Home | History | Annotate | Download | only in vold
      1 /*
      2  * Copyright (C) 2010 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 /* TO DO:
     18  *   1.  Perhaps keep several copies of the encrypted key, in case something
     19  *       goes horribly wrong?
     20  *
     21  */
     22 
     23 #include <sys/types.h>
     24 #include <sys/wait.h>
     25 #include <sys/stat.h>
     26 #include <ctype.h>
     27 #include <fcntl.h>
     28 #include <inttypes.h>
     29 #include <unistd.h>
     30 #include <stdio.h>
     31 #include <sys/ioctl.h>
     32 #include <linux/dm-ioctl.h>
     33 #include <libgen.h>
     34 #include <stdlib.h>
     35 #include <sys/param.h>
     36 #include <string.h>
     37 #include <sys/mount.h>
     38 #include <openssl/evp.h>
     39 #include <errno.h>
     40 #include <ext4.h>
     41 #include <linux/kdev_t.h>
     42 #include <fs_mgr.h>
     43 #include <time.h>
     44 #include <math.h>
     45 #include "cryptfs.h"
     46 #define LOG_TAG "Cryptfs"
     47 #include "cutils/log.h"
     48 #include "cutils/properties.h"
     49 #include "cutils/android_reboot.h"
     50 #include "hardware_legacy/power.h"
     51 #include <logwrap/logwrap.h>
     52 #include "VolumeManager.h"
     53 #include "VoldUtil.h"
     54 #include "crypto_scrypt.h"
     55 #include "ext4_utils.h"
     56 #include "f2fs_sparseblock.h"
     57 #include "CheckBattery.h"
     58 #include "Process.h"
     59 
     60 #include <hardware/keymaster.h>
     61 
     62 #define UNUSED __attribute__((unused))
     63 
     64 #define UNUSED __attribute__((unused))
     65 
     66 #ifdef CONFIG_HW_DISK_ENCRYPTION
     67 #include "cryptfs_hw.h"
     68 #endif
     69 
     70 #define DM_CRYPT_BUF_SIZE 4096
     71 
     72 #define HASH_COUNT 2000
     73 #define KEY_LEN_BYTES 16
     74 #define IV_LEN_BYTES 16
     75 
     76 #define KEY_IN_FOOTER  "footer"
     77 
     78 // "default_password" encoded into hex (d=0x64 etc)
     79 #define DEFAULT_PASSWORD "64656661756c745f70617373776f7264"
     80 
     81 #define EXT4_FS 1
     82 #define F2FS_FS 2
     83 
     84 #define TABLE_LOAD_RETRIES 10
     85 
     86 #define RSA_KEY_SIZE 2048
     87 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
     88 #define RSA_EXPONENT 0x10001
     89 
     90 #define RETRY_MOUNT_ATTEMPTS 10
     91 #define RETRY_MOUNT_DELAY_SECONDS 1
     92 
     93 char *me = "cryptfs";
     94 
     95 static unsigned char saved_master_key[KEY_LEN_BYTES];
     96 static char *saved_mount_point;
     97 static int  master_key_saved = 0;
     98 static struct crypt_persist_data *persist_data = NULL;
     99 
    100 static int keymaster_init(keymaster_device_t **keymaster_dev)
    101 {
    102     int rc;
    103 
    104     const hw_module_t* mod;
    105     rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
    106     if (rc) {
    107         ALOGE("could not find any keystore module");
    108         goto out;
    109     }
    110 
    111     rc = keymaster_open(mod, keymaster_dev);
    112     if (rc) {
    113         ALOGE("could not open keymaster device in %s (%s)",
    114             KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc));
    115         goto out;
    116     }
    117 
    118     return 0;
    119 
    120 out:
    121     *keymaster_dev = NULL;
    122     return rc;
    123 }
    124 
    125 /* Should we use keymaster? */
    126 static int keymaster_check_compatibility()
    127 {
    128     keymaster_device_t *keymaster_dev = 0;
    129     int rc = 0;
    130 
    131     if (keymaster_init(&keymaster_dev)) {
    132         SLOGE("Failed to init keymaster");
    133         rc = -1;
    134         goto out;
    135     }
    136 
    137     SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version);
    138 
    139     if (keymaster_dev->common.module->module_api_version
    140             < KEYMASTER_MODULE_API_VERSION_0_3) {
    141         rc = 0;
    142         goto out;
    143     }
    144 
    145     if (!(keymaster_dev->flags & KEYMASTER_SOFTWARE_ONLY) &&
    146         (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) {
    147         rc = 1;
    148     }
    149 
    150 out:
    151     keymaster_close(keymaster_dev);
    152     return rc;
    153 }
    154 
    155 /* Create a new keymaster key and store it in this footer */
    156 static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
    157 {
    158     uint8_t* key = 0;
    159     keymaster_device_t *keymaster_dev = 0;
    160 
    161     if (keymaster_init(&keymaster_dev)) {
    162         SLOGE("Failed to init keymaster");
    163         return -1;
    164     }
    165 
    166     int rc = 0;
    167 
    168     keymaster_rsa_keygen_params_t params;
    169     memset(&params, '\0', sizeof(params));
    170     params.public_exponent = RSA_EXPONENT;
    171     params.modulus_size = RSA_KEY_SIZE;
    172 
    173     size_t key_size;
    174     if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, &params,
    175                                         &key, &key_size)) {
    176         SLOGE("Failed to generate keypair");
    177         rc = -1;
    178         goto out;
    179     }
    180 
    181     if (key_size > KEYMASTER_BLOB_SIZE) {
    182         SLOGE("Keymaster key too large for crypto footer");
    183         rc = -1;
    184         goto out;
    185     }
    186 
    187     memcpy(ftr->keymaster_blob, key, key_size);
    188     ftr->keymaster_blob_size = key_size;
    189 
    190 out:
    191     keymaster_close(keymaster_dev);
    192     free(key);
    193     return rc;
    194 }
    195 
    196 /* This signs the given object using the keymaster key. */
    197 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr,
    198                                  const unsigned char *object,
    199                                  const size_t object_size,
    200                                  unsigned char **signature,
    201                                  size_t *signature_size)
    202 {
    203     int rc = 0;
    204     keymaster_device_t *keymaster_dev = 0;
    205     if (keymaster_init(&keymaster_dev)) {
    206         SLOGE("Failed to init keymaster");
    207         return -1;
    208     }
    209 
    210     /* We currently set the digest type to DIGEST_NONE because it's the
    211      * only supported value for keymaster. A similar issue exists with
    212      * PADDING_NONE. Long term both of these should likely change.
    213      */
    214     keymaster_rsa_sign_params_t params;
    215     params.digest_type = DIGEST_NONE;
    216     params.padding_type = PADDING_NONE;
    217 
    218     unsigned char to_sign[RSA_KEY_SIZE_BYTES];
    219     size_t to_sign_size = sizeof(to_sign);
    220     memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
    221 
    222     // To sign a message with RSA, the message must satisfy two
    223     // constraints:
    224     //
    225     // 1. The message, when interpreted as a big-endian numeric value, must
    226     //    be strictly less than the public modulus of the RSA key.  Note
    227     //    that because the most significant bit of the public modulus is
    228     //    guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
    229     //    key), an n-bit message with most significant bit 0 always
    230     //    satisfies this requirement.
    231     //
    232     // 2. The message must have the same length in bits as the public
    233     //    modulus of the RSA key.  This requirement isn't mathematically
    234     //    necessary, but is necessary to ensure consistency in
    235     //    implementations.
    236     switch (ftr->kdf_type) {
    237         case KDF_SCRYPT_KEYMASTER_UNPADDED:
    238             // This is broken: It produces a message which is shorter than
    239             // the public modulus, failing criterion 2.
    240             memcpy(to_sign, object, object_size);
    241             to_sign_size = object_size;
    242             SLOGI("Signing unpadded object");
    243             break;
    244         case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
    245             // This is broken: Since the value of object is uniformly
    246             // distributed, it produces a message that is larger than the
    247             // public modulus with probability 0.25.
    248             memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size));
    249             SLOGI("Signing end-padded object");
    250             break;
    251         case KDF_SCRYPT_KEYMASTER:
    252             // This ensures the most significant byte of the signed message
    253             // is zero.  We could have zero-padded to the left instead, but
    254             // this approach is slightly more robust against changes in
    255             // object size.  However, it's still broken (but not unusably
    256             // so) because we really should be using a proper RSA padding
    257             // function, such as OAEP.
    258             //
    259             // TODO(paullawrence): When keymaster 0.4 is available, change
    260             // this to use the padding options it provides.
    261             memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size));
    262             SLOGI("Signing safely-padded object");
    263             break;
    264         default:
    265             SLOGE("Unknown KDF type %d", ftr->kdf_type);
    266             return -1;
    267     }
    268 
    269     rc = keymaster_dev->sign_data(keymaster_dev,
    270                                   &params,
    271                                   ftr->keymaster_blob,
    272                                   ftr->keymaster_blob_size,
    273                                   to_sign,
    274                                   to_sign_size,
    275                                   signature,
    276                                   signature_size);
    277 
    278     keymaster_close(keymaster_dev);
    279     return rc;
    280 }
    281 
    282 /* Store password when userdata is successfully decrypted and mounted.
    283  * Cleared by cryptfs_clear_password
    284  *
    285  * To avoid a double prompt at boot, we need to store the CryptKeeper
    286  * password and pass it to KeyGuard, which uses it to unlock KeyStore.
    287  * Since the entire framework is torn down and rebuilt after encryption,
    288  * we have to use a daemon or similar to store the password. Since vold
    289  * is secured against IPC except from system processes, it seems a reasonable
    290  * place to store this.
    291  *
    292  * password should be cleared once it has been used.
    293  *
    294  * password is aged out after password_max_age_seconds seconds.
    295  */
    296 static char* password = 0;
    297 static int password_expiry_time = 0;
    298 static const int password_max_age_seconds = 60;
    299 
    300 extern struct fstab *fstab;
    301 
    302 enum RebootType {reboot, recovery, shutdown};
    303 static void cryptfs_reboot(enum RebootType rt)
    304 {
    305   switch(rt) {
    306       case reboot:
    307           property_set(ANDROID_RB_PROPERTY, "reboot");
    308           break;
    309 
    310       case recovery:
    311           property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
    312           break;
    313 
    314       case shutdown:
    315           property_set(ANDROID_RB_PROPERTY, "shutdown");
    316           break;
    317     }
    318 
    319     sleep(20);
    320 
    321     /* Shouldn't get here, reboot should happen before sleep times out */
    322     return;
    323 }
    324 
    325 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags)
    326 {
    327     memset(io, 0, dataSize);
    328     io->data_size = dataSize;
    329     io->data_start = sizeof(struct dm_ioctl);
    330     io->version[0] = 4;
    331     io->version[1] = 0;
    332     io->version[2] = 0;
    333     io->flags = flags;
    334     if (name) {
    335         strncpy(io->name, name, sizeof(io->name));
    336     }
    337 }
    338 
    339 /**
    340  * Gets the default device scrypt parameters for key derivation time tuning.
    341  * The parameters should lead to about one second derivation time for the
    342  * given device.
    343  */
    344 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) {
    345     const int default_params[] = SCRYPT_DEFAULTS;
    346     int params[] = SCRYPT_DEFAULTS;
    347     char paramstr[PROPERTY_VALUE_MAX];
    348     char *token;
    349     char *saveptr;
    350     int i;
    351 
    352     property_get(SCRYPT_PROP, paramstr, "");
    353     if (paramstr[0] != '\0') {
    354         /*
    355          * The token we're looking for should be three integers separated by
    356          * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
    357          */
    358         for (i = 0, token = strtok_r(paramstr, ":", &saveptr);
    359                 token != NULL && i < 3;
    360                 i++, token = strtok_r(NULL, ":", &saveptr)) {
    361             char *endptr;
    362             params[i] = strtol(token, &endptr, 10);
    363 
    364             /*
    365              * Check that there was a valid number and it's 8-bit. If not,
    366              * break out and the end check will take the default values.
    367              */
    368             if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
    369                 break;
    370             }
    371         }
    372 
    373         /*
    374          * If there were not enough tokens or a token was malformed (not an
    375          * integer), it will end up here and the default parameters can be
    376          * taken.
    377          */
    378         if ((i != 3) || (token != NULL)) {
    379             SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
    380             memcpy(params, default_params, sizeof(params));
    381         }
    382     }
    383 
    384     ftr->N_factor = params[0];
    385     ftr->r_factor = params[1];
    386     ftr->p_factor = params[2];
    387 }
    388 
    389 static unsigned int get_fs_size(char *dev)
    390 {
    391     int fd, block_size;
    392     struct ext4_super_block sb;
    393     off64_t len;
    394 
    395     if ((fd = open(dev, O_RDONLY)) < 0) {
    396         SLOGE("Cannot open device to get filesystem size ");
    397         return 0;
    398     }
    399 
    400     if (lseek64(fd, 1024, SEEK_SET) < 0) {
    401         SLOGE("Cannot seek to superblock");
    402         return 0;
    403     }
    404 
    405     if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
    406         SLOGE("Cannot read superblock");
    407         return 0;
    408     }
    409 
    410     close(fd);
    411 
    412     if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
    413         SLOGE("Not a valid ext4 superblock");
    414         return 0;
    415     }
    416     block_size = 1024 << sb.s_log_block_size;
    417     /* compute length in bytes */
    418     len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
    419 
    420     /* return length in sectors */
    421     return (unsigned int) (len / 512);
    422 }
    423 
    424 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off)
    425 {
    426   static int cached_data = 0;
    427   static off64_t cached_off = 0;
    428   static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
    429   int fd;
    430   char key_loc[PROPERTY_VALUE_MAX];
    431   char real_blkdev[PROPERTY_VALUE_MAX];
    432   unsigned int nr_sec;
    433   int rc = -1;
    434 
    435   if (!cached_data) {
    436     fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc));
    437 
    438     if (!strcmp(key_loc, KEY_IN_FOOTER)) {
    439       if ( (fd = open(real_blkdev, O_RDWR)) < 0) {
    440         SLOGE("Cannot open real block device %s\n", real_blkdev);
    441         return -1;
    442       }
    443 
    444       if ((nr_sec = get_blkdev_size(fd))) {
    445         /* If it's an encrypted Android partition, the last 16 Kbytes contain the
    446          * encryption info footer and key, and plenty of bytes to spare for future
    447          * growth.
    448          */
    449         strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname));
    450         cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET;
    451         cached_data = 1;
    452       } else {
    453         SLOGE("Cannot get size of block device %s\n", real_blkdev);
    454       }
    455       close(fd);
    456     } else {
    457       strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname));
    458       cached_off = 0;
    459       cached_data = 1;
    460     }
    461   }
    462 
    463   if (cached_data) {
    464     if (metadata_fname) {
    465         *metadata_fname = cached_metadata_fname;
    466     }
    467     if (off) {
    468         *off = cached_off;
    469     }
    470     rc = 0;
    471   }
    472 
    473   return rc;
    474 }
    475 
    476 /* key or salt can be NULL, in which case just skip writing that value.  Useful to
    477  * update the failed mount count but not change the key.
    478  */
    479 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
    480 {
    481   int fd;
    482   unsigned int nr_sec, cnt;
    483   /* starting_off is set to the SEEK_SET offset
    484    * where the crypto structure starts
    485    */
    486   off64_t starting_off;
    487   int rc = -1;
    488   char *fname = NULL;
    489   struct stat statbuf;
    490 
    491   if (get_crypt_ftr_info(&fname, &starting_off)) {
    492     SLOGE("Unable to get crypt_ftr_info\n");
    493     return -1;
    494   }
    495   if (fname[0] != '/') {
    496     SLOGE("Unexpected value for crypto key location\n");
    497     return -1;
    498   }
    499   if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) {
    500     SLOGE("Cannot open footer file %s for put\n", fname);
    501     return -1;
    502   }
    503 
    504   /* Seek to the start of the crypt footer */
    505   if (lseek64(fd, starting_off, SEEK_SET) == -1) {
    506     SLOGE("Cannot seek to real block device footer\n");
    507     goto errout;
    508   }
    509 
    510   if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
    511     SLOGE("Cannot write real block device footer\n");
    512     goto errout;
    513   }
    514 
    515   fstat(fd, &statbuf);
    516   /* If the keys are kept on a raw block device, do not try to truncate it. */
    517   if (S_ISREG(statbuf.st_mode)) {
    518     if (ftruncate(fd, 0x4000)) {
    519       SLOGE("Cannot set footer file size\n");
    520       goto errout;
    521     }
    522   }
    523 
    524   /* Success! */
    525   rc = 0;
    526 
    527 errout:
    528   close(fd);
    529   return rc;
    530 
    531 }
    532 
    533 static inline int unix_read(int  fd, void*  buff, int  len)
    534 {
    535     return TEMP_FAILURE_RETRY(read(fd, buff, len));
    536 }
    537 
    538 static inline int unix_write(int  fd, const void*  buff, int  len)
    539 {
    540     return TEMP_FAILURE_RETRY(write(fd, buff, len));
    541 }
    542 
    543 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len)
    544 {
    545     memset(pdata, 0, len);
    546     pdata->persist_magic = PERSIST_DATA_MAGIC;
    547     pdata->persist_valid_entries = 0;
    548 }
    549 
    550 /* A routine to update the passed in crypt_ftr to the lastest version.
    551  * fd is open read/write on the device that holds the crypto footer and persistent
    552  * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
    553  * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
    554  */
    555 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset)
    556 {
    557     int orig_major = crypt_ftr->major_version;
    558     int orig_minor = crypt_ftr->minor_version;
    559 
    560     if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
    561         struct crypt_persist_data *pdata;
    562         off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
    563 
    564         SLOGW("upgrading crypto footer to 1.1");
    565 
    566         pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
    567         if (pdata == NULL) {
    568             SLOGE("Cannot allocate persisent data\n");
    569             return;
    570         }
    571         memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
    572 
    573         /* Need to initialize the persistent data area */
    574         if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
    575             SLOGE("Cannot seek to persisent data offset\n");
    576             return;
    577         }
    578         /* Write all zeros to the first copy, making it invalid */
    579         unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
    580 
    581         /* Write a valid but empty structure to the second copy */
    582         init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
    583         unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
    584 
    585         /* Update the footer */
    586         crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
    587         crypt_ftr->persist_data_offset[0] = pdata_offset;
    588         crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
    589         crypt_ftr->minor_version = 1;
    590     }
    591 
    592     if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
    593         SLOGW("upgrading crypto footer to 1.2");
    594         /* But keep the old kdf_type.
    595          * It will get updated later to KDF_SCRYPT after the password has been verified.
    596          */
    597         crypt_ftr->kdf_type = KDF_PBKDF2;
    598         get_device_scrypt_params(crypt_ftr);
    599         crypt_ftr->minor_version = 2;
    600     }
    601 
    602     if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
    603         SLOGW("upgrading crypto footer to 1.3");
    604         crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
    605         crypt_ftr->minor_version = 3;
    606     }
    607 
    608     if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
    609         if (lseek64(fd, offset, SEEK_SET) == -1) {
    610             SLOGE("Cannot seek to crypt footer\n");
    611             return;
    612         }
    613         unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
    614     }
    615 }
    616 
    617 
    618 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr)
    619 {
    620   int fd;
    621   unsigned int nr_sec, cnt;
    622   off64_t starting_off;
    623   int rc = -1;
    624   char *fname = NULL;
    625   struct stat statbuf;
    626 
    627   if (get_crypt_ftr_info(&fname, &starting_off)) {
    628     SLOGE("Unable to get crypt_ftr_info\n");
    629     return -1;
    630   }
    631   if (fname[0] != '/') {
    632     SLOGE("Unexpected value for crypto key location\n");
    633     return -1;
    634   }
    635   if ( (fd = open(fname, O_RDWR)) < 0) {
    636     SLOGE("Cannot open footer file %s for get\n", fname);
    637     return -1;
    638   }
    639 
    640   /* Make sure it's 16 Kbytes in length */
    641   fstat(fd, &statbuf);
    642   if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
    643     SLOGE("footer file %s is not the expected size!\n", fname);
    644     goto errout;
    645   }
    646 
    647   /* Seek to the start of the crypt footer */
    648   if (lseek64(fd, starting_off, SEEK_SET) == -1) {
    649     SLOGE("Cannot seek to real block device footer\n");
    650     goto errout;
    651   }
    652 
    653   if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
    654     SLOGE("Cannot read real block device footer\n");
    655     goto errout;
    656   }
    657 
    658   if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
    659     SLOGE("Bad magic for real block device %s\n", fname);
    660     goto errout;
    661   }
    662 
    663   if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
    664     SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
    665           crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
    666     goto errout;
    667   }
    668 
    669   if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
    670     SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
    671           crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
    672   }
    673 
    674   /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
    675    * copy on disk before returning.
    676    */
    677   if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
    678     upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
    679   }
    680 
    681   /* Success! */
    682   rc = 0;
    683 
    684 errout:
    685   close(fd);
    686   return rc;
    687 }
    688 
    689 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr)
    690 {
    691     if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
    692         crypt_ftr->persist_data_offset[1]) {
    693         SLOGE("Crypt_ftr persist data regions overlap");
    694         return -1;
    695     }
    696 
    697     if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
    698         SLOGE("Crypt_ftr persist data region 0 starts after region 1");
    699         return -1;
    700     }
    701 
    702     if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
    703         (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
    704         CRYPT_FOOTER_OFFSET) {
    705         SLOGE("Persistent data extends past crypto footer");
    706         return -1;
    707     }
    708 
    709     return 0;
    710 }
    711 
    712 static int load_persistent_data(void)
    713 {
    714     struct crypt_mnt_ftr crypt_ftr;
    715     struct crypt_persist_data *pdata = NULL;
    716     char encrypted_state[PROPERTY_VALUE_MAX];
    717     char *fname;
    718     int found = 0;
    719     int fd;
    720     int ret;
    721     int i;
    722 
    723     if (persist_data) {
    724         /* Nothing to do, we've already loaded or initialized it */
    725         return 0;
    726     }
    727 
    728 
    729     /* If not encrypted, just allocate an empty table and initialize it */
    730     property_get("ro.crypto.state", encrypted_state, "");
    731     if (strcmp(encrypted_state, "encrypted") ) {
    732         pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
    733         if (pdata) {
    734             init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
    735             persist_data = pdata;
    736             return 0;
    737         }
    738         return -1;
    739     }
    740 
    741     if(get_crypt_ftr_and_key(&crypt_ftr)) {
    742         return -1;
    743     }
    744 
    745     if ((crypt_ftr.major_version < 1)
    746         || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
    747         SLOGE("Crypt_ftr version doesn't support persistent data");
    748         return -1;
    749     }
    750 
    751     if (get_crypt_ftr_info(&fname, NULL)) {
    752         return -1;
    753     }
    754 
    755     ret = validate_persistent_data_storage(&crypt_ftr);
    756     if (ret) {
    757         return -1;
    758     }
    759 
    760     fd = open(fname, O_RDONLY);
    761     if (fd < 0) {
    762         SLOGE("Cannot open %s metadata file", fname);
    763         return -1;
    764     }
    765 
    766     if (persist_data == NULL) {
    767         pdata = malloc(crypt_ftr.persist_data_size);
    768         if (pdata == NULL) {
    769             SLOGE("Cannot allocate memory for persistent data");
    770             goto err;
    771         }
    772     }
    773 
    774     for (i = 0; i < 2; i++) {
    775         if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
    776             SLOGE("Cannot seek to read persistent data on %s", fname);
    777             goto err2;
    778         }
    779         if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){
    780             SLOGE("Error reading persistent data on iteration %d", i);
    781             goto err2;
    782         }
    783         if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
    784             found = 1;
    785             break;
    786         }
    787     }
    788 
    789     if (!found) {
    790         SLOGI("Could not find valid persistent data, creating");
    791         init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
    792     }
    793 
    794     /* Success */
    795     persist_data = pdata;
    796     close(fd);
    797     return 0;
    798 
    799 err2:
    800     free(pdata);
    801 
    802 err:
    803     close(fd);
    804     return -1;
    805 }
    806 
    807 static int save_persistent_data(void)
    808 {
    809     struct crypt_mnt_ftr crypt_ftr;
    810     struct crypt_persist_data *pdata;
    811     char *fname;
    812     off64_t write_offset;
    813     off64_t erase_offset;
    814     int found = 0;
    815     int fd;
    816     int ret;
    817 
    818     if (persist_data == NULL) {
    819         SLOGE("No persistent data to save");
    820         return -1;
    821     }
    822 
    823     if(get_crypt_ftr_and_key(&crypt_ftr)) {
    824         return -1;
    825     }
    826 
    827     if ((crypt_ftr.major_version < 1)
    828         || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
    829         SLOGE("Crypt_ftr version doesn't support persistent data");
    830         return -1;
    831     }
    832 
    833     ret = validate_persistent_data_storage(&crypt_ftr);
    834     if (ret) {
    835         return -1;
    836     }
    837 
    838     if (get_crypt_ftr_info(&fname, NULL)) {
    839         return -1;
    840     }
    841 
    842     fd = open(fname, O_RDWR);
    843     if (fd < 0) {
    844         SLOGE("Cannot open %s metadata file", fname);
    845         return -1;
    846     }
    847 
    848     pdata = malloc(crypt_ftr.persist_data_size);
    849     if (pdata == NULL) {
    850         SLOGE("Cannot allocate persistant data");
    851         goto err;
    852     }
    853 
    854     if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
    855         SLOGE("Cannot seek to read persistent data on %s", fname);
    856         goto err2;
    857     }
    858 
    859     if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
    860             SLOGE("Error reading persistent data before save");
    861             goto err2;
    862     }
    863 
    864     if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
    865         /* The first copy is the curent valid copy, so write to
    866          * the second copy and erase this one */
    867        write_offset = crypt_ftr.persist_data_offset[1];
    868        erase_offset = crypt_ftr.persist_data_offset[0];
    869     } else {
    870         /* The second copy must be the valid copy, so write to
    871          * the first copy, and erase the second */
    872        write_offset = crypt_ftr.persist_data_offset[0];
    873        erase_offset = crypt_ftr.persist_data_offset[1];
    874     }
    875 
    876     /* Write the new copy first, if successful, then erase the old copy */
    877     if (lseek(fd, write_offset, SEEK_SET) < 0) {
    878         SLOGE("Cannot seek to write persistent data");
    879         goto err2;
    880     }
    881     if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
    882         (int) crypt_ftr.persist_data_size) {
    883         if (lseek(fd, erase_offset, SEEK_SET) < 0) {
    884             SLOGE("Cannot seek to erase previous persistent data");
    885             goto err2;
    886         }
    887         fsync(fd);
    888         memset(pdata, 0, crypt_ftr.persist_data_size);
    889         if (unix_write(fd, pdata, crypt_ftr.persist_data_size) !=
    890             (int) crypt_ftr.persist_data_size) {
    891             SLOGE("Cannot write to erase previous persistent data");
    892             goto err2;
    893         }
    894         fsync(fd);
    895     } else {
    896         SLOGE("Cannot write to save persistent data");
    897         goto err2;
    898     }
    899 
    900     /* Success */
    901     free(pdata);
    902     close(fd);
    903     return 0;
    904 
    905 err2:
    906     free(pdata);
    907 err:
    908     close(fd);
    909     return -1;
    910 }
    911 
    912 static int hexdigit (char c)
    913 {
    914     if (c >= '0' && c <= '9') return c - '0';
    915     c = tolower(c);
    916     if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    917     return -1;
    918 }
    919 
    920 static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii,
    921                                                unsigned int* out_keysize)
    922 {
    923     unsigned int i;
    924     *out_keysize = 0;
    925 
    926     size_t size = strlen (master_key_ascii);
    927     if (size % 2) {
    928         SLOGE("Trying to convert ascii string of odd length");
    929         return NULL;
    930     }
    931 
    932     unsigned char* master_key = (unsigned char*) malloc(size / 2);
    933     if (master_key == 0) {
    934         SLOGE("Cannot allocate");
    935         return NULL;
    936     }
    937 
    938     for (i = 0; i < size; i += 2) {
    939         int high_nibble = hexdigit (master_key_ascii[i]);
    940         int low_nibble = hexdigit (master_key_ascii[i + 1]);
    941 
    942         if(high_nibble < 0 || low_nibble < 0) {
    943             SLOGE("Invalid hex string");
    944             free (master_key);
    945             return NULL;
    946         }
    947 
    948         master_key[*out_keysize] = high_nibble * 16 + low_nibble;
    949         (*out_keysize)++;
    950     }
    951 
    952     return master_key;
    953 }
    954 
    955 /* Convert a binary key of specified length into an ascii hex string equivalent,
    956  * without the leading 0x and with null termination
    957  */
    958 static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize,
    959                               char *master_key_ascii)
    960 {
    961   unsigned int i, a;
    962   unsigned char nibble;
    963 
    964   for (i=0, a=0; i<keysize; i++, a+=2) {
    965     /* For each byte, write out two ascii hex digits */
    966     nibble = (master_key[i] >> 4) & 0xf;
    967     master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
    968 
    969     nibble = master_key[i] & 0xf;
    970     master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30);
    971   }
    972 
    973   /* Add the null termination */
    974   master_key_ascii[a] = '\0';
    975 
    976 }
    977 
    978 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
    979                                      char *real_blk_name, const char *name, int fd,
    980                                      char *extra_params)
    981 {
    982   char buffer[DM_CRYPT_BUF_SIZE];
    983   struct dm_ioctl *io;
    984   struct dm_target_spec *tgt;
    985   char *crypt_params;
    986   char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
    987   int i;
    988 
    989   io = (struct dm_ioctl *) buffer;
    990 
    991   /* Load the mapping table for this device */
    992   tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)];
    993 
    994   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
    995   io->target_count = 1;
    996   tgt->status = 0;
    997   tgt->sector_start = 0;
    998   tgt->length = crypt_ftr->fs_size;
    999 #ifdef CONFIG_HW_DISK_ENCRYPTION
   1000   if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
   1001     strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME);
   1002   }
   1003   else {
   1004     strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
   1005   }
   1006 #else
   1007   strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
   1008 #endif
   1009 
   1010   crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
   1011   convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
   1012   sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name,
   1013           master_key_ascii, real_blk_name, extra_params);
   1014   crypt_params += strlen(crypt_params) + 1;
   1015   crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
   1016   tgt->next = crypt_params - buffer;
   1017 
   1018   for (i = 0; i < TABLE_LOAD_RETRIES; i++) {
   1019     if (! ioctl(fd, DM_TABLE_LOAD, io)) {
   1020       break;
   1021     }
   1022     usleep(500000);
   1023   }
   1024 
   1025   if (i == TABLE_LOAD_RETRIES) {
   1026     /* We failed to load the table, return an error */
   1027     return -1;
   1028   } else {
   1029     return i + 1;
   1030   }
   1031 }
   1032 
   1033 
   1034 static int get_dm_crypt_version(int fd, const char *name,  int *version)
   1035 {
   1036     char buffer[DM_CRYPT_BUF_SIZE];
   1037     struct dm_ioctl *io;
   1038     struct dm_target_versions *v;
   1039     int i;
   1040 
   1041     io = (struct dm_ioctl *) buffer;
   1042 
   1043     ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
   1044 
   1045     if (ioctl(fd, DM_LIST_VERSIONS, io)) {
   1046         return -1;
   1047     }
   1048 
   1049     /* Iterate over the returned versions, looking for name of "crypt".
   1050      * When found, get and return the version.
   1051      */
   1052     v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
   1053     while (v->next) {
   1054 #ifdef CONFIG_HW_DISK_ENCRYPTION
   1055         if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
   1056 #else
   1057         if (! strcmp(v->name, "crypt")) {
   1058 #endif
   1059             /* We found the crypt driver, return the version, and get out */
   1060             version[0] = v->version[0];
   1061             version[1] = v->version[1];
   1062             version[2] = v->version[2];
   1063             return 0;
   1064         }
   1065         v = (struct dm_target_versions *)(((char *)v) + v->next);
   1066     }
   1067 
   1068     return -1;
   1069 }
   1070 
   1071 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key,
   1072                                     char *real_blk_name, char *crypto_blk_name, const char *name)
   1073 {
   1074   char buffer[DM_CRYPT_BUF_SIZE];
   1075   char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */
   1076   char *crypt_params;
   1077   struct dm_ioctl *io;
   1078   struct dm_target_spec *tgt;
   1079   unsigned int minor;
   1080   int fd=0;
   1081   int i;
   1082   int retval = -1;
   1083   int version[3];
   1084   char *extra_params;
   1085   int load_count;
   1086 
   1087   if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
   1088     SLOGE("Cannot open device-mapper\n");
   1089     goto errout;
   1090   }
   1091 
   1092   io = (struct dm_ioctl *) buffer;
   1093 
   1094   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
   1095   if (ioctl(fd, DM_DEV_CREATE, io)) {
   1096     SLOGE("Cannot create dm-crypt device\n");
   1097     goto errout;
   1098   }
   1099 
   1100   /* Get the device status, in particular, the name of it's device file */
   1101   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
   1102   if (ioctl(fd, DM_DEV_STATUS, io)) {
   1103     SLOGE("Cannot retrieve dm-crypt device status\n");
   1104     goto errout;
   1105   }
   1106   minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
   1107   snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
   1108 
   1109   extra_params = "";
   1110   if (! get_dm_crypt_version(fd, name, version)) {
   1111       /* Support for allow_discards was added in version 1.11.0 */
   1112       if ((version[0] >= 2) ||
   1113           ((version[0] == 1) && (version[1] >= 11))) {
   1114           extra_params = "1 allow_discards";
   1115           SLOGI("Enabling support for allow_discards in dmcrypt.\n");
   1116       }
   1117   }
   1118 
   1119   load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name,
   1120                                          fd, extra_params);
   1121   if (load_count < 0) {
   1122       SLOGE("Cannot load dm-crypt mapping table.\n");
   1123       goto errout;
   1124   } else if (load_count > 1) {
   1125       SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
   1126   }
   1127 
   1128   /* Resume this device to activate it */
   1129   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
   1130 
   1131   if (ioctl(fd, DM_DEV_SUSPEND, io)) {
   1132     SLOGE("Cannot resume the dm-crypt device\n");
   1133     goto errout;
   1134   }
   1135 
   1136   /* We made it here with no errors.  Woot! */
   1137   retval = 0;
   1138 
   1139 errout:
   1140   close(fd);   /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
   1141 
   1142   return retval;
   1143 }
   1144 
   1145 static int delete_crypto_blk_dev(char *name)
   1146 {
   1147   int fd;
   1148   char buffer[DM_CRYPT_BUF_SIZE];
   1149   struct dm_ioctl *io;
   1150   int retval = -1;
   1151 
   1152   if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) {
   1153     SLOGE("Cannot open device-mapper\n");
   1154     goto errout;
   1155   }
   1156 
   1157   io = (struct dm_ioctl *) buffer;
   1158 
   1159   ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0);
   1160   if (ioctl(fd, DM_DEV_REMOVE, io)) {
   1161     SLOGE("Cannot remove dm-crypt device\n");
   1162     goto errout;
   1163   }
   1164 
   1165   /* We made it here with no errors.  Woot! */
   1166   retval = 0;
   1167 
   1168 errout:
   1169   close(fd);    /* If fd is <0 from a failed open call, it's safe to just ignore the close error */
   1170 
   1171   return retval;
   1172 
   1173 }
   1174 
   1175 static int pbkdf2(const char *passwd, const unsigned char *salt,
   1176                   unsigned char *ikey, void *params UNUSED)
   1177 {
   1178     SLOGI("Using pbkdf2 for cryptfs KDF");
   1179 
   1180     /* Turn the password into a key and IV that can decrypt the master key */
   1181     unsigned int keysize;
   1182     char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize);
   1183     if (!master_key) return -1;
   1184     PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN,
   1185                            HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey);
   1186 
   1187     memset(master_key, 0, keysize);
   1188     free (master_key);
   1189     return 0;
   1190 }
   1191 
   1192 static int scrypt(const char *passwd, const unsigned char *salt,
   1193                   unsigned char *ikey, void *params)
   1194 {
   1195     SLOGI("Using scrypt for cryptfs KDF");
   1196 
   1197     struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
   1198 
   1199     int N = 1 << ftr->N_factor;
   1200     int r = 1 << ftr->r_factor;
   1201     int p = 1 << ftr->p_factor;
   1202 
   1203     /* Turn the password into a key and IV that can decrypt the master key */
   1204     unsigned int keysize;
   1205     unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize);
   1206     if (!master_key) return -1;
   1207     crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey,
   1208             KEY_LEN_BYTES + IV_LEN_BYTES);
   1209 
   1210     memset(master_key, 0, keysize);
   1211     free (master_key);
   1212     return 0;
   1213 }
   1214 
   1215 static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
   1216                             unsigned char *ikey, void *params)
   1217 {
   1218     SLOGI("Using scrypt with keymaster for cryptfs KDF");
   1219 
   1220     int rc;
   1221     unsigned int key_size;
   1222     size_t signature_size;
   1223     unsigned char* signature;
   1224     struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
   1225 
   1226     int N = 1 << ftr->N_factor;
   1227     int r = 1 << ftr->r_factor;
   1228     int p = 1 << ftr->p_factor;
   1229 
   1230     unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size);
   1231     if (!master_key) {
   1232         SLOGE("Failed to convert passwd from hex");
   1233         return -1;
   1234     }
   1235 
   1236     rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN,
   1237                        N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
   1238     memset(master_key, 0, key_size);
   1239     free(master_key);
   1240 
   1241     if (rc) {
   1242         SLOGE("scrypt failed");
   1243         return -1;
   1244     }
   1245 
   1246     if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES,
   1247                               &signature, &signature_size)) {
   1248         SLOGE("Signing failed");
   1249         return -1;
   1250     }
   1251 
   1252     rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN,
   1253                        N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES);
   1254     free(signature);
   1255 
   1256     if (rc) {
   1257         SLOGE("scrypt failed");
   1258         return -1;
   1259     }
   1260 
   1261     return 0;
   1262 }
   1263 
   1264 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
   1265                               const unsigned char *decrypted_master_key,
   1266                               unsigned char *encrypted_master_key,
   1267                               struct crypt_mnt_ftr *crypt_ftr)
   1268 {
   1269     unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
   1270     EVP_CIPHER_CTX e_ctx;
   1271     int encrypted_len, final_len;
   1272     int rc = 0;
   1273 
   1274     /* Turn the password into an intermediate key and IV that can decrypt the master key */
   1275     get_device_scrypt_params(crypt_ftr);
   1276 
   1277     switch (crypt_ftr->kdf_type) {
   1278     case KDF_SCRYPT_KEYMASTER_UNPADDED:
   1279     case KDF_SCRYPT_KEYMASTER_BADLY_PADDED:
   1280     case KDF_SCRYPT_KEYMASTER:
   1281         if (keymaster_create_key(crypt_ftr)) {
   1282             SLOGE("keymaster_create_key failed");
   1283             return -1;
   1284         }
   1285 
   1286         if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
   1287             SLOGE("scrypt failed");
   1288             return -1;
   1289         }
   1290         break;
   1291 
   1292     case KDF_SCRYPT:
   1293         if (scrypt(passwd, salt, ikey, crypt_ftr)) {
   1294             SLOGE("scrypt failed");
   1295             return -1;
   1296         }
   1297         break;
   1298 
   1299     default:
   1300         SLOGE("Invalid kdf_type");
   1301         return -1;
   1302     }
   1303 
   1304     /* Initialize the decryption engine */
   1305     if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
   1306         SLOGE("EVP_EncryptInit failed\n");
   1307         return -1;
   1308     }
   1309     EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
   1310 
   1311     /* Encrypt the master key */
   1312     if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
   1313                               decrypted_master_key, KEY_LEN_BYTES)) {
   1314         SLOGE("EVP_EncryptUpdate failed\n");
   1315         return -1;
   1316     }
   1317     if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
   1318         SLOGE("EVP_EncryptFinal failed\n");
   1319         return -1;
   1320     }
   1321 
   1322     if (encrypted_len + final_len != KEY_LEN_BYTES) {
   1323         SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
   1324         return -1;
   1325     }
   1326 
   1327     /* Store the scrypt of the intermediate key, so we can validate if it's a
   1328        password error or mount error when things go wrong.
   1329        Note there's no need to check for errors, since if this is incorrect, we
   1330        simply won't wipe userdata, which is the correct default behavior
   1331     */
   1332     int N = 1 << crypt_ftr->N_factor;
   1333     int r = 1 << crypt_ftr->r_factor;
   1334     int p = 1 << crypt_ftr->p_factor;
   1335 
   1336     rc = crypto_scrypt(ikey, KEY_LEN_BYTES,
   1337                        crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p,
   1338                        crypt_ftr->scrypted_intermediate_key,
   1339                        sizeof(crypt_ftr->scrypted_intermediate_key));
   1340 
   1341     if (rc) {
   1342       SLOGE("encrypt_master_key: crypto_scrypt failed");
   1343     }
   1344 
   1345     return 0;
   1346 }
   1347 
   1348 static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
   1349                                   unsigned char *encrypted_master_key,
   1350                                   unsigned char *decrypted_master_key,
   1351                                   kdf_func kdf, void *kdf_params,
   1352                                   unsigned char** intermediate_key,
   1353                                   size_t* intermediate_key_size)
   1354 {
   1355   unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */
   1356   EVP_CIPHER_CTX d_ctx;
   1357   int decrypted_len, final_len;
   1358 
   1359   /* Turn the password into an intermediate key and IV that can decrypt the
   1360      master key */
   1361   if (kdf(passwd, salt, ikey, kdf_params)) {
   1362     SLOGE("kdf failed");
   1363     return -1;
   1364   }
   1365 
   1366   /* Initialize the decryption engine */
   1367   if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) {
   1368     return -1;
   1369   }
   1370   EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
   1371   /* Decrypt the master key */
   1372   if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len,
   1373                             encrypted_master_key, KEY_LEN_BYTES)) {
   1374     return -1;
   1375   }
   1376   if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
   1377     return -1;
   1378   }
   1379 
   1380   if (decrypted_len + final_len != KEY_LEN_BYTES) {
   1381     return -1;
   1382   }
   1383 
   1384   /* Copy intermediate key if needed by params */
   1385   if (intermediate_key && intermediate_key_size) {
   1386     *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES);
   1387     if (intermediate_key) {
   1388       memcpy(*intermediate_key, ikey, KEY_LEN_BYTES);
   1389       *intermediate_key_size = KEY_LEN_BYTES;
   1390     }
   1391   }
   1392 
   1393   return 0;
   1394 }
   1395 
   1396 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params)
   1397 {
   1398     if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED ||
   1399         ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED ||
   1400         ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
   1401         *kdf = scrypt_keymaster;
   1402         *kdf_params = ftr;
   1403     } else if (ftr->kdf_type == KDF_SCRYPT) {
   1404         *kdf = scrypt;
   1405         *kdf_params = ftr;
   1406     } else {
   1407         *kdf = pbkdf2;
   1408         *kdf_params = NULL;
   1409     }
   1410 }
   1411 
   1412 static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
   1413                               struct crypt_mnt_ftr *crypt_ftr,
   1414                               unsigned char** intermediate_key,
   1415                               size_t* intermediate_key_size)
   1416 {
   1417     kdf_func kdf;
   1418     void *kdf_params;
   1419     int ret;
   1420 
   1421     get_kdf_func(crypt_ftr, &kdf, &kdf_params);
   1422     ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key,
   1423                                  decrypted_master_key, kdf, kdf_params,
   1424                                  intermediate_key, intermediate_key_size);
   1425     if (ret != 0) {
   1426         SLOGW("failure decrypting master key");
   1427     }
   1428 
   1429     return ret;
   1430 }
   1431 
   1432 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt,
   1433         struct crypt_mnt_ftr *crypt_ftr) {
   1434     int fd;
   1435     unsigned char key_buf[KEY_LEN_BYTES];
   1436     EVP_CIPHER_CTX e_ctx;
   1437     int encrypted_len, final_len;
   1438 
   1439     /* Get some random bits for a key */
   1440     fd = open("/dev/urandom", O_RDONLY);
   1441     read(fd, key_buf, sizeof(key_buf));
   1442     read(fd, salt, SALT_LEN);
   1443     close(fd);
   1444 
   1445     /* Now encrypt it with the password */
   1446     return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
   1447 }
   1448 
   1449 static int wait_and_unmount(char *mountpoint, bool kill)
   1450 {
   1451     int i, err, rc;
   1452 #define WAIT_UNMOUNT_COUNT 20
   1453 
   1454     /*  Now umount the tmpfs filesystem */
   1455     for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
   1456         if (umount(mountpoint) == 0) {
   1457             break;
   1458         }
   1459 
   1460         if (errno == EINVAL) {
   1461             /* EINVAL is returned if the directory is not a mountpoint,
   1462              * i.e. there is no filesystem mounted there.  So just get out.
   1463              */
   1464             break;
   1465         }
   1466 
   1467         err = errno;
   1468 
   1469         /* If allowed, be increasingly aggressive before the last two retries */
   1470         if (kill) {
   1471             if (i == (WAIT_UNMOUNT_COUNT - 3)) {
   1472                 SLOGW("sending SIGHUP to processes with open files\n");
   1473                 vold_killProcessesWithOpenFiles(mountpoint, 1);
   1474             } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
   1475                 SLOGW("sending SIGKILL to processes with open files\n");
   1476                 vold_killProcessesWithOpenFiles(mountpoint, 2);
   1477             }
   1478         }
   1479 
   1480         sleep(1);
   1481     }
   1482 
   1483     if (i < WAIT_UNMOUNT_COUNT) {
   1484       SLOGD("unmounting %s succeeded\n", mountpoint);
   1485       rc = 0;
   1486     } else {
   1487       vold_killProcessesWithOpenFiles(mountpoint, 0);
   1488       SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
   1489       rc = -1;
   1490     }
   1491 
   1492     return rc;
   1493 }
   1494 
   1495 #define DATA_PREP_TIMEOUT 200
   1496 static int prep_data_fs(void)
   1497 {
   1498     int i;
   1499 
   1500     /* Do the prep of the /data filesystem */
   1501     property_set("vold.post_fs_data_done", "0");
   1502     property_set("vold.decrypt", "trigger_post_fs_data");
   1503     SLOGD("Just triggered post_fs_data\n");
   1504 
   1505     /* Wait a max of 50 seconds, hopefully it takes much less */
   1506     for (i=0; i<DATA_PREP_TIMEOUT; i++) {
   1507         char p[PROPERTY_VALUE_MAX];
   1508 
   1509         property_get("vold.post_fs_data_done", p, "0");
   1510         if (*p == '1') {
   1511             break;
   1512         } else {
   1513             usleep(250000);
   1514         }
   1515     }
   1516     if (i == DATA_PREP_TIMEOUT) {
   1517         /* Ugh, we failed to prep /data in time.  Bail. */
   1518         SLOGE("post_fs_data timed out!\n");
   1519         return -1;
   1520     } else {
   1521         SLOGD("post_fs_data done\n");
   1522         return 0;
   1523     }
   1524 }
   1525 
   1526 static void cryptfs_set_corrupt()
   1527 {
   1528     // Mark the footer as bad
   1529     struct crypt_mnt_ftr crypt_ftr;
   1530     if (get_crypt_ftr_and_key(&crypt_ftr)) {
   1531         SLOGE("Failed to get crypto footer - panic");
   1532         return;
   1533     }
   1534 
   1535     crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
   1536     if (put_crypt_ftr_and_key(&crypt_ftr)) {
   1537         SLOGE("Failed to set crypto footer - panic");
   1538         return;
   1539     }
   1540 }
   1541 
   1542 static void cryptfs_trigger_restart_min_framework()
   1543 {
   1544     if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
   1545       SLOGE("Failed to mount tmpfs on data - panic");
   1546       return;
   1547     }
   1548 
   1549     if (property_set("vold.decrypt", "trigger_post_fs_data")) {
   1550         SLOGE("Failed to trigger post fs data - panic");
   1551         return;
   1552     }
   1553 
   1554     if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
   1555         SLOGE("Failed to trigger restart min framework - panic");
   1556         return;
   1557     }
   1558 }
   1559 
   1560 /* returns < 0 on failure */
   1561 static int cryptfs_restart_internal(int restart_main)
   1562 {
   1563     char fs_type[32];
   1564     char real_blkdev[MAXPATHLEN];
   1565     char crypto_blkdev[MAXPATHLEN];
   1566     char fs_options[256];
   1567     unsigned long mnt_flags;
   1568     struct stat statbuf;
   1569     int rc = -1, i;
   1570     static int restart_successful = 0;
   1571 
   1572     /* Validate that it's OK to call this routine */
   1573     if (! master_key_saved) {
   1574         SLOGE("Encrypted filesystem not validated, aborting");
   1575         return -1;
   1576     }
   1577 
   1578     if (restart_successful) {
   1579         SLOGE("System already restarted with encrypted disk, aborting");
   1580         return -1;
   1581     }
   1582 
   1583     if (restart_main) {
   1584         /* Here is where we shut down the framework.  The init scripts
   1585          * start all services in one of three classes: core, main or late_start.
   1586          * On boot, we start core and main.  Now, we stop main, but not core,
   1587          * as core includes vold and a few other really important things that
   1588          * we need to keep running.  Once main has stopped, we should be able
   1589          * to umount the tmpfs /data, then mount the encrypted /data.
   1590          * We then restart the class main, and also the class late_start.
   1591          * At the moment, I've only put a few things in late_start that I know
   1592          * are not needed to bring up the framework, and that also cause problems
   1593          * with unmounting the tmpfs /data, but I hope to add add more services
   1594          * to the late_start class as we optimize this to decrease the delay
   1595          * till the user is asked for the password to the filesystem.
   1596          */
   1597 
   1598         /* The init files are setup to stop the class main when vold.decrypt is
   1599          * set to trigger_reset_main.
   1600          */
   1601         property_set("vold.decrypt", "trigger_reset_main");
   1602         SLOGD("Just asked init to shut down class main\n");
   1603 
   1604         /* Ugh, shutting down the framework is not synchronous, so until it
   1605          * can be fixed, this horrible hack will wait a moment for it all to
   1606          * shut down before proceeding.  Without it, some devices cannot
   1607          * restart the graphics services.
   1608          */
   1609         sleep(2);
   1610     }
   1611 
   1612     /* Now that the framework is shutdown, we should be able to umount()
   1613      * the tmpfs filesystem, and mount the real one.
   1614      */
   1615 
   1616     property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
   1617     if (strlen(crypto_blkdev) == 0) {
   1618         SLOGE("fs_crypto_blkdev not set\n");
   1619         return -1;
   1620     }
   1621 
   1622     if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) {
   1623         /* If ro.crypto.readonly is set to 1, mount the decrypted
   1624          * filesystem readonly.  This is used when /data is mounted by
   1625          * recovery mode.
   1626          */
   1627         char ro_prop[PROPERTY_VALUE_MAX];
   1628         property_get("ro.crypto.readonly", ro_prop, "");
   1629         if (strlen(ro_prop) > 0 && atoi(ro_prop)) {
   1630             struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
   1631             rec->flags |= MS_RDONLY;
   1632         }
   1633 
   1634         /* If that succeeded, then mount the decrypted filesystem */
   1635         int retries = RETRY_MOUNT_ATTEMPTS;
   1636         int mount_rc;
   1637         while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT,
   1638                                            crypto_blkdev, 0))
   1639                != 0) {
   1640             if (mount_rc == FS_MGR_DOMNT_BUSY) {
   1641                 /* TODO: invoke something similar to
   1642                    Process::killProcessWithOpenFiles(DATA_MNT_POINT,
   1643                                    retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
   1644                 SLOGI("Failed to mount %s because it is busy - waiting",
   1645                       crypto_blkdev);
   1646                 if (--retries) {
   1647                     sleep(RETRY_MOUNT_DELAY_SECONDS);
   1648                 } else {
   1649                     /* Let's hope that a reboot clears away whatever is keeping
   1650                        the mount busy */
   1651                     cryptfs_reboot(reboot);
   1652                 }
   1653             } else {
   1654                 SLOGE("Failed to mount decrypted data");
   1655                 cryptfs_set_corrupt();
   1656                 cryptfs_trigger_restart_min_framework();
   1657                 SLOGI("Started framework to offer wipe");
   1658                 return -1;
   1659             }
   1660         }
   1661 
   1662         property_set("vold.decrypt", "trigger_load_persist_props");
   1663         /* Create necessary paths on /data */
   1664         if (prep_data_fs()) {
   1665             return -1;
   1666         }
   1667 
   1668         /* startup service classes main and late_start */
   1669         property_set("vold.decrypt", "trigger_restart_framework");
   1670         SLOGD("Just triggered restart_framework\n");
   1671 
   1672         /* Give it a few moments to get started */
   1673         sleep(1);
   1674     }
   1675 
   1676     if (rc == 0) {
   1677         restart_successful = 1;
   1678     }
   1679 
   1680     return rc;
   1681 }
   1682 
   1683 int cryptfs_restart(void)
   1684 {
   1685     /* Call internal implementation forcing a restart of main service group */
   1686     return cryptfs_restart_internal(1);
   1687 }
   1688 
   1689 static int do_crypto_complete(char *mount_point UNUSED)
   1690 {
   1691   struct crypt_mnt_ftr crypt_ftr;
   1692   char encrypted_state[PROPERTY_VALUE_MAX];
   1693   char key_loc[PROPERTY_VALUE_MAX];
   1694 
   1695   property_get("ro.crypto.state", encrypted_state, "");
   1696   if (strcmp(encrypted_state, "encrypted") ) {
   1697     SLOGE("not running with encryption, aborting");
   1698     return CRYPTO_COMPLETE_NOT_ENCRYPTED;
   1699   }
   1700 
   1701   if (get_crypt_ftr_and_key(&crypt_ftr)) {
   1702     fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
   1703 
   1704     /*
   1705      * Only report this error if key_loc is a file and it exists.
   1706      * If the device was never encrypted, and /data is not mountable for
   1707      * some reason, returning 1 should prevent the UI from presenting the
   1708      * a "enter password" screen, or worse, a "press button to wipe the
   1709      * device" screen.
   1710      */
   1711     if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) {
   1712       SLOGE("master key file does not exist, aborting");
   1713       return CRYPTO_COMPLETE_NOT_ENCRYPTED;
   1714     } else {
   1715       SLOGE("Error getting crypt footer and key\n");
   1716       return CRYPTO_COMPLETE_BAD_METADATA;
   1717     }
   1718   }
   1719 
   1720   // Test for possible error flags
   1721   if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){
   1722     SLOGE("Encryption process is partway completed\n");
   1723     return CRYPTO_COMPLETE_PARTIAL;
   1724   }
   1725 
   1726   if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){
   1727     SLOGE("Encryption process was interrupted but cannot continue\n");
   1728     return CRYPTO_COMPLETE_INCONSISTENT;
   1729   }
   1730 
   1731   if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){
   1732     SLOGE("Encryption is successful but data is corrupt\n");
   1733     return CRYPTO_COMPLETE_CORRUPT;
   1734   }
   1735 
   1736   /* We passed the test! We shall diminish, and return to the west */
   1737   return CRYPTO_COMPLETE_ENCRYPTED;
   1738 }
   1739 
   1740 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
   1741                                    char *passwd, char *mount_point, char *label)
   1742 {
   1743   /* Allocate enough space for a 256 bit key, but we may use less */
   1744   unsigned char decrypted_master_key[32];
   1745   char crypto_blkdev[MAXPATHLEN];
   1746   char real_blkdev[MAXPATHLEN];
   1747   char tmp_mount_point[64];
   1748   unsigned int orig_failed_decrypt_count;
   1749   int rc;
   1750   kdf_func kdf;
   1751   void *kdf_params;
   1752   int use_keymaster = 0;
   1753   int upgrade = 0;
   1754   unsigned char* intermediate_key = 0;
   1755   size_t intermediate_key_size = 0;
   1756 
   1757   SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
   1758   orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
   1759 
   1760   if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) {
   1761     if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr,
   1762                            &intermediate_key, &intermediate_key_size)) {
   1763       SLOGE("Failed to decrypt master key\n");
   1764       rc = -1;
   1765       goto errout;
   1766     }
   1767   }
   1768 
   1769   fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
   1770 
   1771 #ifdef CONFIG_HW_DISK_ENCRYPTION
   1772   if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) {
   1773     if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) {
   1774       SLOGE("Hardware encryption key does not match");
   1775     }
   1776   }
   1777 #endif
   1778 
   1779   // Create crypto block device - all (non fatal) code paths
   1780   // need it
   1781   if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
   1782                             real_blkdev, crypto_blkdev, label)) {
   1783      SLOGE("Error creating decrypted block device\n");
   1784      rc = -1;
   1785      goto errout;
   1786   }
   1787 
   1788   /* Work out if the problem is the password or the data */
   1789   unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->
   1790                                                  scrypted_intermediate_key)];
   1791   int N = 1 << crypt_ftr->N_factor;
   1792   int r = 1 << crypt_ftr->r_factor;
   1793   int p = 1 << crypt_ftr->p_factor;
   1794 
   1795   rc = crypto_scrypt(intermediate_key, intermediate_key_size,
   1796                      crypt_ftr->salt, sizeof(crypt_ftr->salt),
   1797                      N, r, p, scrypted_intermediate_key,
   1798                      sizeof(scrypted_intermediate_key));
   1799 
   1800   // Does the key match the crypto footer?
   1801   if (rc == 0 && memcmp(scrypted_intermediate_key,
   1802                         crypt_ftr->scrypted_intermediate_key,
   1803                         sizeof(scrypted_intermediate_key)) == 0) {
   1804     SLOGI("Password matches");
   1805     rc = 0;
   1806   } else {
   1807     /* Try mounting the file system anyway, just in case the problem's with
   1808      * the footer, not the key. */
   1809     sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point);
   1810     mkdir(tmp_mount_point, 0755);
   1811     if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) {
   1812       SLOGE("Error temp mounting decrypted block device\n");
   1813       delete_crypto_blk_dev(label);
   1814 
   1815       rc = ++crypt_ftr->failed_decrypt_count;
   1816       put_crypt_ftr_and_key(crypt_ftr);
   1817     } else {
   1818       /* Success! */
   1819       SLOGI("Password did not match but decrypted drive mounted - continue");
   1820       umount(tmp_mount_point);
   1821       rc = 0;
   1822     }
   1823   }
   1824 
   1825   if (rc == 0) {
   1826     crypt_ftr->failed_decrypt_count = 0;
   1827     if (orig_failed_decrypt_count != 0) {
   1828       put_crypt_ftr_and_key(crypt_ftr);
   1829     }
   1830 
   1831     /* Save the name of the crypto block device
   1832      * so we can mount it when restarting the framework. */
   1833     property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
   1834 
   1835     /* Also save a the master key so we can reencrypted the key
   1836      * the key when we want to change the password on it. */
   1837     memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES);
   1838     saved_mount_point = strdup(mount_point);
   1839     master_key_saved = 1;
   1840     SLOGD("%s(): Master key saved\n", __FUNCTION__);
   1841     rc = 0;
   1842 
   1843     // Upgrade if we're not using the latest KDF.
   1844     use_keymaster = keymaster_check_compatibility();
   1845     if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
   1846         // Don't allow downgrade
   1847     } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
   1848         crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
   1849         upgrade = 1;
   1850     } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
   1851         crypt_ftr->kdf_type = KDF_SCRYPT;
   1852         upgrade = 1;
   1853     }
   1854 
   1855     if (upgrade) {
   1856         rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
   1857                                 crypt_ftr->master_key, crypt_ftr);
   1858         if (!rc) {
   1859             rc = put_crypt_ftr_and_key(crypt_ftr);
   1860         }
   1861         SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
   1862 
   1863         // Do not fail even if upgrade failed - machine is bootable
   1864         // Note that if this code is ever hit, there is a *serious* problem
   1865         // since KDFs should never fail. You *must* fix the kdf before
   1866         // proceeding!
   1867         if (rc) {
   1868           SLOGW("Upgrade failed with error %d,"
   1869                 " but continuing with previous state",
   1870                 rc);
   1871           rc = 0;
   1872         }
   1873     }
   1874   }
   1875 
   1876  errout:
   1877   if (intermediate_key) {
   1878     memset(intermediate_key, 0, intermediate_key_size);
   1879     free(intermediate_key);
   1880   }
   1881   return rc;
   1882 }
   1883 
   1884 /* Called by vold when it wants to undo the crypto mapping of a volume it
   1885  * manages.  This is usually in response to a factory reset, when we want
   1886  * to undo the crypto mapping so the volume is formatted in the clear.
   1887  */
   1888 int cryptfs_revert_volume(const char *label)
   1889 {
   1890     return delete_crypto_blk_dev((char *)label);
   1891 }
   1892 
   1893 /*
   1894  * Called by vold when it's asked to mount an encrypted, nonremovable volume.
   1895  * Setup a dm-crypt mapping, use the saved master key from
   1896  * setting up the /data mapping, and return the new device path.
   1897  */
   1898 int cryptfs_setup_volume(const char *label, int major, int minor,
   1899                          char *crypto_sys_path, unsigned int max_path,
   1900                          int *new_major, int *new_minor)
   1901 {
   1902     char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN];
   1903     struct crypt_mnt_ftr sd_crypt_ftr;
   1904     struct stat statbuf;
   1905     int nr_sec, fd;
   1906 
   1907     sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor);
   1908 
   1909     get_crypt_ftr_and_key(&sd_crypt_ftr);
   1910 
   1911     /* Update the fs_size field to be the size of the volume */
   1912     fd = open(real_blkdev, O_RDONLY);
   1913     nr_sec = get_blkdev_size(fd);
   1914     close(fd);
   1915     if (nr_sec == 0) {
   1916         SLOGE("Cannot get size of volume %s\n", real_blkdev);
   1917         return -1;
   1918     }
   1919 
   1920     sd_crypt_ftr.fs_size = nr_sec;
   1921     create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev,
   1922                           crypto_blkdev, label);
   1923 
   1924     if (stat(crypto_blkdev, &statbuf) < 0) {
   1925         SLOGE("Error get stat for crypto_blkdev %s. err=%d(%s)\n",
   1926               crypto_blkdev, errno, strerror(errno));
   1927     }
   1928     *new_major = MAJOR(statbuf.st_rdev);
   1929     *new_minor = MINOR(statbuf.st_rdev);
   1930 
   1931     /* Create path to sys entry for this block device */
   1932     snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1);
   1933 
   1934     return 0;
   1935 }
   1936 
   1937 int cryptfs_crypto_complete(void)
   1938 {
   1939   return do_crypto_complete("/data");
   1940 }
   1941 
   1942 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
   1943 {
   1944     char encrypted_state[PROPERTY_VALUE_MAX];
   1945     property_get("ro.crypto.state", encrypted_state, "");
   1946     if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) {
   1947         SLOGE("encrypted fs already validated or not running with encryption,"
   1948               " aborting");
   1949         return -1;
   1950     }
   1951 
   1952     if (get_crypt_ftr_and_key(crypt_ftr)) {
   1953         SLOGE("Error getting crypt footer and key");
   1954         return -1;
   1955     }
   1956 
   1957     return 0;
   1958 }
   1959 
   1960 /*
   1961  * TODO - transition patterns to new format in calling code
   1962  *        and remove this vile hack, and the use of hex in
   1963  *        the password passing code.
   1964  *
   1965  * Patterns are passed in zero based (i.e. the top left dot
   1966  * is represented by zero, the top middle one etc), but we want
   1967  * to store them '1' based.
   1968  * This is to allow us to migrate the calling code to use this
   1969  * convention. It also solves a nasty problem whereby scrypt ignores
   1970  * trailing zeros, so patterns ending at the top left could be
   1971  * truncated, and similarly, you could add the top left to any
   1972  * pattern and still match.
   1973  * adjust_passwd is a hack function that returns the alternate representation
   1974  * if the password appears to be a pattern (hex numbers all less than 09)
   1975  * If it succeeds we need to try both, and in particular try the alternate
   1976  * first. If the original matches, then we need to update the footer
   1977  * with the alternate.
   1978  * All code that accepts passwords must adjust them first. Since
   1979  * cryptfs_check_passwd is always the first function called after a migration
   1980  * (and indeed on any boot) we only need to do the double try in this
   1981  * function.
   1982  */
   1983 char* adjust_passwd(const char* passwd)
   1984 {
   1985     size_t index, length;
   1986 
   1987     if (!passwd) {
   1988         return 0;
   1989     }
   1990 
   1991     // Check even length. Hex encoded passwords are always
   1992     // an even length, since each character encodes to two characters.
   1993     length = strlen(passwd);
   1994     if (length % 2) {
   1995         SLOGW("Password not correctly hex encoded.");
   1996         return 0;
   1997     }
   1998 
   1999     // Check password is old-style pattern - a collection of hex
   2000     // encoded bytes less than 9 (00 through 08)
   2001     for (index = 0; index < length; index +=2) {
   2002         if (passwd[index] != '0'
   2003             || passwd[index + 1] < '0' || passwd[index + 1] > '8') {
   2004             return 0;
   2005         }
   2006     }
   2007 
   2008     // Allocate room for adjusted passwd and null terminate
   2009     char* adjusted = malloc(length + 1);
   2010     adjusted[length] = 0;
   2011 
   2012     // Add 0x31 ('1') to each character
   2013     for (index = 0; index < length; index += 2) {
   2014         // output is 31 through 39 so set first byte to three, second to src + 1
   2015         adjusted[index] = '3';
   2016         adjusted[index + 1] = passwd[index + 1] + 1;
   2017     }
   2018 
   2019     return adjusted;
   2020 }
   2021 
   2022 int cryptfs_check_passwd(char *passwd)
   2023 {
   2024     struct crypt_mnt_ftr crypt_ftr;
   2025     int rc;
   2026 
   2027     rc = check_unmounted_and_get_ftr(&crypt_ftr);
   2028     if (rc)
   2029         return rc;
   2030 
   2031     char* adjusted_passwd = adjust_passwd(passwd);
   2032     if (adjusted_passwd) {
   2033         int failed_decrypt_count = crypt_ftr.failed_decrypt_count;
   2034         rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd,
   2035                                      DATA_MNT_POINT, "userdata");
   2036 
   2037         // Maybe the original one still works?
   2038         if (rc) {
   2039             // Don't double count this failure
   2040             crypt_ftr.failed_decrypt_count = failed_decrypt_count;
   2041             rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
   2042                                          DATA_MNT_POINT, "userdata");
   2043             if (!rc) {
   2044                 // cryptfs_changepw also adjusts so pass original
   2045                 // Note that adjust_passwd only recognises patterns
   2046                 // so we can safely use CRYPT_TYPE_PATTERN
   2047                 SLOGI("Updating pattern to new format");
   2048                 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd);
   2049             }
   2050         }
   2051         free(adjusted_passwd);
   2052     } else {
   2053         rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
   2054                                      DATA_MNT_POINT, "userdata");
   2055     }
   2056 
   2057     if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
   2058         cryptfs_clear_password();
   2059         password = strdup(passwd);
   2060         struct timespec now;
   2061         clock_gettime(CLOCK_BOOTTIME, &now);
   2062         password_expiry_time = now.tv_sec + password_max_age_seconds;
   2063     }
   2064 
   2065     return rc;
   2066 }
   2067 
   2068 int cryptfs_verify_passwd(char *passwd)
   2069 {
   2070     struct crypt_mnt_ftr crypt_ftr;
   2071     /* Allocate enough space for a 256 bit key, but we may use less */
   2072     unsigned char decrypted_master_key[32];
   2073     char encrypted_state[PROPERTY_VALUE_MAX];
   2074     int rc;
   2075 
   2076     property_get("ro.crypto.state", encrypted_state, "");
   2077     if (strcmp(encrypted_state, "encrypted") ) {
   2078         SLOGE("device not encrypted, aborting");
   2079         return -2;
   2080     }
   2081 
   2082     if (!master_key_saved) {
   2083         SLOGE("encrypted fs not yet mounted, aborting");
   2084         return -1;
   2085     }
   2086 
   2087     if (!saved_mount_point) {
   2088         SLOGE("encrypted fs failed to save mount point, aborting");
   2089         return -1;
   2090     }
   2091 
   2092     if (get_crypt_ftr_and_key(&crypt_ftr)) {
   2093         SLOGE("Error getting crypt footer and key\n");
   2094         return -1;
   2095     }
   2096 
   2097     if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
   2098         /* If the device has no password, then just say the password is valid */
   2099         rc = 0;
   2100     } else {
   2101         char* adjusted_passwd = adjust_passwd(passwd);
   2102         if (adjusted_passwd) {
   2103             passwd = adjusted_passwd;
   2104         }
   2105 
   2106         decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
   2107         if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
   2108             /* They match, the password is correct */
   2109             rc = 0;
   2110         } else {
   2111             /* If incorrect, sleep for a bit to prevent dictionary attacks */
   2112             sleep(1);
   2113             rc = 1;
   2114         }
   2115 
   2116         free(adjusted_passwd);
   2117     }
   2118 
   2119     return rc;
   2120 }
   2121 
   2122 /* Initialize a crypt_mnt_ftr structure.  The keysize is
   2123  * defaulted to 16 bytes, and the filesystem size to 0.
   2124  * Presumably, at a minimum, the caller will update the
   2125  * filesystem size and crypto_type_name after calling this function.
   2126  */
   2127 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr)
   2128 {
   2129     off64_t off;
   2130 
   2131     memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
   2132     ftr->magic = CRYPT_MNT_MAGIC;
   2133     ftr->major_version = CURRENT_MAJOR_VERSION;
   2134     ftr->minor_version = CURRENT_MINOR_VERSION;
   2135     ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
   2136     ftr->keysize = KEY_LEN_BYTES;
   2137 
   2138     switch (keymaster_check_compatibility()) {
   2139     case 1:
   2140         ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
   2141         break;
   2142 
   2143     case 0:
   2144         ftr->kdf_type = KDF_SCRYPT;
   2145         break;
   2146 
   2147     default:
   2148         SLOGE("keymaster_check_compatibility failed");
   2149         return -1;
   2150     }
   2151 
   2152     get_device_scrypt_params(ftr);
   2153 
   2154     ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
   2155     if (get_crypt_ftr_info(NULL, &off) == 0) {
   2156         ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
   2157         ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET +
   2158                                     ftr->persist_data_size;
   2159     }
   2160 
   2161     return 0;
   2162 }
   2163 
   2164 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type)
   2165 {
   2166     const char *args[10];
   2167     char size_str[32]; /* Must be large enough to hold a %lld and null byte */
   2168     int num_args;
   2169     int status;
   2170     int tmp;
   2171     int rc = -1;
   2172 
   2173     if (type == EXT4_FS) {
   2174         args[0] = "/system/bin/make_ext4fs";
   2175         args[1] = "-a";
   2176         args[2] = "/data";
   2177         args[3] = "-l";
   2178         snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512);
   2179         args[4] = size_str;
   2180         args[5] = crypto_blkdev;
   2181         num_args = 6;
   2182         SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n",
   2183               args[0], args[1], args[2], args[3], args[4], args[5]);
   2184     } else if (type == F2FS_FS) {
   2185         args[0] = "/system/bin/mkfs.f2fs";
   2186         args[1] = "-t";
   2187         args[2] = "-d1";
   2188         args[3] = crypto_blkdev;
   2189         snprintf(size_str, sizeof(size_str), "%" PRId64, size);
   2190         args[4] = size_str;
   2191         num_args = 5;
   2192         SLOGI("Making empty filesystem with command %s %s %s %s %s\n",
   2193               args[0], args[1], args[2], args[3], args[4]);
   2194     } else {
   2195         SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type);
   2196         return -1;
   2197     }
   2198 
   2199     tmp = android_fork_execvp(num_args, (char **)args, &status, false, true);
   2200 
   2201     if (tmp != 0) {
   2202       SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev);
   2203     } else {
   2204         if (WIFEXITED(status)) {
   2205             if (WEXITSTATUS(status)) {
   2206                 SLOGE("Error creating filesystem on %s, exit status %d ",
   2207                       crypto_blkdev, WEXITSTATUS(status));
   2208             } else {
   2209                 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev);
   2210                 rc = 0;
   2211             }
   2212         } else {
   2213             SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev);
   2214        }
   2215     }
   2216 
   2217     return rc;
   2218 }
   2219 
   2220 #define CRYPT_INPLACE_BUFSIZE 4096
   2221 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE)
   2222 #define CRYPT_SECTOR_SIZE 512
   2223 
   2224 /* aligned 32K writes tends to make flash happy.
   2225  * SD card association recommends it.
   2226  */
   2227 #ifndef CONFIG_HW_DISK_ENCRYPTION
   2228 #define BLOCKS_AT_A_TIME 8
   2229 #else
   2230 #define BLOCKS_AT_A_TIME 1024
   2231 #endif
   2232 
   2233 struct encryptGroupsData
   2234 {
   2235     int realfd;
   2236     int cryptofd;
   2237     off64_t numblocks;
   2238     off64_t one_pct, cur_pct, new_pct;
   2239     off64_t blocks_already_done, tot_numblocks;
   2240     off64_t used_blocks_already_done, tot_used_blocks;
   2241     char* real_blkdev, * crypto_blkdev;
   2242     int count;
   2243     off64_t offset;
   2244     char* buffer;
   2245     off64_t last_written_sector;
   2246     int completed;
   2247     time_t time_started;
   2248     int remaining_time;
   2249 };
   2250 
   2251 static void update_progress(struct encryptGroupsData* data, int is_used)
   2252 {
   2253     data->blocks_already_done++;
   2254 
   2255     if (is_used) {
   2256         data->used_blocks_already_done++;
   2257     }
   2258     if (data->tot_used_blocks) {
   2259         data->new_pct = data->used_blocks_already_done / data->one_pct;
   2260     } else {
   2261         data->new_pct = data->blocks_already_done / data->one_pct;
   2262     }
   2263 
   2264     if (data->new_pct > data->cur_pct) {
   2265         char buf[8];
   2266         data->cur_pct = data->new_pct;
   2267         snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct);
   2268         property_set("vold.encrypt_progress", buf);
   2269     }
   2270 
   2271     if (data->cur_pct >= 5) {
   2272         struct timespec time_now;
   2273         if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
   2274             SLOGW("Error getting time");
   2275         } else {
   2276             double elapsed_time = difftime(time_now.tv_sec, data->time_started);
   2277             off64_t remaining_blocks = data->tot_used_blocks
   2278                                        - data->used_blocks_already_done;
   2279             int remaining_time = (int)(elapsed_time * remaining_blocks
   2280                                        / data->used_blocks_already_done);
   2281 
   2282             // Change time only if not yet set, lower, or a lot higher for
   2283             // best user experience
   2284             if (data->remaining_time == -1
   2285                 || remaining_time < data->remaining_time
   2286                 || remaining_time > data->remaining_time + 60) {
   2287                 char buf[8];
   2288                 snprintf(buf, sizeof(buf), "%d", remaining_time);
   2289                 property_set("vold.encrypt_time_remaining", buf);
   2290                 data->remaining_time = remaining_time;
   2291             }
   2292         }
   2293     }
   2294 }
   2295 
   2296 static void log_progress(struct encryptGroupsData const* data, bool completed)
   2297 {
   2298     // Precondition - if completed data = 0 else data != 0
   2299 
   2300     // Track progress so we can skip logging blocks
   2301     static off64_t offset = -1;
   2302 
   2303     // Need to close existing 'Encrypting from' log?
   2304     if (completed || (offset != -1 && data->offset != offset)) {
   2305         SLOGI("Encrypted to sector %" PRId64,
   2306               offset / info.block_size * CRYPT_SECTOR_SIZE);
   2307         offset = -1;
   2308     }
   2309 
   2310     // Need to start new 'Encrypting from' log?
   2311     if (!completed && offset != data->offset) {
   2312         SLOGI("Encrypting from sector %" PRId64,
   2313               data->offset / info.block_size * CRYPT_SECTOR_SIZE);
   2314     }
   2315 
   2316     // Update offset
   2317     if (!completed) {
   2318         offset = data->offset + (off64_t)data->count * info.block_size;
   2319     }
   2320 }
   2321 
   2322 static int flush_outstanding_data(struct encryptGroupsData* data)
   2323 {
   2324     if (data->count == 0) {
   2325         return 0;
   2326     }
   2327 
   2328     SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset);
   2329 
   2330     if (pread64(data->realfd, data->buffer,
   2331                 info.block_size * data->count, data->offset)
   2332         <= 0) {
   2333         SLOGE("Error reading real_blkdev %s for inplace encrypt",
   2334               data->real_blkdev);
   2335         return -1;
   2336     }
   2337 
   2338     if (pwrite64(data->cryptofd, data->buffer,
   2339                  info.block_size * data->count, data->offset)
   2340         <= 0) {
   2341         SLOGE("Error writing crypto_blkdev %s for inplace encrypt",
   2342               data->crypto_blkdev);
   2343         return -1;
   2344     } else {
   2345       log_progress(data, false);
   2346     }
   2347 
   2348     data->count = 0;
   2349     data->last_written_sector = (data->offset + data->count)
   2350                                 / info.block_size * CRYPT_SECTOR_SIZE - 1;
   2351     return 0;
   2352 }
   2353 
   2354 static int encrypt_groups(struct encryptGroupsData* data)
   2355 {
   2356     unsigned int i;
   2357     u8 *block_bitmap = 0;
   2358     unsigned int block;
   2359     off64_t ret;
   2360     int rc = -1;
   2361 
   2362     data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME);
   2363     if (!data->buffer) {
   2364         SLOGE("Failed to allocate crypto buffer");
   2365         goto errout;
   2366     }
   2367 
   2368     block_bitmap = malloc(info.block_size);
   2369     if (!block_bitmap) {
   2370         SLOGE("failed to allocate block bitmap");
   2371         goto errout;
   2372     }
   2373 
   2374     for (i = 0; i < aux_info.groups; ++i) {
   2375         SLOGI("Encrypting group %d", i);
   2376 
   2377         u32 first_block = aux_info.first_data_block + i * info.blocks_per_group;
   2378         u32 block_count = min(info.blocks_per_group,
   2379                              aux_info.len_blocks - first_block);
   2380 
   2381         off64_t offset = (u64)info.block_size
   2382                          * aux_info.bg_desc[i].bg_block_bitmap;
   2383 
   2384         ret = pread64(data->realfd, block_bitmap, info.block_size, offset);
   2385         if (ret != (int)info.block_size) {
   2386             SLOGE("failed to read all of block group bitmap %d", i);
   2387             goto errout;
   2388         }
   2389 
   2390         offset = (u64)info.block_size * first_block;
   2391 
   2392         data->count = 0;
   2393 
   2394         for (block = 0; block < block_count; block++) {
   2395             int used = bitmap_get_bit(block_bitmap, block);
   2396             update_progress(data, used);
   2397             if (used) {
   2398                 if (data->count == 0) {
   2399                     data->offset = offset;
   2400                 }
   2401                 data->count++;
   2402             } else {
   2403                 if (flush_outstanding_data(data)) {
   2404                     goto errout;
   2405                 }
   2406             }
   2407 
   2408             offset += info.block_size;
   2409 
   2410             /* Write data if we are aligned or buffer size reached */
   2411             if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0
   2412                 || data->count == BLOCKS_AT_A_TIME) {
   2413                 if (flush_outstanding_data(data)) {
   2414                     goto errout;
   2415                 }
   2416             }
   2417 
   2418             if (!is_battery_ok_to_continue()) {
   2419                 SLOGE("Stopping encryption due to low battery");
   2420                 rc = 0;
   2421                 goto errout;
   2422             }
   2423 
   2424         }
   2425         if (flush_outstanding_data(data)) {
   2426             goto errout;
   2427         }
   2428     }
   2429 
   2430     data->completed = 1;
   2431     rc = 0;
   2432 
   2433 errout:
   2434     log_progress(0, true);
   2435     free(data->buffer);
   2436     free(block_bitmap);
   2437     return rc;
   2438 }
   2439 
   2440 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev,
   2441                                        char *real_blkdev,
   2442                                        off64_t size,
   2443                                        off64_t *size_already_done,
   2444                                        off64_t tot_size,
   2445                                        off64_t previously_encrypted_upto)
   2446 {
   2447     u32 i;
   2448     struct encryptGroupsData data;
   2449     int rc; // Can't initialize without causing warning -Wclobbered
   2450 
   2451     if (previously_encrypted_upto > *size_already_done) {
   2452         SLOGD("Not fast encrypting since resuming part way through");
   2453         return -1;
   2454     }
   2455 
   2456     memset(&data, 0, sizeof(data));
   2457     data.real_blkdev = real_blkdev;
   2458     data.crypto_blkdev = crypto_blkdev;
   2459 
   2460     if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) {
   2461         SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n",
   2462               real_blkdev, errno, strerror(errno));
   2463         rc = -1;
   2464         goto errout;
   2465     }
   2466 
   2467     if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
   2468         SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n",
   2469               crypto_blkdev, errno, strerror(errno));
   2470         rc = ENABLE_INPLACE_ERR_DEV;
   2471         goto errout;
   2472     }
   2473 
   2474     if (setjmp(setjmp_env)) {
   2475         SLOGE("Reading ext4 extent caused an exception\n");
   2476         rc = -1;
   2477         goto errout;
   2478     }
   2479 
   2480     if (read_ext(data.realfd, 0) != 0) {
   2481         SLOGE("Failed to read ext4 extent\n");
   2482         rc = -1;
   2483         goto errout;
   2484     }
   2485 
   2486     data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
   2487     data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
   2488     data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
   2489 
   2490     SLOGI("Encrypting ext4 filesystem in place...");
   2491 
   2492     data.tot_used_blocks = data.numblocks;
   2493     for (i = 0; i < aux_info.groups; ++i) {
   2494       data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count;
   2495     }
   2496 
   2497     data.one_pct = data.tot_used_blocks / 100;
   2498     data.cur_pct = 0;
   2499 
   2500     struct timespec time_started = {0};
   2501     if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
   2502         SLOGW("Error getting time at start");
   2503         // Note - continue anyway - we'll run with 0
   2504     }
   2505     data.time_started = time_started.tv_sec;
   2506     data.remaining_time = -1;
   2507 
   2508     rc = encrypt_groups(&data);
   2509     if (rc) {
   2510         SLOGE("Error encrypting groups");
   2511         goto errout;
   2512     }
   2513 
   2514     *size_already_done += data.completed ? size : data.last_written_sector;
   2515     rc = 0;
   2516 
   2517 errout:
   2518     close(data.realfd);
   2519     close(data.cryptofd);
   2520 
   2521     return rc;
   2522 }
   2523 
   2524 static void log_progress_f2fs(u64 block, bool completed)
   2525 {
   2526     // Precondition - if completed data = 0 else data != 0
   2527 
   2528     // Track progress so we can skip logging blocks
   2529     static u64 last_block = (u64)-1;
   2530 
   2531     // Need to close existing 'Encrypting from' log?
   2532     if (completed || (last_block != (u64)-1 && block != last_block + 1)) {
   2533         SLOGI("Encrypted to block %" PRId64, last_block);
   2534         last_block = -1;
   2535     }
   2536 
   2537     // Need to start new 'Encrypting from' log?
   2538     if (!completed && (last_block == (u64)-1 || block != last_block + 1)) {
   2539         SLOGI("Encrypting from block %" PRId64, block);
   2540     }
   2541 
   2542     // Update offset
   2543     if (!completed) {
   2544         last_block = block;
   2545     }
   2546 }
   2547 
   2548 static int encrypt_one_block_f2fs(u64 pos, void *data)
   2549 {
   2550     struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data;
   2551 
   2552     priv_dat->blocks_already_done = pos - 1;
   2553     update_progress(priv_dat, 1);
   2554 
   2555     off64_t offset = pos * CRYPT_INPLACE_BUFSIZE;
   2556 
   2557     if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
   2558         SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
   2559         return -1;
   2560     }
   2561 
   2562     if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) {
   2563         SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev);
   2564         return -1;
   2565     } else {
   2566         log_progress_f2fs(pos, false);
   2567     }
   2568 
   2569     return 0;
   2570 }
   2571 
   2572 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev,
   2573                                        char *real_blkdev,
   2574                                        off64_t size,
   2575                                        off64_t *size_already_done,
   2576                                        off64_t tot_size,
   2577                                        off64_t previously_encrypted_upto)
   2578 {
   2579     u32 i;
   2580     struct encryptGroupsData data;
   2581     struct f2fs_info *f2fs_info = NULL;
   2582     int rc = ENABLE_INPLACE_ERR_OTHER;
   2583     if (previously_encrypted_upto > *size_already_done) {
   2584         SLOGD("Not fast encrypting since resuming part way through");
   2585         return ENABLE_INPLACE_ERR_OTHER;
   2586     }
   2587     memset(&data, 0, sizeof(data));
   2588     data.real_blkdev = real_blkdev;
   2589     data.crypto_blkdev = crypto_blkdev;
   2590     data.realfd = -1;
   2591     data.cryptofd = -1;
   2592     if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) {
   2593         SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n",
   2594               real_blkdev);
   2595         goto errout;
   2596     }
   2597     if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) {
   2598         SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n",
   2599               crypto_blkdev, errno, strerror(errno));
   2600         rc = ENABLE_INPLACE_ERR_DEV;
   2601         goto errout;
   2602     }
   2603 
   2604     f2fs_info = generate_f2fs_info(data.realfd);
   2605     if (!f2fs_info)
   2606       goto errout;
   2607 
   2608     data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
   2609     data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
   2610     data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
   2611 
   2612     data.tot_used_blocks = get_num_blocks_used(f2fs_info);
   2613 
   2614     data.one_pct = data.tot_used_blocks / 100;
   2615     data.cur_pct = 0;
   2616     data.time_started = time(NULL);
   2617     data.remaining_time = -1;
   2618 
   2619     data.buffer = malloc(f2fs_info->block_size);
   2620     if (!data.buffer) {
   2621         SLOGE("Failed to allocate crypto buffer");
   2622         goto errout;
   2623     }
   2624 
   2625     data.count = 0;
   2626 
   2627     /* Currently, this either runs to completion, or hits a nonrecoverable error */
   2628     rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data);
   2629 
   2630     if (rc) {
   2631         SLOGE("Error in running over f2fs blocks");
   2632         rc = ENABLE_INPLACE_ERR_OTHER;
   2633         goto errout;
   2634     }
   2635 
   2636     *size_already_done += size;
   2637     rc = 0;
   2638 
   2639 errout:
   2640     if (rc)
   2641         SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev);
   2642 
   2643     log_progress_f2fs(0, true);
   2644     free(f2fs_info);
   2645     free(data.buffer);
   2646     close(data.realfd);
   2647     close(data.cryptofd);
   2648 
   2649     return rc;
   2650 }
   2651 
   2652 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev,
   2653                                        off64_t size, off64_t *size_already_done,
   2654                                        off64_t tot_size,
   2655                                        off64_t previously_encrypted_upto)
   2656 {
   2657     int realfd, cryptofd;
   2658     char *buf[CRYPT_INPLACE_BUFSIZE];
   2659     int rc = ENABLE_INPLACE_ERR_OTHER;
   2660     off64_t numblocks, i, remainder;
   2661     off64_t one_pct, cur_pct, new_pct;
   2662     off64_t blocks_already_done, tot_numblocks;
   2663 
   2664     if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) {
   2665         SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev);
   2666         return ENABLE_INPLACE_ERR_OTHER;
   2667     }
   2668 
   2669     if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) {
   2670         SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n",
   2671               crypto_blkdev, errno, strerror(errno));
   2672         close(realfd);
   2673         return ENABLE_INPLACE_ERR_DEV;
   2674     }
   2675 
   2676     /* This is pretty much a simple loop of reading 4K, and writing 4K.
   2677      * The size passed in is the number of 512 byte sectors in the filesystem.
   2678      * So compute the number of whole 4K blocks we should read/write,
   2679      * and the remainder.
   2680      */
   2681     numblocks = size / CRYPT_SECTORS_PER_BUFSIZE;
   2682     remainder = size % CRYPT_SECTORS_PER_BUFSIZE;
   2683     tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE;
   2684     blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE;
   2685 
   2686     SLOGE("Encrypting filesystem in place...");
   2687 
   2688     i = previously_encrypted_upto + 1 - *size_already_done;
   2689 
   2690     if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
   2691         SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev);
   2692         goto errout;
   2693     }
   2694 
   2695     if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) {
   2696         SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev);
   2697         goto errout;
   2698     }
   2699 
   2700     for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) {
   2701         if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
   2702             SLOGE("Error reading initial sectors from real_blkdev %s for "
   2703                   "inplace encrypt\n", crypto_blkdev);
   2704             goto errout;
   2705         }
   2706         if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
   2707             SLOGE("Error writing initial sectors to crypto_blkdev %s for "
   2708                   "inplace encrypt\n", crypto_blkdev);
   2709             goto errout;
   2710         } else {
   2711             SLOGI("Encrypted 1 block at %" PRId64, i);
   2712         }
   2713     }
   2714 
   2715     one_pct = tot_numblocks / 100;
   2716     cur_pct = 0;
   2717     /* process the majority of the filesystem in blocks */
   2718     for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) {
   2719         new_pct = (i + blocks_already_done) / one_pct;
   2720         if (new_pct > cur_pct) {
   2721             char buf[8];
   2722 
   2723             cur_pct = new_pct;
   2724             snprintf(buf, sizeof(buf), "%" PRId64, cur_pct);
   2725             property_set("vold.encrypt_progress", buf);
   2726         }
   2727         if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
   2728             SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev);
   2729             goto errout;
   2730         }
   2731         if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) {
   2732             SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev);
   2733             goto errout;
   2734         } else {
   2735             SLOGD("Encrypted %d block at %" PRId64,
   2736                   CRYPT_SECTORS_PER_BUFSIZE,
   2737                   i * CRYPT_SECTORS_PER_BUFSIZE);
   2738         }
   2739 
   2740        if (!is_battery_ok_to_continue()) {
   2741             SLOGE("Stopping encryption due to low battery");
   2742             *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1;
   2743             rc = 0;
   2744             goto errout;
   2745         }
   2746     }
   2747 
   2748     /* Do any remaining sectors */
   2749     for (i=0; i<remainder; i++) {
   2750         if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) {
   2751             SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev);
   2752             goto errout;
   2753         }
   2754         if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) {
   2755             SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev);
   2756             goto errout;
   2757         } else {
   2758             SLOGI("Encrypted 1 block at next location");
   2759         }
   2760     }
   2761 
   2762     *size_already_done += size;
   2763     rc = 0;
   2764 
   2765 errout:
   2766     close(realfd);
   2767     close(cryptofd);
   2768 
   2769     return rc;
   2770 }
   2771 
   2772 /* returns on of the ENABLE_INPLACE_* return codes */
   2773 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev,
   2774                                   off64_t size, off64_t *size_already_done,
   2775                                   off64_t tot_size,
   2776                                   off64_t previously_encrypted_upto)
   2777 {
   2778     int rc_ext4, rc_f2fs, rc_full;
   2779     if (previously_encrypted_upto) {
   2780         SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto);
   2781     }
   2782 
   2783     if (*size_already_done + size < previously_encrypted_upto) {
   2784         *size_already_done += size;
   2785         return 0;
   2786     }
   2787 
   2788     /* TODO: identify filesystem type.
   2789      * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and
   2790      * then we will drop down to cryptfs_enable_inplace_f2fs.
   2791      * */
   2792     if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev,
   2793                                 size, size_already_done,
   2794                                 tot_size, previously_encrypted_upto)) == 0) {
   2795       return 0;
   2796     }
   2797     SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4);
   2798 
   2799     if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev,
   2800                                 size, size_already_done,
   2801                                 tot_size, previously_encrypted_upto)) == 0) {
   2802       return 0;
   2803     }
   2804     SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs);
   2805 
   2806     rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev,
   2807                                        size, size_already_done, tot_size,
   2808                                        previously_encrypted_upto);
   2809     SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full);
   2810 
   2811     /* Hack for b/17898962, the following is the symptom... */
   2812     if (rc_ext4 == ENABLE_INPLACE_ERR_DEV
   2813         && rc_f2fs == ENABLE_INPLACE_ERR_DEV
   2814         && rc_full == ENABLE_INPLACE_ERR_DEV) {
   2815             return ENABLE_INPLACE_ERR_DEV;
   2816     }
   2817     return rc_full;
   2818 }
   2819 
   2820 #define CRYPTO_ENABLE_WIPE 1
   2821 #define CRYPTO_ENABLE_INPLACE 2
   2822 
   2823 #define FRAMEWORK_BOOT_WAIT 60
   2824 
   2825 static inline int should_encrypt(struct volume_info *volume)
   2826 {
   2827     return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) ==
   2828             (VOL_ENCRYPTABLE | VOL_NONREMOVABLE);
   2829 }
   2830 
   2831 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf)
   2832 {
   2833     int fd = open(filename, O_RDONLY);
   2834     if (fd == -1) {
   2835         SLOGE("Error opening file %s", filename);
   2836         return -1;
   2837     }
   2838 
   2839     char block[CRYPT_INPLACE_BUFSIZE];
   2840     memset(block, 0, sizeof(block));
   2841     if (unix_read(fd, block, sizeof(block)) < 0) {
   2842         SLOGE("Error reading file %s", filename);
   2843         close(fd);
   2844         return -1;
   2845     }
   2846 
   2847     close(fd);
   2848 
   2849     SHA256_CTX c;
   2850     SHA256_Init(&c);
   2851     SHA256_Update(&c, block, sizeof(block));
   2852     SHA256_Final(buf, &c);
   2853 
   2854     return 0;
   2855 }
   2856 
   2857 static int get_fs_type(struct fstab_rec *rec)
   2858 {
   2859     if (!strcmp(rec->fs_type, "ext4")) {
   2860         return EXT4_FS;
   2861     } else if (!strcmp(rec->fs_type, "f2fs")) {
   2862         return F2FS_FS;
   2863     } else {
   2864         return -1;
   2865     }
   2866 }
   2867 
   2868 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how,
   2869                                       char *crypto_blkdev, char *real_blkdev,
   2870                                       int previously_encrypted_upto)
   2871 {
   2872     off64_t cur_encryption_done=0, tot_encryption_size=0;
   2873     int i, rc = -1;
   2874 
   2875     if (!is_battery_ok_to_start()) {
   2876         SLOGW("Not starting encryption due to low battery");
   2877         return 0;
   2878     }
   2879 
   2880     /* The size of the userdata partition, and add in the vold volumes below */
   2881     tot_encryption_size = crypt_ftr->fs_size;
   2882 
   2883     if (how == CRYPTO_ENABLE_WIPE) {
   2884         struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT);
   2885         int fs_type = get_fs_type(rec);
   2886         if (fs_type < 0) {
   2887             SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type);
   2888             return -1;
   2889         }
   2890         rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type);
   2891     } else if (how == CRYPTO_ENABLE_INPLACE) {
   2892         rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev,
   2893                                     crypt_ftr->fs_size, &cur_encryption_done,
   2894                                     tot_encryption_size,
   2895                                     previously_encrypted_upto);
   2896 
   2897         if (rc == ENABLE_INPLACE_ERR_DEV) {
   2898             /* Hack for b/17898962 */
   2899             SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n");
   2900             cryptfs_reboot(reboot);
   2901         }
   2902 
   2903         if (!rc) {
   2904             crypt_ftr->encrypted_upto = cur_encryption_done;
   2905         }
   2906 
   2907         if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) {
   2908             /* The inplace routine never actually sets the progress to 100% due
   2909              * to the round down nature of integer division, so set it here */
   2910             property_set("vold.encrypt_progress", "100");
   2911         }
   2912     } else {
   2913         /* Shouldn't happen */
   2914         SLOGE("cryptfs_enable: internal error, unknown option\n");
   2915         rc = -1;
   2916     }
   2917 
   2918     return rc;
   2919 }
   2920 
   2921 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
   2922                             int allow_reboot)
   2923 {
   2924     int how = 0;
   2925     char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN];
   2926     unsigned long nr_sec;
   2927     unsigned char decrypted_master_key[KEY_LEN_BYTES];
   2928     int rc=-1, fd, i, ret;
   2929     struct crypt_mnt_ftr crypt_ftr;
   2930     struct crypt_persist_data *pdata;
   2931     char encrypted_state[PROPERTY_VALUE_MAX];
   2932     char lockid[32] = { 0 };
   2933     char key_loc[PROPERTY_VALUE_MAX];
   2934     char fuse_sdcard[PROPERTY_VALUE_MAX];
   2935     char *sd_mnt_point;
   2936     int num_vols;
   2937     struct volume_info *vol_list = 0;
   2938     off64_t previously_encrypted_upto = 0;
   2939 
   2940     if (!strcmp(howarg, "wipe")) {
   2941       how = CRYPTO_ENABLE_WIPE;
   2942     } else if (! strcmp(howarg, "inplace")) {
   2943       how = CRYPTO_ENABLE_INPLACE;
   2944     } else {
   2945       /* Shouldn't happen, as CommandListener vets the args */
   2946       goto error_unencrypted;
   2947     }
   2948 
   2949     /* See if an encryption was underway and interrupted */
   2950     if (how == CRYPTO_ENABLE_INPLACE
   2951           && get_crypt_ftr_and_key(&crypt_ftr) == 0
   2952           && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) {
   2953         previously_encrypted_upto = crypt_ftr.encrypted_upto;
   2954         crypt_ftr.encrypted_upto = 0;
   2955         crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS;
   2956 
   2957         /* At this point, we are in an inconsistent state. Until we successfully
   2958            complete encryption, a reboot will leave us broken. So mark the
   2959            encryption failed in case that happens.
   2960            On successfully completing encryption, remove this flag */
   2961         crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
   2962 
   2963         put_crypt_ftr_and_key(&crypt_ftr);
   2964     }
   2965 
   2966     property_get("ro.crypto.state", encrypted_state, "");
   2967     if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) {
   2968         SLOGE("Device is already running encrypted, aborting");
   2969         goto error_unencrypted;
   2970     }
   2971 
   2972     // TODO refactor fs_mgr_get_crypt_info to get both in one call
   2973     fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc));
   2974     fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev));
   2975 
   2976     /* Get the size of the real block device */
   2977     fd = open(real_blkdev, O_RDONLY);
   2978     if ( (nr_sec = get_blkdev_size(fd)) == 0) {
   2979         SLOGE("Cannot get size of block device %s\n", real_blkdev);
   2980         goto error_unencrypted;
   2981     }
   2982     close(fd);
   2983 
   2984     /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
   2985     if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) {
   2986         unsigned int fs_size_sec, max_fs_size_sec;
   2987         fs_size_sec = get_fs_size(real_blkdev);
   2988         if (fs_size_sec == 0)
   2989             fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev);
   2990 
   2991         max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
   2992 
   2993         if (fs_size_sec > max_fs_size_sec) {
   2994             SLOGE("Orig filesystem overlaps crypto footer region.  Cannot encrypt in place.");
   2995             goto error_unencrypted;
   2996         }
   2997     }
   2998 
   2999     /* Get a wakelock as this may take a while, and we don't want the
   3000      * device to sleep on us.  We'll grab a partial wakelock, and if the UI
   3001      * wants to keep the screen on, it can grab a full wakelock.
   3002      */
   3003     snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid());
   3004     acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid);
   3005 
   3006     /* Get the sdcard mount point */
   3007     sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE");
   3008     if (!sd_mnt_point) {
   3009        sd_mnt_point = getenv("EXTERNAL_STORAGE");
   3010     }
   3011     if (!sd_mnt_point) {
   3012         sd_mnt_point = "/mnt/sdcard";
   3013     }
   3014 
   3015     /* TODO
   3016      * Currently do not have test devices with multiple encryptable volumes.
   3017      * When we acquire some, re-add support.
   3018      */
   3019     num_vols=vold_getNumDirectVolumes();
   3020     vol_list = malloc(sizeof(struct volume_info) * num_vols);
   3021     vold_getDirectVolumeList(vol_list);
   3022 
   3023     for (i=0; i<num_vols; i++) {
   3024         if (should_encrypt(&vol_list[i])) {
   3025             SLOGE("Cannot encrypt if there are multiple encryptable volumes"
   3026                   "%s\n", vol_list[i].label);
   3027             goto error_unencrypted;
   3028         }
   3029     }
   3030 
   3031     /* The init files are setup to stop the class main and late start when
   3032      * vold sets trigger_shutdown_framework.
   3033      */
   3034     property_set("vold.decrypt", "trigger_shutdown_framework");
   3035     SLOGD("Just asked init to shut down class main\n");
   3036 
   3037     if (vold_unmountAllAsecs()) {
   3038         /* Just report the error.  If any are left mounted,
   3039          * umounting /data below will fail and handle the error.
   3040          */
   3041         SLOGE("Error unmounting internal asecs");
   3042     }
   3043 
   3044     property_get("ro.crypto.fuse_sdcard", fuse_sdcard, "");
   3045     if (!strcmp(fuse_sdcard, "true")) {
   3046         /* This is a device using the fuse layer to emulate the sdcard semantics
   3047          * on top of the userdata partition.  vold does not manage it, it is managed
   3048          * by the sdcard service.  The sdcard service was killed by the property trigger
   3049          * above, so just unmount it now.  We must do this _AFTER_ killing the framework,
   3050          * unlike the case for vold managed devices above.
   3051          */
   3052         if (wait_and_unmount(sd_mnt_point, false)) {
   3053             goto error_shutting_down;
   3054         }
   3055     }
   3056 
   3057     /* Now unmount the /data partition. */
   3058     if (wait_and_unmount(DATA_MNT_POINT, false)) {
   3059         if (allow_reboot) {
   3060             goto error_shutting_down;
   3061         } else {
   3062             goto error_unencrypted;
   3063         }
   3064     }
   3065 
   3066     /* Do extra work for a better UX when doing the long inplace encryption */
   3067     if (how == CRYPTO_ENABLE_INPLACE) {
   3068         /* Now that /data is unmounted, we need to mount a tmpfs
   3069          * /data, set a property saying we're doing inplace encryption,
   3070          * and restart the framework.
   3071          */
   3072         if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
   3073             goto error_shutting_down;
   3074         }
   3075         /* Tells the framework that inplace encryption is starting */
   3076         property_set("vold.encrypt_progress", "0");
   3077 
   3078         /* restart the framework. */
   3079         /* Create necessary paths on /data */
   3080         if (prep_data_fs()) {
   3081             goto error_shutting_down;
   3082         }
   3083 
   3084         /* Ugh, shutting down the framework is not synchronous, so until it
   3085          * can be fixed, this horrible hack will wait a moment for it all to
   3086          * shut down before proceeding.  Without it, some devices cannot
   3087          * restart the graphics services.
   3088          */
   3089         sleep(2);
   3090     }
   3091 
   3092     /* Start the actual work of making an encrypted filesystem */
   3093     /* Initialize a crypt_mnt_ftr for the partition */
   3094     if (previously_encrypted_upto == 0) {
   3095         if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
   3096             goto error_shutting_down;
   3097         }
   3098 
   3099         if (!strcmp(key_loc, KEY_IN_FOOTER)) {
   3100             crypt_ftr.fs_size = nr_sec
   3101               - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
   3102         } else {
   3103             crypt_ftr.fs_size = nr_sec;
   3104         }
   3105         /* At this point, we are in an inconsistent state. Until we successfully
   3106            complete encryption, a reboot will leave us broken. So mark the
   3107            encryption failed in case that happens.
   3108            On successfully completing encryption, remove this flag */
   3109         crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
   3110         crypt_ftr.crypt_type = crypt_type;
   3111 #ifndef CONFIG_HW_DISK_ENCRYPTION
   3112         strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);
   3113 #else
   3114         strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);
   3115 
   3116         rc = clear_hw_device_encryption_key();
   3117         if (!rc) {
   3118           SLOGE("Error clearing device encryption hardware key. rc = %d", rc);
   3119         }
   3120 
   3121         rc = set_hw_device_encryption_key(passwd,
   3122                                           (char*) crypt_ftr.crypto_type_name);
   3123         if (!rc) {
   3124           SLOGE("Error initializing device encryption hardware key. rc = %d", rc);
   3125           goto error_shutting_down;
   3126         }
   3127 #endif
   3128 
   3129         /* Make an encrypted master key */
   3130         if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
   3131             SLOGE("Cannot create encrypted master key\n");
   3132             goto error_shutting_down;
   3133         }
   3134 
   3135         /* Write the key to the end of the partition */
   3136         put_crypt_ftr_and_key(&crypt_ftr);
   3137 
   3138         /* If any persistent data has been remembered, save it.
   3139          * If none, create a valid empty table and save that.
   3140          */
   3141         if (!persist_data) {
   3142            pdata = malloc(CRYPT_PERSIST_DATA_SIZE);
   3143            if (pdata) {
   3144                init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
   3145                persist_data = pdata;
   3146            }
   3147         }
   3148         if (persist_data) {
   3149             save_persistent_data();
   3150         }
   3151     }
   3152 
   3153     if (how == CRYPTO_ENABLE_INPLACE) {
   3154         /* startup service classes main and late_start */
   3155         property_set("vold.decrypt", "trigger_restart_min_framework");
   3156         SLOGD("Just triggered restart_min_framework\n");
   3157 
   3158         /* OK, the framework is restarted and will soon be showing a
   3159          * progress bar.  Time to setup an encrypted mapping, and
   3160          * either write a new filesystem, or encrypt in place updating
   3161          * the progress bar as we work.
   3162          */
   3163     }
   3164 
   3165     decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
   3166     create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
   3167                           "userdata");
   3168 
   3169     /* If we are continuing, check checksums match */
   3170     rc = 0;
   3171     if (previously_encrypted_upto) {
   3172         __le8 hash_first_block[SHA256_DIGEST_LENGTH];
   3173         rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block);
   3174 
   3175         if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block,
   3176                           sizeof(hash_first_block)) != 0) {
   3177             SLOGE("Checksums do not match - trigger wipe");
   3178             rc = -1;
   3179         }
   3180     }
   3181 
   3182     if (!rc) {
   3183         rc = cryptfs_enable_all_volumes(&crypt_ftr, how,
   3184                                         crypto_blkdev, real_blkdev,
   3185                                         previously_encrypted_upto);
   3186     }
   3187 
   3188     /* Calculate checksum if we are not finished */
   3189     if (!rc && how == CRYPTO_ENABLE_INPLACE
   3190             && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
   3191         rc = cryptfs_SHA256_fileblock(crypto_blkdev,
   3192                                       crypt_ftr.hash_first_block);
   3193         if (rc) {
   3194             SLOGE("Error calculating checksum for continuing encryption");
   3195             rc = -1;
   3196         }
   3197     }
   3198 
   3199     /* Undo the dm-crypt mapping whether we succeed or not */
   3200     delete_crypto_blk_dev("userdata");
   3201 
   3202     free(vol_list);
   3203 
   3204     if (! rc) {
   3205         /* Success */
   3206         crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
   3207 
   3208         if (how == CRYPTO_ENABLE_INPLACE
   3209               && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) {
   3210             SLOGD("Encrypted up to sector %lld - will continue after reboot",
   3211                   crypt_ftr.encrypted_upto);
   3212             crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
   3213         }
   3214 
   3215         put_crypt_ftr_and_key(&crypt_ftr);
   3216 
   3217         if (how == CRYPTO_ENABLE_WIPE
   3218               || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) {
   3219           char value[PROPERTY_VALUE_MAX];
   3220           property_get("ro.crypto.state", value, "");
   3221           if (!strcmp(value, "")) {
   3222             /* default encryption - continue first boot sequence */
   3223             property_set("ro.crypto.state", "encrypted");
   3224             release_wake_lock(lockid);
   3225             cryptfs_check_passwd(DEFAULT_PASSWORD);
   3226             cryptfs_restart_internal(1);
   3227             return 0;
   3228           } else {
   3229             sleep(2); /* Give the UI a chance to show 100% progress */
   3230             cryptfs_reboot(reboot);
   3231           }
   3232         } else {
   3233             sleep(2); /* Partially encrypted, ensure writes flushed to ssd */
   3234             cryptfs_reboot(shutdown);
   3235         }
   3236     } else {
   3237         char value[PROPERTY_VALUE_MAX];
   3238 
   3239         property_get("ro.vold.wipe_on_crypt_fail", value, "0");
   3240         if (!strcmp(value, "1")) {
   3241             /* wipe data if encryption failed */
   3242             SLOGE("encryption failed - rebooting into recovery to wipe data\n");
   3243             mkdir("/cache/recovery", 0700);
   3244             int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600);
   3245             if (fd >= 0) {
   3246                 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1);
   3247                 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1);
   3248                 close(fd);
   3249             } else {
   3250                 SLOGE("could not open /cache/recovery/command\n");
   3251             }
   3252             cryptfs_reboot(recovery);
   3253         } else {
   3254             /* set property to trigger dialog */
   3255             property_set("vold.encrypt_progress", "error_partially_encrypted");
   3256             release_wake_lock(lockid);
   3257         }
   3258         return -1;
   3259     }
   3260 
   3261     /* hrm, the encrypt step claims success, but the reboot failed.
   3262      * This should not happen.
   3263      * Set the property and return.  Hope the framework can deal with it.
   3264      */
   3265     property_set("vold.encrypt_progress", "error_reboot_failed");
   3266     release_wake_lock(lockid);
   3267     return rc;
   3268 
   3269 error_unencrypted:
   3270     free(vol_list);
   3271     property_set("vold.encrypt_progress", "error_not_encrypted");
   3272     if (lockid[0]) {
   3273         release_wake_lock(lockid);
   3274     }
   3275     return -1;
   3276 
   3277 error_shutting_down:
   3278     /* we failed, and have not encrypted anthing, so the users's data is still intact,
   3279      * but the framework is stopped and not restarted to show the error, so it's up to
   3280      * vold to restart the system.
   3281      */
   3282     SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system");
   3283     cryptfs_reboot(reboot);
   3284 
   3285     /* shouldn't get here */
   3286     property_set("vold.encrypt_progress", "error_shutting_down");
   3287     free(vol_list);
   3288     if (lockid[0]) {
   3289         release_wake_lock(lockid);
   3290     }
   3291     return -1;
   3292 }
   3293 
   3294 int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot)
   3295 {
   3296     char* adjusted_passwd = adjust_passwd(passwd);
   3297     if (adjusted_passwd) {
   3298         passwd = adjusted_passwd;
   3299     }
   3300 
   3301     int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot);
   3302 
   3303     free(adjusted_passwd);
   3304     return rc;
   3305 }
   3306 
   3307 int cryptfs_enable_default(char *howarg, int allow_reboot)
   3308 {
   3309     return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
   3310                           DEFAULT_PASSWORD, allow_reboot);
   3311 }
   3312 
   3313 int cryptfs_changepw(int crypt_type, const char *newpw)
   3314 {
   3315     struct crypt_mnt_ftr crypt_ftr;
   3316     unsigned char decrypted_master_key[KEY_LEN_BYTES];
   3317 
   3318     /* This is only allowed after we've successfully decrypted the master key */
   3319     if (!master_key_saved) {
   3320         SLOGE("Key not saved, aborting");
   3321         return -1;
   3322     }
   3323 
   3324     if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
   3325         SLOGE("Invalid crypt_type %d", crypt_type);
   3326         return -1;
   3327     }
   3328 
   3329     /* get key */
   3330     if (get_crypt_ftr_and_key(&crypt_ftr)) {
   3331         SLOGE("Error getting crypt footer and key");
   3332         return -1;
   3333     }
   3334 
   3335     crypt_ftr.crypt_type = crypt_type;
   3336 
   3337     char* adjusted_passwd = adjust_passwd(newpw);
   3338     if (adjusted_passwd) {
   3339         newpw = adjusted_passwd;
   3340     }
   3341 
   3342     encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
   3343                                                         : newpw,
   3344                        crypt_ftr.salt,
   3345                        saved_master_key,
   3346                        crypt_ftr.master_key,
   3347                        &crypt_ftr);
   3348 
   3349     /* save the key */
   3350     put_crypt_ftr_and_key(&crypt_ftr);
   3351 
   3352     free(adjusted_passwd);
   3353 
   3354 #ifdef CONFIG_HW_DISK_ENCRYPTION
   3355     if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) {
   3356         if (crypt_type == CRYPT_TYPE_DEFAULT) {
   3357             int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name);
   3358             SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc);
   3359             if (!rc)
   3360                 return -1;
   3361         } else {
   3362             int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name);
   3363             SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc);
   3364             if (!rc)
   3365                 return -1;
   3366         }
   3367     }
   3368 #endif
   3369     return 0;
   3370 }
   3371 
   3372 static unsigned int persist_get_max_entries(int encrypted) {
   3373     struct crypt_mnt_ftr crypt_ftr;
   3374     unsigned int dsize;
   3375     unsigned int max_persistent_entries;
   3376 
   3377     /* If encrypted, use the values from the crypt_ftr, otherwise
   3378      * use the values for the current spec.
   3379      */
   3380     if (encrypted) {
   3381         if (get_crypt_ftr_and_key(&crypt_ftr)) {
   3382             return -1;
   3383         }
   3384         dsize = crypt_ftr.persist_data_size;
   3385     } else {
   3386         dsize = CRYPT_PERSIST_DATA_SIZE;
   3387     }
   3388 
   3389     max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) /
   3390         sizeof(struct crypt_persist_entry);
   3391 
   3392     return max_persistent_entries;
   3393 }
   3394 
   3395 static int persist_get_key(const char *fieldname, char *value)
   3396 {
   3397     unsigned int i;
   3398 
   3399     if (persist_data == NULL) {
   3400         return -1;
   3401     }
   3402     for (i = 0; i < persist_data->persist_valid_entries; i++) {
   3403         if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
   3404             /* We found it! */
   3405             strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
   3406             return 0;
   3407         }
   3408     }
   3409 
   3410     return -1;
   3411 }
   3412 
   3413 static int persist_set_key(const char *fieldname, const char *value, int encrypted)
   3414 {
   3415     unsigned int i;
   3416     unsigned int num;
   3417     unsigned int max_persistent_entries;
   3418 
   3419     if (persist_data == NULL) {
   3420         return -1;
   3421     }
   3422 
   3423     max_persistent_entries = persist_get_max_entries(encrypted);
   3424 
   3425     num = persist_data->persist_valid_entries;
   3426 
   3427     for (i = 0; i < num; i++) {
   3428         if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
   3429             /* We found an existing entry, update it! */
   3430             memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
   3431             strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
   3432             return 0;
   3433         }
   3434     }
   3435 
   3436     /* We didn't find it, add it to the end, if there is room */
   3437     if (persist_data->persist_valid_entries < max_persistent_entries) {
   3438         memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
   3439         strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
   3440         strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
   3441         persist_data->persist_valid_entries++;
   3442         return 0;
   3443     }
   3444 
   3445     return -1;
   3446 }
   3447 
   3448 /**
   3449  * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
   3450  * sequence and its index is greater than or equal to index. Return 0 otherwise.
   3451  */
   3452 static int match_multi_entry(const char *key, const char *field, unsigned index) {
   3453     unsigned int i;
   3454     unsigned int field_len;
   3455     unsigned int key_index;
   3456     field_len = strlen(field);
   3457 
   3458     if (index == 0) {
   3459         // The first key in a multi-entry field is just the filedname itself.
   3460         if (!strcmp(key, field)) {
   3461             return 1;
   3462         }
   3463     }
   3464     // Match key against "%s_%d" % (field, index)
   3465     if (strlen(key) < field_len + 1 + 1) {
   3466         // Need at least a '_' and a digit.
   3467         return 0;
   3468     }
   3469     if (strncmp(key, field, field_len)) {
   3470         // If the key does not begin with field, it's not a match.
   3471         return 0;
   3472     }
   3473     if (1 != sscanf(&key[field_len],"_%d", &key_index)) {
   3474         return 0;
   3475     }
   3476     return key_index >= index;
   3477 }
   3478 
   3479 /*
   3480  * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
   3481  * remaining entries starting from index will be deleted.
   3482  * returns PERSIST_DEL_KEY_OK if deletion succeeds,
   3483  * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
   3484  * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
   3485  *
   3486  */
   3487 static int persist_del_keys(const char *fieldname, unsigned index)
   3488 {
   3489     unsigned int i;
   3490     unsigned int j;
   3491     unsigned int num;
   3492 
   3493     if (persist_data == NULL) {
   3494         return PERSIST_DEL_KEY_ERROR_OTHER;
   3495     }
   3496 
   3497     num = persist_data->persist_valid_entries;
   3498 
   3499     j = 0; // points to the end of non-deleted entries.
   3500     // Filter out to-be-deleted entries in place.
   3501     for (i = 0; i < num; i++) {
   3502         if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
   3503             persist_data->persist_entry[j] = persist_data->persist_entry[i];
   3504             j++;
   3505         }
   3506     }
   3507 
   3508     if (j < num) {
   3509         persist_data->persist_valid_entries = j;
   3510         // Zeroise the remaining entries
   3511         memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
   3512         return PERSIST_DEL_KEY_OK;
   3513     } else {
   3514         // Did not find an entry matching the given fieldname
   3515         return PERSIST_DEL_KEY_ERROR_NO_FIELD;
   3516     }
   3517 }
   3518 
   3519 static int persist_count_keys(const char *fieldname)
   3520 {
   3521     unsigned int i;
   3522     unsigned int count;
   3523 
   3524     if (persist_data == NULL) {
   3525         return -1;
   3526     }
   3527 
   3528     count = 0;
   3529     for (i = 0; i < persist_data->persist_valid_entries; i++) {
   3530         if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
   3531             count++;
   3532         }
   3533     }
   3534 
   3535     return count;
   3536 }
   3537 
   3538 /* Return the value of the specified field. */
   3539 int cryptfs_getfield(const char *fieldname, char *value, int len)
   3540 {
   3541     char temp_value[PROPERTY_VALUE_MAX];
   3542     char real_blkdev[MAXPATHLEN];
   3543     /* CRYPTO_GETFIELD_OK is success,
   3544      * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
   3545      * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
   3546      * CRYPTO_GETFIELD_ERROR_OTHER is any other error
   3547      */
   3548     int rc = CRYPTO_GETFIELD_ERROR_OTHER;
   3549     int i;
   3550     char temp_field[PROPERTY_KEY_MAX];
   3551 
   3552     if (persist_data == NULL) {
   3553         load_persistent_data();
   3554         if (persist_data == NULL) {
   3555             SLOGE("Getfield error, cannot load persistent data");
   3556             goto out;
   3557         }
   3558     }
   3559 
   3560     // Read value from persistent entries. If the original value is split into multiple entries,
   3561     // stitch them back together.
   3562     if (!persist_get_key(fieldname, temp_value)) {
   3563         // We found it, copy it to the caller's buffer and keep going until all entries are read.
   3564         if (strlcpy(value, temp_value, len) >= (unsigned) len) {
   3565             // value too small
   3566             rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
   3567             goto out;
   3568         }
   3569         rc = CRYPTO_GETFIELD_OK;
   3570 
   3571         for (i = 1; /* break explicitly */; i++) {
   3572             if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
   3573                     (int) sizeof(temp_field)) {
   3574                 // If the fieldname is very long, we stop as soon as it begins to overflow the
   3575                 // maximum field length. At this point we have in fact fully read out the original
   3576                 // value because cryptfs_setfield would not allow fields with longer names to be
   3577                 // written in the first place.
   3578                 break;
   3579             }
   3580             if (!persist_get_key(temp_field, temp_value)) {
   3581                   if (strlcat(value, temp_value, len) >= (unsigned)len) {
   3582                       // value too small.
   3583                       rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
   3584                       goto out;
   3585                   }
   3586             } else {
   3587                 // Exhaust all entries.
   3588                 break;
   3589             }
   3590         }
   3591     } else {
   3592         /* Sadness, it's not there.  Return the error */
   3593         rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
   3594     }
   3595 
   3596 out:
   3597     return rc;
   3598 }
   3599 
   3600 /* Set the value of the specified field. */
   3601 int cryptfs_setfield(const char *fieldname, const char *value)
   3602 {
   3603     struct crypt_persist_data stored_pdata;
   3604     struct crypt_persist_data *pdata_p;
   3605     struct crypt_mnt_ftr crypt_ftr;
   3606     char encrypted_state[PROPERTY_VALUE_MAX];
   3607     /* 0 is success, negative values are error */
   3608     int rc = CRYPTO_SETFIELD_ERROR_OTHER;
   3609     int encrypted = 0;
   3610     unsigned int field_id;
   3611     char temp_field[PROPERTY_KEY_MAX];
   3612     unsigned int num_entries;
   3613     unsigned int max_keylen;
   3614 
   3615     if (persist_data == NULL) {
   3616         load_persistent_data();
   3617         if (persist_data == NULL) {
   3618             SLOGE("Setfield error, cannot load persistent data");
   3619             goto out;
   3620         }
   3621     }
   3622 
   3623     property_get("ro.crypto.state", encrypted_state, "");
   3624     if (!strcmp(encrypted_state, "encrypted") ) {
   3625         encrypted = 1;
   3626     }
   3627 
   3628     // Compute the number of entries required to store value, each entry can store up to
   3629     // (PROPERTY_VALUE_MAX - 1) chars
   3630     if (strlen(value) == 0) {
   3631         // Empty value also needs one entry to store.
   3632         num_entries = 1;
   3633     } else {
   3634         num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
   3635     }
   3636 
   3637     max_keylen = strlen(fieldname);
   3638     if (num_entries > 1) {
   3639         // Need an extra "_%d" suffix.
   3640         max_keylen += 1 + log10(num_entries);
   3641     }
   3642     if (max_keylen > PROPERTY_KEY_MAX - 1) {
   3643         rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
   3644         goto out;
   3645     }
   3646 
   3647     // Make sure we have enough space to write the new value
   3648     if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
   3649         persist_get_max_entries(encrypted)) {
   3650         rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
   3651         goto out;
   3652     }
   3653 
   3654     // Now that we know persist_data has enough space for value, let's delete the old field first
   3655     // to make up space.
   3656     persist_del_keys(fieldname, 0);
   3657 
   3658     if (persist_set_key(fieldname, value, encrypted)) {
   3659         // fail to set key, should not happen as we have already checked the available space
   3660         SLOGE("persist_set_key() error during setfield()");
   3661         goto out;
   3662     }
   3663 
   3664     for (field_id = 1; field_id < num_entries; field_id++) {
   3665         snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id);
   3666 
   3667         if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
   3668             // fail to set key, should not happen as we have already checked the available space.
   3669             SLOGE("persist_set_key() error during setfield()");
   3670             goto out;
   3671         }
   3672     }
   3673 
   3674     /* If we are running encrypted, save the persistent data now */
   3675     if (encrypted) {
   3676         if (save_persistent_data()) {
   3677             SLOGE("Setfield error, cannot save persistent data");
   3678             goto out;
   3679         }
   3680     }
   3681 
   3682     rc = CRYPTO_SETFIELD_OK;
   3683 
   3684 out:
   3685     return rc;
   3686 }
   3687 
   3688 /* Checks userdata. Attempt to mount the volume if default-
   3689  * encrypted.
   3690  * On success trigger next init phase and return 0.
   3691  * Currently do not handle failure - see TODO below.
   3692  */
   3693 int cryptfs_mount_default_encrypted(void)
   3694 {
   3695     char decrypt_state[PROPERTY_VALUE_MAX];
   3696     property_get("vold.decrypt", decrypt_state, "0");
   3697     if (!strcmp(decrypt_state, "0")) {
   3698         SLOGE("Not encrypted - should not call here");
   3699     } else {
   3700         int crypt_type = cryptfs_get_password_type();
   3701         if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
   3702             SLOGE("Bad crypt type - error");
   3703         } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
   3704             SLOGD("Password is not default - "
   3705                   "starting min framework to prompt");
   3706             property_set("vold.decrypt", "trigger_restart_min_framework");
   3707             return 0;
   3708         } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
   3709             SLOGD("Password is default - restarting filesystem");
   3710             cryptfs_restart_internal(0);
   3711             return 0;
   3712         } else {
   3713             SLOGE("Encrypted, default crypt type but can't decrypt");
   3714         }
   3715     }
   3716 
   3717     /** Corrupt. Allow us to boot into framework, which will detect bad
   3718         crypto when it calls do_crypto_complete, then do a factory reset
   3719      */
   3720     property_set("vold.decrypt", "trigger_restart_min_framework");
   3721     return 0;
   3722 }
   3723 
   3724 /* Returns type of the password, default, pattern, pin or password.
   3725  */
   3726 int cryptfs_get_password_type(void)
   3727 {
   3728     struct crypt_mnt_ftr crypt_ftr;
   3729 
   3730     if (get_crypt_ftr_and_key(&crypt_ftr)) {
   3731         SLOGE("Error getting crypt footer and key\n");
   3732         return -1;
   3733     }
   3734 
   3735     if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
   3736         return -1;
   3737     }
   3738 
   3739     return crypt_ftr.crypt_type;
   3740 }
   3741 
   3742 char* cryptfs_get_password()
   3743 {
   3744     struct timespec now;
   3745     clock_gettime(CLOCK_BOOTTIME, &now);
   3746     if (now.tv_sec < password_expiry_time) {
   3747         return password;
   3748     } else {
   3749         cryptfs_clear_password();
   3750         return 0;
   3751     }
   3752 }
   3753 
   3754 void cryptfs_clear_password()
   3755 {
   3756     if (password) {
   3757         size_t len = strlen(password);
   3758         memset(password, 0, len);
   3759         free(password);
   3760         password = 0;
   3761         password_expiry_time = 0;
   3762     }
   3763 }
   3764