Enable auto-encrypt drive at startup

Modify the enablecrypto command to make the password optional. When the
password is omitted, default-encrypt the device.

Remove a warning by making at least some parts of this file const-correct.

Bug: 11985952
Change-Id: Ie27da4c4072386d9d6519d97ff46c6dc4ed188dc
diff --git a/CommandListener.cpp b/CommandListener.cpp
index 490dd75..a91b654 100644
--- a/CommandListener.cpp
+++ b/CommandListener.cpp
@@ -546,21 +546,32 @@
         dumpArgs(argc, argv, -1);
         rc = cryptfs_crypto_complete();
     } else if (!strcmp(argv[1], "enablecrypto")) {
-        if ( (argc != 4) || (strcmp(argv[2], "wipe") && strcmp(argv[2], "inplace")) ) {
-            cli->sendMsg(ResponseCode::CommandSyntaxError, "Usage: cryptfs enablecrypto <wipe|inplace> <passwd>", false);
+        if ( (argc != 4 && argc != 3)
+             || (strcmp(argv[2], "wipe") && strcmp(argv[2], "inplace")) ) {
+            cli->sendMsg(ResponseCode::CommandSyntaxError,
+                         "Usage: cryptfs enablecrypto <wipe|inplace> [passwd]",
+                         false);
             return 0;
         }
         dumpArgs(argc, argv, 3);
-        rc = cryptfs_enable(argv[2], argv[3], /*allow_reboot*/false);
-        if (rc) {
-            Process::killProcessesWithOpenFiles(DATA_MNT_POINT, 2);
-            rc = cryptfs_enable(argv[2], argv[3], true);
-        }
 
+        int tries;
+        for (tries = 0; tries < 2; ++tries) {
+            if(argc == 3)
+                rc = cryptfs_enable_default(argv[2], /*allow_reboot*/false);
+            else
+                rc = cryptfs_enable(argv[2], argv[3], /*allow_reboot*/false);
+
+            if (rc == 0) {
+                break;
+            } else if (tries == 0) {
+                Process::killProcessesWithOpenFiles(DATA_MNT_POINT, 2);
+            }
+        }
     } else if (!strcmp(argv[1], "changepw")) {
         const char* syntax = "Usage: cryptfs changepw "
                              "default|password|pin|pattern [newpasswd]";
-        char* password;
+        const char* password;
         if (argc == 3) {
             password = "";
         } else if (argc == 4) {
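Review bot: The retry in the new `for (tries = 0; tries < 2; ++tries)` loop passes `/*allow_reboot*/false` on both attempts, whereas the removed code retried with `cryptfs_enable(argv[2], argv[3], true)` after killing the processes holding files open. If the reboot fallback is still wanted, pass `tries > 0` as the last argument of both calls, e.g. `rc = cryptfs_enable(argv[2], argv[3], /*allow_reboot*/tries > 0);`; if dropping it is deliberate, a one-line comment saying so would stop it reading as a regression. Separately, `dumpArgs(argc, argv, 3)` is now reached with `argc == 3`; dumpArgs is defined outside the hunk, so confirm it tolerates an index equal to argc and still keeps the password out of the log in the four-argument form. The enclosing command handler starts and ends outside the hunk.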
diff --git a/cryptfs.c b/cryptfs.c
index b320ee2..9c2b4bc 100644
--- a/cryptfs.c
+++ b/cryptfs.c
@@ -925,7 +925,7 @@
 
 }
 
-static int pbkdf2(char *passwd, unsigned char *salt,
+static int pbkdf2(const char *passwd, unsigned char *salt,
                   unsigned char *ikey, void *params UNUSED)
 {
     /* Turn the password into a key and IV that can decrypt the master key */
@@ -939,7 +939,7 @@
     return 0;
 }
 
-static int scrypt(char *passwd, unsigned char *salt,
+static int scrypt(const char *passwd, unsigned char *salt,
                   unsigned char *ikey, void *params)
 {
     struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params;
@@ -959,7 +959,7 @@
     return 0;
 }
 
-static int encrypt_master_key(char *passwd, unsigned char *salt,
+static int encrypt_master_key(const char *passwd, unsigned char *salt,
                               unsigned char *decrypted_master_key,
                               unsigned char *encrypted_master_key,
                               struct crypt_mnt_ftr *crypt_ftr)
@@ -1903,7 +1903,8 @@
             (VOL_ENCRYPTABLE | VOL_NONREMOVABLE);
 }
 
-int cryptfs_enable(char *howarg, char *passwd, int allow_reboot)
+int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd,
+                            int allow_reboot)
 {
     int how = 0;
     char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN], sd_crypto_blkdev[MAXPATHLEN];
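Review bot: `cryptfs_enable_internal` is defined with external linkage although the cryptfs.h hunk of this commit does not declare it, and its `passwd` parameter stays `char *` while the rest of the commit makes the password path const-correct. I would write the signature as `static int cryptfs_enable_internal(char *howarg, int crypt_type, const char *passwd, int allow_reboot)`. The new `cryptfs_enable_default` further down this file passes `DEFAULT_PASSWORD` to it, which is presumably a string literal. Most of the function body lies outside the hunk, so confirm nothing in it writes through `passwd` before adding the qualifier.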
@@ -2083,11 +2084,7 @@
         crypt_ftr.fs_size = nr_sec;
     }
     crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS;
-
-    /** @TODO If we keep this route, must pass in crypt_type.
-     * If all devices are encrypted by default, we don't need that change.
-     */
-    crypt_ftr.crypt_type = CRYPT_TYPE_PASSWORD;
+    crypt_ftr.crypt_type = crypt_type;
     strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256");
 
     /* Make an encrypted master key */
@@ -2244,7 +2241,22 @@
     return -1;
 }
 
-int cryptfs_changepw(int crypt_type, char *newpw)
+int cryptfs_enable(char *howarg, char *passwd, int allow_reboot)
+{
+    /** @todo If we keep this route (user selected encryption)
+     *  need to take a type in and pass it to here.
+     */
+    return cryptfs_enable_internal(howarg, CRYPT_TYPE_PASSWORD,
+                                   passwd, allow_reboot);
+}
+
+int cryptfs_enable_default(char *howarg, int allow_reboot)
+{
+    return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT,
+                          DEFAULT_PASSWORD, allow_reboot);
+}
+
+int cryptfs_changepw(int crypt_type, const char *newpw)
 {
     struct crypt_mnt_ftr crypt_ftr;
     unsigned char decrypted_master_key[KEY_LEN_BYTES];
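Review bot: `cryptfs_enable_default` is added without a comment stating what default encryption does and does not protect. It wraps the master key with `DEFAULT_PASSWORD`, which is defined outside this diff and is presumably a fixed constant. Unless the key is also bound to something device-specific elsewhere, no user secret protects the data until `cryptfs_changepw` sets a real credential. I would add above the function: `/* Encrypt with the built-in DEFAULT_PASSWORD (CRYPT_TYPE_DEFAULT); no user secret protects the master key until cryptfs_changepw() replaces it. */`. The matching declaration in cryptfs.h would benefit from the same one-line statement.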
diff --git a/cryptfs.h b/cryptfs.h
index 0e8bd76..caa7617 100644
--- a/cryptfs.h
+++ b/cryptfs.h
@@ -148,14 +148,16 @@
 extern "C" {
 #endif
 
-  typedef int (*kdf_func)(char *passwd, unsigned char *salt, unsigned char *ikey, void *params);
+  typedef int (*kdf_func)(const char *passwd, unsigned char *salt,
+                          unsigned char *ikey, void *params);
 
   int cryptfs_crypto_complete(void);
   int cryptfs_check_passwd(char *pw);
   int cryptfs_verify_passwd(char *newpw);
   int cryptfs_restart(void);
   int cryptfs_enable(char *flag, char *passwd, int allow_reboot);
-  int cryptfs_changepw(int type, char *newpw);
+  int cryptfs_changepw(int type, const char *newpw);
+  int cryptfs_enable_default(char *flag, int allow_reboot);
   int cryptfs_setup_volume(const char *label, int major, int minor,
                            char *crypto_dev_path, unsigned int max_pathlen,
                            int *new_major, int *new_minor);
diff --git a/vdc.c b/vdc.c
index 210ef22..0a70bf7 100644
--- a/vdc.c
+++ b/vdc.c
@@ -59,7 +59,7 @@
             fprintf(stderr, "Error connecting (%s)\n", strerror(errno));
             exit(4);
         } else {
-          sleep(1);
+            sleep(1);
         }
     }