From 9eb17250563c6cbc9a51ee4e8cc8725a53bcf688 Mon Sep 17 00:00:00 2001
From: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Date: Thu, 18 Oct 2018 16:37:02 +0200
Subject: mkfs.ubifs: Initial support for encryption command lines

Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
---
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 39 ++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index 9935fce..707758a 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -186,6 +186,7 @@ int yes;
 static char *root;
 static int root_len;
 static struct fscrypt_context *root_fctx;
+static struct cipher *fscrypt_cipher;
 static struct stat root_st;
 static char *output;
 static int out_fd;
@@ -217,7 +218,7 @@ static struct inum_mapping **hash_table;
 /* Inode creation sequence number */
 static unsigned long long creat_sqnum;
 
-static const char *optstring = "d:r:m:o:D:yh?vVe:c:g:f:Fp:k:x:X:j:R:l:j:UQqaK:b:P:";
+static const char *optstring = "d:r:m:o:D:yh?vVe:c:g:f:Fp:k:x:X:j:R:l:j:UQqaK:b:P:C:";
 
 static const struct option longopts[] = {
 	{"root",               1, NULL, 'r'},
@@ -246,6 +247,7 @@ static const struct option longopts[] = {
 	{"key",                1, NULL, 'K'},
 	{"key-descriptor",     1, NULL, 'b'},
 	{"padding",            1, NULL, 'P'},
+	{"cipher",             1, NULL, 'C'},
 	{NULL, 0, NULL, 0}
 };
 
@@ -294,6 +296,8 @@ static const char *helptext =
 "-b, --key-descriptor=HEX specify the key descriptor as a hex string.\n"
 "-P, --padding=NUM        specify padding policy for encrypting filenames\n"
 "                         (default = 4).\n"
+"-C, --cipher=NAME        Specify cipher to use for file level encryption\n"
+"                         (default is \"AES-128-CBC\").\n"
 "-h, --help               display this help text\n\n"
 "Note, SIZE is specified in bytes, but it may also be specified in Kilobytes,\n"
 "Megabytes, and Gigabytes if a KiB, MiB, or GiB suffix is used.\n\n"
@@ -718,7 +722,7 @@ static int get_options(int argc, char**argv)
 {
 	int opt, i, fscrypt_flags = FS_POLICY_FLAGS_PAD_4;
 	const char *key_file = NULL, *key_desc = NULL;
-	const char *tbl_file = NULL;
+	const char *tbl_file = NULL, *cipher_name = "AES-128-CBC";
 	struct stat st;
 	char *endp;
 
@@ -797,6 +801,8 @@ static int get_options(int argc, char**argv)
 			exit(EXIT_SUCCESS);
 		case '?':
 			printf("%s", helptext);
+			printf("\n\nSupported ciphers:\n");
+			list_ciphers(stdout);
 			exit(-1);
 		case 'v':
 			verbose = 1;
@@ -936,6 +942,9 @@ static int get_options(int argc, char**argv)
 			}
 			break;
 		}
+		case 'C':
+			cipher_name = optarg;
+			break;
 		}
 	}
 
@@ -967,6 +976,15 @@ static int get_options(int argc, char**argv)
 						key_file, key_desc);
 		if (!root_fctx)
 			return -1;
+
+		fscrypt_cipher = get_cipher(cipher_name);
+		if (!fscrypt_cipher) {
+			fprintf(stderr, "Cannot find cipher '%s'\n"
+				"Try `%s --help' for more information\n",
+				cipher_name, PROGRAM_NAME);
+			return -1;
+		}
+
 		print_fscrypt_master_key_descriptor(root_fctx);
 	}
 
@@ -1604,6 +1622,7 @@ static int encrypt_path(void **outbuf, void *data, unsigned int data_len,
 	void *inbuf, *crypt_key;
 	unsigned int padding = 4 << (fctx->flags & FS_POLICY_FLAGS_PAD_MASK);
 	unsigned int cryptlen;
+	int ret;
 
 	cryptlen = max_t(unsigned int, data_len, FS_CRYPTO_BLOCK_SIZE);
 	cryptlen = round_up(cryptlen, padding);
@@ -1619,7 +1638,10 @@ static int encrypt_path(void **outbuf, void *data, unsigned int data_len,
 	crypt_key = calc_fscrypt_subkey(fctx);
 	if (!crypt_key)
 		return err_msg("could not compute subkey");
-	if (encrypt_aes128_cbc_cts(inbuf, cryptlen, crypt_key, *outbuf) < 0)
+
+	ret = fscrypt_cipher->encrypt_fname(inbuf, cryptlen,
+					    crypt_key, *outbuf);
+	if (ret < 0)
 		return err_msg("could not encrypt filename");
 
 	free(crypt_key);
@@ -2003,10 +2025,13 @@ static int add_file(const char *path_name, struct stat *st, ino_t inum,
 			if (!crypt_key)
 				return err_msg("could not compute subkey");
 
-			ret = encrypt_block_aes128_cbc(inbuf, pad_len, crypt_key, block_no,
-						       outbuf);
-			if (ret != pad_len)
-				return err_msg("encrypt_block_aes128_cbc returned %zi instead of %zi", ret, pad_len);
+			ret = fscrypt_cipher->encrypt_block(inbuf, pad_len,
+							    crypt_key, block_no,
+							    outbuf);
+			if (ret != pad_len) {
+				return err_msg("encrypt_block returned %zi "
+						"instead of %zi", ret, pad_len);
+			}
 
 			memcpy(&dn->data, outbuf, pad_len);
 
-- 
cgit v1.2.3