                 SLOGE("Stopping encryption due to low battery");
2401                 rc = 0;
2402                 goto errout;
2403             }
2404 
2405         }
2406         if (flush_outstanding_data(data)) {
2407             goto errout;
2408         }
2409     }
2410 
2411     data->completed = 1;
2412     rc = 0;
2413 
2414 errout:
2415     log_progress(0, true);
2416     free(data->buffer);
2417     free(block_bitmap);
2418     return rc;
2419 }
2420 
2421 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
2422                                        char *real_blkdev,
2423                                        off64_t size,
2424                                        off64_t *size_already_done,
2425                                        off64_t tot_size,
2426                                        off64_t previously_encrypted_upto)
2427 {
2428     u32 i;
2429     struct encryptGroupsData data;
2430     int rc; // Can't initialize without causing warning -Wclobbered
2431 
2432     if (previously_encrypted_upto > *size_already_done) {
2433         SLOGD("Not fast encrypting since resuming part way through");
2434         return -1;
2435     }
2436 
2437     memset(&data, 0, sizeof(data));
2438     data.real_blkdev = real_blkdev;
2439     data.crypto_blkdev = crypto_blkdev;
2440 
2441     if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2442         SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
2443               real_blkdev, errno, strerror(errno));
2444         rc = -1;
2445         goto errout;
2446     }
2447 
2448     if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2449         SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
2450               crypto_blkdev, errno, strerror(errno));
2451         rc = ENABLE_INPLACE_ERR_DEV;
2452         goto errout;
2453     }
2454 
2455     if (setjmp(setjmp_env)) {
2456         SLOGE("Reading ext4 extent caused an exception\n");
2457         rc = -1;
2458         goto errout;
2459     }
2460 
2461     if (read_ext(data.realfd, 0) != 0) {
2462         SLOGE("Failed to read ext4 extent\n");
2463         rc = -1;
2464         goto errout;
2465     }
2466 
2467     data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2468     data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2469     data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2470 
2471     SLOGI("Encrypting ext4 filesystem in place...");
2472 
2473     data.tot_used_blocks = data.numblocks;
2474     for (i = 0; i < aux_info.groups; ++i) {
2475       data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
2476     }
2477 
2478     data.one_pct = data.tot_used_blocks / 100;
2479     data.cur_pct = 0;
2480 
2481     struct timespec time_started = {0};
2482     if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
2483         SLOGW("Error getting time at start");
2484         // Note - continue anyway - we'll run with 0
2485     }
2486     data.time_started = time_started.tv_sec;
2487     data.remaining_time = -1;
2488 
2489     rc = encrypt_groups(&data);
2490     if (rc) {
2491         SLOGE("Error encrypting groups");
2492         goto errout;
2493     }
2494 
2495     *size_already_done += data.completed ? size : data.last_written_sector;
2496     rc = 0;
2497 
2498 errout:
2499     close(data.realfd);
2500     close(data.cryptofd);
2501 
2502     return rc;
2503 }
2504 
2505 static void log_progress_f2fs(u64 block, bool completed)
2506 {
2507     // Precondition - if completed data = 0 else data != 0
2508 
2509     // Track progress so we can skip logging blocks
2510     static u64 last_block = (u64)-1;
2511 
2512     // Need to close existing 'Encrypting from' log?
2513     if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
2514         SLOGI("Encrypted to block %" PRId64, last_block);
2515         last_block = -1;
2516     }
2517 
2518     // Need to start new 'Encrypting from' log?
2519     if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
2520         SLOGI("Encrypting from block %" PRId64, block);
2521     }
2522 
2523     // Update offset
2524     if (!completed) {
2525         last_block = block;
2526     }
2527 }
2528 
2529 static int encrypt_one_block_f2fs(u64 pos, void *data)
2530 {
2531     struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
2532 
2533     priv_dat->blocks_already_done = pos - 1;
2534     update_progress(priv_dat, 1);
2535 
2536     off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
2537 
2538     if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2539         SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2540         return -1;
2541     }
2542 
2543     if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
2544         SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
2545         return -1;
2546     } else {
2547         log_progress_f2fs(pos, false);
2548     }
2549 
2550     return 0;
2551 }
2552 
2553 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
2554                                        char *real_blkdev,
2555                                        off64_t size,
2556                                        off64_t *size_already_done,
2557                                        off64_t tot_size,
2558                                        off64_t previously_encrypted_upto)
2559 {
2560     struct encryptGroupsData data;
2561     struct f2fs_info *f2fs_info = NULL;
2562     int rc = ENABLE_INPLACE_ERR_OTHER;
2563     if (previously_encrypted_upto > *size_already_done) {
2564         SLOGD("Not fast encrypting since resuming part way through");
2565         return ENABLE_INPLACE_ERR_OTHER;
2566     }
2567     memset(&data, 0, sizeof(data));
2568     data.real_blkdev = real_blkdev;
2569     data.crypto_blkdev = crypto_blkdev;
2570     data.realfd = -1;
2571     data.cryptofd = -1;
2572     if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) {
2573         SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
2574               real_blkdev);
2575         goto errout;
2576     }
2577     if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2578         SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
2579               crypto_blkdev, errno, strerror(errno));
2580         rc = ENABLE_INPLACE_ERR_DEV;
2581         goto errout;
2582     }
2583 
2584     f2fs_info = generate_f2fs_info(data.realfd);
2585     if (!f2fs_info)
2586       goto errout;
2587 
2588     data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2589     data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2590     data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2591 
2592     data.tot_used_blocks = get_num_blocks_used(f2fs_info);
2593 
2594     data.one_pct = data.tot_used_blocks / 100;
2595     data.cur_pct = 0;
2596     data.time_started = time(NULL);
2597     data.remaining_time = -1;
2598 
2599     data.buffer = malloc(f2fs_info->block_size);
2600     if (!data.buffer) {
2601         SLOGE("Failed to allocate crypto buffer");
2602         goto errout;
2603     }
2604 
2605     data.count = 0;
2606 
2607     /* Currently, this either runs to completion, or hits a nonrecoverable error */
2608     rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
2609 
2610     if (rc) {
2611         SLOGE("Error in running over f2fs blocks");
2612         rc = ENABLE_INPLACE_ERR_OTHER;
2613         goto errout;
2614     }
2615 
2616     *size_already_done += size;
2617     rc = 0;
2618 
2619 errout:
2620     if (rc)
2621         SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
2622 
2623     log_progress_f2fs(0, true);
2624     free(f2fs_info);
2625     free(data.buffer);
2626     close(data.realfd);
2627     close(data.cryptofd);
2628 
2629     return rc;
2630 }
2631 
2632 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
2633                                        off64_t size, off64_t *size_already_done,
2634                                        off64_t tot_size,
2635                                        off64_t previously_encrypted_upto)
2636 {
2637     int realfd, cryptofd;
2638     char *buf[CRYPT_INPLACE_BUFSIZE];
2639     int rc = ENABLE_INPLACE_ERR_OTHER;
2640     off64_t numblocks, i, remainder;
2641     off64_t one_pct, cur_pct, new_pct;
2642     off64_t blocks_already_done, tot_numblocks;
2643 
2644     if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) {
2645         SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
2646         return ENABLE_INPLACE_ERR_OTHER;
2647     }
2648 
2649     if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) {
2650         SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
2651               crypto_blkdev, errno, strerror(errno));
2652         close(realfd);
2653         return ENABLE_INPLACE_ERR_DEV;
2654     }
2655 
2656     /* This is pretty much a simple loop of reading 4K, and writing 4K.
2657      * The size passed in is the number of 512 byte sectors in the filesystem.
2658      * So compute the number of whole 4K blocks we should read/write,
2659      * and the remainder.
2660      */
2661     numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
2662     remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
2663     tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
2664     blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
2665 
2666     SLOGE("Encrypting filesystem in place...");
2667 
2668     i = previously_encrypted_upto + 1 - *size_already_done;
2669 
2670     if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2671         SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
2672         goto errout;
2673     }
2674 
2675     if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
2676         SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
2677         goto errout;
2678     }
2679 
2680     for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
2681         if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2682             SLOGE("Error reading initial sectors from real_blkdev %s for "
2683                   "inplace encrypt\n", crypto_blkdev);
2684             goto errout;
2685         }
2686         if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2687             SLOGE("Error writing initial sectors to crypto_blkdev %s for "
2688                   "inplace encrypt\n", crypto_blkdev);
2689             goto errout;
2690         } else {
2691             SLOGI("Encrypted 1 block at %" PRId64, i);
2692         }
2693     }
2694 
2695     one_pct = tot_numblocks / 100;
2696     cur_pct = 0;
2697     /* process the majority of the filesystem in blocks */
2698     for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
2699         new_pct = (i + blocks_already_done) / one_pct;
2700         if (new_pct > cur_pct) {
2701             char buf[8];
2702 
2703             cur_pct = new_pct;
2704             snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
2705             property_set("vold.encrypt_progress", buf);
2706         }
2707         if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2708             SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
2709             goto errout;
2710         }
2711         if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
2712             SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2713             goto errout;
2714         } else {
2715             SLOGD("Encrypted %d block at %" PRId64,
2716                   CRYPT_SECTORS_PER_BUFSIZE,
2717                   i * CRYPT_SECTORS_PER_BUFSIZE);
2718         }
2719 
2720        if (!is_battery_ok_to_continue()) {
2721             SLOGE("Stopping encryption due to low battery");
2722             *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
2723             rc = 0;
2724             goto errout;
2725         }
2726     }
2727 
2728     /* Do any remaining sectors */
2729     for (i=0; i<remainder; i++) {
2730         if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2731             SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
2732             goto errout;
2733         }
2734         if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
2735             SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
2736             goto errout;
2737         } else {
2738             SLOGI("Encrypted 1 block at next location");
2739         }
2740     }
2741 
2742     *size_already_done += size;
2743     rc = 0;
2744 
2745 errout:
2746     close(realfd);
2747     close(cryptofd);
2748 
2749     return rc;
2750 }
2751 
2752 /* returns on of the ENABLE_INPLACE_* return codes */
2753 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
2754                                   off64_t size, off64_t *size_already_done,
2755                                   off64_t tot_size,
2756                                   off64_t previously_encrypted_upto)
2757 {
2758     int rc_ext4, rc_f2fs, rc_full;
2759     if (previously_encrypted_upto) {
2760         SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
2761     }
2762 
2763     if (*size_already_done + size < previously_encrypted_upto) {
2764         *size_already_done += size;
2765         return 0;
2766     }
2767 
2768     /* TODO: identify filesystem type.
2769      * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
2770      * then we will drop down to cryptfs_enable_inplace_f2fs.
2771      * */
2772     if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
2773                                 size, size_already_done,
2774                                 tot_size, previously_encrypted_upto)) == 0) {
2775       return 0;
2776     }
2777     SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
2778 
2779     if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
2780                                 size, size_already_done,
2781                                 tot_size, previously_encrypted_upto)) == 0) {
2782       return 0;
2783     }
2784     SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
2785 
2786     rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
2787                                        size, size_already_done, tot_size,
2788                                        previously_encrypted_upto);
2789     SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
2790 
2791     /* Hack for b/17898962, the following is the symptom... */
2792     if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
2793         && rc_f2fs == ENABLE_INPLACE_ERR_DEV
2794         && rc_full == ENABLE_INPLACE_ERR_DEV) {
2795             return ENABLE_INPLACE_ERR_DEV;
2796     }
2797     return rc_full;
2798 }
2799 
2800 #define CRYPTO_ENABLE_WIPE 1
2801 #define CRYPTO_ENABLE_INPLACE 2
2802 
2803 #define FRAMEWORK_BOOT_WAIT 60
2804 
2805 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
2806 {
2807     int fd = open(filename, O_RDONLY|O_CLOEXEC);
2808     if (fd == -1) {
2809         SLOGE("Error opening file %s", filename);
2810         return -1;
2811     }
2812 
2813     char block[CRYPT_INPLACE_BUFSIZE];
2814     memset(block, 0, sizeof(block));
2815     if (unix_read(fd, block, sizeof(block)) < 0) {
2816         SLOGE("Error reading file %s", filename);
2817         close(fd);
2818         return -1;
2819     }
2820 
2821     close(fd);
2822 
2823     SHA256_CTX c;
2824     SHA256_Init(&c);
2825     SHA256_Update(&c, block, sizeof(block));
2826     SHA256_Final(buf, &c);
2827 
2828     return 0;
2829 }
2830 
2831 static int get_fs_type(struct fstab_rec *rec)
2832 {
2833     if (!strcmp(rec->fs_type, "ext4")) {
2834         return EXT4_FS;
2835     } else if (!strcmp(rec->fs_type, "f2fs")) {
2836         return F2FS_FS;
2837     } else {
2838         return -1;
2839     }
2840 }
2841 
2842 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
2843                                       char *crypto_blkdev, char *real_blkdev,
2844                                       int previously_encrypted_upto)
2845 {
2846     off64_t cur_encryption_done=0, tot_encryption_size=0;
2847     int rc = -1;
2848 
2849     if (!is_battery_ok_to_start()) {
2850         SLOGW("Not starting encryption due to low battery");
2851         return 0;
2852     }
2853 
2854     /* The size of the userdata partition, and add in the vold volumes below */
2855     tot_encryption_size = crypt_ftr->fs_size;
2856 
2857     if (how == CRYPTO_ENABLE_WIPE) {
2858         struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
2859         int fs_type = get_fs_type(rec);
2860         if (fs_type < 0) {
2861             SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
2862             return -1;
2863         }
2864         rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
2865     } else if (how == CRYPTO_ENABLE_INPLACE) {
2866         rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
2867                                     crypt_ftr->fs_size, &cur_encryption_done,
2868                                     tot_encryption_size,
2869                                     previously_encrypted_upto);
2870 
2871         if (rc == ENABLE_INPLACE_ERR_DEV) {
2872             /* Hack for b/17898962 */
2873             SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
2874             cryptfs_reboot(reboot);
2875         }
2876 
2877         if (!rc) {
2878             crypt_ftr->encrypted_upto = cur_encryption_done;
2879         }
2880 
2881         if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
2882             /* The inplace routine never actually sets the progress to 100% due
2883              * to the round down nature of integer division, so set it here */
2884             property_set("vold.encrypt_progress", "100");
2885         }
2886     } else {
2887         /* Shouldn't happen */
2888         SLOGE("cryptfs_enable: internal error, unknown option\n");
2889         rc = -1;
2890     }
2891 
2892     return rc;
2893 }
2894 
2895 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
2896                             int allow_reboot)
2897 {
2898     int how = 0;
2899     char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
2900     unsigned char decrypted_master_key[KEY_LEN_BYTES];
2901     int rc=-1, i;
2902     struct crypt_mnt_ftr crypt_ftr;
2903     struct crypt_persist_data *pdata;
2904     char encrypted_state[PROPERTY_VALUE_MAX];
2905     char lockid[32] = { 0 };
2906     char key_loc[PROPERTY_VALUE_MAX];
2907     int num_vols;
2908     off64_t previously_encrypted_upto = 0;
2909 
2910     if (!strcmp(howarg, "wipe")) {
2911       how = CRYPTO_ENABLE_WIPE;
2912     } else if (! strcmp(howarg, "inplace")) {
2913       how = CRYPTO_ENABLE_INPLACE;
2914     } else {
2915       /* Shouldn't happen, as CommandListener vets the args */
2916       goto error_unencrypted;
2917     }
2918 
2919     /* See if an encryption was underway and interrupted */
2920     if (how == CRYPTO_ENABLE_INPLACE
2921           && get_crypt_ftr_and_key(&crypt_ftr) == 0
2922           && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) {
2923         previously_encrypted_upto = crypt_ftr.encrypted_upto;
2924         crypt_ftr.encrypted_upto = 0;
2925         crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
2926 
2927         /* At this point, we are in an inconsistent state. Until we successfully
2928            complete encryption, a reboot will leave us broken. So mark the
2929            encryption failed in case that happens.
2930            On successfully completing encryption, remove this flag */
2931         crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
2932 
2933         put_crypt_ftr_and_key(&crypt_ftr);
2934     }
2935 
2936     property_get("ro.crypto.state", encrypted_state, "");
2937     if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
2938         SLOGE("Device is already running encrypted, aborting");
2939         goto error_unencrypted;
2940     }
2941 
2942     // TODO refactor fs_mgr_get_crypt_info to get both in one call
2943     fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
2944     fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
2945 
2946     /* Get the size of the real block device */
2947     int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC);
2948     if (fd == -1) {
2949         SLOGE("Cannot open block device %s\n", real_blkdev);
2950         goto error_unencrypted;
2951     }
2952     unsigned long nr_sec;
2953     get_blkdev_size(fd, &nr_sec);
2954     if (nr_sec == 0) {
2955         SLOGE("Cannot get size of block device %s\n", real_blkdev);
2956         goto error_unencrypted;
2957     }
2958     close(fd);
2959 
2960     /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
2961     if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
2962         unsigned int fs_size_sec, max_fs_size_sec;
2963         fs_size_sec = get_fs_size(real_blkdev);
2964         if (fs_size_sec == 0)
2965             fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
2966 
2967         max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
2968 
2969         if (fs_size_sec > max_fs_size_sec) {
2970             SLOGE("Orig filesystem overlaps crypto footer region.  Cannot encrypt in place.");
2971             goto error_unencrypted;
2972         }
2973     }
2974 
2975     /* Get a wakelock as this may take a while, and we don't want the
2976      * device to sleep on us.  We'll grab a partial wakelock, and if the UI
2977      * wants to keep the screen on, it can grab a full wakelock.
2978      */
2979     snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
2980     acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
2981 
2982     /* The init files are setup to stop the class main and late start when
2983      * vold sets trigger_shutdown_framework.
2984      */
2985     property_set("vold.decrypt", "trigger_shutdown_framework");
2986     SLOGD("Just asked init to shut down class main\n");
2987 
2988     /* Ask vold to unmount all devices that it manages */
2989     if (vold_unmountAll()) {
2990         SLOGE("Failed to unmount all vold managed devices");
2991     }
2992 
2993     /* Now unmount the /data partition. */
2994     if (wait_and_unmount(DATA_MNT_POINT, false)) {
2995         if (allow_reboot) {
2996             goto error_shutting_down;
2997         } else {
2998             goto error_unencrypted;
2999         }
3000     }
3001 
3002     /* Do extra work for a better UX when doing the long inplace encryption */
3003     if (how == CRYPTO_ENABLE_INPLACE) {
3004         /* Now that /data is unmounted, we need to mount a tmpfs
3005          * /data, set a property saying we're doing inplace encryption,
3006          * and restart the framework.
3007          */
3008         if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
3009             goto error_shutting_down;
3010         }
3011         /* Tells the framework that inplace encryption is starting */
3012         property_set("vold.encrypt_progress", "0");
3013 
3014         /* restart the framework. */
3015         /* Create necessary paths on /data */
3016         if (prep_data_fs()) {
3017             goto error_shutting_down;
3018         }
3019 
3020         /* Ugh, shutting down the framework is not synchronous, so until it
3021          * can be fixed, this horrible hack will wait a moment for it all to
3022          * shut down before proceeding.  Without it, some devices cannot
3023          * restart the graphics services.
3024          */
3025         sleep(2);
3026     }
3027 
3028     /* Start the actual work of making an encrypted filesystem */
3029     /* Initialize a crypt_mnt_ftr for the partition */
3030     if (previously_encrypted_upto == 0) {
3031         if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
3032             goto error_shutting_down;
3033         }
3034 
3035         if (!strcmp(key_loc, KEY_IN_FOOTER)) {
3036             crypt_ftr.fs_size = nr_sec
3037               - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
3038         } else {
3039             crypt_ftr.fs_size = nr_sec;
3040         }
3041         /* At this point, we are in an inconsistent state. Until we successfully
3042            complete encryption, a reboot will leave us broken. So mark the
3043            encryption failed in case that happens.
3044            On successfully completing encryption, remove this flag */
3045         crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
3046         crypt_ftr.crypt_type = crypt_type;
3047 #ifndef CONFIG_HW_DISK_ENCRYPTION
3048         strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
3049 #else
3050         strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);
3051 
3052         rc = clear_hw_device_encryption_key();
3053         if (!rc) {
3054           SLOGE("Error clearing device encryption hardware key. rc = %d", rc);
3055         }
3056 
3057         rc = set_hw_device_encryption_key(passwd,
3058                                           (char*) crypt_ftr.crypto_type_name);
3059         if (!rc) {
3060           SLOGE("Error initializing device encryption hardware key. rc = %d", rc);
3061           goto error_shutting_down;
3062         }
3063 #endif
3064 
3065         /* Make an encrypted master key */
3066         if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
3067             SLOGE("Cannot create encrypted master key\n");
3068             goto error_shutting_down;
3069         }
3070 
3071         /* Write the key to the end of the partition */
3072         put_crypt_ftr_and_key(&crypt_ftr);
3073 
3074         /* If any persistent data has been remembered, save it.
3075          * If none, create a valid empty table and save that.
3076          */
3077         if (!persist_data) {
3078            pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
3079            if (pdata) {
3080                init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
3081                persist_data = pdata;
3082            }
3083         }
3084         if (persist_data) {
3085             save_persistent_data();
3086         }
3087     }
3088 
3089     if (how == CRYPTO_ENABLE_INPLACE) {
3090         /* startup service classes main and late_start */
3091         property_set("vold.decrypt", "trigger_restart_min_framework");
3092         SLOGD("Just triggered restart_min_framework\n");
3093 
3094         /* OK, the framework is restarted and will soon be showing a
3095          * progress bar.  Time to setup an encrypted mapping, and
3096          * either write a new filesystem, or encrypt in place updating
3097          * the progress bar as we work.
3098          */
3099     }
3100 
3101     decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
3102     create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
3103                           "userdata");
3104 
3105     /* If we are continuing, check checksums match */
3106     rc = 0;
3107     if (previously_encrypted_upto) {
3108         __le8 hash_first_block[SHA256_DIGEST_LENGTH];
3109         rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
3110 
3111         if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
3112                           sizeof(hash_first_block)) != 0) {
3113             SLOGE("Checksums do not match - trigger wipe");
3114             rc = -1;
3115         }
3116     }
3117 
3118     if (!rc) {
3119         rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
3120                                         crypto_blkdev, real_blkdev,
3121                                         previously_encrypted_upto);
3122     }
3123 
3124     /* Calculate checksum if we are not finished */
3125     if (!rc && how == CRYPTO_ENABLE_INPLACE
3126             && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3127         rc = cryptfs_SHA256_fileblock(crypto_blkdev,
3128                                       crypt_ftr.hash_first_block);
3129         if (rc) {
3130             SLOGE("Error calculating checksum for continuing encryption");
3131             rc = -1;
3132         }
3133     }
3134 
3135     /* Undo the dm-crypt mapping whether we succeed or not */
3136     delete_crypto_blk_dev("userdata");
3137 
3138     if (! rc) {
3139         /* Success */
3140         crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
3141 
3142         if (how == CRYPTO_ENABLE_INPLACE
3143               && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
3144             SLOGD("Encrypted up to sector %lld - will continue after reboot",
3145                   crypt_ftr.encrypted_upto);
3146             crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
3147         }
3148 
3149         put_crypt_ftr_and_key(&crypt_ftr);
3150 
3151         if (how == CRYPTO_ENABLE_WIPE
3152               || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
3153           char value[PROPERTY_VALUE_MAX];
3154           property_get("ro.crypto.state", value, "");
3155           if (!strcmp(value, "")) {
3156             /* default encryption - continue first boot sequence */
3157             property_set("ro.crypto.state", "encrypted");
3158             release_wake_lock(lockid);
3159             cryptfs_check_passwd(DEFAULT_PASSWORD);
3160             cryptfs_restart_internal(1);
3161             return 0;
3162           } else {
3163             sleep(2); /* Give the UI a chance to show 100% progress */
3164             cryptfs_reboot(reboot);
3165           }
3166         } else {
3167             sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
3168             cryptfs_reboot(shutdown);
3169         }
3170     } else {
3171         char value[PROPERTY_VALUE_MAX];
3172 
3173         property_get("ro.vold.wipe_on_crypt_fail", value, "0");
3174         if (!strcmp(value, "1")) {
3175             /* wipe data if encryption failed */
3176             SLOGE("encryption failed - rebooting into recovery to wipe data\n");
3177             mkdir("/cache/recovery", 0700);
3178             int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0600);
3179             if (fd >= 0) {
3180                 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1);
3181                 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1);
3182                 close(fd);
3183             } else {
3184                 SLOGE("could not open /cache/recovery/command\n");
3185             }
3186             cryptfs_reboot(recovery);
3187         } else {
3188             /* set property to trigger dialog */
3189             property_set("vold.encrypt_progress", "error_partially_encrypted");
3190             release_wake_lock(lockid);
3191         }
3192         return -1;
3193     }
3194 
3195     /* hrm, the encrypt step claims success, but the reboot failed.
3196      * This should not happen.
3197      * Set the property and return.  Hope the framework can deal with it.
3198      */
3199     property_set("vold.encrypt_progress", "error_reboot_failed");
3200     release_wake_lock(lockid);
3201     return rc;
3202 
3203 error_unencrypted:
3204     property_set("vold.encrypt_progress", "error_not_encrypted");
3205     if (lockid[0]) {
3206         release_wake_lock(lockid);
3207     }
3208     return -1;
3209 
3210 error_shutting_down:
3211     /* we failed, and have not encrypted anthing, so the users's data is still intact,
3212      * but the framework is stopped and not restarted to show the error, so it's up to
3213      * vold to restart the system.
3214      */
3215     SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
3216     cryptfs_reboot(reboot);
3217 
3218     /* shouldn't get here */
3219     property_set("vold.encrypt_progress", "error_shutting_down");
3220     if (lockid[0]) {
3221         release_wake_lock(lockid);
3222     }
3223     return -1;
3224 }
3225 
3226 int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot)
3227 {
3228     return cryptfs_enable_internal(howarg, type, passwd, allow_reboot);
3229 }
3230 
3231 int cryptfs_enable_default(char *howarg, int allow_reboot)
3232 {
3233     return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
3234                           DEFAULT_PASSWORD, allow_reboot);
3235 }
3236 
3237 int cryptfs_changepw(int crypt_type, const char *newpw)
3238 {
3239     if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3240         return e4crypt_change_password(DATA_MNT_POINT, crypt_type, newpw);
3241     }
3242 
3243     struct crypt_mnt_ftr crypt_ftr;
3244     int rc;
3245 
3246     /* This is only allowed after we've successfully decrypted the master key */
3247     if (!master_key_saved) {
3248         SLOGE("Key not saved, aborting");
3249         return -1;
3250     }
3251 
3252     if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3253         SLOGE("Invalid crypt_type %d", crypt_type);
3254         return -1;
3255     }
3256 
3257     /* get key */
3258     if (get_crypt_ftr_and_key(&crypt_ftr)) {
3259         SLOGE("Error getting crypt footer and key");
3260         return -1;
3261     }
3262 
3263     crypt_ftr.crypt_type = crypt_type;
3264 
3265     rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
3266                                                         : newpw,
3267                        crypt_ftr.salt,
3268                        saved_master_key,
3269                        crypt_ftr.master_key,
3270                        &crypt_ftr);
3271     if (rc) {
3272         SLOGE("Encrypt master key failed: %d", rc);
3273         return -1;
3274     }
3275     /* save the key */
3276     put_crypt_ftr_and_key(&crypt_ftr);
3277 
3278 #ifdef CONFIG_HW_DISK_ENCRYPTION
3279     if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) {
3280         if (crypt_type == CRYPT_TYPE_DEFAULT) {
3281             int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name);
3282             SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc);
3283             if (!rc)
3284                 return -1;
3285         } else {
3286             int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name);
3287             SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc);
3288             if (!rc)
3289                 return -1;
3290         }
3291     }
3292 #endif
3293     return 0;
3294 }
3295 
3296 static unsigned int persist_get_max_entries(int encrypted) {
3297     struct crypt_mnt_ftr crypt_ftr;
3298     unsigned int dsize;
3299     unsigned int max_persistent_entries;
3300 
3301     /* If encrypted, use the values from the crypt_ftr, otherwise
3302      * use the values for the current spec.
3303      */
3304     if (encrypted) {
3305         if (get_crypt_ftr_and_key(&crypt_ftr)) {
3306             return -1;
3307         }
3308         dsize = crypt_ftr.persist_data_size;
3309     } else {
3310         dsize = CRYPT_PERSIST_DATA_SIZE;
3311     }
3312 
3313     max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
3314         sizeof(struct crypt_persist_entry);
3315 
3316     return max_persistent_entries;
3317 }
3318 
3319 static int persist_get_key(const char *fieldname, char *value)
3320 {
3321     unsigned int i;
3322 
3323     if (persist_data == NULL) {
3324         return -1;
3325     }
3326     for (i = 0; i < persist_data->persist_valid_entries; i++) {
3327         if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3328             /* We found it! */
3329             strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
3330             return 0;
3331         }
3332     }
3333 
3334     return -1;
3335 }
3336 
3337 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
3338 {
3339     unsigned int i;
3340     unsigned int num;
3341     unsigned int max_persistent_entries;
3342 
3343     if (persist_data == NULL) {
3344         return -1;
3345     }
3346 
3347     max_persistent_entries = persist_get_max_entries(encrypted);
3348 
3349     num = persist_data->persist_valid_entries;
3350 
3351     for (i = 0; i < num; i++) {
3352         if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
3353             /* We found an existing entry, update it! */
3354             memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
3355             strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
3356             return 0;
3357         }
3358     }
3359 
3360     /* We didn't find it, add it to the end, if there is room */
3361     if (persist_data->persist_valid_entries < max_persistent_entries) {
3362         memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
3363         strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
3364         strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
3365         persist_data->persist_valid_entries++;
3366         return 0;
3367     }
3368 
3369     return -1;
3370 }
3371 
3372 /**
3373  * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
3374  * sequence and its index is greater than or equal to index. Return 0 otherwise.
3375  */
3376 static int match_multi_entry(const char *key, const char *field, unsigned index) {
3377     unsigned int field_len;
3378     unsigned int key_index;
3379     field_len = strlen(field);
3380 
3381     if (index == 0) {
3382         // The first key in a multi-entry field is just the filedname itself.
3383         if (!strcmp(key, field)) {
3384             return 1;
3385         }
3386     }
3387     // Match key against "%s_%d" % (field, index)
3388     if (strlen(key) < field_len + 1 + 1) {
3389         // Need at least a '_' and a digit.
3390         return 0;
3391     }
3392     if (strncmp(key, field, field_len)) {
3393         // If the key does not begin with field, it's not a match.
3394         return 0;
3395     }
3396     if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
3397         return 0;
3398     }
3399     return key_index >= index;
3400 }
3401 
3402 /*
3403  * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
3404  * remaining entries starting from index will be deleted.
3405  * returns PERSIST_DEL_KEY_OK if deletion succeeds,
3406  * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
3407  * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
3408  *
3409  */
3410 static int persist_del_keys(const char *fieldname, unsigned index)
3411 {
3412     unsigned int i;
3413     unsigned int j;
3414     unsigned int num;
3415 
3416     if (persist_data == NULL) {
3417         return PERSIST_DEL_KEY_ERROR_OTHER;
3418     }
3419 
3420     num = persist_data->persist_valid_entries;
3421 
3422     j = 0; // points to the end of non-deleted entries.
3423     // Filter out to-be-deleted entries in place.
3424     for (i = 0; i < num; i++) {
3425         if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
3426             persist_data->persist_entry[j] = persist_data->persist_entry[i];
3427             j++;
3428         }
3429     }
3430 
3431     if (j < num) {
3432         persist_data->persist_valid_entries = j;
3433         // Zeroise the remaining entries
3434         memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
3435         return PERSIST_DEL_KEY_OK;
3436     } else {
3437         // Did not find an entry matching the given fieldname
3438         return PERSIST_DEL_KEY_ERROR_NO_FIELD;
3439     }
3440 }
3441 
3442 static int persist_count_keys(const char *fieldname)
3443 {
3444     unsigned int i;
3445     unsigned int count;
3446 
3447     if (persist_data == NULL) {
3448         return -1;
3449     }
3450 
3451     count = 0;
3452     for (i = 0; i < persist_data->persist_valid_entries; i++) {
3453         if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
3454             count++;
3455         }
3456     }
3457 
3458     return count;
3459 }
3460 
3461 /* Return the value of the specified field. */
3462 int cryptfs_getfield(const char *fieldname, char *value, int len)
3463 {
3464     if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3465         return e4crypt_get_field(DATA_MNT_POINT, fieldname, value, len);
3466     }
3467 
3468     char temp_value[PROPERTY_VALUE_MAX];
3469     /* CRYPTO_GETFIELD_OK is success,
3470      * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
3471      * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
3472      * CRYPTO_GETFIELD_ERROR_OTHER is any other error
3473      */
3474     int rc = CRYPTO_GETFIELD_ERROR_OTHER;
3475     int i;
3476     char temp_field[PROPERTY_KEY_MAX];
3477 
3478     if (persist_data == NULL) {
3479         load_persistent_data();
3480         if (persist_data == NULL) {
3481             SLOGE("Getfield error, cannot load persistent data");
3482             goto out;
3483         }
3484     }
3485 
3486     // Read value from persistent entries. If the original value is split into multiple entries,
3487     // stitch them back together.
3488     if (!persist_get_key(fieldname, temp_value)) {
3489         // We found it, copy it to the caller's buffer and keep going until all entries are read.
3490         if (strlcpy(value, temp_value, len) >= (unsigned) len) {
3491             // value too small
3492             rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3493             goto out;
3494         }
3495         rc = CRYPTO_GETFIELD_OK;
3496 
3497         for (i = 1; /* break explicitly */; i++) {
3498             if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
3499                     (int) sizeof(temp_field)) {
3500                 // If the fieldname is very long, we stop as soon as it begins to overflow the
3501                 // maximum field length. At this point we have in fact fully read out the original
3502                 // value because cryptfs_setfield would not allow fields with longer names to be
3503                 // written in the first place.
3504                 break;
3505             }
3506             if (!persist_get_key(temp_field, temp_value)) {
3507                   if (strlcat(value, temp_value, len) >= (unsigned)len) {
3508                       // value too small.
3509                       rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
3510                       goto out;
3511                   }
3512             } else {
3513                 // Exhaust all entries.
3514                 break;
3515             }
3516         }
3517     } else {
3518         /* Sadness, it's not there.  Return the error */
3519         rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
3520     }
3521 
3522 out:
3523     return rc;
3524 }
3525 
3526 /* Set the value of the specified field. */
3527 int cryptfs_setfield(const char *fieldname, const char *value)
3528 {
3529     if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3530         return e4crypt_set_field(DATA_MNT_POINT, fieldname, value);
3531     }
3532 
3533     char encrypted_state[PROPERTY_VALUE_MAX];
3534     /* 0 is success, negative values are error */
3535     int rc = CRYPTO_SETFIELD_ERROR_OTHER;
3536     int encrypted = 0;
3537     unsigned int field_id;
3538     char temp_field[PROPERTY_KEY_MAX];
3539     unsigned int num_entries;
3540     unsigned int max_keylen;
3541 
3542     if (persist_data == NULL) {
3543         load_persistent_data();
3544         if (persist_data == NULL) {
3545             SLOGE("Setfield error, cannot load persistent data");
3546             goto out;
3547         }
3548     }
3549 
3550     property_get("ro.crypto.state", encrypted_state, "");
3551     if (!strcmp(encrypted_state, "encrypted") ) {
3552         encrypted = 1;
3553     }
3554 
3555     // Compute the number of entries required to store value, each entry can store up to
3556     // (PROPERTY_VALUE_MAX - 1) chars
3557     if (strlen(value) == 0) {
3558         // Empty value also needs one entry to store.
3559         num_entries = 1;
3560     } else {
3561         num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
3562     }
3563 
3564     max_keylen = strlen(fieldname);
3565     if (num_entries > 1) {
3566         // Need an extra "_%d" suffix.
3567         max_keylen += 1 + log10(num_entries);
3568     }
3569     if (max_keylen > PROPERTY_KEY_MAX - 1) {
3570         rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
3571         goto out;
3572     }
3573 
3574     // Make sure we have enough space to write the new value
3575     if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
3576         persist_get_max_entries(encrypted)) {
3577         rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
3578         goto out;
3579     }
3580 
3581     // Now that we know persist_data has enough space for value, let's delete the old field first
3582     // to make up space.
3583     persist_del_keys(fieldname, 0);
3584 
3585     if (persist_set_key(fieldname, value, encrypted)) {
3586         // fail to set key, should not happen as we have already checked the available space
3587         SLOGE("persist_set_key() error during setfield()");
3588         goto out;
3589     }
3590 
3591     for (field_id = 1; field_id < num_entries; field_id++) {
3592         snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
3593 
3594         if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
3595             // fail to set key, should not happen as we have already checked the available space.
3596             SLOGE("persist_set_key() error during setfield()");
3597             goto out;
3598         }
3599     }
3600 
3601     /* If we are running encrypted, save the persistent data now */
3602     if (encrypted) {
3603         if (save_persistent_data()) {
3604             SLOGE("Setfield error, cannot save persistent data");
3605             goto out;
3606         }
3607     }
3608 
3609     rc = CRYPTO_SETFIELD_OK;
3610 
3611 out:
3612     return rc;
3613 }
3614 
3615 /* Checks userdata. Attempt to mount the volume if default-
3616  * encrypted.
3617  * On success trigger next init phase and return 0.
3618  * Currently do not handle failure - see TODO below.
3619  */
3620 int cryptfs_mount_default_encrypted(void)
3621 {
3622     char decrypt_state[PROPERTY_VALUE_MAX];
3623     property_get("vold.decrypt", decrypt_state, "0");
3624     if (!strcmp(decrypt_state, "0")) {
3625         SLOGE("Not encrypted - should not call here");
3626     } else {
3627         int crypt_type = cryptfs_get_password_type();
3628         if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
3629             SLOGE("Bad crypt type - error");
3630         } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
3631             SLOGD("Password is not default - "
3632                   "starting min framework to prompt");
3633             property_set("vold.decrypt", "trigger_restart_min_framework");
3634             return 0;
3635         } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
3636             SLOGD("Password is default - restarting filesystem");
3637             cryptfs_restart_internal(0);
3638             return 0;
3639         } else {
3640             SLOGE("Encrypted, default crypt type but can't decrypt");
3641         }
3642     }
3643 
3644     /** Corrupt. Allow us to boot into framework, which will detect bad
3645         crypto when it calls do_crypto_complete, then do a factory reset
3646      */
3647     property_set("vold.decrypt", "trigger_restart_min_framework");
3648     return 0;
3649 }
3650 
3651 /* Returns type of the password, default, pattern, pin or password.
3652  */
3653 int cryptfs_get_password_type(void)
3654 {
3655     if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3656         return e4crypt_get_password_type(DATA_MNT_POINT);
3657     }
3658 
3659     struct crypt_mnt_ftr crypt_ftr;
3660 
3661     if (get_crypt_ftr_and_key(&crypt_ftr)) {
3662         SLOGE("Error getting crypt footer and key\n");
3663         return -1;
3664     }
3665 
3666     if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
3667         return -1;
3668     }
3669 
3670     return crypt_ftr.crypt_type;
3671 }
3672 
3673 const char* cryptfs_get_password()
3674 {
3675     if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3676         return e4crypt_get_password(DATA_MNT_POINT);
3677     }
3678 
3679     struct timespec now;
3680     clock_gettime(CLOCK_BOOTTIME, &now);
3681     if (now.tv_sec < password_expiry_time) {
3682         return password;
3683     } else {
3684         cryptfs_clear_password();
3685         return 0;
3686     }
3687 }
3688 
3689 void cryptfs_clear_password()
3690 {
3691     if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
3692         e4crypt_clear_password(DATA_MNT_POINT);
3693     }
3694 
3695     if (password) {
3696         size_t len = strlen(password);
3697         memset(password, 0, len);
3698         free(password);
3699         password = 0;
3700         password_expiry_time = 0;
3701     }
3702 }
3703 
3704 int cryptfs_enable_file()
3705 {
3706     return e4crypt_enable(DATA_MNT_POINT);
3707 }
3708 
3709 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
3710 {
3711     if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
3712         SLOGE("Failed to initialize crypt_ftr");
3713         return -1;
3714     }
3715 
3716     if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
3717                                     crypt_ftr->salt, crypt_ftr)) {
3718         SLOGE("Cannot create encrypted master key\n");
3719         return -1;
3720     }
3721 
3722     //crypt_ftr->keysize = key_length / 8;
3723     return 0;
3724 }
3725 
3726 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
3727                            unsigned char* master_key)
3728 {
3729     int rc;
3730 
3731     unsigned char* intermediate_key = 0;
3732     size_t intermediate_key_size = 0;
3733 
3734     if (password == 0 || *password == 0) {
3735         password = DEFAULT_PASSWORD;
3736     }
3737 
3738     rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
3739                             &intermediate_key_size);
3740 
3741     int N = 1 << ftr->N_factor;
3742     int r = 1 << ftr->r_factor;
3743     int p = 1 << ftr->p_factor;
3744 
3745     unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
3746 
3747     rc = crypto_scrypt(intermediate_key, intermediate_key_size,
3748                        ftr->salt, sizeof(ftr->salt), N, r, p,
3749                        scrypted_intermediate_key,
3750                        sizeof(scrypted_intermediate_key));
3751 
3752     free(intermediate_key);
3753 
3754     if (rc) {
3755         SLOGE("Can't calculate intermediate key");
3756         return rc;
3757     }
3758 
3759     return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
3760                   intermediate_key_size);
3761 }
3762 
3763 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password,
3764                          const unsigned char* master_key)
3765 {
3766     return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key,
3767                               ftr);
3768 }
3769