Support File Based Encryption

    LOCAL_CFLAGS += -DTW_INCLUDE_CRYPTO

    LOCAL_SHARED_LIBRARIES += libcryptfslollipop libgpt_twrp

    LOCAL_C_INCLUDES += external/boringssl/src/include

    ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 24; echo $$?),0)

        TW_INCLUDE_CRYPTO_FBE := true

        LOCAL_CFLAGS += -DTW_INCLUDE_FBE

        LOCAL_SHARED_LIBRARIES += libe4crypt

    endif

endif

ifeq ($(TW_USE_MODEL_HARDWARE_ID_FOR_DEVICE_ID), true)

    LOCAL_CFLAGS += -DTW_USE_MODEL_HARDWARE_ID_FOR_DEVICE_ID

ifeq ($(TW_INCLUDE_CRYPTO), true)

    include $(commands_recovery_local_path)/crypto/lollipop/Android.mk

    include $(commands_recovery_local_path)/crypto/scrypt/Android.mk

    ifeq ($(TW_INCLUDE_CRYPTO_FBE), true)

        include $(commands_recovery_local_path)/crypto/ext4crypt/Android.mk

    endif

    include $(commands_recovery_local_path)/gpt/Android.mk

endif

ifeq ($(BUILD_ID), GINGERBREAD)

LOCAL_PATH := $(call my-dir)

ifeq ($(TW_INCLUDE_CRYPTO), true)

include $(CLEAR_VARS)

LOCAL_MODULE := libe4crypt

LOCAL_MODULE_TAGS := eng optional

LOCAL_CFLAGS :=

LOCAL_SRC_FILES := Decrypt.cpp Ext4Crypt.cpp Keymaster.cpp KeyStorage.cpp ScryptParameters.cpp Utils.cpp HashPassword.cpp

LOCAL_SHARED_LIBRARIES := libselinux libc libc++ libext4_utils libsoftkeymaster libbase libcrypto libcutils libkeymaster_messages libhardware libprotobuf-cpp-lite

LOCAL_STATIC_LIBRARIES := libscrypt_static

LOCAL_C_INCLUDES := system/extras/ext4_utils external/scrypt/lib/crypto system/security/keystore hardware/libhardware/include/hardware system/security/softkeymaster/include/keymaster system/keymaster/include

ifneq ($(wildcard hardware/libhardware/include/hardware/keymaster0.h),)

    LOCAL_CFLAGS += -DTW_CRYPTO_HAVE_KEYMASTERX

    LOCAL_C_INCLUDES +=  external/boringssl/src/include

endif

include $(BUILD_SHARED_LIBRARY)

include $(CLEAR_VARS)

LOCAL_MODULE := twrpfbe

LOCAL_MODULE_TAGS := optional

LOCAL_MODULE_CLASS := RECOVERY_EXECUTABLES

LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/sbin

LOCAL_SRC_FILES := main.cpp

LOCAL_SHARED_LIBRARIES := libe4crypt

#LOCAL_LDFLAGS += -Wl,-dynamic-linker,/sbin/linker64

include $(BUILD_EXECUTABLE)

endif

/*

 * Copyright (C) 2016 The Team Win Recovery Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include "Decrypt.h"

#include "Ext4Crypt.h"

#include <string>

#include <errno.h>

#include <stdio.h>

#include <sys/stat.h>

#include <sys/types.h>

#include "ext4_crypt.h"

#include "key_control.h"

#include <hardware/gatekeeper.h>

#include "HashPassword.h"

#include <android-base/file.h>

int gatekeeper_device_initialize(gatekeeper_device_t **dev) {

	int ret;

	const hw_module_t *mod;

	ret = hw_get_module_by_class(GATEKEEPER_HARDWARE_MODULE_ID, NULL, &mod);

	if (ret!=0) {

		printf("failed to get hw module\n");

		return ret;

	}

	ret = gatekeeper_open(mod, dev);

	if (ret!=0)

		printf("failed to open gatekeeper\n");

	return ret;

}

int Get_Password_Type(const userid_t user_id, std::string& filename) {

	std::string path;

    if (user_id == 0) {

		path = "/data/system/";

	} else {

		char user_id_str[5];

		sprintf(user_id_str, "%i", user_id);

		path = "/data/system/users/";

		path += user_id_str;

		path += "/";

	}

	filename = path + "gatekeeper.password.key";

	struct stat st;

	if (stat(filename.c_str(), &st) == 0 && st.st_size > 0)

		return 1;

	filename = path + "gatekeeper.pattern.key";

	if (stat(filename.c_str(), &st) == 0 && st.st_size > 0)

		return 2;

	printf("Unable to locate gatekeeper password file '%s'\n", filename.c_str());

	filename = "";

	return 0;

}

bool Decrypt_DE() {

	if (!e4crypt_initialize_global_de()) { // this deals with the overarching device encryption

		printf("e4crypt_initialize_global_de returned fail\n");

		return false;

	}

	if (!e4crypt_init_user0()) {

		printf("e4crypt_init_user0 returned fail\n");

		return false;

	}

	return true;

}

bool Decrypt_User(const userid_t user_id, const std::string& Password) {

    uint8_t *auth_token;

    uint32_t auth_token_len;

    int ret;

    struct stat st;

    if (user_id > 9999) {

		printf("user_id is too big\n");

		return false;

	}

    std::string filename;

    bool Default_Password = (Password == "!");

    if (Get_Password_Type(user_id, filename) == 0 && !Default_Password) {

		printf("Unknown password type\n");

		return false;

	}

    int flags = FLAG_STORAGE_DE;

    if (user_id == 0)

		flags = FLAG_STORAGE_DE;

	else

		flags = FLAG_STORAGE_CE;

	gatekeeper_device_t *device;

	ret = gatekeeper_device_initialize(&device);

	if (Default_Password) {

		if (!e4crypt_unlock_user_key(user_id, 0, "!", "!")) {

			printf("e4crypt_unlock_user_key returned fail\n");

			return false;

		}

		if (!e4crypt_prepare_user_storage(nullptr, user_id, 0, flags)) {

			printf("failed to e4crypt_prepare_user_storage\n");

			return false;

		}

		printf("Decrypted Successfully!\n");

		return true;

	}

    if (ret!=0)

		return false;

	printf("password filename is '%s'\n", filename.c_str());

	if (stat(filename.c_str(), &st) != 0) {

		printf("error stat'ing key file: %s\n", strerror(errno));

		return false;

	}

	std::string handle;

    if (!android::base::ReadFileToString(filename, &handle)) {

		printf("Failed to read '%s'\n", filename.c_str());

		return false;

	}

    bool should_reenroll;

    ret = device->verify(device, user_id, 0, (const uint8_t *)handle.c_str(), st.st_size,

                (const uint8_t *)Password.c_str(), (uint32_t)Password.size(), &auth_token, &auth_token_len,

                &should_reenroll);

    if (ret !=0) {

		printf("failed to verify\n");

		return false;

	}

	char token_hex[(auth_token_len*2)+1];

	token_hex[(auth_token_len*2)] = 0;

	uint32_t i;

	for (i=0;i<auth_token_len;i++) {

		sprintf(&token_hex[2*i], "%02X", auth_token[i]);

	}

	// The secret is "Android FBE credential hash" plus appended 0x00 to reach 128 bytes then append the user's password then feed that to sha512sum

	std::string secret = HashPassword(Password);

	if (!e4crypt_unlock_user_key(user_id, 0, token_hex, secret.c_str())) {

		printf("e4crypt_unlock_user_key returned fail\n");

		return false;

	}

	if (!e4crypt_prepare_user_storage(nullptr, user_id, 0, flags)) {

		printf("failed to e4crypt_prepare_user_storage\n");

		return false;

	}

	printf("Decrypted Successfully!\n");

	return true;

}

/*

 * Copyright (C) 2015 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include <stdbool.h>

#include <sys/cdefs.h>

#include <cutils/multiuser.h>

#include <string>

__BEGIN_DECLS

// NOTE: keep in sync with StorageManager

static constexpr int FLAG_STORAGE_DE = 1 << 0;

static constexpr int FLAG_STORAGE_CE = 1 << 1;

int Get_Password_Type(const userid_t user_id, std::string& filename);

bool Decrypt_DE();

bool Decrypt_User(const userid_t user_id, const std::string& Password);

__END_DECLS