Diffstat (limited to 'libfscrypt')
-rw-r--r-- | libfscrypt/fscrypt.cpp | 66 | ||||
-rw-r--r-- | libfscrypt/include/fscrypt/fscrypt.h | 3 | ||||
-rw-r--r-- | libfscrypt/tests/fscrypt_test.cpp | 80 |
3 files changed, 59 insertions, 90 deletions
diff --git a/libfscrypt/fscrypt.cpp b/libfscrypt/fscrypt.cpp index b76f0b17..a1f1fc4c 100644 --- a/libfscrypt/fscrypt.cpp +++ b/libfscrypt/fscrypt.cpp @@ -24,7 +24,7 @@ #include <cutils/properties.h> #include <errno.h> #include <fcntl.h> -#include <linux/fs.h> +#include <linux/fscrypt.h> #include <logwrap/logwrap.h> #include <string.h> #include <sys/stat.h> @@ -38,37 +38,9 @@ using namespace std::string_literals; -// TODO: switch to <linux/fscrypt.h> once it's in Bionic -#ifndef FSCRYPT_POLICY_V1 - -// Careful: due to an API quirk this is actually 0, not 1. We use 1 everywhere -// else, so make sure to only use this constant in the ioctl itself. -#define FSCRYPT_POLICY_V1 0 -#define FSCRYPT_KEY_DESCRIPTOR_SIZE 8 -struct fscrypt_policy_v1 { - __u8 version; - __u8 contents_encryption_mode; - __u8 filenames_encryption_mode; - __u8 flags; - __u8 master_key_descriptor[FSCRYPT_KEY_DESCRIPTOR_SIZE]; -}; - -#define FSCRYPT_POLICY_V2 2 -#define FSCRYPT_KEY_IDENTIFIER_SIZE 16 -struct fscrypt_policy_v2 { - __u8 version; - __u8 contents_encryption_mode; - __u8 filenames_encryption_mode; - __u8 flags; - __u8 __reserved[4]; - __u8 master_key_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]; -}; - -#endif /* FSCRYPT_POLICY_V1 */ - -/* modes not supported by upstream kernel, so not in <linux/fs.h> */ -#define FS_ENCRYPTION_MODE_AES_256_HEH 126 -#define FS_ENCRYPTION_MODE_PRIVATE 127 +/* modes not supported by upstream kernel, so not in <linux/fscrypt.h> */ +#define FSCRYPT_MODE_AES_256_HEH 126 +#define FSCRYPT_MODE_PRIVATE 127 #define HEX_LOOKUP "0123456789abcdef" 
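Review bot: The block removed in the `@@ -38,37 +38,9 @@` hunk carried the only warning that `FSCRYPT_POLICY_V1` is 0 in the ioctl ABI while this library uses 1 for the same policy version, and nothing on the new side replaces it. The code that fills the policy struct is outside this hunk, so a comment at that call site such as `// FSCRYPT_POLICY_V1 is 0 in the UAPI header; options.version uses 1, so translate only at the ioctl` would keep the two numbering schemes from being mixed when a policy is set. Separately, the vendor mode values kept here (`FSCRYPT_MODE_AES_256_HEH`, `FSCRYPT_MODE_PRIVATE`) are unguarded `#define`s that are repeated in `tests/fscrypt_test.cpp`. Wrapping each in `#ifndef`, or moving both to one shared header, would avoid a redefinition or silent drift if a kernel header later supplies them.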
@@ -78,16 +50,16 @@ struct ModeLookupEntry { }; static const auto contents_modes = std::vector<ModeLookupEntry>{ - {"aes-256-xts"s, FS_ENCRYPTION_MODE_AES_256_XTS}, - {"software"s, FS_ENCRYPTION_MODE_AES_256_XTS}, - {"adiantum"s, FS_ENCRYPTION_MODE_ADIANTUM}, - {"ice"s, FS_ENCRYPTION_MODE_PRIVATE}, + {"aes-256-xts"s, FSCRYPT_MODE_AES_256_XTS}, + {"software"s, FSCRYPT_MODE_AES_256_XTS}, + {"adiantum"s, FSCRYPT_MODE_ADIANTUM}, + {"ice"s, FSCRYPT_MODE_PRIVATE}, }; static const auto filenames_modes = std::vector<ModeLookupEntry>{ - {"aes-256-cts"s, FS_ENCRYPTION_MODE_AES_256_CTS}, - {"aes-256-heh"s, FS_ENCRYPTION_MODE_AES_256_HEH}, - {"adiantum"s, FS_ENCRYPTION_MODE_ADIANTUM}, + {"aes-256-cts"s, FSCRYPT_MODE_AES_256_CTS}, + {"aes-256-heh"s, FSCRYPT_MODE_AES_256_HEH}, + {"adiantum"s, FSCRYPT_MODE_ADIANTUM}, }; static bool LookupModeByName(const std::vector<struct ModeLookupEntry>& modes, @@ -199,10 +171,10 @@ bool ParseOptions(const std::string& options_string, EncryptionOptions* options) LOG(ERROR) << "Invalid file names encryption mode: " << parts[1]; return false; } - } else if (options->contents_mode == FS_ENCRYPTION_MODE_ADIANTUM) { - options->filenames_mode = FS_ENCRYPTION_MODE_ADIANTUM; + } else if (options->contents_mode == FSCRYPT_MODE_ADIANTUM) { + options->filenames_mode = FSCRYPT_MODE_ADIANTUM; } else { - options->filenames_mode = FS_ENCRYPTION_MODE_AES_256_CTS; + options->filenames_mode = FSCRYPT_MODE_AES_256_CTS; } options->version = 1; options->flags = 0; 
@@ -228,17 +200,17 @@ bool ParseOptions(const std::string& options_string, EncryptionOptions* options) // For everything else, use 16-byte padding. This is more secure (it helps // hide the length of filenames), and it makes the inputs evenly divisible // into cipher blocks which is more efficient for encryption and decryption. - if (options->version == 1 && options->filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS) { - options->flags |= FS_POLICY_FLAGS_PAD_4; + if (options->version == 1 && options->filenames_mode == FSCRYPT_MODE_AES_256_CTS) { + options->flags |= FSCRYPT_POLICY_FLAGS_PAD_4; } else { - options->flags |= FS_POLICY_FLAGS_PAD_16; + options->flags |= FSCRYPT_POLICY_FLAGS_PAD_16; } // Use DIRECT_KEY for Adiantum, since it's much more efficient but just as // secure since Android doesn't reuse the same master key for multiple // encryption modes. - if (options->filenames_mode == FS_ENCRYPTION_MODE_ADIANTUM) { - options->flags |= FS_POLICY_FLAG_DIRECT_KEY; + if (options->filenames_mode == FSCRYPT_MODE_ADIANTUM) { + options->flags |= FSCRYPT_POLICY_FLAG_DIRECT_KEY; } return true; } diff --git a/libfscrypt/include/fscrypt/fscrypt.h b/libfscrypt/include/fscrypt/fscrypt.h index 2b809866..ca051f4a 100644 --- a/libfscrypt/include/fscrypt/fscrypt.h +++ b/libfscrypt/include/fscrypt/fscrypt.h @@ -19,9 +19,6 @@ #include <string> -// TODO: switch to <linux/fscrypt.h> once it's in Bionic -#define FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 0x08 - bool fscrypt_is_native(); static const char* fscrypt_unencrypted_folder = "/unencrypted"; diff --git a/libfscrypt/tests/fscrypt_test.cpp b/libfscrypt/tests/fscrypt_test.cpp index 677f0f22..379e827b 100644 --- a/libfscrypt/tests/fscrypt_test.cpp +++ b/libfscrypt/tests/fscrypt_test.cpp @@ -14,7 +14,7 @@ * limitations under the License. */ -#include <linux/fs.h> +#include <linux/fscrypt.h> #include <fscrypt/fscrypt.h> 
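Review bot: In the `@@ -228,17 +200,17 @@` hunk, `FSCRYPT_POLICY_FLAG_DIRECT_KEY` is selected from `filenames_mode` alone, so an option string such as `ice:adiantum` gets the flag even though its contents mode is `FSCRYPT_MODE_PRIVATE` (the updated test expects exactly that combination). The comment justifies DIRECT_KEY only for Adiantum; whether that reasoning holds, and whether the kernel accepts the flag, when the contents mode is a different cipher cannot be seen from this page and should be confirmed. If the flag is meant for all-Adiantum policies only, the condition would read `if (options->contents_mode == FSCRYPT_MODE_ADIANTUM && options->filenames_mode == FSCRYPT_MODE_ADIANTUM) {`; otherwise the comment should say why the mixed case is safe. ParseOptions begins before this hunk, so the earlier option handling was not reviewed.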
@@ -22,9 +22,9 @@ using namespace android::fscrypt; -/* modes not supported by upstream kernel, so not in <linux/fs.h> */ -#define FS_ENCRYPTION_MODE_AES_256_HEH 126 -#define FS_ENCRYPTION_MODE_PRIVATE 127 +/* modes not supported by upstream kernel, so not in <linux/fscrypt.h> */ +#define FSCRYPT_MODE_AES_256_HEH 126 +#define FSCRYPT_MODE_PRIVATE 127 TEST(fscrypt, ParseOptions) { EncryptionOptions options; 
@@ -35,41 +35,41 @@ TEST(fscrypt, ParseOptions) { EXPECT_TRUE(ParseOptions("software", &options)); EXPECT_EQ(1, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_XTS, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_CTS, options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_4, options.flags); + EXPECT_EQ(FSCRYPT_MODE_AES_256_XTS, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_AES_256_CTS, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_4, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("aes-256-xts:aes-256-cts:v1", options_string); EXPECT_TRUE(ParseOptions("aes-256-xts", &options)); EXPECT_EQ(1, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_XTS, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_CTS, options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_4, options.flags); + EXPECT_EQ(FSCRYPT_MODE_AES_256_XTS, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_AES_256_CTS, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_4, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("aes-256-xts:aes-256-cts:v1", options_string); EXPECT_TRUE(ParseOptions("adiantum", &options)); EXPECT_EQ(1, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_ADIANTUM, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_ADIANTUM, options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_16 | FS_POLICY_FLAG_DIRECT_KEY, options.flags); + EXPECT_EQ(FSCRYPT_MODE_ADIANTUM, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_ADIANTUM, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_16 | FSCRYPT_POLICY_FLAG_DIRECT_KEY, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("adiantum:adiantum:v1", options_string); EXPECT_TRUE(ParseOptions("adiantum:aes-256-heh", &options)); EXPECT_EQ(1, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_ADIANTUM, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_HEH, 
options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_16, options.flags); + EXPECT_EQ(FSCRYPT_MODE_ADIANTUM, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_AES_256_HEH, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_16, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("adiantum:aes-256-heh:v1", options_string); EXPECT_TRUE(ParseOptions("ice", &options)); EXPECT_EQ(1, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_PRIVATE, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_CTS, options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_4, options.flags); + EXPECT_EQ(FSCRYPT_MODE_PRIVATE, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_AES_256_CTS, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_4, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("ice:aes-256-cts:v1", options_string); 
@@ -77,57 +77,57 @@ TEST(fscrypt, ParseOptions) { EXPECT_TRUE(ParseOptions("ice:aes-256-cts", &options)); EXPECT_EQ(1, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_PRIVATE, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_CTS, options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_4, options.flags); + EXPECT_EQ(FSCRYPT_MODE_PRIVATE, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_AES_256_CTS, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_4, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("ice:aes-256-cts:v1", options_string); EXPECT_TRUE(ParseOptions("ice:aes-256-heh", &options)); EXPECT_EQ(1, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_PRIVATE, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_HEH, options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_16, options.flags); + EXPECT_EQ(FSCRYPT_MODE_PRIVATE, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_AES_256_HEH, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_16, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("ice:aes-256-heh:v1", options_string); EXPECT_TRUE(ParseOptions("ice:adiantum", &options)); EXPECT_EQ(1, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_PRIVATE, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_ADIANTUM, options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_16 | FS_POLICY_FLAG_DIRECT_KEY, options.flags); + EXPECT_EQ(FSCRYPT_MODE_PRIVATE, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_ADIANTUM, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_16 | FSCRYPT_POLICY_FLAG_DIRECT_KEY, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("ice:adiantum:v1", options_string); EXPECT_TRUE(ParseOptions("aes-256-xts:aes-256-cts", &options)); EXPECT_EQ(1, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_XTS, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_CTS, options.filenames_mode); - 
EXPECT_EQ(FS_POLICY_FLAGS_PAD_4, options.flags); + EXPECT_EQ(FSCRYPT_MODE_AES_256_XTS, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_AES_256_CTS, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_4, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("aes-256-xts:aes-256-cts:v1", options_string); EXPECT_TRUE(ParseOptions("aes-256-xts:aes-256-cts:v1", &options)); EXPECT_EQ(1, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_XTS, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_CTS, options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_4, options.flags); + EXPECT_EQ(FSCRYPT_MODE_AES_256_XTS, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_AES_256_CTS, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_4, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("aes-256-xts:aes-256-cts:v1", options_string); EXPECT_TRUE(ParseOptions("aes-256-xts:aes-256-cts:v2", &options)); EXPECT_EQ(2, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_XTS, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_CTS, options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_16, options.flags); + EXPECT_EQ(FSCRYPT_MODE_AES_256_XTS, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_AES_256_CTS, options.filenames_mode); + EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_16, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("aes-256-xts:aes-256-cts:v2", options_string); EXPECT_TRUE(ParseOptions("aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized", &options)); EXPECT_EQ(2, options.version); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_XTS, options.contents_mode); - EXPECT_EQ(FS_ENCRYPTION_MODE_AES_256_CTS, options.filenames_mode); - EXPECT_EQ(FS_POLICY_FLAGS_PAD_16 | FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64, options.flags); + EXPECT_EQ(FSCRYPT_MODE_AES_256_XTS, options.contents_mode); + EXPECT_EQ(FSCRYPT_MODE_AES_256_CTS, options.filenames_mode); + 
EXPECT_EQ(FSCRYPT_POLICY_FLAGS_PAD_16 | FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64, options.flags); EXPECT_TRUE(OptionsToString(options, &options_string)); EXPECT_EQ("aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized", options_string); |