commit 731a7a242df6cc3441ac82b4f9521546fac5ac2d
author Paul Lawrence <paullawrence@google.com> Tue Apr 28 22:14:15 2015 +0000
committer Paul Lawrence <paullawrence@google.com> Fri May 29 17:25:54 2015 +0000
tree 316654e8073f1a491fec7801d0f1c1cf7ddf21d2
parent 65427f1a805ed2b8ee65a30ecf6ea8b14fe1e02b

DO NOT MERGE Securely encrypt the master key

(cherry-picked from commit 707fd6c7cccc31c0ab0ec1a6ac8b6077c632fc35)

Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3c68691717a61b5e1df76423ca0c02baff0dab98

cryptfs.c

diff --git a/cryptfs.c b/cryptfs.c
index f6bad74..79d2052 100644
--- a/cryptfs.c
+++ b/cryptfs.c
@@ -53,7 +53,8 @@
 #include "VolumeManager.h"
 #include "VoldUtil.h"
 #include "crypto_scrypt.h"
-#include "ext4_crypt.h"
+#include "Ext4Crypt.h"
+#include "ext4_crypt_init_extensions.h"
 #include "ext4_utils.h"
 #include "f2fs_sparseblock.h"
 #include "CheckBattery.h"
@@ -1292,7 +1293,7 @@
 
     /* Encrypt the master key */
     if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len,
-                              decrypted_master_key, KEY_LEN_BYTES)) {
+                            decrypted_master_key, KEY_LEN_BYTES)) {
         SLOGE("EVP_EncryptUpdate failed\n");
         return -1;
     }
@@ -1327,7 +1328,7 @@
     return 0;
 }
 
-static int decrypt_master_key_aux(char *passwd, unsigned char *salt,
+static int decrypt_master_key_aux(const char *passwd, unsigned char *salt,
                                   unsigned char *encrypted_master_key,
                                   unsigned char *decrypted_master_key,
                                   kdf_func kdf, void *kdf_params,
@@ -1390,7 +1391,7 @@
     }
 }
 
-static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key,
+static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key,
                               struct crypt_mnt_ftr *crypt_ftr,
                               unsigned char** intermediate_key,
                               size_t* intermediate_key_size)
@@ -3717,3 +3718,46 @@
         password_expiry_time = 0;
     }
 }
+
+int cryptfs_enable_file()
+{
+    return e4crypt_enable(DATA_MNT_POINT);
+}
+
+int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
+{
+    if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
+        SLOGE("Failed to initialize crypt_ftr");
+        return -1;
+    }
+
+    if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
+                                    crypt_ftr->salt, crypt_ftr)) {
+        SLOGE("Cannot create encrypted master key\n");
+        return -1;
+    }
+
+    //crypt_ftr->keysize = key_length / 8;
+    return 0;
+}
+
+int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
+                           unsigned char* master_key)
+{
+    int rc;
+
+    // ext4enc:TODO check intermediate_key to see if this is valid key
+    unsigned char* intermediate_key = 0;
+    size_t intermediate_key_size = 0;
+    rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
+                            &intermediate_key_size);
+
+    return rc;
+}
+
+int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password,
+                         const unsigned char* master_key)
+{
+    return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key,
+                              ftr);
+}