Enable auto-encrypt drive at startup
Modify the enablecrypto command to make the password optional. When the password is omitted, default-encrypt the device.

Remove a warning by making at least some parts of this file const-correct.

Bug: 11985952
Change-Id: Ie27da4c4072386d9d6519d97ff46c6dc4ed188dc
parent
931f15d050
commit
1348603357
4 changed files with 46 additions and 21 deletions
|
@ -546,21 +546,32 @@ int CommandListener::CryptfsCmd::runCommand(SocketClient *cli,
|
|||
dumpArgs(argc, argv, -1);
|
||||
rc = cryptfs_crypto_complete();
|
||||
} else if (!strcmp(argv[1], "enablecrypto")) {
|
||||
if ( (argc != 4) || (strcmp(argv[2], "wipe") && strcmp(argv[2], "inplace")) ) {
|
||||
cli->sendMsg(ResponseCode::CommandSyntaxError, "Usage: cryptfs enablecrypto <wipe|inplace> <passwd>", false);
|
||||
if ( (argc != 4 && argc != 3)
|
||||
|| (strcmp(argv[2], "wipe") && strcmp(argv[2], "inplace")) ) {
|
||||
cli->sendMsg(ResponseCode::CommandSyntaxError,
|
||||
"Usage: cryptfs enablecrypto <wipe|inplace> [passwd]",
|
||||
false);
|
||||
return 0;
|
||||
}
|
||||
dumpArgs(argc, argv, 3);
|
||||
rc = cryptfs_enable(argv[2], argv[3], /*allow_reboot*/false);
|
||||
if (rc) {
|
||||
Process::killProcessesWithOpenFiles(DATA_MNT_POINT, 2);
|
||||
rc = cryptfs_enable(argv[2], argv[3], true);
|
||||
}
|
||||
|
||||
int tries;
|
||||
for (tries = 0; tries < 2; ++tries) {
|
||||
if(argc == 3)
|
||||
rc = cryptfs_enable_default(argv[2], /*allow_reboot*/false);
|
||||
else
|
||||
rc = cryptfs_enable(argv[2], argv[3], /*allow_reboot*/false);
|
||||
|
||||
if (rc == 0) {
|
||||
break;
|
||||
} else if (tries == 0) {
|
||||
Process::killProcessesWithOpenFiles(DATA_MNT_POINT, 2);
|
||||
}
|
||||
}
|
||||
} else if (!strcmp(argv[1], "changepw")) {
|
||||
const char* syntax = "Usage: cryptfs changepw "
|
||||
"default|password|pin|pattern [newpasswd]";
|
||||
char* password;
|
||||
const char* password;
|
||||
if (argc == 3) {
|
||||
password = "";
|
||||
} else if (argc == 4) {
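Review bot: Both passes of the new `for (tries = 0; tries < 2; ++tries)` loop call `cryptfs_enable` / `cryptfs_enable_default` with `allow_reboot` false, whereas the lines it appears to replace retried with `cryptfs_enable(argv[2], argv[3], true)` after `killProcessesWithOpenFiles`. The commit description does not mention dropping the reboot fallback, so either pass `/*allow_reboot*/ tries != 0` to both calls or add a comment stating that the retry is now deliberately non-rebooting. The unbraced `if(argc == 3) ... else ...` inside the loop should also get braces, since each arm selects a different encryption type and a later edit could easily detach one of them. `runCommand` starts and ends outside this hunk, and which printed lines are old and which are new is inferred from the commit description because the page lost its `+`/`-` markers.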
|
||||
|
|
32
cryptfs.c
32
cryptfs.c
|
@ -925,7 +925,7 @@ errout:
|
|||
|
||||
}
|
||||
|
||||
static int pbkdf2(char *passwd, unsigned char *salt,
|
||||
static int pbkdf2(const char *passwd, unsigned char *salt,
|
||||
unsigned char *ikey, void *params UNUSED)
|
||||
{
|
||||
/* Turn the password into a key and IV that can decrypt the master key */
|
||||
|
@ -939,7 +939,7 @@ static int pbkdf2(char *passwd, unsigned char *salt,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int scrypt(char *passwd, unsigned char *salt,
|
||||
static int scrypt(const char *passwd, unsigned char *salt,
|
||||
unsigned char *ikey, void *params)
|
||||
{
|
||||
struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
|
||||
|
@ -959,7 +959,7 @@ static int scrypt(char *passwd, unsigned char *salt,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int encrypt_master_key(char *passwd, unsigned char *salt,
|
||||
static int encrypt_master_key(const char *passwd, unsigned char *salt,
|
||||
unsigned char *decrypted_master_key,
|
||||
unsigned char *encrypted_master_key,
|
||||
struct crypt_mnt_ftr *crypt_ftr)
|
||||
|
@ -1903,7 +1903,8 @@ static inline int should_encrypt(struct volume_info *volume)
|
|||
(VOL_ENCRYPTABLE | VOL_NONREMOVABLE);
|
||||
}
|
||||
|
||||
int cryptfs_enable(char *howarg, char *passwd, int allow_reboot)
|
||||
int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
|
||||
int allow_reboot)
|
||||
{
|
||||
int how = 0;
|
||||
char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN], sd_crypto_blkdev[MAXPATHLEN];
|
||||
|
@ -2083,11 +2084,7 @@ int cryptfs_enable(char *howarg, char *passwd, int allow_reboot)
|
|||
crypt_ftr.fs_size = nr_sec;
|
||||
}
|
||||
crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
|
||||
|
||||
/** @TODO If we keep this route, must pass in crypt_type.
|
||||
* If all devices are encrypted by default, we don't need that change.
|
||||
*/
|
||||
crypt_ftr.crypt_type = CRYPT_TYPE_PASSWORD;
|
||||
crypt_ftr.crypt_type = crypt_type;
|
||||
strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
|
||||
|
||||
/* Make an encrypted master key */
|
||||
|
@ -2244,7 +2241,22 @@ error_shutting_down:
|
|||
return -1;
|
||||
}
|
||||
|
||||
int cryptfs_changepw(int crypt_type, char *newpw)
|
||||
int cryptfs_enable(char *howarg, char *passwd, int allow_reboot)
|
||||
{
|
||||
/** @todo If we keep this route (user selected encryption)
|
||||
* need to take a type in and pass it to here.
|
||||
*/
|
||||
return cryptfs_enable_internal(howarg, CRYPT_TYPE_PASSWORD,
|
||||
passwd, allow_reboot);
|
||||
}
|
||||
|
||||
int cryptfs_enable_default(char *howarg, int allow_reboot)
|
||||
{
|
||||
return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
|
||||
DEFAULT_PASSWORD, allow_reboot);
|
||||
}
|
||||
|
||||
int cryptfs_changepw(int crypt_type, const char *newpw)
|
||||
{
|
||||
struct crypt_mnt_ftr crypt_ftr;
|
||||
unsigned char decrypted_master_key[KEY_LEN_BYTES];
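Review bot: `cryptfs_enable_internal` still takes `char *passwd`, yet the new `cryptfs_enable_default` passes it `DEFAULT_PASSWORD`; if that macro is a string literal (its definition is not on this page), this call is the same const mismatch the commit removes from `pbkdf2`, `scrypt` and `encrypt_master_key`. Declaring the helper as `static int cryptfs_enable_internal(char *howarg, int crypt_type, const char *passwd,` would fix that and keep it file-local, since the cryptfs.h section exports only `cryptfs_enable` and `cryptfs_enable_default`; this assumes the body, which runs outside the hunk, never writes through `passwd`. `cryptfs_enable_default` also deserves a comment such as `/* Wraps the master key with the built-in DEFAULT_PASSWORD; no user-chosen secret protects it until a later cryptfs_changepw() call sets one. */`, so callers do not mistake default encryption for password-protected encryption.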
|
||||
|
|
|
@ -148,14 +148,16 @@ struct volume_info {
|
|||
extern "C" {
|
||||
#endif
|
||||
|
||||
typedef int (*kdf_func)(char *passwd, unsigned char *salt, unsigned char *ikey, void *params);
|
||||
typedef int (*kdf_func)(const char *passwd, unsigned char *salt,
|
||||
unsigned char *ikey, void *params);
|
||||
|
||||
int cryptfs_crypto_complete(void);
|
||||
int cryptfs_check_passwd(char *pw);
|
||||
int cryptfs_verify_passwd(char *newpw);
|
||||
int cryptfs_restart(void);
|
||||
int cryptfs_enable(char *flag, char *passwd, int allow_reboot);
|
||||
int cryptfs_changepw(int type, char *newpw);
|
||||
int cryptfs_changepw(int type, const char *newpw);
|
||||
int cryptfs_enable_default(char *flag, int allow_reboot);
|
||||
int cryptfs_setup_volume(const char *label, int major, int minor,
|
||||
char *crypto_dev_path, unsigned int max_pathlen,
|
||||
int *new_major, int *new_minor);
|
||||
|
|