From 0cc166385a7e1d3026bbcb62f094e419f779e872 Mon Sep 17 00:00:00 2001 From: Ken Sumrall Date: Tue, 18 Jan 2011 20:32:26 -0800 Subject: [PATCH] Verify that it's OK to run the various cryptfs commands Maintain and query some internal state to know if it's OK to run the various cryptfs commands. Do not allow enablecrypto to run if the device is already encrypted. Do no allow restart to run if we have already run it before or if the password has not been validated. Do not allow checkpw to run if not encrypted, or it has already validated the password. This is an extra layer of safety on top of the checks up in the UI code agains possible DoS attacks on the device. Change-Id: I9afc8d42773020e82a512e6b637feede101d1362 --- cryptfs.c | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/cryptfs.c b/cryptfs.c index a6f5b4b..5df9cb0 100644 --- a/cryptfs.c +++ b/cryptfs.c @@ -528,6 +528,18 @@ int cryptfs_restart(void) unsigned long mnt_flags; struct stat statbuf; int rc = -1, i; + static int restart_successful = 0; + + /* Validate that it's OK to call this routine */ + if (! key_sha1_saved) { + SLOGE("Encrypted filesystem not validated, aborting"); + return -1; + } + + if (restart_successful) { + SLOGE("System already restarted with encrypted disk, aborting"); + return -1; + } /* Here is where we shut down the framework. The init scripts * start all services in one of three classes: core, main or late_start. @@ -580,6 +592,10 @@ int cryptfs_restart(void) } } + if (rc == 0) { + restart_successful = 1; + } + return rc; } 
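Review bot: The two new guards at the top of cryptfs_restart depend on process-lifetime state only — `key_sha1_saved` (used unchanged in cryptfs_changepw below, so presumably a file-scope global) and the function-local `static int restart_successful` — so they hold for the life of this vold process and reset if the daemon is restarted, at which point a second restart call passes both checks again. That limit is worth stating in the new comment, e.g. `/* Validate that it's OK to call this routine; this state is per-process and resets if vold restarts */`. In the second hunk (`@@ -580,6 +592,10 @@`) `restart_successful` is set only when `rc == 0`, so a restart that fails after the framework has been shut down can be re-attempted; if re-entering that partially completed state is not safe, the flag should be set before the shutdown begins rather than on success. Both hunks cut through cryptfs_restart, whose body continues outside them.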
@@ -595,8 +611,15 @@ static int test_mount_encrypted_fs(char *passwd, char *mount_point) char tmp_mount_point[64]; unsigned long mnt_flags; unsigned int orig_failed_decrypt_count; + char encrypted_state[32]; int rc; + property_get("ro.crypto.state", encrypted_state, ""); + if ( key_sha1_saved || strcmp(encrypted_state, "encrypted") ) { + SLOGE("encrypted fs already validated or not running with encryption, aborting"); + return -1; + } + if (get_orig_mount_parms(mount_point, fs_type, real_blkdev, &mnt_flags, fs_options)) { SLOGE("Error reading original mount parms for mount point %s\n", mount_point); return -1; @@ -816,6 +839,13 @@ int cryptfs_enable(char *howarg, char *passwd) int rc=-1, fd, i; struct crypt_mnt_ftr crypt_ftr; char tmpfs_options[80]; + char encrypted_state[32]; + + property_get("ro.crypto.state", encrypted_state, ""); + if (strcmp(encrypted_state, "unencrypted")) { + SLOGE("Device is already running encrypted, aborting"); + return -1; + } if (!strcmp(howarg, "wipe")) { how = CRYPTO_ENABLE_WIPE; @@ -932,7 +962,7 @@ int cryptfs_changepw(char *oldpw, char *newpw) /* This is only allowed after we've successfully decrypted the master key */ if (! key_sha1_saved) { - SLOGE("Key not saved"); + SLOGE("Key not saved, aborting"); return -1; }
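Review bot: `char encrypted_state[32]` in test_mount_encrypted_fs is smaller than the buffer `property_get` expects (`PROPERTY_VALUE_MAX` bytes from cutils/properties.h); declare it as `char encrypted_state[PROPERTY_VALUE_MAX];` here and in the matching declaration in cryptfs_enable (`@@ -816,6 +839,13 @@`). ro.crypto.state is a read-only property set by init with short values, so this is an API-contract mismatch rather than a reachable overflow, but the two sizes should agree. The combined condition `if ( key_sha1_saved || strcmp(encrypted_state, "encrypted") )` logs one message for two distinct reasons; splitting it into two checks with their own SLOGE lines would let the log say which guard fired. test_mount_encrypted_fs continues outside the hunk.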
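Review bot: The guard in cryptfs_enable rejects every ro.crypto.state value other than `"unencrypted"`, including the empty default `property_get` supplies when the property is unset; that fail-closed behaviour is correct but reads as accidental, so a comment such as `/* Only proceed from a known-unencrypted state; an unset property is rejected too */` would make it explicit. The `strcmp` result is used as a bare truth value; `if (strcmp(encrypted_state, "unencrypted") != 0)` is the clearer form. cryptfs_enable continues outside the hunk.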