From: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
Date: Fri, 8 Sep 2017 11:57:01 +0000 (+0200)
Subject: ExtensionEncryption: add set_mount_password API call
X-Git-Tag: submit/tizen/20170918.080130
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f048245494b38f2f9688a57e7e5b5aa1b8f4eec2;p=platform%2Fcore%2Fsecurity%2Fode.git

ExtensionEncryption: add set_mount_password API call

Make this API be more like InternalEncryption where this call might be
required in the same way it is required in InternalEncryption.

Change-Id: I5e3c6fd661d899844a4a5aceaf2a91117c622d2b
---

diff --git a/lib/extension-encryption.cpp b/lib/extension-encryption.cpp
index 637324e..b71fcb6 100644
--- a/lib/extension-encryption.cpp
+++ b/lib/extension-encryption.cpp
@@ -27,10 +27,19 @@ ExtensionEncryption::~ExtensionEncryption()
 {
 }
 
-int ExtensionEncryption::mount(const std::string& password)
+int ExtensionEncryption::setMountPassword(const std::string& password)
 {
 	try {
-		return context->methodCall<int>("ExtensionEncryption::mount", password);
+		return context->methodCall<int>("ExtensionEncryption::setMountPassword", password);
+	} catch (runtime::Exception& e) {
+		return -1;
+	}
+}
+
+int ExtensionEncryption::mount()
+{
+	try {
+		return context->methodCall<int>("ExtensionEncryption::mount");
 	} catch (runtime::Exception& e) {
 		return -1;
 	}
diff --git a/lib/ode/extension-encryption.cpp b/lib/ode/extension-encryption.cpp
index 9fc132d..65a091e 100644
--- a/lib/ode/extension-encryption.cpp
+++ b/lib/ode/extension-encryption.cpp
@@ -22,13 +22,24 @@
 
 using namespace ode;
 
-int ode_extension_encryption_mount(const char* password)
+int ode_extension_encryption_set_mount_password(const char* password)
+{
+	RET_ON_FAILURE(password, ODE_ERROR_INVALID_PARAMETER);
+
+	ODEContext client;
+	RET_ON_FAILURE(client.connect() == 0, ODE_ERROR_CONNECTION_REFUSED);
+	ExtensionEncryption extension = client.createInterface<ExtensionEncryption>();
+
+	return extension.setMountPassword(password);
+}
+
+int ode_extension_encryption_mount()
 {
 	ODEContext client;
 	RET_ON_FAILURE(client.connect() == 0, ODE_ERROR_CONNECTION_REFUSED);
 	ExtensionEncryption extension = client.createInterface<ExtensionEncryption>();
 
-	return extension.mount(password);
+	return extension.mount();
 }
 
 int ode_extension_encryption_umount()
diff --git a/lib/ode/extension-encryption.h b/lib/ode/extension-encryption.h
index b86af25..d2e35c4 100644
--- a/lib/ode/extension-encryption.h
+++ b/lib/ode/extension-encryption.h
@@ -31,7 +31,27 @@ extern "C" {
 #endif
 
 /**
- * @brief       Mount extension storage encrypted with a given password
+ * @brief       Set a password to be used by mount of encrypted extension storage
+ * @details     Administrator can use this API to set a password for encrypted
+ *              extension mount.
+ * @since_tizen 4.0
+ * @param[in]   password The password to mount extension storage
+ * @return      #ODE_ERROR_NONE on success, otherwise a negative value
+ * @retval      #ODE_ERROR_NONE Successful
+ * @retval      #ODE_ERROR_INVALID_PARAMETER Invalid parameter
+ * @retval      #ODE_ERROR_TIMED_OUT Time out
+ * @retval      #ODE_ERROR_KEY_REJECTED Password doen't match
+ * @retval      #ODE_ERROR_PERMISSION_DENIED The application does not have
+ *              the privilege to call this API
+ * @pre         The password set before must match with what is set by
+ *              ode_extension_encryption_init_password().
+ * @see         ode_extension_encryption_init_password()
+ * @see         ode_extension_encryption_mount()
+ */
+ODE_API int ode_extension_encryption_set_mount_password(const char* password);
+
+/**
+ * @brief       Mount encrypted extension storage
  * @details     Administrator can use this API to mount encrypted extension
  *              storage.
  * @since_tizen 4.0
@@ -39,16 +59,15 @@ extern "C" {
  * @retval      #ODE_ERROR_NONE Successful
  * @retval      #ODE_ERROR_INVALID_PARAMETER Invalid parameter
  * @retval      #ODE_ERROR_TIMED_OUT Time out
- * @retval      #ODE_ERROR_KEY_REJECTED Password doesn't match
  * @retval      #ODE_ERROR_NOT_PERMITTED Operation not permitted
  * @retval      #ODE_ERROR_PERMISSION_DENIED The application does not have
  *              the privilege to call this API
- * @pre         The password must match with what is set by
- *              ode_extension_encryption_init_password().
- * @see         ode_extension_encryption_init_password()
+ * @pre         A password must be set by
+ *              ode_extension_encryption_set_mount_password().
+ * @see         ode_extension_encryption_set_mount_password()
  * @see         ode_extension_encryption_umount()
  */
-ODE_API int ode_extension_encryption_mount(const char* password);
+ODE_API int ode_extension_encryption_mount();
 
 /**
  * @brief       Umount extension storage
@@ -232,7 +251,6 @@ ODE_API int ode_extension_encryption_set_mount_event_cb(ode_mount_event_cb callb
  * @return      #ODE_ERROR_NONE on success, otherwise a negative value
  * @retval      #ODE_ERROR_NONE Successful
  * @retval      #ODE_ERROR_TIMED_OUT Time out
- *              the privilege to call this API
  * @see         ode_extension_encryption_mount()
  * @see         ode_extension_encryption_set_mount_event_cb()
  */
diff --git a/rmi/extension-encryption.h b/rmi/extension-encryption.h
index 7fdac84..31f366a 100644
--- a/rmi/extension-encryption.h
+++ b/rmi/extension-encryption.h
@@ -36,7 +36,9 @@ public:
 	ExtensionEncryption(ODEControlContext& ctxt);
 	~ExtensionEncryption();
 
-	int mount(const std::string& password);
+	int setMountPassword(const std::string& password);
+
+	int mount();
 	int umount();
 
 	int format(const std::string& password);
diff --git a/server/extension-encryption.cpp b/server/extension-encryption.cpp
index f23698f..587f1b7 100644
--- a/server/extension-encryption.cpp
+++ b/server/extension-encryption.cpp
@@ -54,6 +54,7 @@ const char *STORAGED_DBUS_OBJECT	= "/Org/Tizen/System/Storage/Block/Manager";
 const char *STORAGED_DBUS_INTERFACE	= "org.tizen.system.storage.BlockManager";
 
 std::unique_ptr<EXTENSION_ENGINE> engine;
+KeyManager::data mountKey;
 
 std::mutex apiGuard;
 std::mutex stateGuard;
@@ -108,7 +109,8 @@ ExtensionEncryption::ExtensionEncryption(ODEControlContext &ctx) :
 	context(ctx),
 	currentReq(Request::NONE)
 {
-	context.expose(this, PRIVILEGE_PLATFORM, (int)(ExtensionEncryption::mount)(std::string));
+	context.expose(this, PRIVILEGE_PLATFORM, (int)(ExtensionEncryption::setMountPassword)(std::string));
+	context.expose(this, PRIVILEGE_PLATFORM, (int)(ExtensionEncryption::mount)());
 	context.expose(this, PRIVILEGE_PLATFORM, (int)(ExtensionEncryption::umount)());
 	context.expose(this, PRIVILEGE_PLATFORM, (int)(ExtensionEncryption::format)(std::string));
 	context.expose(this, "", (int)(ExtensionEncryption::isPasswordInitialized)());
@@ -133,15 +135,9 @@ ExtensionEncryption::~ExtensionEncryption()
 	unsubscribeFromStoraged();
 }
 
-int ExtensionEncryption::mount(const std::string& password)
+int ExtensionEncryption::setMountPassword(const std::string& password)
 {
 	std::lock_guard<std::mutex> guardLock(apiGuard);
-	std::unique_lock<std::mutex> stateLock(stateGuard);
-
-	if (getStatePriv() != State::Encrypted) {
-		ERROR(SINK, "Cannot mount, card not inserted or corrupted");
-		return -1;
-	}
 
 	KeyManager::data pwData(password.begin(), password.end());
 	KeyManager keyManager(engine->getKeyMeta());
@@ -151,12 +147,26 @@ int ExtensionEncryption::mount(const std::string& password)
 		return -2;
 	}
 
+	mountKey = keyManager.getMasterKey(pwData);
+
+	return 0;
+}
+
+int ExtensionEncryption::mount()
+{
+	std::lock_guard<std::mutex> guardLock(apiGuard);
+	std::unique_lock<std::mutex> stateLock(stateGuard);
+
+	if (getStatePriv() != State::Encrypted) {
+		ERROR(SINK, "Cannot mount, card not inserted or corrupted");
+		return -1;
+	}
+
 	if (isMounted()) {
 		INFO(SINK, "Already mounted");
 		return 0;
 	}
 
-	KeyManager::data mountKey = keyManager.getMasterKey(pwData);
 
 	INFO(SINK, "Mount extension storage...");
 
@@ -167,6 +177,7 @@ int ExtensionEncryption::mount(const std::string& password)
 		try {
 			INFO(SINK, "Open the MAP of an extension storage...");
 			engine->open(CryptsetupEngine::DeviceType::LUKS, EXTENSION_NAME, mountKey);
+			mountKey.clear();
 		} catch (runtime::Exception &e) {
 			ERROR(SINK, "Open failed: " + std::string(e.what()));
 			return -3;
diff --git a/tools/cli/ode-admin-cli.cpp b/tools/cli/ode-admin-cli.cpp
index 0487c41..ae9a6f9 100644
--- a/tools/cli/ode-admin-cli.cpp
+++ b/tools/cli/ode-admin-cli.cpp
@@ -127,7 +127,12 @@ static inline int mount(const std::string name)
 		}
 	} else if (name == "extension") {
 		std::string password = getPassword();
-		ret = ode_extension_encryption_mount(password.c_str());
+		ret = ode_extension_encryption_set_mount_password(password.c_str());
+		if (ret == 0) {
+			ret = ode_extension_encryption_mount();
+		} else {
+			std::cerr << "Password setting failed" << std::endl;
+		}
 	} else {
 		printSelectableStorage();
 		return -1;