1*59bfda1fSAndroid Build Coastguard Worker /*
2*59bfda1fSAndroid Build Coastguard Worker * f2fscrypt.c - f2fs encryption management utility
3*59bfda1fSAndroid Build Coastguard Worker *
4*59bfda1fSAndroid Build Coastguard Worker * Authors: Kinglong Mee <[email protected]>
5*59bfda1fSAndroid Build Coastguard Worker *
6*59bfda1fSAndroid Build Coastguard Worker * Copied from e4crypt that for ext4 filesystem.
7*59bfda1fSAndroid Build Coastguard Worker * Authors: Michael Halcrow <[email protected]>,
8*59bfda1fSAndroid Build Coastguard Worker * Ildar Muslukhov <[email protected]>
9*59bfda1fSAndroid Build Coastguard Worker */
10*59bfda1fSAndroid Build Coastguard Worker #ifndef _GNU_SOURCE
11*59bfda1fSAndroid Build Coastguard Worker #define _GNU_SOURCE
12*59bfda1fSAndroid Build Coastguard Worker #endif
13*59bfda1fSAndroid Build Coastguard Worker
14*59bfda1fSAndroid Build Coastguard Worker #include <f2fs_fs.h>
15*59bfda1fSAndroid Build Coastguard Worker
16*59bfda1fSAndroid Build Coastguard Worker #include <assert.h>
17*59bfda1fSAndroid Build Coastguard Worker #include <errno.h>
18*59bfda1fSAndroid Build Coastguard Worker #include <getopt.h>
19*59bfda1fSAndroid Build Coastguard Worker #include <dirent.h>
20*59bfda1fSAndroid Build Coastguard Worker #include <errno.h>
21*59bfda1fSAndroid Build Coastguard Worker #include <stdarg.h>
22*59bfda1fSAndroid Build Coastguard Worker #include <stdio.h>
23*59bfda1fSAndroid Build Coastguard Worker #include <stdlib.h>
24*59bfda1fSAndroid Build Coastguard Worker #include <string.h>
25*59bfda1fSAndroid Build Coastguard Worker #ifdef HAVE_MNTENT_H
26*59bfda1fSAndroid Build Coastguard Worker #include <mntent.h>
27*59bfda1fSAndroid Build Coastguard Worker #endif
28*59bfda1fSAndroid Build Coastguard Worker #include <sys/ioctl.h>
29*59bfda1fSAndroid Build Coastguard Worker #include <sys/stat.h>
30*59bfda1fSAndroid Build Coastguard Worker #include <sys/types.h>
31*59bfda1fSAndroid Build Coastguard Worker #include <fcntl.h>
32*59bfda1fSAndroid Build Coastguard Worker #include <termios.h>
33*59bfda1fSAndroid Build Coastguard Worker #include <unistd.h>
34*59bfda1fSAndroid Build Coastguard Worker #include <signal.h>
35*59bfda1fSAndroid Build Coastguard Worker #ifdef __KERNEL__
36*59bfda1fSAndroid Build Coastguard Worker #include <linux/fs.h>
37*59bfda1fSAndroid Build Coastguard Worker #endif
38*59bfda1fSAndroid Build Coastguard Worker
39*59bfda1fSAndroid Build Coastguard Worker #ifdef HAVE_UUID_UUID_H
40*59bfda1fSAndroid Build Coastguard Worker #include <uuid/uuid.h>
41*59bfda1fSAndroid Build Coastguard Worker #else
42*59bfda1fSAndroid Build Coastguard Worker typedef unsigned char uuid_t[16];
43*59bfda1fSAndroid Build Coastguard Worker #endif
44*59bfda1fSAndroid Build Coastguard Worker
45*59bfda1fSAndroid Build Coastguard Worker #if !defined(HAVE_ADD_KEY) || !defined(HAVE_KEYCTL)
46*59bfda1fSAndroid Build Coastguard Worker #include <sys/syscall.h>
47*59bfda1fSAndroid Build Coastguard Worker #endif
48*59bfda1fSAndroid Build Coastguard Worker #ifdef HAVE_SYS_KEY_H
49*59bfda1fSAndroid Build Coastguard Worker #include <sys/key.h>
50*59bfda1fSAndroid Build Coastguard Worker #endif
51*59bfda1fSAndroid Build Coastguard Worker
52*59bfda1fSAndroid Build Coastguard Worker #define F2FS_MAX_KEY_SIZE 64
53*59bfda1fSAndroid Build Coastguard Worker #define F2FS_MAX_PASSPHRASE_SIZE 1024
54*59bfda1fSAndroid Build Coastguard Worker #define F2FS_MAX_SALT_SIZE 256
55*59bfda1fSAndroid Build Coastguard Worker
56*59bfda1fSAndroid Build Coastguard Worker /* Encryption algorithms, key size and key reference len */
57*59bfda1fSAndroid Build Coastguard Worker #define F2FS_ENCRYPTION_MODE_INVALID 0
58*59bfda1fSAndroid Build Coastguard Worker #define F2FS_ENCRYPTION_MODE_AES_256_XTS 1
59*59bfda1fSAndroid Build Coastguard Worker #define F2FS_ENCRYPTION_MODE_AES_256_GCM 2
60*59bfda1fSAndroid Build Coastguard Worker #define F2FS_ENCRYPTION_MODE_AES_256_CBC 3
61*59bfda1fSAndroid Build Coastguard Worker #define F2FS_ENCRYPTION_MODE_AES_256_CTS 4
62*59bfda1fSAndroid Build Coastguard Worker
63*59bfda1fSAndroid Build Coastguard Worker #define F2FS_AES_256_XTS_KEY_SIZE 64
64*59bfda1fSAndroid Build Coastguard Worker #define F2FS_AES_256_GCM_KEY_SIZE 32
65*59bfda1fSAndroid Build Coastguard Worker #define F2FS_AES_256_CBC_KEY_SIZE 32
66*59bfda1fSAndroid Build Coastguard Worker #define F2FS_AES_256_CTS_KEY_SIZE 32
67*59bfda1fSAndroid Build Coastguard Worker #define F2FS_MAX_KEY_SIZE 64
68*59bfda1fSAndroid Build Coastguard Worker
69*59bfda1fSAndroid Build Coastguard Worker /* Password derivation constants */
70*59bfda1fSAndroid Build Coastguard Worker #define F2FS_MAX_PASSPHRASE_SIZE 1024
71*59bfda1fSAndroid Build Coastguard Worker #define F2FS_MAX_SALT_SIZE 256
72*59bfda1fSAndroid Build Coastguard Worker #define F2FS_PBKDF2_ITERATIONS 0xFFFF
73*59bfda1fSAndroid Build Coastguard Worker
74*59bfda1fSAndroid Build Coastguard Worker /* special process keyring shortcut IDs */
75*59bfda1fSAndroid Build Coastguard Worker #define KEY_SPEC_THREAD_KEYRING -1
76*59bfda1fSAndroid Build Coastguard Worker #define KEY_SPEC_PROCESS_KEYRING -2
77*59bfda1fSAndroid Build Coastguard Worker #define KEY_SPEC_SESSION_KEYRING -3
78*59bfda1fSAndroid Build Coastguard Worker #define KEY_SPEC_USER_KEYRING -4
79*59bfda1fSAndroid Build Coastguard Worker #define KEY_SPEC_USER_SESSION_KEYRING -5
80*59bfda1fSAndroid Build Coastguard Worker #define KEY_SPEC_GROUP_KEYRING -6
81*59bfda1fSAndroid Build Coastguard Worker
82*59bfda1fSAndroid Build Coastguard Worker #define KEYCTL_GET_KEYRING_ID 0
83*59bfda1fSAndroid Build Coastguard Worker #define KEYCTL_JOIN_SESSION_KEYRING 1
84*59bfda1fSAndroid Build Coastguard Worker #define KEYCTL_DESCRIBE 6
85*59bfda1fSAndroid Build Coastguard Worker #define KEYCTL_SEARCH 10
86*59bfda1fSAndroid Build Coastguard Worker #define KEYCTL_SESSION_TO_PARENT 18
87*59bfda1fSAndroid Build Coastguard Worker
88*59bfda1fSAndroid Build Coastguard Worker /*
89*59bfda1fSAndroid Build Coastguard Worker * File system encryption support
90*59bfda1fSAndroid Build Coastguard Worker */
91*59bfda1fSAndroid Build Coastguard Worker /* Policy provided via an ioctl on the topmost directory */
92*59bfda1fSAndroid Build Coastguard Worker #define F2FS_KEY_DESCRIPTOR_SIZE 8
93*59bfda1fSAndroid Build Coastguard Worker #define F2FS_KEY_REF_STR_BUF_SIZE ((F2FS_KEY_DESCRIPTOR_SIZE * 2) + 1)
94*59bfda1fSAndroid Build Coastguard Worker
95*59bfda1fSAndroid Build Coastguard Worker struct f2fs_fscrypt_policy {
96*59bfda1fSAndroid Build Coastguard Worker __u8 version;
97*59bfda1fSAndroid Build Coastguard Worker __u8 contents_encryption_mode;
98*59bfda1fSAndroid Build Coastguard Worker __u8 filenames_encryption_mode;
99*59bfda1fSAndroid Build Coastguard Worker __u8 flags;
100*59bfda1fSAndroid Build Coastguard Worker __u8 master_key_descriptor[F2FS_KEY_DESCRIPTOR_SIZE];
101*59bfda1fSAndroid Build Coastguard Worker };
102*59bfda1fSAndroid Build Coastguard Worker
103*59bfda1fSAndroid Build Coastguard Worker static_assert(sizeof(struct f2fs_fscrypt_policy) == 12, "");
104*59bfda1fSAndroid Build Coastguard Worker
105*59bfda1fSAndroid Build Coastguard Worker #define F2FS_IOC_SET_ENCRYPTION_POLICY _IOR('f', 19, struct f2fs_fscrypt_policy)
106*59bfda1fSAndroid Build Coastguard Worker #define F2FS_IOC_GET_ENCRYPTION_PWSALT _IOW('f', 20, __u8[16])
107*59bfda1fSAndroid Build Coastguard Worker #define F2FS_IOC_GET_ENCRYPTION_POLICY _IOW('f', 21, struct f2fs_fscrypt_policy)
108*59bfda1fSAndroid Build Coastguard Worker
109*59bfda1fSAndroid Build Coastguard Worker typedef int32_t key_serial_t;
110*59bfda1fSAndroid Build Coastguard Worker
111*59bfda1fSAndroid Build Coastguard Worker
112*59bfda1fSAndroid Build Coastguard Worker
113*59bfda1fSAndroid Build Coastguard Worker #define OPT_VERBOSE 0x0001
114*59bfda1fSAndroid Build Coastguard Worker #define OPT_QUIET 0x0002
115*59bfda1fSAndroid Build Coastguard Worker
116*59bfda1fSAndroid Build Coastguard Worker struct f2fs_encryption_key {
117*59bfda1fSAndroid Build Coastguard Worker __u32 mode;
118*59bfda1fSAndroid Build Coastguard Worker char raw[F2FS_MAX_KEY_SIZE];
119*59bfda1fSAndroid Build Coastguard Worker __u32 size;
120*59bfda1fSAndroid Build Coastguard Worker };
121*59bfda1fSAndroid Build Coastguard Worker
122*59bfda1fSAndroid Build Coastguard Worker static_assert(sizeof(struct f2fs_encryption_key) == 72, "");
123*59bfda1fSAndroid Build Coastguard Worker
124*59bfda1fSAndroid Build Coastguard Worker int options;
125*59bfda1fSAndroid Build Coastguard Worker
126*59bfda1fSAndroid Build Coastguard Worker extern void f2fs_sha512(const unsigned char *in, unsigned long in_size,
127*59bfda1fSAndroid Build Coastguard Worker unsigned char *out);
128*59bfda1fSAndroid Build Coastguard Worker
129*59bfda1fSAndroid Build Coastguard Worker #if !defined(HAVE_KEYCTL)
keyctl(int cmd,...)130*59bfda1fSAndroid Build Coastguard Worker static long keyctl(int cmd, ...)
131*59bfda1fSAndroid Build Coastguard Worker {
132*59bfda1fSAndroid Build Coastguard Worker va_list va;
133*59bfda1fSAndroid Build Coastguard Worker unsigned long arg2, arg3, arg4, arg5;
134*59bfda1fSAndroid Build Coastguard Worker
135*59bfda1fSAndroid Build Coastguard Worker va_start(va, cmd);
136*59bfda1fSAndroid Build Coastguard Worker arg2 = va_arg(va, unsigned long);
137*59bfda1fSAndroid Build Coastguard Worker arg3 = va_arg(va, unsigned long);
138*59bfda1fSAndroid Build Coastguard Worker arg4 = va_arg(va, unsigned long);
139*59bfda1fSAndroid Build Coastguard Worker arg5 = va_arg(va, unsigned long);
140*59bfda1fSAndroid Build Coastguard Worker va_end(va);
141*59bfda1fSAndroid Build Coastguard Worker return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
142*59bfda1fSAndroid Build Coastguard Worker }
143*59bfda1fSAndroid Build Coastguard Worker #endif
144*59bfda1fSAndroid Build Coastguard Worker
145*59bfda1fSAndroid Build Coastguard Worker #if !defined(HAVE_ADD_KEY)
add_key(const char * type,const char * description,const void * payload,size_t plen,key_serial_t keyring)146*59bfda1fSAndroid Build Coastguard Worker static key_serial_t add_key(const char *type, const char *description,
147*59bfda1fSAndroid Build Coastguard Worker const void *payload, size_t plen,
148*59bfda1fSAndroid Build Coastguard Worker key_serial_t keyring)
149*59bfda1fSAndroid Build Coastguard Worker {
150*59bfda1fSAndroid Build Coastguard Worker return syscall(__NR_add_key, type, description, payload,
151*59bfda1fSAndroid Build Coastguard Worker plen, keyring);
152*59bfda1fSAndroid Build Coastguard Worker }
153*59bfda1fSAndroid Build Coastguard Worker #endif
154*59bfda1fSAndroid Build Coastguard Worker
155*59bfda1fSAndroid Build Coastguard Worker static const unsigned char *hexchars = (const unsigned char *) "0123456789abcdef";
156*59bfda1fSAndroid Build Coastguard Worker static const size_t hexchars_size = 16;
157*59bfda1fSAndroid Build Coastguard Worker
158*59bfda1fSAndroid Build Coastguard Worker #define SHA512_LENGTH 64
159*59bfda1fSAndroid Build Coastguard Worker #define F2FS_KEY_TYPE_LOGON "logon"
160*59bfda1fSAndroid Build Coastguard Worker #define F2FS_KEY_DESC_PREFIX "f2fs:"
161*59bfda1fSAndroid Build Coastguard Worker #define F2FS_KEY_DESC_PREFIX_SIZE 5
162*59bfda1fSAndroid Build Coastguard Worker
int_log2(int arg)163*59bfda1fSAndroid Build Coastguard Worker static int int_log2(int arg)
164*59bfda1fSAndroid Build Coastguard Worker {
165*59bfda1fSAndroid Build Coastguard Worker int l = 0;
166*59bfda1fSAndroid Build Coastguard Worker
167*59bfda1fSAndroid Build Coastguard Worker arg >>= 1;
168*59bfda1fSAndroid Build Coastguard Worker while (arg) {
169*59bfda1fSAndroid Build Coastguard Worker l++;
170*59bfda1fSAndroid Build Coastguard Worker arg >>= 1;
171*59bfda1fSAndroid Build Coastguard Worker }
172*59bfda1fSAndroid Build Coastguard Worker return l;
173*59bfda1fSAndroid Build Coastguard Worker }
174*59bfda1fSAndroid Build Coastguard Worker
validate_paths(int argc,char * argv[],int path_start_index)175*59bfda1fSAndroid Build Coastguard Worker static void validate_paths(int argc, char *argv[], int path_start_index)
176*59bfda1fSAndroid Build Coastguard Worker {
177*59bfda1fSAndroid Build Coastguard Worker int x;
178*59bfda1fSAndroid Build Coastguard Worker int valid = 1;
179*59bfda1fSAndroid Build Coastguard Worker struct stat st;
180*59bfda1fSAndroid Build Coastguard Worker
181*59bfda1fSAndroid Build Coastguard Worker for (x = path_start_index; x < argc; x++) {
182*59bfda1fSAndroid Build Coastguard Worker int ret = access(argv[x], W_OK);
183*59bfda1fSAndroid Build Coastguard Worker if (ret) {
184*59bfda1fSAndroid Build Coastguard Worker invalid:
185*59bfda1fSAndroid Build Coastguard Worker perror(argv[x]);
186*59bfda1fSAndroid Build Coastguard Worker valid = 0;
187*59bfda1fSAndroid Build Coastguard Worker continue;
188*59bfda1fSAndroid Build Coastguard Worker }
189*59bfda1fSAndroid Build Coastguard Worker ret = stat(argv[x], &st);
190*59bfda1fSAndroid Build Coastguard Worker if (ret < 0)
191*59bfda1fSAndroid Build Coastguard Worker goto invalid;
192*59bfda1fSAndroid Build Coastguard Worker if (!S_ISDIR(st.st_mode)) {
193*59bfda1fSAndroid Build Coastguard Worker fprintf(stderr, "%s is not a directory\n", argv[x]);
194*59bfda1fSAndroid Build Coastguard Worker goto invalid;
195*59bfda1fSAndroid Build Coastguard Worker }
196*59bfda1fSAndroid Build Coastguard Worker }
197*59bfda1fSAndroid Build Coastguard Worker if (!valid)
198*59bfda1fSAndroid Build Coastguard Worker exit(1);
199*59bfda1fSAndroid Build Coastguard Worker }
200*59bfda1fSAndroid Build Coastguard Worker
hex2byte(const char * hex,size_t hex_size,unsigned char * bytes,size_t bytes_size)201*59bfda1fSAndroid Build Coastguard Worker static int hex2byte(const char *hex, size_t hex_size, unsigned char *bytes,
202*59bfda1fSAndroid Build Coastguard Worker size_t bytes_size)
203*59bfda1fSAndroid Build Coastguard Worker {
204*59bfda1fSAndroid Build Coastguard Worker size_t x;
205*59bfda1fSAndroid Build Coastguard Worker unsigned char *h, *l;
206*59bfda1fSAndroid Build Coastguard Worker
207*59bfda1fSAndroid Build Coastguard Worker if (hex_size % 2)
208*59bfda1fSAndroid Build Coastguard Worker return -EINVAL;
209*59bfda1fSAndroid Build Coastguard Worker for (x = 0; x < hex_size; x += 2) {
210*59bfda1fSAndroid Build Coastguard Worker h = memchr(hexchars, hex[x], hexchars_size);
211*59bfda1fSAndroid Build Coastguard Worker if (!h)
212*59bfda1fSAndroid Build Coastguard Worker return -EINVAL;
213*59bfda1fSAndroid Build Coastguard Worker l = memchr(hexchars, hex[x + 1], hexchars_size);
214*59bfda1fSAndroid Build Coastguard Worker if (!l)
215*59bfda1fSAndroid Build Coastguard Worker return -EINVAL;
216*59bfda1fSAndroid Build Coastguard Worker if ((x >> 1) >= bytes_size)
217*59bfda1fSAndroid Build Coastguard Worker return -EINVAL;
218*59bfda1fSAndroid Build Coastguard Worker bytes[x >> 1] = (((unsigned char)(h - hexchars) << 4) +
219*59bfda1fSAndroid Build Coastguard Worker (unsigned char)(l - hexchars));
220*59bfda1fSAndroid Build Coastguard Worker }
221*59bfda1fSAndroid Build Coastguard Worker return 0;
222*59bfda1fSAndroid Build Coastguard Worker }
223*59bfda1fSAndroid Build Coastguard Worker
224*59bfda1fSAndroid Build Coastguard Worker /*
225*59bfda1fSAndroid Build Coastguard Worker * Salt handling
226*59bfda1fSAndroid Build Coastguard Worker */
227*59bfda1fSAndroid Build Coastguard Worker struct salt {
228*59bfda1fSAndroid Build Coastguard Worker unsigned char *salt;
229*59bfda1fSAndroid Build Coastguard Worker char key_ref_str[F2FS_KEY_REF_STR_BUF_SIZE];
230*59bfda1fSAndroid Build Coastguard Worker unsigned char key_desc[F2FS_KEY_DESCRIPTOR_SIZE];
231*59bfda1fSAndroid Build Coastguard Worker unsigned char key[F2FS_MAX_KEY_SIZE];
232*59bfda1fSAndroid Build Coastguard Worker size_t salt_len;
233*59bfda1fSAndroid Build Coastguard Worker };
234*59bfda1fSAndroid Build Coastguard Worker struct salt *salt_list;
235*59bfda1fSAndroid Build Coastguard Worker unsigned num_salt;
236*59bfda1fSAndroid Build Coastguard Worker unsigned max_salt;
237*59bfda1fSAndroid Build Coastguard Worker char in_passphrase[F2FS_MAX_PASSPHRASE_SIZE];
238*59bfda1fSAndroid Build Coastguard Worker
find_by_salt(unsigned char * salt,size_t salt_len)239*59bfda1fSAndroid Build Coastguard Worker static struct salt *find_by_salt(unsigned char *salt, size_t salt_len)
240*59bfda1fSAndroid Build Coastguard Worker {
241*59bfda1fSAndroid Build Coastguard Worker unsigned int i;
242*59bfda1fSAndroid Build Coastguard Worker struct salt *p;
243*59bfda1fSAndroid Build Coastguard Worker
244*59bfda1fSAndroid Build Coastguard Worker for (i = 0, p = salt_list; i < num_salt; i++, p++)
245*59bfda1fSAndroid Build Coastguard Worker if ((p->salt_len == salt_len) &&
246*59bfda1fSAndroid Build Coastguard Worker !memcmp(p->salt, salt, salt_len))
247*59bfda1fSAndroid Build Coastguard Worker return p;
248*59bfda1fSAndroid Build Coastguard Worker return NULL;
249*59bfda1fSAndroid Build Coastguard Worker }
250*59bfda1fSAndroid Build Coastguard Worker
add_salt(unsigned char * salt,size_t salt_len)251*59bfda1fSAndroid Build Coastguard Worker static void add_salt(unsigned char *salt, size_t salt_len)
252*59bfda1fSAndroid Build Coastguard Worker {
253*59bfda1fSAndroid Build Coastguard Worker if (find_by_salt(salt, salt_len))
254*59bfda1fSAndroid Build Coastguard Worker return;
255*59bfda1fSAndroid Build Coastguard Worker if (num_salt >= max_salt) {
256*59bfda1fSAndroid Build Coastguard Worker max_salt = num_salt + 10;
257*59bfda1fSAndroid Build Coastguard Worker salt_list = realloc(salt_list, max_salt * sizeof(struct salt));
258*59bfda1fSAndroid Build Coastguard Worker if (!salt_list) {
259*59bfda1fSAndroid Build Coastguard Worker fprintf(stderr, "Couldn't allocate salt list\n");
260*59bfda1fSAndroid Build Coastguard Worker exit(1);
261*59bfda1fSAndroid Build Coastguard Worker }
262*59bfda1fSAndroid Build Coastguard Worker }
263*59bfda1fSAndroid Build Coastguard Worker salt_list[num_salt].salt = salt;
264*59bfda1fSAndroid Build Coastguard Worker salt_list[num_salt].salt_len = salt_len;
265*59bfda1fSAndroid Build Coastguard Worker num_salt++;
266*59bfda1fSAndroid Build Coastguard Worker }
267*59bfda1fSAndroid Build Coastguard Worker
clear_secrets(void)268*59bfda1fSAndroid Build Coastguard Worker static void clear_secrets(void)
269*59bfda1fSAndroid Build Coastguard Worker {
270*59bfda1fSAndroid Build Coastguard Worker if (salt_list) {
271*59bfda1fSAndroid Build Coastguard Worker memset(salt_list, 0, sizeof(struct salt) * max_salt);
272*59bfda1fSAndroid Build Coastguard Worker free(salt_list);
273*59bfda1fSAndroid Build Coastguard Worker salt_list = NULL;
274*59bfda1fSAndroid Build Coastguard Worker }
275*59bfda1fSAndroid Build Coastguard Worker memset(in_passphrase, 0, sizeof(in_passphrase));
276*59bfda1fSAndroid Build Coastguard Worker }
277*59bfda1fSAndroid Build Coastguard Worker
die_signal_handler(int UNUSED (signum),siginfo_t * UNUSED (siginfo),void * UNUSED (context))278*59bfda1fSAndroid Build Coastguard Worker static void die_signal_handler(int UNUSED(signum),
279*59bfda1fSAndroid Build Coastguard Worker siginfo_t *UNUSED(siginfo), void *UNUSED(context))
280*59bfda1fSAndroid Build Coastguard Worker {
281*59bfda1fSAndroid Build Coastguard Worker clear_secrets();
282*59bfda1fSAndroid Build Coastguard Worker exit(-1);
283*59bfda1fSAndroid Build Coastguard Worker }
284*59bfda1fSAndroid Build Coastguard Worker
sigcatcher_setup(void)285*59bfda1fSAndroid Build Coastguard Worker static void sigcatcher_setup(void)
286*59bfda1fSAndroid Build Coastguard Worker {
287*59bfda1fSAndroid Build Coastguard Worker struct sigaction sa;
288*59bfda1fSAndroid Build Coastguard Worker
289*59bfda1fSAndroid Build Coastguard Worker memset(&sa, 0, sizeof(struct sigaction));
290*59bfda1fSAndroid Build Coastguard Worker sa.sa_sigaction = die_signal_handler;
291*59bfda1fSAndroid Build Coastguard Worker sa.sa_flags = SA_SIGINFO;
292*59bfda1fSAndroid Build Coastguard Worker
293*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGHUP, &sa, 0);
294*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGINT, &sa, 0);
295*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGQUIT, &sa, 0);
296*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGFPE, &sa, 0);
297*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGILL, &sa, 0);
298*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGBUS, &sa, 0);
299*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGSEGV, &sa, 0);
300*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGABRT, &sa, 0);
301*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGPIPE, &sa, 0);
302*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGALRM, &sa, 0);
303*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGTERM, &sa, 0);
304*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGUSR1, &sa, 0);
305*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGUSR2, &sa, 0);
306*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGPOLL, &sa, 0);
307*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGPROF, &sa, 0);
308*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGSYS, &sa, 0);
309*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGTRAP, &sa, 0);
310*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGVTALRM, &sa, 0);
311*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGXCPU, &sa, 0);
312*59bfda1fSAndroid Build Coastguard Worker sigaction(SIGXFSZ, &sa, 0);
313*59bfda1fSAndroid Build Coastguard Worker }
314*59bfda1fSAndroid Build Coastguard Worker
315*59bfda1fSAndroid Build Coastguard Worker
316*59bfda1fSAndroid Build Coastguard Worker #define PARSE_FLAGS_NOTSUPP_OK 0x0001
317*59bfda1fSAndroid Build Coastguard Worker #define PARSE_FLAGS_FORCE_FN 0x0002
318*59bfda1fSAndroid Build Coastguard Worker
parse_salt(char * salt_str,int flags)319*59bfda1fSAndroid Build Coastguard Worker static void parse_salt(char *salt_str, int flags)
320*59bfda1fSAndroid Build Coastguard Worker {
321*59bfda1fSAndroid Build Coastguard Worker unsigned char buf[F2FS_MAX_SALT_SIZE];
322*59bfda1fSAndroid Build Coastguard Worker char *cp = salt_str;
323*59bfda1fSAndroid Build Coastguard Worker unsigned char *salt_buf;
324*59bfda1fSAndroid Build Coastguard Worker int fd, ret, salt_len = 0;
325*59bfda1fSAndroid Build Coastguard Worker
326*59bfda1fSAndroid Build Coastguard Worker if (flags & PARSE_FLAGS_FORCE_FN)
327*59bfda1fSAndroid Build Coastguard Worker goto salt_from_filename;
328*59bfda1fSAndroid Build Coastguard Worker if (strncmp(cp, "s:", 2) == 0) {
329*59bfda1fSAndroid Build Coastguard Worker cp += 2;
330*59bfda1fSAndroid Build Coastguard Worker salt_len = strlen(cp);
331*59bfda1fSAndroid Build Coastguard Worker if (salt_len >= F2FS_MAX_SALT_SIZE)
332*59bfda1fSAndroid Build Coastguard Worker goto invalid_salt;
333*59bfda1fSAndroid Build Coastguard Worker strncpy((char *) buf, cp, sizeof(buf));
334*59bfda1fSAndroid Build Coastguard Worker } else if (cp[0] == '/') {
335*59bfda1fSAndroid Build Coastguard Worker salt_from_filename:
336*59bfda1fSAndroid Build Coastguard Worker fd = open(cp, O_RDONLY | O_DIRECTORY);
337*59bfda1fSAndroid Build Coastguard Worker if (fd == -1 && errno == ENOTDIR)
338*59bfda1fSAndroid Build Coastguard Worker fd = open(cp, O_RDONLY);
339*59bfda1fSAndroid Build Coastguard Worker if (fd == -1) {
340*59bfda1fSAndroid Build Coastguard Worker perror(cp);
341*59bfda1fSAndroid Build Coastguard Worker exit(1);
342*59bfda1fSAndroid Build Coastguard Worker }
343*59bfda1fSAndroid Build Coastguard Worker ret = ioctl(fd, F2FS_IOC_GET_ENCRYPTION_PWSALT, &buf);
344*59bfda1fSAndroid Build Coastguard Worker close(fd);
345*59bfda1fSAndroid Build Coastguard Worker if (ret < 0) {
346*59bfda1fSAndroid Build Coastguard Worker if (flags & PARSE_FLAGS_NOTSUPP_OK)
347*59bfda1fSAndroid Build Coastguard Worker return;
348*59bfda1fSAndroid Build Coastguard Worker perror("F2FS_IOC_GET_ENCRYPTION_PWSALT");
349*59bfda1fSAndroid Build Coastguard Worker exit(1);
350*59bfda1fSAndroid Build Coastguard Worker }
351*59bfda1fSAndroid Build Coastguard Worker #ifdef HAVE_LIBUUID
352*59bfda1fSAndroid Build Coastguard Worker if (options & OPT_VERBOSE) {
353*59bfda1fSAndroid Build Coastguard Worker char tmp[80];
354*59bfda1fSAndroid Build Coastguard Worker uuid_unparse(buf, tmp);
355*59bfda1fSAndroid Build Coastguard Worker printf("%s has pw salt %s\n", cp, tmp);
356*59bfda1fSAndroid Build Coastguard Worker }
357*59bfda1fSAndroid Build Coastguard Worker #endif
358*59bfda1fSAndroid Build Coastguard Worker salt_len = 16;
359*59bfda1fSAndroid Build Coastguard Worker } else if (strncmp(cp, "f:", 2) == 0) {
360*59bfda1fSAndroid Build Coastguard Worker cp += 2;
361*59bfda1fSAndroid Build Coastguard Worker goto salt_from_filename;
362*59bfda1fSAndroid Build Coastguard Worker } else if (strncmp(cp, "0x", 2) == 0) {
363*59bfda1fSAndroid Build Coastguard Worker unsigned char *h, *l;
364*59bfda1fSAndroid Build Coastguard Worker
365*59bfda1fSAndroid Build Coastguard Worker cp += 2;
366*59bfda1fSAndroid Build Coastguard Worker if (strlen(cp) & 1)
367*59bfda1fSAndroid Build Coastguard Worker goto invalid_salt;
368*59bfda1fSAndroid Build Coastguard Worker while (*cp) {
369*59bfda1fSAndroid Build Coastguard Worker if (salt_len >= F2FS_MAX_SALT_SIZE)
370*59bfda1fSAndroid Build Coastguard Worker goto invalid_salt;
371*59bfda1fSAndroid Build Coastguard Worker h = memchr(hexchars, *cp++, hexchars_size);
372*59bfda1fSAndroid Build Coastguard Worker l = memchr(hexchars, *cp++, hexchars_size);
373*59bfda1fSAndroid Build Coastguard Worker if (!h || !l)
374*59bfda1fSAndroid Build Coastguard Worker goto invalid_salt;
375*59bfda1fSAndroid Build Coastguard Worker buf[salt_len++] =
376*59bfda1fSAndroid Build Coastguard Worker (((unsigned char)(h - hexchars) << 4) +
377*59bfda1fSAndroid Build Coastguard Worker (unsigned char)(l - hexchars));
378*59bfda1fSAndroid Build Coastguard Worker }
379*59bfda1fSAndroid Build Coastguard Worker #ifdef HAVE_LIBUUID
380*59bfda1fSAndroid Build Coastguard Worker } else if (uuid_parse(cp, buf) == 0) {
381*59bfda1fSAndroid Build Coastguard Worker salt_len = 16;
382*59bfda1fSAndroid Build Coastguard Worker #endif
383*59bfda1fSAndroid Build Coastguard Worker } else {
384*59bfda1fSAndroid Build Coastguard Worker invalid_salt:
385*59bfda1fSAndroid Build Coastguard Worker fprintf(stderr, "Invalid salt: %s\n", salt_str);
386*59bfda1fSAndroid Build Coastguard Worker exit(1);
387*59bfda1fSAndroid Build Coastguard Worker }
388*59bfda1fSAndroid Build Coastguard Worker salt_buf = malloc(salt_len);
389*59bfda1fSAndroid Build Coastguard Worker if (!salt_buf) {
390*59bfda1fSAndroid Build Coastguard Worker fprintf(stderr, "Couldn't allocate salt\n");
391*59bfda1fSAndroid Build Coastguard Worker exit(1);
392*59bfda1fSAndroid Build Coastguard Worker }
393*59bfda1fSAndroid Build Coastguard Worker memcpy(salt_buf, buf, salt_len);
394*59bfda1fSAndroid Build Coastguard Worker add_salt(salt_buf, salt_len);
395*59bfda1fSAndroid Build Coastguard Worker }
396*59bfda1fSAndroid Build Coastguard Worker
set_policy(struct salt * set_salt,int pad,int argc,char * argv[],int path_start_index)397*59bfda1fSAndroid Build Coastguard Worker static void set_policy(struct salt *set_salt, int pad,
398*59bfda1fSAndroid Build Coastguard Worker int argc, char *argv[], int path_start_index)
399*59bfda1fSAndroid Build Coastguard Worker {
400*59bfda1fSAndroid Build Coastguard Worker struct salt *salt;
401*59bfda1fSAndroid Build Coastguard Worker struct f2fs_fscrypt_policy policy;
402*59bfda1fSAndroid Build Coastguard Worker uuid_t uu;
403*59bfda1fSAndroid Build Coastguard Worker int fd;
404*59bfda1fSAndroid Build Coastguard Worker int x;
405*59bfda1fSAndroid Build Coastguard Worker int rc;
406*59bfda1fSAndroid Build Coastguard Worker
407*59bfda1fSAndroid Build Coastguard Worker if ((pad != 4) && (pad != 8) &&
408*59bfda1fSAndroid Build Coastguard Worker (pad != 16) && (pad != 32)) {
409*59bfda1fSAndroid Build Coastguard Worker fprintf(stderr, "Invalid padding %d\n", pad);
410*59bfda1fSAndroid Build Coastguard Worker exit(1);
411*59bfda1fSAndroid Build Coastguard Worker }
412*59bfda1fSAndroid Build Coastguard Worker
413*59bfda1fSAndroid Build Coastguard Worker for (x = path_start_index; x < argc; x++) {
414*59bfda1fSAndroid Build Coastguard Worker fd = open(argv[x], O_DIRECTORY);
415*59bfda1fSAndroid Build Coastguard Worker if (fd == -1) {
416*59bfda1fSAndroid Build Coastguard Worker perror(argv[x]);
417*59bfda1fSAndroid Build Coastguard Worker exit(1);
418*59bfda1fSAndroid Build Coastguard Worker }
419*59bfda1fSAndroid Build Coastguard Worker if (set_salt)
420*59bfda1fSAndroid Build Coastguard Worker salt = set_salt;
421*59bfda1fSAndroid Build Coastguard Worker else {
422*59bfda1fSAndroid Build Coastguard Worker if (ioctl(fd, F2FS_IOC_GET_ENCRYPTION_PWSALT,
423*59bfda1fSAndroid Build Coastguard Worker &uu) < 0) {
424*59bfda1fSAndroid Build Coastguard Worker perror("F2FS_IOC_GET_ENCRYPTION_PWSALT");
425*59bfda1fSAndroid Build Coastguard Worker exit(1);
426*59bfda1fSAndroid Build Coastguard Worker }
427*59bfda1fSAndroid Build Coastguard Worker salt = find_by_salt(uu, sizeof(uu));
428*59bfda1fSAndroid Build Coastguard Worker if (!salt) {
429*59bfda1fSAndroid Build Coastguard Worker fprintf(stderr, "Couldn't find salt!?!\n");
430*59bfda1fSAndroid Build Coastguard Worker exit(1);
431*59bfda1fSAndroid Build Coastguard Worker }
432*59bfda1fSAndroid Build Coastguard Worker }
433*59bfda1fSAndroid Build Coastguard Worker policy.version = 0;
434*59bfda1fSAndroid Build Coastguard Worker policy.contents_encryption_mode =
435*59bfda1fSAndroid Build Coastguard Worker F2FS_ENCRYPTION_MODE_AES_256_XTS;
436*59bfda1fSAndroid Build Coastguard Worker policy.filenames_encryption_mode =
437*59bfda1fSAndroid Build Coastguard Worker F2FS_ENCRYPTION_MODE_AES_256_CTS;
438*59bfda1fSAndroid Build Coastguard Worker policy.flags = int_log2(pad >> 2);
439*59bfda1fSAndroid Build Coastguard Worker memcpy(policy.master_key_descriptor, salt->key_desc,
440*59bfda1fSAndroid Build Coastguard Worker F2FS_KEY_DESCRIPTOR_SIZE);
441*59bfda1fSAndroid Build Coastguard Worker rc = ioctl(fd, F2FS_IOC_SET_ENCRYPTION_POLICY, &policy);
442*59bfda1fSAndroid Build Coastguard Worker close(fd);
443*59bfda1fSAndroid Build Coastguard Worker if (rc) {
444*59bfda1fSAndroid Build Coastguard Worker printf("Error [%s] setting policy.\nThe key descriptor "
445*59bfda1fSAndroid Build Coastguard Worker "[%s] may not match the existing encryption "
446*59bfda1fSAndroid Build Coastguard Worker "context for directory [%s].\n",
447*59bfda1fSAndroid Build Coastguard Worker strerror(errno), salt->key_ref_str, argv[x]);
448*59bfda1fSAndroid Build Coastguard Worker continue;
449*59bfda1fSAndroid Build Coastguard Worker }
450*59bfda1fSAndroid Build Coastguard Worker printf("Key with descriptor [%s] applied to %s.\n",
451*59bfda1fSAndroid Build Coastguard Worker salt->key_ref_str, argv[x]);
452*59bfda1fSAndroid Build Coastguard Worker }
453*59bfda1fSAndroid Build Coastguard Worker }
454*59bfda1fSAndroid Build Coastguard Worker
pbkdf2_sha512(const char * passphrase,struct salt * salt,unsigned int count,unsigned char derived_key[F2FS_MAX_KEY_SIZE])455*59bfda1fSAndroid Build Coastguard Worker static void pbkdf2_sha512(const char *passphrase, struct salt *salt,
456*59bfda1fSAndroid Build Coastguard Worker unsigned int count,
457*59bfda1fSAndroid Build Coastguard Worker unsigned char derived_key[F2FS_MAX_KEY_SIZE])
458*59bfda1fSAndroid Build Coastguard Worker {
459*59bfda1fSAndroid Build Coastguard Worker size_t passphrase_size = strlen(passphrase);
460*59bfda1fSAndroid Build Coastguard Worker unsigned char buf[SHA512_LENGTH + F2FS_MAX_PASSPHRASE_SIZE] = {0};
461*59bfda1fSAndroid Build Coastguard Worker unsigned char tempbuf[SHA512_LENGTH] = {0};
462*59bfda1fSAndroid Build Coastguard Worker char final[SHA512_LENGTH] = {0};
463*59bfda1fSAndroid Build Coastguard Worker unsigned char saltbuf[F2FS_MAX_SALT_SIZE + F2FS_MAX_PASSPHRASE_SIZE] = {0};
464*59bfda1fSAndroid Build Coastguard Worker int actual_buf_len = SHA512_LENGTH + passphrase_size;
465*59bfda1fSAndroid Build Coastguard Worker int actual_saltbuf_len = F2FS_MAX_SALT_SIZE + passphrase_size;
466*59bfda1fSAndroid Build Coastguard Worker unsigned int x, y;
467*59bfda1fSAndroid Build Coastguard Worker __u32 *final_u32 = (__u32 *)final;
468*59bfda1fSAndroid Build Coastguard Worker __u32 *temp_u32 = (__u32 *)tempbuf;
469*59bfda1fSAndroid Build Coastguard Worker
470*59bfda1fSAndroid Build Coastguard Worker if (passphrase_size > F2FS_MAX_PASSPHRASE_SIZE) {
471*59bfda1fSAndroid Build Coastguard Worker printf("Passphrase size is %zd; max is %d.\n", passphrase_size,
472*59bfda1fSAndroid Build Coastguard Worker F2FS_MAX_PASSPHRASE_SIZE);
473*59bfda1fSAndroid Build Coastguard Worker exit(1);
474*59bfda1fSAndroid Build Coastguard Worker }
475*59bfda1fSAndroid Build Coastguard Worker if (salt->salt_len > F2FS_MAX_SALT_SIZE) {
476*59bfda1fSAndroid Build Coastguard Worker printf("Salt size is %zd; max is %d.\n", salt->salt_len,
477*59bfda1fSAndroid Build Coastguard Worker F2FS_MAX_SALT_SIZE);
478*59bfda1fSAndroid Build Coastguard Worker exit(1);
479*59bfda1fSAndroid Build Coastguard Worker }
480*59bfda1fSAndroid Build Coastguard Worker assert(F2FS_MAX_KEY_SIZE <= SHA512_LENGTH);
481*59bfda1fSAndroid Build Coastguard Worker
482*59bfda1fSAndroid Build Coastguard Worker memcpy(saltbuf, salt->salt, salt->salt_len);
483*59bfda1fSAndroid Build Coastguard Worker memcpy(&saltbuf[F2FS_MAX_SALT_SIZE], passphrase, passphrase_size);
484*59bfda1fSAndroid Build Coastguard Worker
485*59bfda1fSAndroid Build Coastguard Worker memcpy(&buf[SHA512_LENGTH], passphrase, passphrase_size);
486*59bfda1fSAndroid Build Coastguard Worker
487*59bfda1fSAndroid Build Coastguard Worker for (x = 0; x < count; ++x) {
488*59bfda1fSAndroid Build Coastguard Worker if (x == 0) {
489*59bfda1fSAndroid Build Coastguard Worker f2fs_sha512(saltbuf, actual_saltbuf_len, tempbuf);
490*59bfda1fSAndroid Build Coastguard Worker } else {
491*59bfda1fSAndroid Build Coastguard Worker /*
492*59bfda1fSAndroid Build Coastguard Worker * buf: [previous hash || passphrase]
493*59bfda1fSAndroid Build Coastguard Worker */
494*59bfda1fSAndroid Build Coastguard Worker memcpy(buf, tempbuf, SHA512_LENGTH);
495*59bfda1fSAndroid Build Coastguard Worker f2fs_sha512(buf, actual_buf_len, tempbuf);
496*59bfda1fSAndroid Build Coastguard Worker }
497*59bfda1fSAndroid Build Coastguard Worker for (y = 0; y < (sizeof(final) / sizeof(*final_u32)); ++y)
498*59bfda1fSAndroid Build Coastguard Worker final_u32[y] = final_u32[y] ^ temp_u32[y];
499*59bfda1fSAndroid Build Coastguard Worker }
500*59bfda1fSAndroid Build Coastguard Worker memcpy(derived_key, final, F2FS_MAX_KEY_SIZE);
501*59bfda1fSAndroid Build Coastguard Worker }
502*59bfda1fSAndroid Build Coastguard Worker
disable_echo(struct termios * saved_settings)503*59bfda1fSAndroid Build Coastguard Worker static int disable_echo(struct termios *saved_settings)
504*59bfda1fSAndroid Build Coastguard Worker {
505*59bfda1fSAndroid Build Coastguard Worker struct termios current_settings;
506*59bfda1fSAndroid Build Coastguard Worker int rc = 0;
507*59bfda1fSAndroid Build Coastguard Worker
508*59bfda1fSAndroid Build Coastguard Worker rc = tcgetattr(0, ¤t_settings);
509*59bfda1fSAndroid Build Coastguard Worker if (rc)
510*59bfda1fSAndroid Build Coastguard Worker return rc;
511*59bfda1fSAndroid Build Coastguard Worker *saved_settings = current_settings;
512*59bfda1fSAndroid Build Coastguard Worker current_settings.c_lflag &= ~ECHO;
513*59bfda1fSAndroid Build Coastguard Worker rc = tcsetattr(0, TCSANOW, ¤t_settings);
514*59bfda1fSAndroid Build Coastguard Worker
515*59bfda1fSAndroid Build Coastguard Worker return rc;
516*59bfda1fSAndroid Build Coastguard Worker }
517*59bfda1fSAndroid Build Coastguard Worker
get_passphrase(char * passphrase,int len)518*59bfda1fSAndroid Build Coastguard Worker static void get_passphrase(char *passphrase, int len)
519*59bfda1fSAndroid Build Coastguard Worker {
520*59bfda1fSAndroid Build Coastguard Worker char *p;
521*59bfda1fSAndroid Build Coastguard Worker struct termios current_settings;
522*59bfda1fSAndroid Build Coastguard Worker
523*59bfda1fSAndroid Build Coastguard Worker assert(len > 0);
524*59bfda1fSAndroid Build Coastguard Worker disable_echo(¤t_settings);
525*59bfda1fSAndroid Build Coastguard Worker p = fgets(passphrase, len, stdin);
526*59bfda1fSAndroid Build Coastguard Worker tcsetattr(0, TCSANOW, ¤t_settings);
527*59bfda1fSAndroid Build Coastguard Worker printf("\n");
528*59bfda1fSAndroid Build Coastguard Worker if (!p) {
529*59bfda1fSAndroid Build Coastguard Worker printf("Aborting.\n");
530*59bfda1fSAndroid Build Coastguard Worker exit(1);
531*59bfda1fSAndroid Build Coastguard Worker }
532*59bfda1fSAndroid Build Coastguard Worker p = strrchr(passphrase, '\n');
533*59bfda1fSAndroid Build Coastguard Worker if (!p)
534*59bfda1fSAndroid Build Coastguard Worker p = passphrase + len - 1;
535*59bfda1fSAndroid Build Coastguard Worker *p = '\0';
536*59bfda1fSAndroid Build Coastguard Worker }
537*59bfda1fSAndroid Build Coastguard Worker
538*59bfda1fSAndroid Build Coastguard Worker struct keyring_map {
539*59bfda1fSAndroid Build Coastguard Worker char name[4];
540*59bfda1fSAndroid Build Coastguard Worker size_t name_len;
541*59bfda1fSAndroid Build Coastguard Worker int code;
542*59bfda1fSAndroid Build Coastguard Worker };
543*59bfda1fSAndroid Build Coastguard Worker
544*59bfda1fSAndroid Build Coastguard Worker static const struct keyring_map keyrings[] = {
545*59bfda1fSAndroid Build Coastguard Worker {"@us", 3, KEY_SPEC_USER_SESSION_KEYRING},
546*59bfda1fSAndroid Build Coastguard Worker {"@u", 2, KEY_SPEC_USER_KEYRING},
547*59bfda1fSAndroid Build Coastguard Worker {"@s", 2, KEY_SPEC_SESSION_KEYRING},
548*59bfda1fSAndroid Build Coastguard Worker {"@g", 2, KEY_SPEC_GROUP_KEYRING},
549*59bfda1fSAndroid Build Coastguard Worker {"@p", 2, KEY_SPEC_PROCESS_KEYRING},
550*59bfda1fSAndroid Build Coastguard Worker {"@t", 2, KEY_SPEC_THREAD_KEYRING},
551*59bfda1fSAndroid Build Coastguard Worker };
552*59bfda1fSAndroid Build Coastguard Worker
get_keyring_id(const char * keyring)553*59bfda1fSAndroid Build Coastguard Worker static int get_keyring_id(const char *keyring)
554*59bfda1fSAndroid Build Coastguard Worker {
555*59bfda1fSAndroid Build Coastguard Worker unsigned int x;
556*59bfda1fSAndroid Build Coastguard Worker char *end;
557*59bfda1fSAndroid Build Coastguard Worker
558*59bfda1fSAndroid Build Coastguard Worker /*
559*59bfda1fSAndroid Build Coastguard Worker * If no keyring is specified, by default use either the user
560*59bfda1fSAndroid Build Coastguard Worker * session key ring or the session keyring. Fetching the
561*59bfda1fSAndroid Build Coastguard Worker * session keyring will return the user session keyring if no
562*59bfda1fSAndroid Build Coastguard Worker * session keyring has been set.
563*59bfda1fSAndroid Build Coastguard Worker *
564*59bfda1fSAndroid Build Coastguard Worker * We need to do this instead of simply adding the key to
565*59bfda1fSAndroid Build Coastguard Worker * KEY_SPEC_SESSION_KEYRING since trying to add a key to a
566*59bfda1fSAndroid Build Coastguard Worker * session keyring that does not yet exist will cause the
567*59bfda1fSAndroid Build Coastguard Worker * kernel to create a session keyring --- which wil then get
568*59bfda1fSAndroid Build Coastguard Worker * garbage collected as soon as f2fscrypt exits.
569*59bfda1fSAndroid Build Coastguard Worker *
570*59bfda1fSAndroid Build Coastguard Worker * The fact that the keyctl system call and the add_key system
571*59bfda1fSAndroid Build Coastguard Worker * call treats KEY_SPEC_SESSION_KEYRING differently when a
572*59bfda1fSAndroid Build Coastguard Worker * session keyring does not exist is very unfortunate and
573*59bfda1fSAndroid Build Coastguard Worker * confusing, but so it goes...
574*59bfda1fSAndroid Build Coastguard Worker */
575*59bfda1fSAndroid Build Coastguard Worker if (keyring == NULL)
576*59bfda1fSAndroid Build Coastguard Worker return keyctl(KEYCTL_GET_KEYRING_ID,
577*59bfda1fSAndroid Build Coastguard Worker KEY_SPEC_SESSION_KEYRING, 0);
578*59bfda1fSAndroid Build Coastguard Worker for (x = 0; x < (sizeof(keyrings) / sizeof(keyrings[0])); ++x) {
579*59bfda1fSAndroid Build Coastguard Worker if (strcmp(keyring, keyrings[x].name) == 0) {
580*59bfda1fSAndroid Build Coastguard Worker return keyrings[x].code;
581*59bfda1fSAndroid Build Coastguard Worker }
582*59bfda1fSAndroid Build Coastguard Worker }
583*59bfda1fSAndroid Build Coastguard Worker x = strtoul(keyring, &end, 10);
584*59bfda1fSAndroid Build Coastguard Worker if (*end == '\0') {
585*59bfda1fSAndroid Build Coastguard Worker if (keyctl(KEYCTL_DESCRIBE, x, NULL, 0) < 0)
586*59bfda1fSAndroid Build Coastguard Worker return 0;
587*59bfda1fSAndroid Build Coastguard Worker return x;
588*59bfda1fSAndroid Build Coastguard Worker }
589*59bfda1fSAndroid Build Coastguard Worker return 0;
590*59bfda1fSAndroid Build Coastguard Worker }
591*59bfda1fSAndroid Build Coastguard Worker
generate_key_ref_str(struct salt * salt)592*59bfda1fSAndroid Build Coastguard Worker static void generate_key_ref_str(struct salt *salt)
593*59bfda1fSAndroid Build Coastguard Worker {
594*59bfda1fSAndroid Build Coastguard Worker unsigned char key_ref1[SHA512_LENGTH];
595*59bfda1fSAndroid Build Coastguard Worker unsigned char key_ref2[SHA512_LENGTH];
596*59bfda1fSAndroid Build Coastguard Worker int x;
597*59bfda1fSAndroid Build Coastguard Worker
598*59bfda1fSAndroid Build Coastguard Worker f2fs_sha512(salt->key, F2FS_MAX_KEY_SIZE, key_ref1);
599*59bfda1fSAndroid Build Coastguard Worker f2fs_sha512(key_ref1, SHA512_LENGTH, key_ref2);
600*59bfda1fSAndroid Build Coastguard Worker memcpy(salt->key_desc, key_ref2, F2FS_KEY_DESCRIPTOR_SIZE);
601*59bfda1fSAndroid Build Coastguard Worker for (x = 0; x < F2FS_KEY_DESCRIPTOR_SIZE; ++x) {
602*59bfda1fSAndroid Build Coastguard Worker sprintf(&salt->key_ref_str[x * 2], "%02x",
603*59bfda1fSAndroid Build Coastguard Worker salt->key_desc[x]);
604*59bfda1fSAndroid Build Coastguard Worker }
605*59bfda1fSAndroid Build Coastguard Worker salt->key_ref_str[F2FS_KEY_REF_STR_BUF_SIZE - 1] = '\0';
606*59bfda1fSAndroid Build Coastguard Worker }
607*59bfda1fSAndroid Build Coastguard Worker
insert_key_into_keyring(const char * keyring,struct salt * salt)608*59bfda1fSAndroid Build Coastguard Worker static void insert_key_into_keyring(const char *keyring, struct salt *salt)
609*59bfda1fSAndroid Build Coastguard Worker {
610*59bfda1fSAndroid Build Coastguard Worker int keyring_id = get_keyring_id(keyring);
611*59bfda1fSAndroid Build Coastguard Worker struct f2fs_encryption_key key;
612*59bfda1fSAndroid Build Coastguard Worker char key_ref_full[F2FS_KEY_DESC_PREFIX_SIZE +
613*59bfda1fSAndroid Build Coastguard Worker F2FS_KEY_REF_STR_BUF_SIZE];
614*59bfda1fSAndroid Build Coastguard Worker int rc;
615*59bfda1fSAndroid Build Coastguard Worker
616*59bfda1fSAndroid Build Coastguard Worker if (keyring_id == 0) {
617*59bfda1fSAndroid Build Coastguard Worker printf("Invalid keyring [%s].\n", keyring);
618*59bfda1fSAndroid Build Coastguard Worker exit(1);
619*59bfda1fSAndroid Build Coastguard Worker }
620*59bfda1fSAndroid Build Coastguard Worker sprintf(key_ref_full, "%s%s", F2FS_KEY_DESC_PREFIX,
621*59bfda1fSAndroid Build Coastguard Worker salt->key_ref_str);
622*59bfda1fSAndroid Build Coastguard Worker rc = keyctl(KEYCTL_SEARCH, keyring_id, F2FS_KEY_TYPE_LOGON,
623*59bfda1fSAndroid Build Coastguard Worker key_ref_full, 0);
624*59bfda1fSAndroid Build Coastguard Worker if (rc != -1) {
625*59bfda1fSAndroid Build Coastguard Worker if ((options & OPT_QUIET) == 0)
626*59bfda1fSAndroid Build Coastguard Worker printf("Key with descriptor [%s] already exists\n",
627*59bfda1fSAndroid Build Coastguard Worker salt->key_ref_str);
628*59bfda1fSAndroid Build Coastguard Worker return;
629*59bfda1fSAndroid Build Coastguard Worker } else if ((rc == -1) && (errno != ENOKEY)) {
630*59bfda1fSAndroid Build Coastguard Worker printf("keyctl_search failed: %s\n", strerror(errno));
631*59bfda1fSAndroid Build Coastguard Worker if (errno == -EINVAL)
632*59bfda1fSAndroid Build Coastguard Worker printf("Keyring [%s] is not available.\n", keyring);
633*59bfda1fSAndroid Build Coastguard Worker exit(1);
634*59bfda1fSAndroid Build Coastguard Worker }
635*59bfda1fSAndroid Build Coastguard Worker key.mode = F2FS_ENCRYPTION_MODE_AES_256_XTS;
636*59bfda1fSAndroid Build Coastguard Worker memcpy(key.raw, salt->key, F2FS_MAX_KEY_SIZE);
637*59bfda1fSAndroid Build Coastguard Worker key.size = F2FS_MAX_KEY_SIZE;
638*59bfda1fSAndroid Build Coastguard Worker rc = add_key(F2FS_KEY_TYPE_LOGON, key_ref_full, (void *)&key,
639*59bfda1fSAndroid Build Coastguard Worker sizeof(key), keyring_id);
640*59bfda1fSAndroid Build Coastguard Worker if (rc == -1) {
641*59bfda1fSAndroid Build Coastguard Worker if (errno == EDQUOT) {
642*59bfda1fSAndroid Build Coastguard Worker printf("Error adding key to keyring; quota exceeded\n");
643*59bfda1fSAndroid Build Coastguard Worker } else {
644*59bfda1fSAndroid Build Coastguard Worker printf("Error adding key with key descriptor [%s]: "
645*59bfda1fSAndroid Build Coastguard Worker "%s\n", salt->key_ref_str, strerror(errno));
646*59bfda1fSAndroid Build Coastguard Worker }
647*59bfda1fSAndroid Build Coastguard Worker exit(1);
648*59bfda1fSAndroid Build Coastguard Worker } else {
649*59bfda1fSAndroid Build Coastguard Worker if ((options & OPT_QUIET) == 0)
650*59bfda1fSAndroid Build Coastguard Worker printf("Added key with descriptor [%s]\n",
651*59bfda1fSAndroid Build Coastguard Worker salt->key_ref_str);
652*59bfda1fSAndroid Build Coastguard Worker }
653*59bfda1fSAndroid Build Coastguard Worker }
654*59bfda1fSAndroid Build Coastguard Worker
get_default_salts(void)655*59bfda1fSAndroid Build Coastguard Worker static void get_default_salts(void)
656*59bfda1fSAndroid Build Coastguard Worker {
657*59bfda1fSAndroid Build Coastguard Worker FILE *f = setmntent("/etc/mtab", "r");
658*59bfda1fSAndroid Build Coastguard Worker struct mntent *mnt;
659*59bfda1fSAndroid Build Coastguard Worker
660*59bfda1fSAndroid Build Coastguard Worker while (f && ((mnt = getmntent(f)) != NULL)) {
661*59bfda1fSAndroid Build Coastguard Worker if (strcmp(mnt->mnt_type, "f2fs") ||
662*59bfda1fSAndroid Build Coastguard Worker access(mnt->mnt_dir, R_OK))
663*59bfda1fSAndroid Build Coastguard Worker continue;
664*59bfda1fSAndroid Build Coastguard Worker parse_salt(mnt->mnt_dir, PARSE_FLAGS_NOTSUPP_OK);
665*59bfda1fSAndroid Build Coastguard Worker }
666*59bfda1fSAndroid Build Coastguard Worker endmntent(f);
667*59bfda1fSAndroid Build Coastguard Worker }
668*59bfda1fSAndroid Build Coastguard Worker
669*59bfda1fSAndroid Build Coastguard Worker /* Functions which implement user commands */
670*59bfda1fSAndroid Build Coastguard Worker
671*59bfda1fSAndroid Build Coastguard Worker struct cmd_desc {
672*59bfda1fSAndroid Build Coastguard Worker const char *cmd_name;
673*59bfda1fSAndroid Build Coastguard Worker void (*cmd_func)(int, char **, const struct cmd_desc *);
674*59bfda1fSAndroid Build Coastguard Worker const char *cmd_desc;
675*59bfda1fSAndroid Build Coastguard Worker const char *cmd_help;
676*59bfda1fSAndroid Build Coastguard Worker int cmd_flags;
677*59bfda1fSAndroid Build Coastguard Worker };
678*59bfda1fSAndroid Build Coastguard Worker
679*59bfda1fSAndroid Build Coastguard Worker #define CMD_HIDDEN 0x0001
680*59bfda1fSAndroid Build Coastguard Worker
681*59bfda1fSAndroid Build Coastguard Worker static void do_help(int argc, char **argv, const struct cmd_desc *cmd);
682*59bfda1fSAndroid Build Coastguard Worker
683*59bfda1fSAndroid Build Coastguard Worker #define add_key_desc "adds a key to the user's keyring"
684*59bfda1fSAndroid Build Coastguard Worker #define add_key_help \
685*59bfda1fSAndroid Build Coastguard Worker "f2fscrypt add_key -S salt [ -k keyring ] [-v] [-q] [ path ... ]\n\n" \
686*59bfda1fSAndroid Build Coastguard Worker "Prompts the user for a passphrase and inserts it into the specified\n" \
687*59bfda1fSAndroid Build Coastguard Worker "keyring. If no keyring is specified, f2fscrypt will use the session\n" \
688*59bfda1fSAndroid Build Coastguard Worker "keyring if it exists or the user session keyring if it does not.\n\n" \
689*59bfda1fSAndroid Build Coastguard Worker "If one or more directory paths are specified, f2fscrypt will try to\n" \
690*59bfda1fSAndroid Build Coastguard Worker "set the policy of those directories to use the key just entered by\n" \
691*59bfda1fSAndroid Build Coastguard Worker "the user.\n"
692*59bfda1fSAndroid Build Coastguard Worker
do_add_key(int argc,char ** argv,const struct cmd_desc * cmd)693*59bfda1fSAndroid Build Coastguard Worker static void do_add_key(int argc, char **argv, const struct cmd_desc *cmd)
694*59bfda1fSAndroid Build Coastguard Worker {
695*59bfda1fSAndroid Build Coastguard Worker struct salt *salt;
696*59bfda1fSAndroid Build Coastguard Worker char *keyring = NULL;
697*59bfda1fSAndroid Build Coastguard Worker int i, opt, pad = 4;
698*59bfda1fSAndroid Build Coastguard Worker unsigned j;
699*59bfda1fSAndroid Build Coastguard Worker
700*59bfda1fSAndroid Build Coastguard Worker while ((opt = getopt(argc, argv, "k:S:p:vq")) != -1) {
701*59bfda1fSAndroid Build Coastguard Worker switch (opt) {
702*59bfda1fSAndroid Build Coastguard Worker case 'k':
703*59bfda1fSAndroid Build Coastguard Worker /* Specify a keyring. */
704*59bfda1fSAndroid Build Coastguard Worker keyring = optarg;
705*59bfda1fSAndroid Build Coastguard Worker break;
706*59bfda1fSAndroid Build Coastguard Worker case 'p':
707*59bfda1fSAndroid Build Coastguard Worker pad = atoi(optarg);
708*59bfda1fSAndroid Build Coastguard Worker break;
709*59bfda1fSAndroid Build Coastguard Worker case 'S':
710*59bfda1fSAndroid Build Coastguard Worker /* Salt value for passphrase. */
711*59bfda1fSAndroid Build Coastguard Worker parse_salt(optarg, 0);
712*59bfda1fSAndroid Build Coastguard Worker break;
713*59bfda1fSAndroid Build Coastguard Worker case 'v':
714*59bfda1fSAndroid Build Coastguard Worker options |= OPT_VERBOSE;
715*59bfda1fSAndroid Build Coastguard Worker break;
716*59bfda1fSAndroid Build Coastguard Worker case 'q':
717*59bfda1fSAndroid Build Coastguard Worker options |= OPT_QUIET;
718*59bfda1fSAndroid Build Coastguard Worker break;
719*59bfda1fSAndroid Build Coastguard Worker default:
720*59bfda1fSAndroid Build Coastguard Worker fprintf(stderr, "Unrecognized option: %c\n", opt);
721*59bfda1fSAndroid Build Coastguard Worker fallthrough;
722*59bfda1fSAndroid Build Coastguard Worker case '?':
723*59bfda1fSAndroid Build Coastguard Worker fputs("USAGE:\n ", stderr);
724*59bfda1fSAndroid Build Coastguard Worker fputs(cmd->cmd_help, stderr);
725*59bfda1fSAndroid Build Coastguard Worker exit(1);
726*59bfda1fSAndroid Build Coastguard Worker }
727*59bfda1fSAndroid Build Coastguard Worker }
728*59bfda1fSAndroid Build Coastguard Worker if (num_salt == 0)
729*59bfda1fSAndroid Build Coastguard Worker get_default_salts();
730*59bfda1fSAndroid Build Coastguard Worker if (num_salt == 0) {
731*59bfda1fSAndroid Build Coastguard Worker fprintf(stderr, "No salt values available\n");
732*59bfda1fSAndroid Build Coastguard Worker exit(1);
733*59bfda1fSAndroid Build Coastguard Worker }
734*59bfda1fSAndroid Build Coastguard Worker validate_paths(argc, argv, optind);
735*59bfda1fSAndroid Build Coastguard Worker for (i = optind; i < argc; i++)
736*59bfda1fSAndroid Build Coastguard Worker parse_salt(argv[i], PARSE_FLAGS_FORCE_FN);
737*59bfda1fSAndroid Build Coastguard Worker printf("Enter passphrase (echo disabled): ");
738*59bfda1fSAndroid Build Coastguard Worker get_passphrase(in_passphrase, sizeof(in_passphrase));
739*59bfda1fSAndroid Build Coastguard Worker for (j = 0, salt = salt_list; j < num_salt; j++, salt++) {
740*59bfda1fSAndroid Build Coastguard Worker pbkdf2_sha512(in_passphrase, salt,
741*59bfda1fSAndroid Build Coastguard Worker F2FS_PBKDF2_ITERATIONS, salt->key);
742*59bfda1fSAndroid Build Coastguard Worker generate_key_ref_str(salt);
743*59bfda1fSAndroid Build Coastguard Worker insert_key_into_keyring(keyring, salt);
744*59bfda1fSAndroid Build Coastguard Worker }
745*59bfda1fSAndroid Build Coastguard Worker if (optind != argc)
746*59bfda1fSAndroid Build Coastguard Worker set_policy(NULL, pad, argc, argv, optind);
747*59bfda1fSAndroid Build Coastguard Worker clear_secrets();
748*59bfda1fSAndroid Build Coastguard Worker exit(0);
749*59bfda1fSAndroid Build Coastguard Worker }
750*59bfda1fSAndroid Build Coastguard Worker
751*59bfda1fSAndroid Build Coastguard Worker #define set_policy_desc "sets a policy for directories"
752*59bfda1fSAndroid Build Coastguard Worker #define set_policy_help \
753*59bfda1fSAndroid Build Coastguard Worker "f2fscrypt set_policy policy path ... \n\n" \
754*59bfda1fSAndroid Build Coastguard Worker "Sets the policy for the directories specified on the command line.\n" \
755*59bfda1fSAndroid Build Coastguard Worker "All directories must be empty to set the policy; if the directory\n" \
756*59bfda1fSAndroid Build Coastguard Worker "already has a policy established, f2fscrypt will validate that it the\n" \
757*59bfda1fSAndroid Build Coastguard Worker "policy matches what was specified. A policy is an encryption key\n" \
758*59bfda1fSAndroid Build Coastguard Worker "identifier consisting of 16 hexadecimal characters.\n"
759*59bfda1fSAndroid Build Coastguard Worker
do_set_policy(int argc,char ** argv,const struct cmd_desc * cmd)760*59bfda1fSAndroid Build Coastguard Worker static void do_set_policy(int argc, char **argv, const struct cmd_desc *cmd)
761*59bfda1fSAndroid Build Coastguard Worker {
762*59bfda1fSAndroid Build Coastguard Worker struct salt saltbuf;
763*59bfda1fSAndroid Build Coastguard Worker int c, pad = 4;
764*59bfda1fSAndroid Build Coastguard Worker
765*59bfda1fSAndroid Build Coastguard Worker while ((c = getopt (argc, argv, "p:")) != EOF) {
766*59bfda1fSAndroid Build Coastguard Worker switch (c) {
767*59bfda1fSAndroid Build Coastguard Worker case 'p':
768*59bfda1fSAndroid Build Coastguard Worker pad = atoi(optarg);
769*59bfda1fSAndroid Build Coastguard Worker break;
770*59bfda1fSAndroid Build Coastguard Worker }
771*59bfda1fSAndroid Build Coastguard Worker }
772*59bfda1fSAndroid Build Coastguard Worker
773*59bfda1fSAndroid Build Coastguard Worker if (argc < optind + 2) {
774*59bfda1fSAndroid Build Coastguard Worker fprintf(stderr, "Missing required argument(s).\n\n");
775*59bfda1fSAndroid Build Coastguard Worker fputs("USAGE:\n ", stderr);
776*59bfda1fSAndroid Build Coastguard Worker fputs(cmd->cmd_help, stderr);
777*59bfda1fSAndroid Build Coastguard Worker exit(1);
778*59bfda1fSAndroid Build Coastguard Worker }
779*59bfda1fSAndroid Build Coastguard Worker
780*59bfda1fSAndroid Build Coastguard Worker if ((strlen(argv[optind]) != (F2FS_KEY_DESCRIPTOR_SIZE * 2)) ||
781*59bfda1fSAndroid Build Coastguard Worker hex2byte(argv[optind], (F2FS_KEY_DESCRIPTOR_SIZE * 2),
782*59bfda1fSAndroid Build Coastguard Worker saltbuf.key_desc, F2FS_KEY_DESCRIPTOR_SIZE)) {
783*59bfda1fSAndroid Build Coastguard Worker printf("Invalid key descriptor [%s]. Valid characters "
784*59bfda1fSAndroid Build Coastguard Worker "are 0-9 and a-f, lower case. "
785*59bfda1fSAndroid Build Coastguard Worker "Length must be %d.\n",
786*59bfda1fSAndroid Build Coastguard Worker argv[optind], (F2FS_KEY_DESCRIPTOR_SIZE * 2));
787*59bfda1fSAndroid Build Coastguard Worker exit(1);
788*59bfda1fSAndroid Build Coastguard Worker }
789*59bfda1fSAndroid Build Coastguard Worker validate_paths(argc, argv, optind+1);
790*59bfda1fSAndroid Build Coastguard Worker strcpy(saltbuf.key_ref_str, argv[optind]);
791*59bfda1fSAndroid Build Coastguard Worker set_policy(&saltbuf, pad, argc, argv, optind+1);
792*59bfda1fSAndroid Build Coastguard Worker exit(0);
793*59bfda1fSAndroid Build Coastguard Worker }
794*59bfda1fSAndroid Build Coastguard Worker
795*59bfda1fSAndroid Build Coastguard Worker #define get_policy_desc "get the encryption for directories"
796*59bfda1fSAndroid Build Coastguard Worker #define get_policy_help \
797*59bfda1fSAndroid Build Coastguard Worker "f2fscrypt get_policy path ... \n\n" \
798*59bfda1fSAndroid Build Coastguard Worker "Gets the policy for the directories specified on the command line.\n"
799*59bfda1fSAndroid Build Coastguard Worker
do_get_policy(int argc,char ** argv,const struct cmd_desc * cmd)800*59bfda1fSAndroid Build Coastguard Worker static void do_get_policy(int argc, char **argv, const struct cmd_desc *cmd)
801*59bfda1fSAndroid Build Coastguard Worker {
802*59bfda1fSAndroid Build Coastguard Worker struct f2fs_fscrypt_policy policy;
803*59bfda1fSAndroid Build Coastguard Worker struct stat st;
804*59bfda1fSAndroid Build Coastguard Worker int i, j, fd, rc;
805*59bfda1fSAndroid Build Coastguard Worker
806*59bfda1fSAndroid Build Coastguard Worker if (argc < 2) {
807*59bfda1fSAndroid Build Coastguard Worker fprintf(stderr, "Missing required argument(s).\n\n");
808*59bfda1fSAndroid Build Coastguard Worker fputs("USAGE:\n ", stderr);
809*59bfda1fSAndroid Build Coastguard Worker fputs(cmd->cmd_help, stderr);
810*59bfda1fSAndroid Build Coastguard Worker exit(1);
811*59bfda1fSAndroid Build Coastguard Worker }
812*59bfda1fSAndroid Build Coastguard Worker
813*59bfda1fSAndroid Build Coastguard Worker for (i = 1; i < argc; i++) {
814*59bfda1fSAndroid Build Coastguard Worker if (stat(argv[i], &st) < 0) {
815*59bfda1fSAndroid Build Coastguard Worker perror(argv[i]);
816*59bfda1fSAndroid Build Coastguard Worker continue;
817*59bfda1fSAndroid Build Coastguard Worker }
818*59bfda1fSAndroid Build Coastguard Worker fd = open(argv[i],
819*59bfda1fSAndroid Build Coastguard Worker S_ISDIR(st.st_mode) ? O_DIRECTORY : O_RDONLY);
820*59bfda1fSAndroid Build Coastguard Worker if (fd == -1) {
821*59bfda1fSAndroid Build Coastguard Worker perror(argv[i]);
822*59bfda1fSAndroid Build Coastguard Worker exit(1);
823*59bfda1fSAndroid Build Coastguard Worker }
824*59bfda1fSAndroid Build Coastguard Worker rc = ioctl(fd, F2FS_IOC_GET_ENCRYPTION_POLICY, &policy);
825*59bfda1fSAndroid Build Coastguard Worker close(fd);
826*59bfda1fSAndroid Build Coastguard Worker if (rc) {
827*59bfda1fSAndroid Build Coastguard Worker printf("Error getting policy for %s: %s\n",
828*59bfda1fSAndroid Build Coastguard Worker argv[i], strerror(errno));
829*59bfda1fSAndroid Build Coastguard Worker continue;
830*59bfda1fSAndroid Build Coastguard Worker }
831*59bfda1fSAndroid Build Coastguard Worker printf("%s: ", argv[i]);
832*59bfda1fSAndroid Build Coastguard Worker for (j = 0; j < F2FS_KEY_DESCRIPTOR_SIZE; j++) {
833*59bfda1fSAndroid Build Coastguard Worker printf("%02x", (unsigned char) policy.master_key_descriptor[j]);
834*59bfda1fSAndroid Build Coastguard Worker }
835*59bfda1fSAndroid Build Coastguard Worker fputc('\n', stdout);
836*59bfda1fSAndroid Build Coastguard Worker }
837*59bfda1fSAndroid Build Coastguard Worker exit(0);
838*59bfda1fSAndroid Build Coastguard Worker }
839*59bfda1fSAndroid Build Coastguard Worker
840*59bfda1fSAndroid Build Coastguard Worker #define new_session_desc "give the invoking process a new session keyring"
841*59bfda1fSAndroid Build Coastguard Worker #define new_session_help \
842*59bfda1fSAndroid Build Coastguard Worker "f2fscrypt new_session\n\n" \
843*59bfda1fSAndroid Build Coastguard Worker "Give the invoking process (typically a shell) a new session keyring,\n" \
844*59bfda1fSAndroid Build Coastguard Worker "discarding its old session keyring.\n"
845*59bfda1fSAndroid Build Coastguard Worker
do_new_session(int argc,char ** UNUSED (argv),const struct cmd_desc * cmd)846*59bfda1fSAndroid Build Coastguard Worker static void do_new_session(int argc, char **UNUSED(argv),
847*59bfda1fSAndroid Build Coastguard Worker const struct cmd_desc *cmd)
848*59bfda1fSAndroid Build Coastguard Worker {
849*59bfda1fSAndroid Build Coastguard Worker long keyid, ret;
850*59bfda1fSAndroid Build Coastguard Worker
851*59bfda1fSAndroid Build Coastguard Worker if (argc > 1) {
852*59bfda1fSAndroid Build Coastguard Worker fputs("Excess arguments\n\n", stderr);
853*59bfda1fSAndroid Build Coastguard Worker fputs(cmd->cmd_help, stderr);
854*59bfda1fSAndroid Build Coastguard Worker exit(1);
855*59bfda1fSAndroid Build Coastguard Worker }
856*59bfda1fSAndroid Build Coastguard Worker keyid = keyctl(KEYCTL_JOIN_SESSION_KEYRING, NULL);
857*59bfda1fSAndroid Build Coastguard Worker if (keyid < 0) {
858*59bfda1fSAndroid Build Coastguard Worker perror("KEYCTL_JOIN_SESSION_KEYRING");
859*59bfda1fSAndroid Build Coastguard Worker exit(1);
860*59bfda1fSAndroid Build Coastguard Worker }
861*59bfda1fSAndroid Build Coastguard Worker ret = keyctl(KEYCTL_SESSION_TO_PARENT, NULL);
862*59bfda1fSAndroid Build Coastguard Worker if (ret < 0) {
863*59bfda1fSAndroid Build Coastguard Worker perror("KEYCTL_SESSION_TO_PARENT");
864*59bfda1fSAndroid Build Coastguard Worker exit(1);
865*59bfda1fSAndroid Build Coastguard Worker }
866*59bfda1fSAndroid Build Coastguard Worker printf("Switched invoking process to new session keyring %ld\n", keyid);
867*59bfda1fSAndroid Build Coastguard Worker exit(0);
868*59bfda1fSAndroid Build Coastguard Worker }
869*59bfda1fSAndroid Build Coastguard Worker
870*59bfda1fSAndroid Build Coastguard Worker #define CMD(name) { #name, do_##name, name##_desc, name##_help, 0 }
871*59bfda1fSAndroid Build Coastguard Worker #define _CMD(name) { #name, do_##name, NULL, NULL, CMD_HIDDEN }
872*59bfda1fSAndroid Build Coastguard Worker
873*59bfda1fSAndroid Build Coastguard Worker const struct cmd_desc cmd_list[] = {
874*59bfda1fSAndroid Build Coastguard Worker _CMD(help),
875*59bfda1fSAndroid Build Coastguard Worker CMD(add_key),
876*59bfda1fSAndroid Build Coastguard Worker CMD(get_policy),
877*59bfda1fSAndroid Build Coastguard Worker CMD(new_session),
878*59bfda1fSAndroid Build Coastguard Worker CMD(set_policy),
879*59bfda1fSAndroid Build Coastguard Worker { NULL, NULL, NULL, NULL, 0 }
880*59bfda1fSAndroid Build Coastguard Worker };
881*59bfda1fSAndroid Build Coastguard Worker
do_help(int argc,char ** argv,const struct cmd_desc * UNUSED (cmd))882*59bfda1fSAndroid Build Coastguard Worker static void do_help(int argc, char **argv, const struct cmd_desc *UNUSED(cmd))
883*59bfda1fSAndroid Build Coastguard Worker {
884*59bfda1fSAndroid Build Coastguard Worker const struct cmd_desc *p;
885*59bfda1fSAndroid Build Coastguard Worker
886*59bfda1fSAndroid Build Coastguard Worker if (argc > 1) {
887*59bfda1fSAndroid Build Coastguard Worker for (p = cmd_list; p->cmd_name; p++) {
888*59bfda1fSAndroid Build Coastguard Worker if (p->cmd_flags & CMD_HIDDEN)
889*59bfda1fSAndroid Build Coastguard Worker continue;
890*59bfda1fSAndroid Build Coastguard Worker if (strcmp(p->cmd_name, argv[1]) == 0) {
891*59bfda1fSAndroid Build Coastguard Worker putc('\n', stdout);
892*59bfda1fSAndroid Build Coastguard Worker fputs("USAGE:\n ", stdout);
893*59bfda1fSAndroid Build Coastguard Worker fputs(p->cmd_help, stdout);
894*59bfda1fSAndroid Build Coastguard Worker exit(0);
895*59bfda1fSAndroid Build Coastguard Worker }
896*59bfda1fSAndroid Build Coastguard Worker }
897*59bfda1fSAndroid Build Coastguard Worker printf("Unknown command: %s\n\n", argv[1]);
898*59bfda1fSAndroid Build Coastguard Worker }
899*59bfda1fSAndroid Build Coastguard Worker
900*59bfda1fSAndroid Build Coastguard Worker fputs("Available commands:\n", stdout);
901*59bfda1fSAndroid Build Coastguard Worker for (p = cmd_list; p->cmd_name; p++) {
902*59bfda1fSAndroid Build Coastguard Worker if (p->cmd_flags & CMD_HIDDEN)
903*59bfda1fSAndroid Build Coastguard Worker continue;
904*59bfda1fSAndroid Build Coastguard Worker printf(" %-20s %s\n", p->cmd_name, p->cmd_desc);
905*59bfda1fSAndroid Build Coastguard Worker }
906*59bfda1fSAndroid Build Coastguard Worker printf("\nTo get more information on a command, "
907*59bfda1fSAndroid Build Coastguard Worker "type 'f2fscrypt help cmd'\n");
908*59bfda1fSAndroid Build Coastguard Worker exit(0);
909*59bfda1fSAndroid Build Coastguard Worker }
910*59bfda1fSAndroid Build Coastguard Worker
main(int argc,char * argv[])911*59bfda1fSAndroid Build Coastguard Worker int main(int argc, char *argv[])
912*59bfda1fSAndroid Build Coastguard Worker {
913*59bfda1fSAndroid Build Coastguard Worker const struct cmd_desc *cmd;
914*59bfda1fSAndroid Build Coastguard Worker
915*59bfda1fSAndroid Build Coastguard Worker if (argc < 2)
916*59bfda1fSAndroid Build Coastguard Worker do_help(argc, argv, cmd_list);
917*59bfda1fSAndroid Build Coastguard Worker
918*59bfda1fSAndroid Build Coastguard Worker sigcatcher_setup();
919*59bfda1fSAndroid Build Coastguard Worker for (cmd = cmd_list; cmd->cmd_name; cmd++) {
920*59bfda1fSAndroid Build Coastguard Worker if (strcmp(cmd->cmd_name, argv[1]) == 0) {
921*59bfda1fSAndroid Build Coastguard Worker cmd->cmd_func(argc-1, argv+1, cmd);
922*59bfda1fSAndroid Build Coastguard Worker exit(0);
923*59bfda1fSAndroid Build Coastguard Worker }
924*59bfda1fSAndroid Build Coastguard Worker }
925*59bfda1fSAndroid Build Coastguard Worker printf("Unknown command: %s\n\n", argv[1]);
926*59bfda1fSAndroid Build Coastguard Worker do_help(1, argv, cmd_list);
927*59bfda1fSAndroid Build Coastguard Worker return 0;
928*59bfda1fSAndroid Build Coastguard Worker }
929