Enable auto-encrypt drive at startup

Modify enablecrypto command to make the password optional. When it is
not there, default encrypt the device.

Remove a warning by making at least some parts of this file const-correct.

Bug: 11985952
Change-Id: Ie27da4c4072386d9d6519d97ff46c6dc4ed188dc

CommandListener.cpp

@@ -546,21 +546,32 @@ int CommandListener::CryptfsCmd::runCommand(SocketClient *cli,
         dumpArgs(argc, argv, -1);
         rc = cryptfs_crypto_complete();
     } else if (!strcmp(argv[1], "enablecrypto")) {
-        if ( (argc != 4) || (strcmp(argv[2], "wipe") && strcmp(argv[2], "inplace")) ) {
-            cli->sendMsg(ResponseCode::CommandSyntaxError, "Usage: cryptfs enablecrypto <wipe|inplace> <passwd>", false);
+        if ( (argc != 4 && argc != 3)
+             || (strcmp(argv[2], "wipe") && strcmp(argv[2], "inplace")) ) {
+            cli->sendMsg(ResponseCode::CommandSyntaxError,
+                         "Usage: cryptfs enablecrypto <wipe|inplace> [passwd]",
+                         false);
             return 0;
         }
         dumpArgs(argc, argv, 3);
-        rc = cryptfs_enable(argv[2], argv[3], /*allow_reboot*/false);
-        if (rc) {
-            Process::killProcessesWithOpenFiles(DATA_MNT_POINT, 2);
-            rc = cryptfs_enable(argv[2], argv[3], true);
-        }
 
+        int tries;
+        for (tries = 0; tries < 2; ++tries) {
+            if(argc == 3)
+                rc = cryptfs_enable_default(argv[2], /*allow_reboot*/false);
+            else
+                rc = cryptfs_enable(argv[2], argv[3], /*allow_reboot*/false);
+
+            if (rc == 0) {
+                break;
+            } else if (tries == 0) {
+                Process::killProcessesWithOpenFiles(DATA_MNT_POINT, 2);
+            }
+        }
     } else if (!strcmp(argv[1], "changepw")) {
         const char* syntax = "Usage: cryptfs changepw "
                              "default|password|pin|pattern [newpasswd]";
-        char* password;
+        const char* password;
         if (argc == 3) {
             password = "";
         } else if (argc == 4) {

cryptfs.c

@@ -925,7 +925,7 @@ errout:
 
 }
 
-static int pbkdf2(char *passwd, unsigned char *salt,
+static int pbkdf2(const char *passwd, unsigned char *salt,
                   unsigned char *ikey, void *params UNUSED)
 {
     /* Turn the password into a key and IV that can decrypt the master key */
@@ -939,7 +939,7 @@ static int pbkdf2(char *passwd, unsigned char *salt,
     return 0;
 }
 
-static int scrypt(char *passwd, unsigned char *salt,
+static int scrypt(const char *passwd, unsigned char *salt,
                   unsigned char *ikey, void *params)
 {
     struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
@@ -959,7 +959,7 @@ static int scrypt(char *passwd, unsigned char *salt,
     return 0;
 }
 
-static int encrypt_master_key(char *passwd, unsigned char *salt,
+static int encrypt_master_key(const char *passwd, unsigned char *salt,
                               unsigned char *decrypted_master_key,
                               unsigned char *encrypted_master_key,
                               struct crypt_mnt_ftr *crypt_ftr)
@@ -1903,7 +1903,8 @@ static inline int should_encrypt(struct volume_info *volume)
             (VOL_ENCRYPTABLE | VOL_NONREMOVABLE);
 }
 
-int cryptfs_enable(char *howarg, char *passwd, int allow_reboot)
+int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
+                            int allow_reboot)
 {
     int how = 0;
     char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN], sd_crypto_blkdev[MAXPATHLEN];
@@ -2083,11 +2084,7 @@ int cryptfs_enable(char *howarg, char *passwd, int allow_reboot)
         crypt_ftr.fs_size = nr_sec;
     }
     crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
-
-    /** @TODO If we keep this route, must pass in crypt_type.
-     * If all devices are encrypted by default, we don't need that change.
-     */
-    crypt_ftr.crypt_type = CRYPT_TYPE_PASSWORD;
+    crypt_ftr.crypt_type = crypt_type;
     strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
 
     /* Make an encrypted master key */
@@ -2244,7 +2241,22 @@ error_shutting_down:
     return -1;
 }
 
-int cryptfs_changepw(int crypt_type, char *newpw)
+int cryptfs_enable(char *howarg, char *passwd, int allow_reboot)
+{
+    /** @todo If we keep this route (user selected encryption)
+     *  need to take a type in and pass it to here.
+     */
+    return cryptfs_enable_internal(howarg, CRYPT_TYPE_PASSWORD,
+                                   passwd, allow_reboot);
+}
+
+int cryptfs_enable_default(char *howarg, int allow_reboot)
+{
+    return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
+                          DEFAULT_PASSWORD, allow_reboot);
+}
+
+int cryptfs_changepw(int crypt_type, const char *newpw)
 {
     struct crypt_mnt_ftr crypt_ftr;
     unsigned char decrypted_master_key[KEY_LEN_BYTES];

cryptfs.h

@@ -148,14 +148,16 @@ struct volume_info {
 extern "C" {
 #endif
 
-  typedef int (*kdf_func)(char *passwd, unsigned char *salt, unsigned char *ikey, void *params);
+  typedef int (*kdf_func)(const char *passwd, unsigned char *salt,
+                          unsigned char *ikey, void *params);
 
   int cryptfs_crypto_complete(void);
   int cryptfs_check_passwd(char *pw);
   int cryptfs_verify_passwd(char *newpw);
   int cryptfs_restart(void);
   int cryptfs_enable(char *flag, char *passwd, int allow_reboot);
-  int cryptfs_changepw(int type, char *newpw);
+  int cryptfs_changepw(int type, const char *newpw);
+  int cryptfs_enable_default(char *flag, int allow_reboot);
   int cryptfs_setup_volume(const char *label, int major, int minor,
                            char *crypto_dev_path, unsigned int max_pathlen,
                            int *new_major, int *new_minor);

vdc.c

@@ -59,7 +59,7 @@ int main(int argc, char **argv) {
             fprintf(stderr, "Error connecting (%s)\n", strerror(errno));
             exit(4);
         } else {
-          sleep(1);
+            sleep(1);
         }
     }