diff --git a/common/src/protected_files/protected_files.c b/common/src/protected_files/protected_files.c index 40ad501c75..3fc9914281 100644 --- a/common/src/protected_files/protected_files.c +++ b/common/src/protected_files/protected_files.c @@ -1184,16 +1184,21 @@ void pf_set_callbacks(pf_read_f read_f, pf_write_f write_f, pf_fsync_f fsync_f, } pf_status_t pf_open(pf_handle_t handle, const char* path, uint64_t underlying_size, - pf_file_mode_t mode, bool create, const pf_key_t* key, pf_context_t** context) { + pf_file_mode_t mode, bool create, const pf_key_t* key, + pf_mac_t* opening_root_gmac, pf_context_t** context) { if (!g_initialized) return PF_STATUS_UNINITIALIZED; pf_status_t status; *context = ipf_open(path, mode, create, handle, underlying_size, key, &status); + if (opening_root_gmac != NULL) { + memcpy(opening_root_gmac, (*context)->file_metadata.plain_part.metadata_gmac, + sizeof(pf_mac_t)); + } return status; } -pf_status_t pf_close(pf_context_t* pf) { +pf_status_t pf_close(pf_context_t* pf, pf_mac_t* closing_root_gmac) { if (!g_initialized) return PF_STATUS_UNINITIALIZED; @@ -1201,6 +1206,9 @@ pf_status_t pf_close(pf_context_t* pf) { free(pf); return PF_STATUS_SUCCESS; } + if (closing_root_gmac != NULL) { + memcpy(closing_root_gmac, pf->file_metadata.plain_part.metadata_gmac, sizeof(pf_mac_t)); + } pf_status_t ret = pf->last_error; free(pf); @@ -1267,7 +1275,7 @@ pf_status_t pf_set_size(pf_context_t* pf, uint64_t size) { return PF_STATUS_SUCCESS; } -pf_status_t pf_rename(pf_context_t* pf, const char* new_path) { +pf_status_t pf_rename(pf_context_t* pf, const char* new_path, pf_mac_t* new_root_gmac) { if (!g_initialized) return PF_STATUS_UNINITIALIZED; @@ -1283,6 +1291,9 @@ pf_status_t pf_rename(pf_context_t* pf, const char* new_path) { pf->need_writing = true; if (!ipf_internal_flush(pf)) return pf->last_error; + if (new_root_gmac != NULL) { + memcpy(new_root_gmac, pf->file_metadata.plain_part.metadata_gmac, sizeof(pf_mac_t)); + } return PF_STATUS_SUCCESS; } diff --git a/common/src/protected_files/protected_files.h b/common/src/protected_files/protected_files.h index 4354f3e6fe..49cbe2aea5 100644 --- a/common/src/protected_files/protected_files.h +++ b/common/src/protected_files/protected_files.h @@ -214,28 +214,31 @@ const char* pf_strerror(int err); /*! * \brief Open a protected file. * - * \param handle Open underlying file handle. - * \param path Path to the file. If NULL and \p create is false, don't check path - * for validity. - * \param underlying_size Underlying file size. - * \param mode Access mode. - * \param create Overwrite file contents if true. - * \param key Wrap key. - * \param[out] context PF context for later calls. + * \param handle Open underlying file handle. + * \param path Path to the file. If NULL and \p create is false, don't check path + * for validity. + * \param underlying_size Underlying file size. + * \param mode Access mode. + * \param create Overwrite file contents if true. + * \param key Wrap key. + * \param opening_root_gmac If non-NULL, !create & successfull open, returns root-hash of file + * \param[out] context PF context for later calls. * * \returns PF status. */ pf_status_t pf_open(pf_handle_t handle, const char* path, uint64_t underlying_size, - pf_file_mode_t mode, bool create, const pf_key_t* key, pf_context_t** context); + pf_file_mode_t mode, bool create, const pf_key_t* key, + pf_mac_t* opening_root_gmac, pf_context_t** context); /*! * \brief Close a protected file and commit all changes to disk. * - * \param pf PF context. + * \param pf PF context. + * \param closing_root_gmac If non-NULL, returns root-hash of file at closing time * * \returns PF status. */ -pf_status_t pf_close(pf_context_t* pf); +pf_status_t pf_close(pf_context_t* pf, pf_mac_t* closing_root_gmac); /*! * \brief Read from a protected file. @@ -288,13 +291,14 @@ pf_status_t pf_set_size(pf_context_t* pf, uint64_t size); /*! * \brief Rename a PF. * - * \param pf PF context. - * \param new_path New file path. + * \param pf PF context. + * \param new_path New file path. + * \param new_root_gmac if non-NULL, returns new root-hash of file * * Updates the path inside protected file header, and flushes all changes. The caller is responsible * for renaming the underlying file. */ -pf_status_t pf_rename(pf_context_t* pf, const char* new_path); +pf_status_t pf_rename(pf_context_t* pf, const char* new_path, pf_mac_t* new_root_gmac); /*! * \brief Get underlying handle of a PF. diff --git a/libos/include/libos_fs.h b/libos/include/libos_fs.h index 116d17c628..6dd070ad9d 100644 --- a/libos/include/libos_fs.h +++ b/libos/include/libos_fs.h @@ -35,6 +35,9 @@ struct libos_mount_params { /* Key name (used by `chroot_encrypted` filesystem), or NULL if not applicable */ const char* key_name; + + /* Enforcement type (used by `chroot_encrypted` filesystem), or NULL if not applicable */ + const char* protection_mode; }; struct libos_fs_ops { diff --git a/libos/include/libos_fs_encrypted.h b/libos/include/libos_fs_encrypted.h index 9890058c51..b03bc34307 100644 --- a/libos/include/libos_fs_encrypted.h +++ b/libos/include/libos_fs_encrypted.h @@ -14,6 +14,7 @@ #include +#include "libos_checkpoint.h" // ofr include of uthash.h _and_ consistent uthash_fatal macros #include "libos_types.h" #include "list.h" #include "pal.h" @@ -34,6 +35,40 @@ struct libos_encrypted_files_key { LIST_TYPE(libos_encrypted_files_key) list; }; +typedef enum { + PF_FILE_IN_USE_NEW = 0, // file is currently in-use but did not exist at open time + PF_FILE_IN_USE_EXISTING = 1, // file is currently in-use and existed at open time + PF_FILE_CLOSED = 2, // file was provisously seend with known (good committed) state + PF_FILE_DELETED = 3, // the old path of renames is also considered deleted + PF_FILE_ERROR = 4, // file is in non-determined state due to some errors +} libos_encrypted_file_state_t; + +/* + * Map mapping file URIs to state providing information on files, in particular whether we have seen + * them before and what the last seen root-hash is. This is necessary to provide rollback + */ +struct libos_encrypted_volume_state_map { + char* uri; // assumptions: all paths canonicalized, symlinks are resolved & no hard links + libos_encrypted_file_state_t state; + pf_mac_t last_seen_root_gmac; + UT_hash_handle hh; +}; + +typedef enum { + PF_ENCLAVE_LIFE_RB_PROTECTION_NONE = 0, + PF_ENCLAVE_LIFE_RB_PROTECTION_NON_STRICT = 1, + PF_ENCLAVE_LIFE_RB_PROTECTION_STRICT = 2, +} libos_encrypted_files_mode_t; + +struct libos_encrypted_volume { + libos_encrypted_files_mode_t protection_mode; + + struct libos_encrypted_volume_state_map* files_state_map; + struct libos_lock files_state_map_lock; + + struct libos_encrypted_files_key* key; +}; + /* * Represents a specific encrypted file. The file is open as long as `use_count` is greater than 0. * Note that the file can be open and closed multiple times before it's destroyed. @@ -44,7 +79,7 @@ struct libos_encrypted_files_key { struct libos_encrypted_file { size_t use_count; char* uri; - struct libos_encrypted_files_key* key; + struct libos_encrypted_volume* volume; /* `pf` and `pal_handle` are non-null as long as `use_count` is greater than 0 */ pf_context_t* pf; @@ -110,14 +145,14 @@ void update_encrypted_files_key(struct libos_encrypted_files_key* key, const pf_ * \brief Open an existing encrypted file. * * \param uri PAL URI to open, has to begin with "file:". - * \param key Key, has to be already set. + * \param volume Volume assocated with file, has to be already set. * \param[out] out_enc On success, set to a newly created `libos_encrypted_file` object. * * `uri` has to correspond to an existing file that can be decrypted with `key`. * * The newly created `libos_encrypted_file` object will have `use_count` set to 1. */ -int encrypted_file_open(const char* uri, struct libos_encrypted_files_key* key, +int encrypted_file_open(const char* uri, struct libos_encrypted_volume* volume, struct libos_encrypted_file** out_enc); /* @@ -125,14 +160,14 @@ int encrypted_file_open(const char* uri, struct libos_encrypted_files_key* key, * * \param uri PAL URI to open, has to begin with "file:". * \param perm Permissions for the new file. - * \param key Key, has to be already set. + * \param volume Volume assocated with file, has to be already set. * \param[out] out_enc On success, set to a newly created `libos_encrypted_file` object. * * `uri` must not correspond to an existing file. * * The newly created `libos_encrypted_file` object will have `use_count` set to 1. */ -int encrypted_file_create(const char* uri, mode_t perm, struct libos_encrypted_files_key* key, +int encrypted_file_create(const char* uri, mode_t perm, struct libos_encrypted_volume* volume, struct libos_encrypted_file** out_enc); /* diff --git a/libos/src/fs/chroot/encrypted.c b/libos/src/fs/chroot/encrypted.c index ac500cae33..1c6d4e1dd0 100644 --- a/libos/src/fs/chroot/encrypted.c +++ b/libos/src/fs/chroot/encrypted.c @@ -68,27 +68,64 @@ static int chroot_encrypted_mount(struct libos_mount_params* params, void** moun if (ret < 0) return ret; - *mount_data = key; + libos_encrypted_files_mode_t protection_mode = + PF_ENCLAVE_LIFE_RB_PROTECTION_STRICT; // default mode + if (params->protection_mode) { + if (strncmp(params->protection_mode, "strict", strlen("strict")) == 0) + protection_mode = PF_ENCLAVE_LIFE_RB_PROTECTION_STRICT; + else if (strncmp(params->protection_mode, "non-strict", strlen("non-strict")) == 0) + protection_mode = PF_ENCLAVE_LIFE_RB_PROTECTION_NON_STRICT; + else if (strncmp(params->protection_mode, "none", strlen("none")) == 0) + protection_mode = PF_ENCLAVE_LIFE_RB_PROTECTION_NONE; + else { + log_error("Invalid enforcement type: %s", params->protection_mode); + return -EINVAL; + } + protection_mode = PF_ENCLAVE_LIFE_RB_PROTECTION_STRICT; + protection_mode = PF_ENCLAVE_LIFE_RB_PROTECTION_NON_STRICT; + protection_mode = PF_ENCLAVE_LIFE_RB_PROTECTION_NONE; + } + + struct libos_encrypted_volume* volume = malloc(sizeof(struct libos_encrypted_volume)); + if (!volume) + return -ENOMEM; + volume->protection_mode = protection_mode; + volume->key = key; + if (!create_lock(&volume->files_state_map_lock)) { + free(volume); + return -ENOMEM; + } + volume->files_state_map = NULL; + + *mount_data = volume; return 0; } static ssize_t chroot_encrypted_checkpoint(void** checkpoint, void* mount_data) { - struct libos_encrypted_files_key* key = mount_data; + struct libos_encrypted_volume* volume = mount_data; - *checkpoint = strdup(key->name); + // TODO (MST): fix below, doesn't really makes sense: i guess i have to duplicate something + // about volume? + *checkpoint = strdup(volume->key->name); if (!*checkpoint) return -ENOMEM; - return strlen(key->name) + 1; + return strlen(volume->key->name) + 1; } static int chroot_encrypted_migrate(void* checkpoint, void** mount_data) { const char* name = checkpoint; - struct libos_encrypted_files_key* key; - int ret = get_or_create_encrypted_files_key(name, &key); + struct libos_encrypted_volume* volume = malloc(sizeof(struct libos_encrypted_volume)); + if (!volume) + return -ENOMEM; + + if (!create_lock(&volume->files_state_map_lock)) + return -ENOMEM; + // TODO (MST): initialize map + int ret = get_or_create_encrypted_files_key(name, &(volume->key)); if (ret < 0) return ret; - *mount_data = key; + *mount_data = volume; return 0; } @@ -153,8 +190,8 @@ static int chroot_encrypted_lookup(struct libos_dentry* dent) { struct libos_encrypted_file* enc; file_off_t size; - struct libos_encrypted_files_key* key = dent->mount->data; - ret = encrypted_file_open(uri, key, &enc); + struct libos_encrypted_volume* volume = dent->mount->data; + ret = encrypted_file_open(uri, volume, &enc); if (ret < 0) { if (ret == -EACCES) { /* allow the inode to be created even if the underlying encrypted file is corrupted; @@ -210,7 +247,7 @@ static int chroot_encrypted_open(struct libos_handle* hdl, struct libos_dentry* get_inode(dent->inode); hdl->type = TYPE_CHROOT_ENCRYPTED; hdl->seekable = true; - hdl->pos = 0; + hdl->pos = 0; return 0; } @@ -231,9 +268,9 @@ static int chroot_encrypted_creat(struct libos_handle* hdl, struct libos_dentry* goto out; } - struct libos_encrypted_files_key* key = dent->mount->data; + struct libos_encrypted_volume* volume = dent->mount->data; struct libos_encrypted_file* enc; - ret = encrypted_file_create(uri, HOST_PERM(perm), key, &enc); + ret = encrypted_file_create(uri, HOST_PERM(perm), volume, &enc); if (ret < 0) goto out; diff --git a/libos/src/fs/libos_fs.c b/libos/src/fs/libos_fs.c index 5a29a36d6d..8733cd444d 100644 --- a/libos/src/fs/libos_fs.c +++ b/libos/src/fs/libos_fs.c @@ -195,10 +195,11 @@ static int mount_one_nonroot(toml_table_t* mount, const char* prefix) { int ret; - char* mount_type = NULL; - char* mount_path = NULL; - char* mount_uri = NULL; - char* mount_key_name = NULL; + char* mount_type = NULL; + char* mount_path = NULL; + char* mount_uri = NULL; + char* mount_key_name = NULL; + char* mount_protection_mode = NULL; ret = toml_string_in(mount, "type", &mount_type); if (ret < 0) { @@ -228,6 +229,13 @@ static int mount_one_nonroot(toml_table_t* mount, const char* prefix) { goto out; } + ret = toml_string_in(mount, "protection_mode", &mount_protection_mode); + if (ret < 0) { + log_error("Cannot parse '%s.key_name'", prefix); + ret = -EINVAL; + goto out; + } + if (!mount_path) { log_error("No value provided for '%s.path'", prefix); ret = -EINVAL; @@ -269,10 +277,11 @@ static int mount_one_nonroot(toml_table_t* mount, const char* prefix) { } struct libos_mount_params params = { - .type = mount_type ?: "chroot", - .path = mount_path, - .uri = mount_uri, - .key_name = mount_key_name, + .type = mount_type ?: "chroot", + .path = mount_path, + .uri = mount_uri, + .key_name = mount_key_name, + .protection_mode = mount_protection_mode, }; ret = mount_fs(¶ms); diff --git a/libos/src/fs/libos_fs_encrypted.c b/libos/src/fs/libos_fs_encrypted.c index 3926bb780a..ccdec7c35b 100644 --- a/libos/src/fs/libos_fs_encrypted.c +++ b/libos/src/fs/libos_fs_encrypted.c @@ -202,20 +202,31 @@ static int encrypted_file_internal_open(struct libos_encrypted_file* enc, PAL_HA pf_context_t* pf; lock(&g_keys_lock); - if (!enc->key->is_set) { - log_warning("key '%s' is not set", enc->key->name); + if (!enc->volume->key->is_set) { + log_warning("key '%s' is not set", enc->volume->key->name); unlock(&g_keys_lock); ret = -EACCES; goto out; } + pf_mac_t opening_root_gmac; pf_status_t pfs = pf_open(pal_handle, normpath, size, PF_FILE_MODE_READ | PF_FILE_MODE_WRITE, - create, &enc->key->pf_key, &pf); + create, &enc->volume->key->pf_key, &opening_root_gmac, &pf); unlock(&g_keys_lock); if (PF_FAILURE(pfs)) { log_warning("pf_open failed: %s", pf_strerror(pfs)); ret = -EACCES; goto out; } + // TODO (MST): + // if !create & !disable, + // check opening_root_gmac against volume map + // if in map, + // abort if opening_root_gmac != last_seen_root_gmac || state-in-map in {file-in-use, + // deleted} + // // above assumes we already have a file received from untrusted! + // else + // abort if protection_mode=strict + // create/update entry in map with mac-in-file & state-in-map=file-in-use enc->pf = pf; enc->pal_handle = pal_handle; @@ -248,11 +259,16 @@ int parse_pf_key(const char* key_str, pf_key_t* pf_key) { static void encrypted_file_internal_close(struct libos_encrypted_file* enc) { assert(enc->pf); - pf_status_t pfs = pf_close(enc->pf); + pf_mac_t closing_root_gmac; + pf_status_t pfs = pf_close(enc->pf, &closing_root_gmac); if (PF_FAILURE(pfs)) { log_warning("pf_close failed: %s", pf_strerror(pfs)); + // TODOD (MST): put file state to PF_FILE_ERROR (also correspondingly set pf->file_status = + // PF_STATUS_CORRUPTED?) + } else { + // TODO (MST): update volume map for enc->uri with closing_root_gmac & + // state to PF_FILE_DELETED } - enc->pf = NULL; PalObjectDestroy(enc->pal_handle); enc->pal_handle = NULL; @@ -445,12 +461,12 @@ void update_encrypted_files_key(struct libos_encrypted_files_key* key, const pf_ unlock(&g_keys_lock); } -static int encrypted_file_alloc(const char* uri, struct libos_encrypted_files_key* key, +static int encrypted_file_alloc(const char* uri, struct libos_encrypted_volume* volume, struct libos_encrypted_file** out_enc) { assert(strstartswith(uri, URI_PREFIX_FILE)); - if (!key) { - log_debug("trying to open a file (%s) before key is set", uri); + if (!volume) { + log_debug("trying to open a file (%s) before volume is set", uri); return -EACCES; } @@ -463,7 +479,7 @@ static int encrypted_file_alloc(const char* uri, struct libos_encrypted_files_ke free(enc); return -ENOMEM; } - enc->key = key; + enc->volume = volume; enc->use_count = 0; enc->pf = NULL; enc->pal_handle = NULL; @@ -471,10 +487,10 @@ static int encrypted_file_alloc(const char* uri, struct libos_encrypted_files_ke return 0; } -int encrypted_file_open(const char* uri, struct libos_encrypted_files_key* key, +int encrypted_file_open(const char* uri, struct libos_encrypted_volume* volume, struct libos_encrypted_file** out_enc) { struct libos_encrypted_file* enc; - int ret = encrypted_file_alloc(uri, key, &enc); + int ret = encrypted_file_alloc(uri, volume, &enc); if (ret < 0) return ret; @@ -489,10 +505,10 @@ int encrypted_file_open(const char* uri, struct libos_encrypted_files_key* key, return 0; } -int encrypted_file_create(const char* uri, mode_t perm, struct libos_encrypted_files_key* key, +int encrypted_file_create(const char* uri, mode_t perm, struct libos_encrypted_volume* volume, struct libos_encrypted_file** out_enc) { struct libos_encrypted_file* enc; - int ret = encrypted_file_alloc(uri, key, &enc); + int ret = encrypted_file_alloc(uri, volume, &enc); if (ret < 0) return ret; @@ -646,7 +662,8 @@ int encrypted_file_rename(struct libos_encrypted_file* enc, const char* new_uri) goto out; } - pf_status_t pfs = pf_rename(enc->pf, new_normpath); + pf_mac_t new_root_gmac; + pf_status_t pfs = pf_rename(enc->pf, new_normpath, &new_root_gmac); if (PF_FAILURE(pfs)) { log_warning("pf_rename failed: %s", pf_strerror(pfs)); ret = -EACCES; @@ -658,7 +675,7 @@ int encrypted_file_rename(struct libos_encrypted_file* enc, const char* new_uri) log_warning("PalStreamChangeName failed: %s", pal_strerror(ret)); /* We failed to rename the file. Try to restore the name in header. */ - pfs = pf_rename(enc->pf, old_path); + pfs = pf_rename(enc->pf, old_path, &new_root_gmac); if (PF_FAILURE(pfs)) { log_warning("pf_rename (during cleanup) failed, the file might be unusable: %s", pf_strerror(pfs)); @@ -667,6 +684,12 @@ int encrypted_file_rename(struct libos_encrypted_file* enc, const char* new_uri) ret = pal_to_unix_errno(ret); goto out; } + // TODO (MST): everything worked fine, so + // - get state for old_path + // abort if it doesn't exist and we are in strict protection_mode + // - add new_path together with new_root_gmac and copy state from old_path entry (should be + // either PF_FILE_IN_USE_EXISTING, PF_FILE_IN_USE_NEW or PF_FILE_CLOSED) + // - remove old_path from map & set its state to PF_FILE_DELETED. free(enc->uri); enc->uri = new_uri_copy; @@ -674,6 +697,10 @@ int encrypted_file_rename(struct libos_encrypted_file* enc, const char* new_uri) ret = 0; out: + // TODO (MST): in case of error + // - set state for old_path to PF_FILE_ERROR (even when restore rename worked? or just update + // hash in that case?) Also correspondingly set pf->file_status = + // PF_STATUS_CORRUPTED?) free(new_normpath); free(new_uri_copy); return ret; @@ -746,6 +773,40 @@ BEGIN_RS_FUNC(encrypted_files_key) { } END_RS_FUNC(encrypted_files_key) +// TODO (MST): revisit below, probably not correct?! +BEGIN_CP_FUNC(encrypted_volume) { + __UNUSED(size); + + struct libos_encrypted_volume* volume = obj; + struct libos_encrypted_volume* new_volume = NULL; + + size_t off = ADD_CP_OFFSET(sizeof(struct libos_encrypted_volume)); + new_volume = (struct libos_encrypted_volume*)(base + off); + + lock(&g_keys_lock); + DO_CP_MEMBER(encrypted_files_key, volume, new_volume, key); + unlock(&g_keys_lock); + + // TODO (MST): do something with remaining fields of struct + + ADD_CP_FUNC_ENTRY(off); + + if (objp) + *objp = (void*)new_volume; +} +END_CP_FUNC(encrypted_volume) + +// TODO (MST): revisit below, probably not correct?! +BEGIN_RS_FUNC(encrypted_volume) { + struct libos_encrypted_volume* volume = (void*)(base + GET_CP_FUNC_ENTRY()); + __UNUSED(offset); + + CP_REBASE(volume->key); + + // TODO (MST): do something with remaining fields of struct +} +END_CP_FUNC(encrypted_volume) + BEGIN_CP_FUNC(encrypted_file) { __UNUSED(size); @@ -764,9 +825,7 @@ BEGIN_CP_FUNC(encrypted_file) { new_enc->use_count = enc->use_count; DO_CP_MEMBER(str, enc, new_enc, uri); - lock(&g_keys_lock); - DO_CP_MEMBER(encrypted_files_key, enc, new_enc, key); - unlock(&g_keys_lock); + DO_CP_MEMBER(encrypted_volume, enc, new_enc, volume); /* `enc->pf` will be recreated during restore */ new_enc->pf = NULL; @@ -788,7 +847,7 @@ BEGIN_RS_FUNC(encrypted_file) { __UNUSED(offset); CP_REBASE(enc->uri); - CP_REBASE(enc->key); + CP_REBASE(enc->volume); /* If the file was used, recreate `enc->pf` based on the PAL handle */ assert(!enc->pf); diff --git a/tools/sgx/common/pf_util.c b/tools/sgx/common/pf_util.c index eadd0323c3..1a1fe7b8d8 100644 --- a/tools/sgx/common/pf_util.c +++ b/tools/sgx/common/pf_util.c @@ -329,8 +329,8 @@ int pf_encrypt_file(const char* input_path, const char* output_path, const pf_ke norm_output_path); pf_handle_t handle = (pf_handle_t)&output; - pf_status_t pfs = pf_open(handle, norm_output_path, /*size=*/0, PF_FILE_MODE_WRITE, - /*create=*/true, wrap_key, &pf); + pf_status_t pfs = pf_open(handle, norm_output_path, /*size=*/0, PF_FILE_MODE_WRITE, + /*create=*/true, wrap_key, NULL, &pf); if (PF_FAILURE(pfs)) { ERROR("Failed to open output PF: %s\n", pf_strerror(pfs)); goto out; @@ -371,7 +371,7 @@ int pf_encrypt_file(const char* input_path, const char* output_path, const pf_ke out: if (pf) { - if (PF_FAILURE(pf_close(pf))) { + if (PF_FAILURE(pf_close(pf, NULL))) { ERROR("failed to close PF\n"); ret = -1; } @@ -438,7 +438,7 @@ int pf_decrypt_file(const char* input_path, const char* output_path, bool verify } pf_status_t pfs = pf_open((pf_handle_t)&input, norm_input_path, input_size, PF_FILE_MODE_READ, - /*create=*/false, wrap_key, &pf); + /*create=*/false, wrap_key, NULL, &pf); if (PF_FAILURE(pfs)) { ERROR("Opening protected input file failed: %s\n", pf_strerror(pfs)); goto out; @@ -495,7 +495,7 @@ int pf_decrypt_file(const char* input_path, const char* output_path, bool verify free(norm_input_path); free(chunk); if (pf) - pf_close(pf); + pf_close(pf, NULL); if (input >= 0) close(input); if (output >= 0)