~siretart/cryptsetup/debian

« back to all changes in this revision

Viewing changes to lib/setup.c

  • Committer: Reinhard Tartler
  • Date: 2008-05-25 17:39:22 UTC
  • mfrom: (1.1.2 upstream)
  • Revision ID: siretart@tauware.de-20080525173922-popbnh1gtbt3rxis
merge new upstream

Show diffs side-by-side

added added

removed removed

Lines of Context:
7
7
#include <sys/mman.h>
8
8
#include <fcntl.h>
9
9
#include <unistd.h>
10
 
#include <termios.h>
11
10
#include <errno.h>
12
11
#include <signal.h>
13
12
#include <assert.h>
27
26
 
28
27
#define at_least_one(a) ({ __typeof__(a) __at_least_one=(a); (__at_least_one)?__at_least_one:1; })
29
28
 
30
 
static int setup_enter(struct setup_backend *backend)
 
29
static void logger(struct crypt_options *options, int class, char *format, ...) {
 
30
        va_list argp;
 
31
        char *target;
 
32
 
 
33
        va_start(argp, format);
 
34
        vasprintf(&target, format, argp);
 
35
        options->icb->log(class, target);
 
36
 
 
37
        va_end(argp);
 
38
        free(target);
 
39
}
 
40
 
 
41
static void hexprintICB(struct crypt_options *options, int class, char *d, int n)
 
42
{
 
43
        int i;
 
44
        for(i = 0; i < n; i++)
 
45
                logger(options, class, "%02hhx ", (char)d[i]);
 
46
}
 
47
 
 
48
static int setup_enter(struct setup_backend *backend, void (*log)(int, char *))
31
49
{
32
50
        int r;
33
51
 
38
56
        r = mlockall(MCL_CURRENT | MCL_FUTURE);
39
57
        if (r < 0) {
40
58
                perror("mlockall failed");
41
 
                fprintf(stderr, "WARNING!!! Possibly insecure memory. Are you root?\n");
 
59
                log(CRYPT_LOG_ERROR, "WARNING!!! Possibly insecure memory. Are you root?\n");
42
60
                memory_unsafe = 1;
43
61
        }
44
62
 
57
75
 
58
76
static int setup_leave(struct setup_backend *backend)
59
77
{
60
 
        const char *error;
61
 
 
62
78
        if (backend)
63
79
                backend->exit();
64
80
 
69
85
        return 0;
70
86
}
71
87
 
72
 
static int untimed_read(int fd, char *pass, size_t maxlen)
73
 
{
74
 
        ssize_t i;
75
 
 
76
 
        i = read(fd, pass, maxlen);
77
 
        if (i > 0) {
78
 
                pass[i-1] = '\0';
79
 
                i = 0;
80
 
        } else if (i == 0) { /* EOF */
81
 
                *pass = 0;
82
 
                i = -1;
83
 
        }
84
 
        return i;
85
 
}
86
 
 
87
 
static int timed_read(int fd, char *pass, size_t maxlen, long timeout)
88
 
{
89
 
        struct timeval t;
90
 
        fd_set fds;
91
 
        int failed = -1;
92
 
 
93
 
        FD_ZERO(&fds);
94
 
        FD_SET(fd, &fds);
95
 
        t.tv_sec = timeout;
96
 
        t.tv_usec = 0;
97
 
 
98
 
        if (select(fd+1, &fds, NULL, NULL, &t) > 0)
99
 
                failed = untimed_read(fd, pass, maxlen);
100
 
        else
101
 
                fprintf(stderr, "Operation timed out.\n");
102
 
        return failed;
103
 
}
104
 
 
105
 
static int interactive_pass(const char *prompt, char *pass, size_t maxlen,
106
 
                long timeout)
107
 
{
108
 
        struct termios orig, tmp;
109
 
        int failed = -1;
110
 
        int infd, outfd;
111
 
 
112
 
        if (maxlen < 1)
113
 
                goto out_err;
114
 
 
115
 
        /* Read and write to /dev/tty if available */
116
 
        if ((infd = outfd = open("/dev/tty", O_RDWR)) == -1) {
117
 
                infd = STDIN_FILENO;
118
 
                outfd = STDERR_FILENO;
119
 
        }
120
 
 
121
 
        if (tcgetattr(infd, &orig)) {
122
 
                set_error("Unable to get terminal");
123
 
                goto out_err;
124
 
        }
125
 
        memcpy(&tmp, &orig, sizeof(tmp));
126
 
        tmp.c_lflag &= ~ECHO;
127
 
 
128
 
        write(outfd, prompt, strlen(prompt));
129
 
        tcsetattr(infd, TCSAFLUSH, &tmp);
130
 
        if (timeout)
131
 
                failed = timed_read(infd, pass, maxlen, timeout);
132
 
        else
133
 
                failed = untimed_read(infd, pass, maxlen);
134
 
        tcsetattr(infd, TCSAFLUSH, &orig);
135
 
 
136
 
out_err:
137
 
        if (!failed)
138
 
                write(outfd, "\n", 1);
139
 
        if (infd != STDIN_FILENO)
140
 
                close(infd);
141
 
        return failed;
142
 
}
143
 
 
144
 
/*
145
 
 * Password reading behaviour matrix of get_key
146
 
 * 
147
 
 *                    p   v   n   h
148
 
 * -----------------+---+---+---+---
149
 
 * interactive      | Y | Y | Y | Inf
150
 
 * from fd          | N | N | Y | Inf
151
 
 * from binary file | N | N | N | Inf or options->key_size
152
 
 *
153
 
 * Legend: p..prompt, v..can verify, n..newline-stop, h..read horizon
154
 
 *
155
 
 * Note: --key-file=- is interpreted as a read from a binary file (stdin)
156
 
 *
157
 
 * Returns true when more keys are available (that is when password
158
 
 * reading can be retried as for interactive terminals).
159
 
 */
160
 
 
161
 
static int get_key(struct crypt_options *options, char *prompt, char **key, int *passLen)
162
 
{
163
 
        int fd;
164
 
        const int verify = options->flags & CRYPT_FLAG_VERIFY;
165
 
        const int verify_if_possible = options->flags & CRYPT_FLAG_VERIFY_IF_POSSIBLE;
166
 
        char *pass = NULL;
167
 
        int newline_stop;
168
 
        int read_horizon;
169
 
        
170
 
        if(options->key_file && !strcmp(options->key_file, "-")) {
171
 
                /* Allow binary reading from stdin */
172
 
                fd = options->passphrase_fd;
173
 
                newline_stop = 0;
174
 
                read_horizon = 0;
175
 
        } else if (options->key_file) {
176
 
                fd = open(options->key_file, O_RDONLY);
177
 
                if (fd < 0) {
178
 
                        char buf[128];
179
 
                        set_error("Error opening key file: %s",
180
 
                                  strerror_r(errno, buf, 128));
181
 
                        goto out_err;
182
 
                }
183
 
                newline_stop = 0;
184
 
 
185
 
                /* This can either be 0 (LUKS) or the actually number
186
 
                 * of key bytes (default or passed by -s) */
187
 
                read_horizon = options->key_size;
188
 
        } else {
189
 
                fd = options->passphrase_fd;
190
 
                newline_stop = 1;
191
 
                read_horizon = 0;   /* Infinite, if read from terminal or fd */
192
 
        }       
193
 
 
194
 
        /* Interactive case */
195
 
        if(isatty(fd)) {
196
 
                int i;
197
 
 
198
 
                pass = safe_alloc(512);
199
 
                if (!pass || (i = interactive_pass(prompt, pass, 512, options->timeout))) {
200
 
                        set_error("Error reading passphrase");
201
 
                        goto out_err;
202
 
                }
203
 
                if (verify || verify_if_possible) {
204
 
                        char pass_verify[512];
205
 
                        i = interactive_pass("Verify passphrase: ", pass_verify, sizeof(pass_verify), options->timeout);
206
 
                        if (i || strcmp(pass, pass_verify) != 0) {
207
 
                                set_error("Passphrases do not match");
208
 
                                goto out_err;
209
 
                        }
210
 
                        memset(pass_verify, 0, sizeof(pass_verify));
211
 
                }
212
 
                *passLen = strlen(pass);
213
 
                *key = pass;
214
 
        } else {
215
 
                /* 
216
 
                 * This is either a fd-input or a file, in neither case we can verify the input,
217
 
                 * however we don't stop on new lines if it's a binary file.
218
 
                 */
219
 
                int buflen, i;
220
 
 
221
 
                if(verify) {
222
 
                        set_error("Can't do passphrase verification on non-tty inputs");
223
 
                        goto out_err;
224
 
                }
225
 
                /* The following for control loop does an exhausting
226
 
                 * read on the key material file, if requested with
227
 
                 * key_size == 0, as it's done by LUKS. However, we
228
 
                 * should warn the user, if it's a non-regular file,
229
 
                 * such as /dev/random, because in this case, the loop
230
 
                 * will read forever.
231
 
                 */ 
232
 
                if(options->key_file && strcmp(options->key_file, "-") && read_horizon == 0) {
233
 
                        struct stat st;
234
 
                        if(stat(options->key_file, &st) < 0) {
235
 
                                set_error("Can't stat key file");
236
 
                                goto out_err;
237
 
                        }
238
 
                        if(!S_ISREG(st.st_mode)) {
239
 
                                //                              set_error("Can't do exhausting read on non regular files");
240
 
                                // goto out_err;
241
 
                                fprintf(stderr,"Warning: exhausting read requested, but key file is not a regular file, function might never return.\n");
242
 
                        }
243
 
                }
244
 
                buflen = 0;
245
 
                for(i = 0; read_horizon == 0 || i < read_horizon; i++) {
246
 
                        if(i >= buflen - 1) {
247
 
                                buflen += 128;
248
 
                                pass = safe_realloc(pass, buflen);
249
 
                                if (!pass) {
250
 
                                        set_error("Not enough memory while "
251
 
                                                  "reading passphrase");
252
 
                                        goto out_err;
253
 
                                }
254
 
                        }
255
 
                        if(read(fd, pass + i, 1) != 1 || (newline_stop && pass[i] == '\n'))
256
 
                                break;
257
 
                }
258
 
                if(options->key_file)
259
 
                        close(fd);
260
 
                pass[i] = 0;
261
 
                *key = pass;
262
 
                *passLen = i;
263
 
        }
264
 
 
265
 
        return isatty(fd); /* Return true, when password reading can be tried on interactive fds */
266
 
 
267
 
out_err:
268
 
        if(pass)
269
 
                safe_free(pass);
270
 
        *key = NULL;
271
 
        *passLen = 0;
272
 
        return 0;
273
 
}
274
 
 
275
88
/*
276
89
 * Password processing behaviour matrix of process_key
277
90
 * 
305
118
                        return NULL;
306
119
                }
307
120
        } else if (passLen > options->key_size) {
308
 
                        memcpy(key, pass, options->key_size);
 
121
                memcpy(key, pass, options->key_size);
309
122
        } else {
310
 
                        memcpy(key, pass, passLen);
 
123
                memcpy(key, pass, passLen);
311
124
        }
312
125
 
313
126
        return key;
318
131
        char buf[128];
319
132
        uint64_t size;
320
133
        unsigned long size_small;
321
 
        int readonly;
 
134
        int readonly = 0;
322
135
        int ret = -1;
323
136
        int fd;
324
137
 
325
 
        fd = open(device, O_RDONLY);
 
138
        /* Try to open read-write to check whether it is a read-only device */
 
139
        fd = open(device, O_RDWR);
 
140
        if (fd < 0) {
 
141
                if (errno == EROFS) {
 
142
                        readonly = 1;
 
143
                        fd = open(device, O_RDONLY);
 
144
                }
 
145
        } else {
 
146
                close(fd);
 
147
                fd = open(device, O_RDONLY);
 
148
        }
326
149
        if (fd < 0) {
327
150
                set_error("Error opening device: %s",
328
151
                          strerror_r(errno, buf, 128));
330
153
        }
331
154
 
332
155
#ifdef BLKROGET
333
 
        if (ioctl(fd, BLKROGET, &readonly) < 0) {
334
 
                set_error("BLKROGET failed on device: %s",
335
 
                          strerror_r(errno, buf, 128));
336
 
                return -1;
 
156
        /* If the device can be opened read-write, i.e. readonly is still 0, then
 
157
         * check whether BKROGET says that it is read-only. E.g. read-only loop
 
158
         * devices may be openend read-write but are read-only according to BLKROGET
 
159
         */
 
160
        if (readonly == 0) {
 
161
                if (ioctl(fd, BLKROGET, &readonly) < 0) {
 
162
                        set_error("BLKROGET failed on device: %s",
 
163
                                  strerror_r(errno, buf, 128));
 
164
                        return -1;
 
165
                }
337
166
        }
338
167
#else
339
 
#       error BLKROGET not available
 
168
#error BLKROGET not available
340
169
#endif
341
170
 
342
171
#ifdef BLKGETSIZE64
372
201
static int parse_into_name_and_mode(const char *nameAndMode, char *name,
373
202
                                    char *mode)
374
203
{
375
 
        // Token content stringification, see info cpp/stringification
 
204
/* Token content stringification, see info cpp/stringification */
376
205
#define str(s) #s
377
206
#define xstr(s) str(s)
378
207
#define scanpattern1 "%" xstr(LUKS_CIPHERNAME_L) "[^-]-%" xstr(LUKS_CIPHERMODE_L)  "s"
385
214
                        strncpy(mode,"cbc-plain",10);
386
215
                } 
387
216
                else {
388
 
                        fprintf(stderr, "no known cipher-spec pattern detected\n");
 
217
                        set_error("no known cipher-spec pattern detected");
389
218
                        return -EINVAL;
390
219
                }
391
220
        }
446
275
        if (infos.readonly)
447
276
                options->flags |= CRYPT_FLAG_READONLY;
448
277
 
449
 
        get_key(options, "Enter passphrase: ", &key, &keyLen);
 
278
        get_key("Enter passphrase: ", &key, &keyLen, options->key_size, options->key_file, options->passphrase_fd, options->timeout, options->flags);
450
279
        if (!key) {
451
280
                set_error("Key reading error");
452
281
                return -ENOENT;
549
378
        
550
379
        struct luks_phdr header;
551
380
        struct luks_masterkey *mk=NULL;
552
 
        char *password; 
 
381
        char *password=NULL; 
553
382
        char cipherName[LUKS_CIPHERNAME_L];
554
383
        char cipherMode[LUKS_CIPHERMODE_L];
555
384
        int passwordLen;
556
385
        int PBKDF2perSecond;
557
386
        
 
387
        if (!LUKS_device_ready(options->device, O_RDWR | O_EXCL)) {
 
388
                set_error("Can not access device");
 
389
                r = -ENOTBLK; goto out;
 
390
        }
 
391
 
558
392
        mk = LUKS_generate_masterkey(options->key_size);
559
393
        if(NULL == mk) return -ENOMEM; 
560
394
 
561
395
#ifdef LUKS_DEBUG
562
 
#define printoffset(entry) printf("offset of " #entry " = %d\n", (char *)(&header.entry)-(char *)(&header))
 
396
#define printoffset(entry) logger(options, CRYPT_LOG_ERROR, ("offset of " #entry " = %d\n", (char *)(&header.entry)-(char *)(&header))
563
397
 
564
 
        printf("sizeof phdr %d, key slot %d\n",sizeof(struct luks_phdr),sizeof(header.keyblock[0]));
 
398
        logger(options, CRYPT_LOG_ERROR, "sizeof phdr %d, key slot %d\n",sizeof(struct luks_phdr),sizeof(header.keyblock[0]));
565
399
 
566
400
        printoffset(magic);
567
401
        printoffset(version);
575
409
        printoffset(mkDigestIterations);
576
410
        printoffset(uuid);
577
411
#endif
 
412
 
578
413
        r = parse_into_name_and_mode(options->cipher, cipherName, cipherMode);
579
414
        if(r < 0) return r;
580
415
 
581
416
        r = LUKS_generate_phdr(&header,mk,cipherName, cipherMode,LUKS_STRIPES, options->align_payload);
582
 
        if(r < 0) { 
583
 
                set_error("Can't write phdr");
 
417
        if(r < 0) {
 
418
                set_error("Can't generate phdr");
584
419
                return r; 
585
420
        }
586
421
 
587
422
        PBKDF2perSecond = LUKS_benchmarkt_iterations();
588
423
        header.keyblock[0].passwordIterations = at_least_one(PBKDF2perSecond * ((float)options->iteration_time / 1000.0));
589
424
#ifdef LUKS_DEBUG
590
 
        fprintf(stderr, "pitr %d\n", header.keyblock[0].passwordIterations);
 
425
        logger(options->icb->log,CRYPT_LOG_ERROR, "pitr %d\n", header.keyblock[0].passwordIterations);
591
426
#endif
592
 
        options->key_size = 0; // FIXME, define a clean interface some day.
593
 
        options->key_file = options->new_key_file;
594
 
        options->new_key_file = NULL;
595
 
        get_key(options,"Enter LUKS passphrase: ",&password,&passwordLen);
 
427
        get_key("Enter LUKS passphrase: ",&password,&passwordLen, 0, options->new_key_file, options->passphrase_fd, options->timeout, options->flags);
596
428
        if(!password) {
597
429
                r = -EINVAL; goto out;
598
430
        }
599
 
        r = LUKS_set_key(options->device, 0, password, passwordLen, &header, mk, backend);
 
431
 
 
432
        /* Set key, also writes phdr */
 
433
        r = LUKS_set_key(options->device, 0, password, passwordLen, &header, mk, backend); 
600
434
        if(r < 0) goto out; 
601
435
 
602
436
        r = 0;
608
442
 
609
443
static int __crypt_luks_open(int arg, struct setup_backend *backend, struct crypt_options *options)
610
444
{
611
 
        struct luks_masterkey *mk;
 
445
        struct luks_masterkey *mk=NULL;
612
446
        struct luks_phdr hdr;
613
447
        char *password; int passwordLen;
614
448
        struct device_infos infos;
624
458
                return -EEXIST;
625
459
        }
626
460
 
 
461
        if (!LUKS_device_ready(options->device, O_RDONLY | O_EXCL)) {
 
462
                set_error("Can not access device");
 
463
                return -ENOTBLK;
 
464
        }
 
465
 
627
466
        if (get_device_infos(options->device, &infos) < 0) {
628
467
                set_error("Can't get device information.\n");
629
 
                r = -ENOTBLK; goto out;
 
468
                return -ENOTBLK;
630
469
        }
 
470
 
631
471
        if (infos.readonly)
632
472
                options->flags |= CRYPT_FLAG_READONLY;
633
473
 
634
474
start:
635
475
        mk=NULL;
636
 
        options->key_size = 0; // FIXME, define a clean interface some day.
637
476
 
638
 
        if(get_key(options,"Enter LUKS passphrase: ",&password,&passwordLen))
 
477
        if(get_key("Enter LUKS passphrase: ",&password,&passwordLen, 0, options->key_file,  options->passphrase_fd, options->timeout, options->flags))
639
478
                tries--;
640
479
        else
641
480
                tries = 0;
643
482
        if(!password) {
644
483
                r = -EINVAL; goto out;
645
484
        }
646
 
        if((r = LUKS_open_any_key(options->device, password, passwordLen, &hdr, &mk, backend)) < 0) {
 
485
        
 
486
        r = LUKS_open_any_key(options->device, password, passwordLen, &hdr, &mk, backend);
 
487
        if(r < 0) {
647
488
                set_error("No key available with this passphrase.\n");
648
489
                goto out1;
649
 
        }
 
490
        } else
 
491
                logger(options, CRYPT_LOG_NORMAL,"key slot %d unlocked.\n", r);
 
492
 
650
493
        
651
494
        options->offset = hdr.payloadOffset;
652
495
        asprintf(&dmCipherSpec, "%s-%s", hdr.cipherName, hdr.cipherMode);
686
529
{
687
530
        struct luks_masterkey *mk=NULL;
688
531
        struct luks_phdr hdr;
689
 
        char *password; unsigned int passwordLen;
 
532
        char *password=NULL; unsigned int passwordLen;
690
533
        unsigned int i; unsigned int keyIndex;
691
534
        const char *device = options->device;
692
535
        struct crypt_options optionsCheck = { 
699
542
        };
700
543
        int r;
701
544
        
 
545
        if (!LUKS_device_ready(options->device, O_RDWR | O_EXCL)) {
 
546
                set_error("Can not access device");
 
547
                r = -ENOTBLK; goto out;
 
548
        }
 
549
 
702
550
        r = LUKS_read_phdr(device, &hdr);
703
551
        if(r < 0) return r;
704
552
 
713
561
        keyIndex = i;
714
562
        
715
563
        optionsCheck.key_size = 0; // FIXME, define a clean interface some day.
716
 
        get_key(&optionsCheck,"Enter any LUKS passphrase: ",&password,&passwordLen);
 
564
        get_key("Enter any LUKS passphrase: ",&password,&passwordLen, options->key_size, options->key_file, options->passphrase_fd, options->timeout, options->flags & ~(CRYPT_FLAG_VERIFY | CRYPT_FLAG_VERIFY_IF_POSSIBLE));
717
565
        if(!password) {
718
566
                r = -EINVAL; goto out;
719
567
        }
720
 
        if(LUKS_open_any_key(device, password, passwordLen, &hdr, &mk, backend) < 0) {
721
 
                printf("No key available with this passphrase.\n");
 
568
        r = LUKS_open_any_key(device, password, passwordLen, &hdr, &mk, backend);
 
569
        if(r < 0) {
 
570
                options->icb->log(CRYPT_LOG_ERROR,"No key available with this passphrase.\n");
722
571
                r = -EPERM; goto out;
723
 
        }
 
572
        } else
 
573
                logger(options, CRYPT_LOG_NORMAL,"key slot %d unlocked.\n",i);
 
574
 
724
575
        safe_free(password);
725
576
        
726
577
        optionsSet.key_size = 0; // FIXME, define a clean interface some day.
727
 
        get_key(&optionsSet,"Enter new passphrase for key slot: ",&password,&passwordLen);
 
578
        get_key("Enter new passphrase for key slot: ",&password,&passwordLen, options->key_size, options->new_key_file, options->passphrase_fd, options->timeout, options->flags);
728
579
        if(!password) {
729
580
                r = -EINVAL; goto out;
730
581
        }
741
592
        return r;
742
593
}
743
594
 
744
 
static int __crypt_luks_del_key(int arg, struct setup_backend *backend, struct crypt_options *options)
 
595
static int luks_remove_helper(int arg, struct setup_backend *backend, struct crypt_options *options, int supply_it)
745
596
{
746
597
        struct luks_masterkey *mk;
747
598
        struct luks_phdr hdr;
748
599
        char *password=NULL; 
749
600
        unsigned int passwordLen;
750
601
        const char *device = options->device;
751
 
        int keyIndex = options->key_slot;
 
602
        int keyIndex;
752
603
        int openedIndex;
753
604
        int r;
754
 
        
 
605
        if (!LUKS_device_ready(options->device, O_RDWR | O_EXCL)) {
 
606
            set_error("Can not access device");
 
607
            r = -ENOTBLK; goto out;
 
608
        }
 
609
 
 
610
        if(supply_it) {
 
611
            get_key("Enter LUKS passphrase to be deleted: ",&password,&passwordLen, 0, options->new_key_file, options->passphrase_fd, options->timeout, options->flags);
 
612
            if(!password) {
 
613
                    r = -EINVAL; goto out;
 
614
            }
 
615
            keyIndex = LUKS_open_any_key(device, password, passwordLen, &hdr, &mk, backend);
 
616
            if(keyIndex < 0) {
 
617
                    options->icb->log(CRYPT_LOG_ERROR,"No remaining key available with this passphrase.\n");
 
618
                    r = -EPERM; goto out;
 
619
            } else
 
620
                logger(options, CRYPT_LOG_NORMAL,"key slot %d selected for deletion.\n", keyIndex);
 
621
            safe_free(password);
 
622
        } else {
 
623
            keyIndex = options->key_slot;
 
624
        }
 
625
 
 
626
        if(LUKS_is_last_keyslot(options->device, keyIndex) && 
 
627
           !(options->icb->yesDialog(_("This is the last keyslot. Device will become unusable after purging this key.")))) {
 
628
                r = -EINVAL;
 
629
                goto out;
 
630
        } 
 
631
 
755
632
        if(options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY) {
756
633
                options->flags &= ~CRYPT_FLAG_VERIFY_ON_DELKEY;
757
 
                options->key_size = 0; // FIXME, define a clean interface some day.
758
 
                get_key(options,"Enter any remaining LUKS passphrase: ",&password,&passwordLen);
 
634
                get_key("Enter any remaining LUKS passphrase: ",&password,&passwordLen, 0, options->key_file, options->passphrase_fd, options->timeout, options->flags);
759
635
                if(!password) {
760
636
                        r = -EINVAL; goto out;
761
637
                }
762
638
                openedIndex = LUKS_open_any_key(device, password, passwordLen, &hdr, &mk, backend);
763
639
                if(openedIndex < 0 || keyIndex == openedIndex) {
764
 
                        printf("No remaining key available with this passphrase.\n");
765
 
                        r = -EPERM; goto out;
766
 
                }
 
640
                            options->icb->log(CRYPT_LOG_ERROR,"No remaining key available with this passphrase.\n");
 
641
                            r = -EPERM; goto out;
 
642
                } else
 
643
                        logger(options, CRYPT_LOG_NORMAL,"key slot %d verified.\n", keyIndex);
767
644
        }
768
645
        r = LUKS_del_key(device, keyIndex);
769
646
        if(r < 0) goto out;
774
651
        return r;
775
652
}
776
653
 
 
654
static int __crypt_luks_kill_slot(int arg, struct setup_backend *backend, struct crypt_options *options) {
 
655
        return luks_remove_helper(arg, backend, options, 0);
 
656
}
 
657
 
 
658
static int __crypt_luks_remove_key(int arg, struct setup_backend *backend, struct crypt_options *options) {
 
659
        return luks_remove_helper(arg, backend, options, 1);
 
660
}
 
661
 
777
662
 
778
663
static int crypt_job(int (*job)(int arg, struct setup_backend *backend,
779
664
                                struct crypt_options *options),
784
669
 
785
670
        backend = get_setup_backend(default_backend);
786
671
 
787
 
        setup_enter(backend);
 
672
        setup_enter(backend,options->icb->log);
788
673
 
789
674
        if (!backend) {
790
675
                set_error("No setup backend available");
840
725
        return crypt_job(__crypt_luks_open, 0, options);
841
726
}
842
727
 
843
 
int crypt_luksDelKey(struct crypt_options *options)
844
 
{
845
 
        return crypt_job(__crypt_luks_del_key, 0, options);
 
728
int crypt_luksKillSlot(struct crypt_options *options)
 
729
{
 
730
        return crypt_job(__crypt_luks_kill_slot, 0, options);
 
731
}
 
732
 
 
733
int crypt_luksRemoveKey(struct crypt_options *options)
 
734
{
 
735
        return crypt_job(__crypt_luks_remove_key, 0, options);
846
736
}
847
737
 
848
738
int crypt_luksAddKey(struct crypt_options *options)
858
748
        r = LUKS_read_phdr(options->device,&hdr);
859
749
        if(r < 0) return r;
860
750
 
861
 
        printf("%s\n",hdr.uuid);
 
751
        options->icb->log(CRYPT_LOG_NORMAL,hdr.uuid);
 
752
        options->icb->log(CRYPT_LOG_NORMAL,"\n");
862
753
        return 0;
863
754
}
864
755
 
876
767
        r = LUKS_read_phdr(options->device,&hdr);
877
768
        if(r < 0) return r;
878
769
 
879
 
        printf("LUKS header information for %s\n\n",options->device);
880
 
        printf("Version:       \t%d\n",hdr.version);
881
 
        printf("Cipher name:   \t%s\n",hdr.cipherName);
882
 
        printf("Cipher mode:   \t%s\n",hdr.cipherMode);
883
 
        printf("Hash spec:     \t%s\n",hdr.hashSpec);
884
 
        printf("Payload offset:\t%d\n",hdr.payloadOffset);
885
 
        printf("MK bits:       \t%d\n",hdr.keyBytes*8);
886
 
        printf("MK digest:     \t");
887
 
        hexprint(hdr.mkDigest,LUKS_DIGESTSIZE);
888
 
        printf("\n");
889
 
        printf("MK salt:       \t");
890
 
        hexprint(hdr.mkDigestSalt,LUKS_SALTSIZE/2);
891
 
        printf("\n               \t");
892
 
        hexprint(hdr.mkDigestSalt+LUKS_SALTSIZE/2,LUKS_SALTSIZE/2);
893
 
        printf("\n");
894
 
        printf("MK iterations: \t%d\n",hdr.mkDigestIterations);
895
 
        printf("UUID:          \t%s\n\n",hdr.uuid);
 
770
        logger(options, CRYPT_LOG_NORMAL, "LUKS header information for %s\n\n",options->device);
 
771
        logger(options, CRYPT_LOG_NORMAL, "Version:       \t%d\n",hdr.version);
 
772
        logger(options, CRYPT_LOG_NORMAL, "Cipher name:   \t%s\n",hdr.cipherName);
 
773
        logger(options, CRYPT_LOG_NORMAL, "Cipher mode:   \t%s\n",hdr.cipherMode);
 
774
        logger(options, CRYPT_LOG_NORMAL, "Hash spec:     \t%s\n",hdr.hashSpec);
 
775
        logger(options, CRYPT_LOG_NORMAL, "Payload offset:\t%d\n",hdr.payloadOffset);
 
776
        logger(options, CRYPT_LOG_NORMAL, "MK bits:       \t%d\n",hdr.keyBytes*8);
 
777
        logger(options, CRYPT_LOG_NORMAL, "MK digest:     \t");
 
778
        hexprintICB(options, CRYPT_LOG_NORMAL, hdr.mkDigest,LUKS_DIGESTSIZE);
 
779
        logger(options, CRYPT_LOG_NORMAL, "\n");
 
780
        logger(options, CRYPT_LOG_NORMAL, "MK salt:       \t");
 
781
        hexprintICB(options, CRYPT_LOG_NORMAL, hdr.mkDigestSalt,LUKS_SALTSIZE/2);
 
782
        logger(options, CRYPT_LOG_NORMAL, "\n               \t");
 
783
        hexprintICB(options, CRYPT_LOG_NORMAL, hdr.mkDigestSalt+LUKS_SALTSIZE/2,LUKS_SALTSIZE/2);
 
784
        logger(options, CRYPT_LOG_NORMAL, "\n");
 
785
        logger(options, CRYPT_LOG_NORMAL, "MK iterations: \t%d\n",hdr.mkDigestIterations);
 
786
        logger(options, CRYPT_LOG_NORMAL, "UUID:          \t%s\n\n",hdr.uuid);
896
787
        for(i=0;i<LUKS_NUMKEYS;i++) {
897
788
                if(hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
898
 
                        printf("Key Slot %d: ENABLED\n",i);
899
 
                        printf("\tIterations:         \t%d\n",hdr.keyblock[i].passwordIterations);
900
 
                        printf("\tSalt:               \t");
901
 
                        hexprint(hdr.keyblock[i].passwordSalt,LUKS_SALTSIZE/2);
902
 
                        printf("\n\t                      \t");
903
 
                        hexprint(hdr.keyblock[i].passwordSalt+LUKS_SALTSIZE/2,LUKS_SALTSIZE/2);
904
 
                        printf("\n");
 
789
                        logger(options, CRYPT_LOG_NORMAL, "Key Slot %d: ENABLED\n",i);
 
790
                        logger(options, CRYPT_LOG_NORMAL, "\tIterations:         \t%d\n",hdr.keyblock[i].passwordIterations);
 
791
                        logger(options, CRYPT_LOG_NORMAL, "\tSalt:               \t");
 
792
                        hexprintICB(options, CRYPT_LOG_NORMAL, hdr.keyblock[i].passwordSalt,LUKS_SALTSIZE/2);
 
793
                        logger(options, CRYPT_LOG_NORMAL, "\n\t                      \t");
 
794
                        hexprintICB(options, CRYPT_LOG_NORMAL, hdr.keyblock[i].passwordSalt+LUKS_SALTSIZE/2,LUKS_SALTSIZE/2);
 
795
                        logger(options, CRYPT_LOG_NORMAL, "\n");
905
796
 
906
 
                        printf("\tKey material offset:\t%d\n",hdr.keyblock[i].keyMaterialOffset);
907
 
                        printf("\tAF stripes:            \t%d\n",hdr.keyblock[i].stripes);
 
797
                        logger(options, CRYPT_LOG_NORMAL, "\tKey material offset:\t%d\n",hdr.keyblock[i].keyMaterialOffset);
 
798
                        logger(options, CRYPT_LOG_NORMAL, "\tAF stripes:            \t%d\n",hdr.keyblock[i].stripes);
908
799
                }               
909
800
                else 
910
 
                        printf("Key Slot %d: DISABLED\n",i);
 
801
                        logger(options, CRYPT_LOG_NORMAL, "Key Slot %d: DISABLED\n",i);
911
802
        }
912
803
        return 0;
913
804
}
966
857
 
967
858
        return dir;
968
859
}
 
860
 
 
861
// Local Variables:
 
862
// c-basic-offset: 8
 
863
// indent-tabs-mode: nil
 
864
// End: