240
133
if(sscanf(nameAndMode,scanpattern1, name, mode) != 2) {
241
if((r = sscanf(nameAndMode,scanpattern2,name)) == 1) {
134
if((r = sscanf(nameAndMode,scanpattern2,name)) == 1)
242
135
strncpy(mode,"cbc-plain",10);
245
set_error("no known cipher-spec pattern detected");
258
/* Select free keyslot or verifies that the one specified is empty */
259
static int keyslot_from_option(int keySlotOption, struct luks_phdr *hdr, struct crypt_options *options) {
260
if(keySlotOption >= 0) {
261
if(keySlotOption >= LUKS_NUMKEYS) {
262
logger(options,CRYPT_LOG_ERROR,"slot %d too high, please pick between 0 and %d", keySlotOption, LUKS_NUMKEYS);
264
} else if(hdr->keyblock[keySlotOption].active != LUKS_KEY_DISABLED) {
265
logger(options,CRYPT_LOG_ERROR,"slot %d full, please pick another one", keySlotOption);
268
return keySlotOption;
272
/* Find empty key slot */
273
for(i=0; i<LUKS_NUMKEYS; i++) {
274
if(hdr->keyblock[i].active == LUKS_KEY_DISABLED) break;
276
if(i==LUKS_NUMKEYS) {
277
logger(options,CRYPT_LOG_ERROR,"All slots full");
284
static int __crypt_create_device(int reload, struct setup_backend *backend,
285
struct crypt_options *options)
287
struct crypt_options tmp = {
288
.name = options->name,
148
static int isPLAIN(const char *type)
150
return (type && !strcmp(CRYPT_PLAIN, type));
153
static int isLUKS(const char *type)
155
return (type && !strcmp(CRYPT_LUKS1, type));
158
/* keyslot helpers */
159
static int keyslot_verify_or_find_empty(struct crypt_device *cd, int *keyslot)
161
if (*keyslot == CRYPT_ANY_SLOT) {
162
*keyslot = LUKS_keyslot_find_empty(&cd->hdr);
164
log_err(cd, _("All key slots full.\n"));
169
switch (LUKS_keyslot_info(&cd->hdr, *keyslot)) {
171
log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
172
*keyslot, LUKS_NUMKEYS - 1);
177
log_err(cd, _("Key slot %d is full, please select another one.\n"),
185
static int verify_other_keyslot(struct crypt_device *cd,
186
const char *key_file,
190
struct luks_masterkey *mk;
191
crypt_keyslot_info ki;
193
char *password = NULL;
194
unsigned int passwordLen;
196
get_key(_("Enter any remaining LUKS passphrase: "), &password,
197
&passwordLen, 0, key_file, cd->timeout, flags, cd);
201
ki = crypt_keyslot_status(cd, keyIndex);
202
if (ki == SLOT_ACTIVE) /* Not last slot */
203
LUKS_keyslot_set(&cd->hdr, keyIndex, 0);
205
openedIndex = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT,
206
password, passwordLen,
209
if (ki == SLOT_ACTIVE)
210
LUKS_keyslot_set(&cd->hdr, keyIndex, 1);
211
LUKS_dealloc_masterkey(mk);
217
log_std(cd, _("Key slot %d verified.\n"), openedIndex);
221
static int find_keyslot_by_passphrase(struct crypt_device *cd,
222
const char *key_file,
226
struct luks_masterkey *mk;
227
char *password = NULL;
228
unsigned int passwordLen;
231
get_key(message,&password,&passwordLen, 0, key_file,
232
cd->timeout, flags, cd);
236
keyIndex = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
237
passwordLen, &cd->hdr, &mk, cd);
238
LUKS_dealloc_masterkey(mk);
244
static int device_check_and_adjust(struct crypt_device *cd,
246
uint64_t *size, uint64_t *offset,
290
249
struct device_infos infos;
293
char *processed_key = NULL;
296
r = backend->status(0, &tmp, NULL);
302
set_error("Device already exists");
309
if (options->key_size < 0 || options->key_size > 1024) {
310
set_error("Invalid key size");
314
if (get_device_infos(options->device, &infos) < 0)
251
if (get_device_infos(device, &infos, cd) < 0) {
252
log_err(cd, _("Cannot get info about device %s.\n"), device);
317
if (!options->size) {
318
options->size = infos.size;
319
if (!options->size) {
320
set_error("Not a block device");
259
log_err(cd, _("Device %s has zero size.\n"), device);
323
if (options->size <= options->offset) {
324
set_error("Invalid offset");
262
if (*size <= *offset) {
263
log_err(cd, _("Device %s is too small.\n"), device);
327
options->size -= options->offset;
330
269
if (infos.readonly)
331
options->flags |= CRYPT_FLAG_READONLY;
333
get_key("Enter passphrase: ", &key, &keyLen, options->key_size, options->key_file, options->passphrase_fd, options->timeout, options->flags);
335
set_error("Key reading error");
339
processed_key = process_key(options,key,keyLen);
342
if (!processed_key) {
343
const char *error=get_error();
345
char *c_error_handling_sucks;
346
asprintf(&c_error_handling_sucks,"Key processing error: %s",error);
347
set_error(c_error_handling_sucks);
348
free(c_error_handling_sucks);
350
set_error("Key processing error");
354
r = backend->create(reload, options, processed_key);
272
log_dbg("Calculated device size is %" PRIu64 " sectors (%s), offset %" PRIu64 ".",
273
*size, *read_only ? "RO" : "RW", *offset);
277
static int luks_remove_helper(struct crypt_device *cd,
279
const char *other_key_file,
280
const char *key_file,
283
crypt_keyslot_info ki;
286
if (key_slot == CRYPT_ANY_SLOT) {
287
key_slot = find_keyslot_by_passphrase(cd, key_file, 0,
288
_("Enter LUKS passphrase to be deleted: "));
294
log_std(cd, _("key slot %d selected for deletion.\n"), key_slot);
297
ki = crypt_keyslot_status(cd, key_slot);
298
if (ki == SLOT_INVALID) {
299
log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
300
key_slot, LUKS_NUMKEYS - 1);
304
if (ki <= SLOT_INACTIVE) {
305
log_err(cd, _("Key %d not active. Can't wipe.\n"), key_slot);
310
if (ki == SLOT_ACTIVE_LAST && cd->confirm &&
311
!(cd->confirm(_("This is the last keyslot."
312
" Device will become unusable after purging this key."),
313
cd->confirm_usrptr))) {
319
r = verify_other_keyslot(cd, other_key_file, 0, key_slot);
324
r = crypt_keyslot_destroy(cd, key_slot);
326
return (r < 0) ? r : 0;
329
static int create_device_helper(struct crypt_device *cd,
333
const char *cipher_mode,
334
const char *key_file,
346
crypt_status_info ci;
347
char *dm_cipher = NULL;
348
char *processed_key = NULL;
351
ci = crypt_status(cd, name);
355
if (reload && ci < ACTIVE)
358
if (!reload && ci >= ACTIVE) {
359
log_err(cd, _("Device %s already exists.\n"), name);
363
if (key_size < 0 || key_size > 1024) {
364
log_err(cd, _("Invalid key size %d.\n"), key_size);
368
r = device_check_and_adjust(cd, cd->device, &size, &offset, &read_only);
372
if (cipher_mode && asprintf(&dm_cipher, "%s-%s", cipher, cipher_mode) < 0)
375
processed_key = process_key(cd, hash, key_file, key_size, key, keyLen);
379
r = dm_create_device(name, cd->device, dm_cipher ?: cipher, cd->type, uuid, size, skip, offset,
380
key_size, processed_key, read_only, reload);
356
383
safe_free(processed_key);
361
static int __crypt_query_device(int details, struct setup_backend *backend,
362
struct crypt_options *options)
364
int r = backend->status(details, options, NULL);
387
static int open_from_hdr_and_mk(struct crypt_device *cd,
388
struct luks_masterkey *mk,
392
uint64_t size, offset;
394
int read_only, no_uuid, r;
397
offset = crypt_get_data_offset(cd);
398
read_only = flags & CRYPT_ACTIVATE_READONLY;
399
no_uuid = flags & CRYPT_ACTIVATE_NO_UUID;
401
r = device_check_and_adjust(cd, cd->device, &size, &offset, &read_only);
405
if (asprintf(&cipher, "%s-%s", crypt_get_cipher(cd),
406
crypt_get_cipher_mode(cd)) < 0)
409
r = dm_create_device(name, cd->device, cipher, cd->type,
410
no_uuid ? NULL : crypt_get_uuid(cd),
411
size, 0, offset, mk->keyLength, mk->key,
417
static void log_wrapper(int class, const char *msg, void *usrptr)
419
void (*xlog)(int class, char *msg) = usrptr;
420
xlog(class, (char *)msg);
423
static int yesDialog_wrapper(const char *msg, void *usrptr)
425
int (*xyesDialog)(char *msg) = usrptr;
426
return xyesDialog((char*)msg);
429
int crypt_confirm(struct crypt_device *cd, const char *msg)
431
if (!cd || !cd->confirm)
373
static int __crypt_resize_device(int details, struct setup_backend *backend,
374
struct crypt_options *options)
376
struct crypt_options tmp = {
377
.name = options->name,
379
struct device_infos infos;
383
r = backend->status(1, &tmp, &key);
387
if (get_device_infos(tmp.device, &infos) < 0)
434
return cd->confirm(msg, cd->confirm_usrptr);
437
static void key_from_terminal(struct crypt_device *cd, char *msg, char **key,
438
unsigned int *key_len, int force_verify)
443
*key = safe_alloc(MAX_TTY_PASSWORD_LEN);
446
r = cd->password(msg, *key, (size_t)key_len, cd->password_usrptr);
453
if (force_verify || cd->password_verify)
454
flags |= CRYPT_FLAG_VERIFY_IF_POSSIBLE;
455
get_key(msg, key, key_len, 0, NULL, cd->timeout, flags, cd);
459
static int volume_key_by_terminal_passphrase(struct crypt_device *cd, int keyslot,
460
struct luks_masterkey **mk)
462
char *prompt = NULL, *passphrase_read = NULL;
463
unsigned int passphrase_size_read;
464
int r = -EINVAL, tries = cd->tries;
466
if(asprintf(&prompt, _("Enter passphrase for %s: "), cd->device) < 0)
472
LUKS_dealloc_masterkey(*mk);
475
key_from_terminal(cd, prompt, &passphrase_read,
476
&passphrase_size_read, 0);
477
if(!passphrase_read) {
482
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
483
passphrase_size_read, &cd->hdr, mk, cd);
484
safe_free(passphrase_read);
485
passphrase_read = NULL;
486
} while (r == -EPERM && (--tries > 0));
489
LUKS_dealloc_masterkey(*mk);
498
static void key_from_file(struct crypt_device *cd, char *msg,
499
char **key, unsigned int *key_len,
500
const char *key_file, size_t key_size)
502
get_key(msg, key, key_len, key_size, key_file, cd->timeout, 0, cd);
505
static int _crypt_init(struct crypt_device **cd,
507
struct crypt_options *options,
508
int load, int need_dm)
512
/* if it is plain device and mapping table is being reloaded
513
initialize it by name*/
514
init_by_name = (type && !strcmp(type, CRYPT_PLAIN) && load);
516
/* Some of old API calls do not require DM in kernel,
517
fake initialisation by initialise it with kernel_check disabled */
519
(void)dm_init(NULL, 0);
521
r = crypt_init_by_name(cd, options->name);
523
r = crypt_init(cd, options->device);
390
if (!options->size) {
391
options->size = infos.size;
392
if (!options->size) {
393
set_error("Not a block device");
396
if (options->size <= tmp.offset) {
397
set_error("Invalid offset");
400
options->size -= tmp.offset;
402
tmp.size = options->size;
405
options->flags |= CRYPT_FLAG_READONLY;
407
r = backend->create(1, &tmp, key);
414
static int __crypt_remove_device(int arg, struct setup_backend *backend,
415
struct crypt_options *options)
419
r = backend->status(0, options, NULL);
423
set_error("Device busy");
427
return backend->remove(0, options);
430
static int __crypt_luks_format(int arg, struct setup_backend *backend, struct crypt_options *options)
434
struct luks_phdr header;
435
struct luks_masterkey *mk=NULL;
437
char cipherName[LUKS_CIPHERNAME_L];
438
char cipherMode[LUKS_CIPHERMODE_L];
439
unsigned int passwordLen;
443
if (!LUKS_device_ready(options->device, O_RDWR | O_EXCL)) {
444
set_error("Can not access device");
445
r = -ENOTBLK; goto out;
448
mk = LUKS_generate_masterkey(options->key_size);
449
if(NULL == mk) return -ENOMEM; // FIXME This may be misleading, since we don't know what went wrong
452
#define printoffset(entry) logger(options, CRYPT_LOG_ERROR, ("offset of " #entry " = %d\n", (char *)(&header.entry)-(char *)(&header))
454
logger(options, CRYPT_LOG_ERROR, "sizeof phdr %d, key slot %d\n",sizeof(struct luks_phdr),sizeof(header.keyblock[0]));
457
printoffset(version);
458
printoffset(cipherName);
459
printoffset(cipherMode);
460
printoffset(hashSpec);
461
printoffset(payloadOffset);
462
printoffset(keyBytes);
463
printoffset(mkDigest);
464
printoffset(mkDigestSalt);
465
printoffset(mkDigestIterations);
469
r = parse_into_name_and_mode(options->cipher, cipherName, cipherMode);
472
r = LUKS_generate_phdr(&header,mk,cipherName, cipherMode,LUKS_STRIPES, options->align_payload);
474
set_error("Can't generate phdr");
478
keyIndex = keyslot_from_option(options->key_slot, &header, options);
479
if(keyIndex == -EINVAL) {
480
r = -EINVAL; goto out;
483
PBKDF2perSecond = LUKS_benchmarkt_iterations();
484
header.keyblock[keyIndex].passwordIterations = at_least_one(PBKDF2perSecond * ((float)options->iteration_time / 1000.0));
486
logger(options->icb->log,CRYPT_LOG_ERROR, "pitr %d\n", header.keyblock[0].passwordIterations);
488
get_key("Enter LUKS passphrase: ",&password,&passwordLen, 0, options->new_key_file, options->passphrase_fd, options->timeout, options->flags);
490
r = -EINVAL; goto out;
493
/* Wipe first 8 sectors - fs magic numbers etc. */
494
r = wipe_device_header(options->device, 8);
497
/* Set key, also writes phdr */
498
r = LUKS_set_key(options->device, keyIndex, password, passwordLen, &header, mk, backend);
503
LUKS_dealloc_masterkey(mk);
508
static int __crypt_luks_open(int arg, struct setup_backend *backend, struct crypt_options *options)
510
struct luks_masterkey *mk=NULL;
511
struct luks_phdr hdr;
513
unsigned int passwordLen;
514
struct device_infos infos;
515
struct crypt_options tmp = {
516
.name = options->name,
519
int r, tries = options->tries;
520
int excl = (options->flags & CRYPT_FLAG_NON_EXCLUSIVE_ACCESS) ? 0 : O_EXCL ;
522
r = backend->status(0, &tmp, NULL);
524
set_error("Device already exists");
528
if (!LUKS_device_ready(options->device, O_RDONLY | excl)) {
529
set_error("Can not access device");
533
if (get_device_infos(options->device, &infos) < 0) {
534
set_error("Can't get device information.\n");
539
options->flags |= CRYPT_FLAG_READONLY;
544
if(get_key("Enter LUKS passphrase: ",&password,&passwordLen, 0, options->key_file, options->passphrase_fd, options->timeout, options->flags))
550
r = -EINVAL; goto out;
553
r = LUKS_open_any_key(options->device, password, passwordLen, &hdr, &mk, backend);
555
set_error("No key available with this passphrase.\n");
559
logger(options, CRYPT_LOG_NORMAL,"key slot %d unlocked.\n", r);
562
options->offset = hdr.payloadOffset;
563
asprintf(&dmCipherSpec, "%s-%s", hdr.cipherName, hdr.cipherMode);
568
options->cipher = dmCipherSpec;
569
options->key_size = mk->keyLength;
572
options->size = infos.size;
573
if (!options->size) {
574
set_error("Not a block device.\n");
575
r = -ENOTBLK; goto out2;
577
if (options->size <= options->offset) {
578
set_error("Invalid offset");
579
r = -EINVAL; goto out2;
581
options->size -= options->offset;
582
r = backend->create(0, options, mk->key);
589
LUKS_dealloc_masterkey(mk);
590
if (r == -EPERM && tries > 0)
596
static int __crypt_luks_add_key(int arg, struct setup_backend *backend, struct crypt_options *options)
598
struct luks_masterkey *mk=NULL;
599
struct luks_phdr hdr;
600
char *password=NULL; unsigned int passwordLen;
601
unsigned int keyIndex;
602
const char *device = options->device;
605
if (!LUKS_device_ready(options->device, O_RDWR)) {
606
set_error("Can not access device");
607
r = -ENOTBLK; goto out;
610
r = LUKS_read_phdr(device, &hdr);
614
keyIndex = keyslot_from_option(options->key_slot, &hdr, options);
615
if(keyIndex == -EINVAL) {
616
r = -EINVAL; goto out;
619
get_key("Enter any LUKS passphrase: ",
624
options->passphrase_fd,
626
options->flags & ~(CRYPT_FLAG_VERIFY | CRYPT_FLAG_VERIFY_IF_POSSIBLE));
629
r = -EINVAL; goto out;
631
r = LUKS_open_any_key(device, password, passwordLen, &hdr, &mk, backend);
633
options->icb->log(CRYPT_LOG_ERROR,"No key available with this passphrase.\n");
634
r = -EPERM; goto out;
636
logger(options, CRYPT_LOG_NORMAL,"key slot %d unlocked.\n", r);
640
get_key("Enter new passphrase for key slot: ",
644
options->new_key_file,
645
options->passphrase_fd,
649
r = -EINVAL; goto out;
652
hdr.keyblock[keyIndex].passwordIterations = at_least_one(LUKS_benchmarkt_iterations() * ((float)options->iteration_time / 1000));
654
r = LUKS_set_key(device, keyIndex, password, passwordLen, &hdr, mk, backend);
660
LUKS_dealloc_masterkey(mk);
664
static int luks_remove_helper(int arg, struct setup_backend *backend, struct crypt_options *options, int supply_it)
666
struct luks_masterkey *mk;
667
struct luks_phdr hdr;
669
unsigned int passwordLen;
670
const char *device = options->device;
674
if (!LUKS_device_ready(options->device, O_RDWR)) {
675
set_error("Can not access device");
676
r = -ENOTBLK; goto out;
680
get_key("Enter LUKS passphrase to be deleted: ",&password,&passwordLen, 0, options->new_key_file, options->passphrase_fd, options->timeout, options->flags);
682
r = -EINVAL; goto out;
684
keyIndex = LUKS_open_any_key(device, password, passwordLen, &hdr, &mk, backend);
686
options->icb->log(CRYPT_LOG_ERROR,"No remaining key available with this passphrase.\n");
687
r = -EPERM; goto out;
689
logger(options, CRYPT_LOG_NORMAL,"key slot %d selected for deletion.\n", keyIndex);
692
keyIndex = options->key_slot;
695
if(LUKS_is_last_keyslot(options->device, keyIndex) &&
696
!(options->icb->yesDialog(_("This is the last keyslot. Device will become unusable after purging this key.")))) {
701
if(options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY) {
702
options->flags &= ~CRYPT_FLAG_VERIFY_ON_DELKEY;
703
get_key("Enter any remaining LUKS passphrase: ",&password,&passwordLen, 0, options->key_file, options->passphrase_fd, options->timeout, options->flags);
705
r = -EINVAL; goto out;
708
r = LUKS_read_phdr(device, &hdr);
710
options->icb->log(CRYPT_LOG_ERROR,"Failed to access device.\n");
713
hdr.keyblock[keyIndex].active = LUKS_KEY_DISABLED;
715
openedIndex = LUKS_open_any_key_with_hdr(device, password, passwordLen, &hdr, &mk, backend);
717
if (openedIndex >= 0) {
718
LUKS_dealloc_masterkey(mk);
721
if(openedIndex < 0) {
722
options->icb->log(CRYPT_LOG_ERROR,"No remaining key available with this passphrase.\n");
723
r = -EPERM; goto out;
725
logger(options, CRYPT_LOG_NORMAL,"key slot %d verified.\n", openedIndex);
727
r = LUKS_del_key(device, keyIndex);
736
static int __crypt_luks_kill_slot(int arg, struct setup_backend *backend, struct crypt_options *options) {
737
return luks_remove_helper(arg, backend, options, 0);
740
static int __crypt_luks_remove_key(int arg, struct setup_backend *backend, struct crypt_options *options) {
741
return luks_remove_helper(arg, backend, options, 1);
745
static int crypt_job(int (*job)(int arg, struct setup_backend *backend,
746
struct crypt_options *options),
747
int arg, struct crypt_options *options)
749
struct setup_backend *backend;
752
backend = get_setup_backend(default_backend);
754
if (setup_enter(backend,options->icb->log) < 0) {
760
set_error("No setup backend available");
765
r = job(arg, backend, options);
767
setup_leave(backend);
769
put_setup_backend(backend);
530
crypt_set_log_callback(*cd, log_wrapper, options->icb->log);
531
crypt_set_confirm_callback(*cd, yesDialog_wrapper, options->icb->yesDialog);
533
crypt_set_timeout(*cd, options->timeout);
534
crypt_set_password_retry(*cd, options->tries);
535
crypt_set_iterarion_time(*cd, options->iteration_time ?: 1000);
536
crypt_set_password_verify(*cd, options->flags & CRYPT_FLAG_VERIFY);
538
if (load && !init_by_name)
539
r = crypt_load(*cd, type, NULL);
541
if (!r && type && !(*cd)->type) {
542
(*cd)->type = strdup(type);
553
void crypt_set_log_callback(struct crypt_device *cd,
554
void (*log)(int class, const char *msg, void *usrptr),
561
cd->log_usrptr = usrptr;
565
void crypt_set_confirm_callback(struct crypt_device *cd,
566
int (*confirm)(const char *msg, void *usrptr),
569
cd->confirm = confirm;
570
cd->confirm_usrptr = usrptr;
573
void crypt_set_password_callback(struct crypt_device *cd,
574
int (*password)(const char *msg, char *buf, size_t length, void *usrptr),
577
cd->password = password;
578
cd->password_usrptr = usrptr;
581
/* OPTIONS: name, cipher, device, hash, key_file, key_size, key_slot,
582
* offset, size, skip, timeout, tries, passphrase_fd (ignored),
777
584
int crypt_create_device(struct crypt_options *options)
779
return crypt_job(__crypt_create_device, 0, options);
586
struct crypt_device *cd = NULL;
591
r = _crypt_init(&cd, CRYPT_PLAIN, options, 0, 1);
595
get_key(_("Enter passphrase: "), &key, &keyLen, options->key_size,
596
options->key_file, cd->timeout, options->flags, cd);
600
r = create_device_helper(cd, options->name, options->hash,
601
options->cipher, NULL, options->key_file, key, keyLen,
602
options->key_size, options->size, options->skip,
603
options->offset, NULL, options->flags & CRYPT_FLAG_READONLY,
611
/* OPTIONS: same as create above */
782
612
int crypt_update_device(struct crypt_options *options)
784
return crypt_job(__crypt_create_device, 1, options);
614
struct crypt_device *cd = NULL;
619
r = _crypt_init(&cd, CRYPT_PLAIN, options, 1, 1);
623
get_key(_("Enter passphrase: "), &key, &keyLen, options->key_size,
624
options->key_file, cd->timeout, options->flags, cd);
628
r = create_device_helper(cd, options->name, options->hash,
629
options->cipher, NULL, options->key_file, key, keyLen,
630
options->key_size, options->size, options->skip,
631
options->offset, NULL, options->flags & CRYPT_FLAG_READONLY,
639
/* OPTIONS: name, size, icb */
787
640
int crypt_resize_device(struct crypt_options *options)
789
return crypt_job(__crypt_resize_device, 0, options);
642
struct crypt_device *cd = NULL;
643
char *device = NULL, *cipher = NULL, *uuid = NULL, *key = NULL;
645
uint64_t size, skip, offset;
646
int key_size, read_only, r;
648
log_dbg("Resizing device %s to %" PRIu64 " sectors.", options->name, options->size);
650
if (dm_init(NULL, 1) < 0)
653
r = dm_query_device(options->name, &device, &size, &skip, &offset,
654
&cipher, &key_size, &key, &read_only, NULL, &uuid);
656
log_err(NULL, _("Device %s is not active.\n"), options->name);
660
/* Try to determine type of device from UUID */
663
if (!strncmp(uuid, CRYPT_PLAIN, strlen(CRYPT_PLAIN))) {
667
} else if (!strncmp(uuid, CRYPT_LUKS1, strlen(CRYPT_LUKS1)))
671
if (!options->device)
672
options->device = device;
674
r = _crypt_init(&cd, type, options, 1, 1);
678
size = options->size;
679
r = device_check_and_adjust(cd, device, &size, &offset, &read_only);
683
r = dm_create_device(options->name, device, cipher, type,
684
crypt_get_uuid(cd), size, skip, offset,
685
key_size, key, read_only, 1);
689
if (options->device == device)
690
options->device = NULL;
698
/* OPTIONS: name, icb */
792
699
int crypt_query_device(struct crypt_options *options)
794
return crypt_job(__crypt_query_device, 1, options);
703
log_dbg("Query device %s.", options->name);
705
if (dm_init(NULL, 1) < 0)
708
r = dm_status_device(options->name);
714
r = dm_query_device(options->name, (char **)&options->device, &options->size,
715
&options->skip, &options->offset, (char **)&options->cipher,
716
&options->key_size, NULL, &read_only, NULL, NULL);
723
options->flags |= CRYPT_FLAG_READONLY;
725
options->flags |= CRYPT_FLAG_FREE_DEVICE;
726
options->flags |= CRYPT_FLAG_FREE_CIPHER;
731
/* OPTIONS: name, icb */
797
732
int crypt_remove_device(struct crypt_options *options)
799
return crypt_job(__crypt_remove_device, 0, options);
734
struct crypt_device *cd = NULL;
737
r = crypt_init_by_name(&cd, options->name);
741
r = crypt_deactivate(cd, options->name);
748
/* OPTIONS: device, cipher, hash, align_payload, key_size (master key), key_slot
749
* new_key_file, iteration_time, timeout, flags, icb */
803
750
int crypt_luksFormat(struct crypt_options *options)
805
return crypt_job(__crypt_luks_format, 0, options);
752
char cipherName[LUKS_CIPHERNAME_L];
753
char cipherMode[LUKS_CIPHERMODE_L];
755
unsigned int passwordLen;
756
struct crypt_device *cd;
757
struct crypt_params_luks1 cp = {
758
.hash = options->hash,
759
.data_alignment = options->align_payload
763
r = parse_into_name_and_mode(options->cipher, cipherName, cipherMode);
765
log_err(cd, _("No known cipher specification pattern detected.\n"));
769
if ((r = _crypt_init(&cd, CRYPT_LUKS1, options, 0, 1)))
772
if (options->key_slot >= LUKS_NUMKEYS && options->key_slot != CRYPT_ANY_SLOT) {
773
log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
774
options->key_slot, LUKS_NUMKEYS - 1);
779
get_key(_("Enter LUKS passphrase: "), &password, &passwordLen, 0,
780
options->new_key_file, options->timeout, options->flags, cd);
787
r = crypt_format(cd, CRYPT_LUKS1, cipherName, cipherMode,
788
NULL, NULL, options->key_size, &cp);
792
/* Add keyslot using internally stored volume key generated during format */
793
r = crypt_keyslot_add_by_volume_key(cd, options->key_slot, NULL, 0,
794
password, passwordLen);
798
return (r < 0) ? r : 0;
801
/* OPTIONS: name, device, key_size, key_file, timeout, tries, flags, icb */
808
802
int crypt_luksOpen(struct crypt_options *options)
810
return crypt_job(__crypt_luks_open, 0, options);
804
struct crypt_device *cd = NULL;
811
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
815
if (options->flags & CRYPT_FLAG_READONLY)
816
flags |= CRYPT_ACTIVATE_READONLY;
818
if (options->flags & CRYPT_FLAG_NON_EXCLUSIVE_ACCESS)
819
flags |= CRYPT_ACTIVATE_NO_UUID;
821
if (options->key_file)
822
r = crypt_activate_by_keyfile(cd, options->name,
823
CRYPT_ANY_SLOT, options->key_file, options->key_size,
826
r = crypt_activate_by_passphrase(cd, options->name,
827
CRYPT_ANY_SLOT, options->passphrase,
828
options->passphrase ? strlen(options->passphrase) : 0,
832
return (r < 0) ? r : 0;
835
/* OPTIONS: device, keys_slot, key_file, timeout, flags, icb */
813
836
int crypt_luksKillSlot(struct crypt_options *options)
815
return crypt_job(__crypt_luks_kill_slot, 0, options);
838
struct crypt_device *cd = NULL;
841
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
845
r = luks_remove_helper(cd, options->key_slot, options->key_file, NULL,
846
options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);
849
return (r < 0) ? r : 0;
852
/* OPTIONS: device, new_key_file, key_file, timeout, flags, icb */
818
853
int crypt_luksRemoveKey(struct crypt_options *options)
820
return crypt_job(__crypt_luks_remove_key, 0, options);
855
struct crypt_device *cd = NULL;
858
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
862
r = luks_remove_helper(cd, CRYPT_ANY_SLOT, options->key_file, options->new_key_file,
863
options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);
866
return (r < 0) ? r : 0;
870
/* OPTIONS: device, new_key_file, key_file, key_slot, flags,
871
iteration_time, timeout, icb */
823
872
int crypt_luksAddKey(struct crypt_options *options)
825
return crypt_job(__crypt_luks_add_key, 0, options);
874
struct crypt_device *cd = NULL;
877
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
881
if (options->key_file || options->new_key_file)
882
r = crypt_keyslot_add_by_keyfile(cd, options->key_slot,
883
options->key_file, 0,
884
options->new_key_file, 0);
886
r = crypt_keyslot_add_by_passphrase(cd, options->key_slot,
890
return (r < 0) ? r : 0;
893
/* OPTIONS: device, icb */
828
894
int crypt_luksUUID(struct crypt_options *options)
830
struct luks_phdr hdr;
896
struct crypt_device *cd = NULL;
833
r = LUKS_read_phdr(options->device,&hdr);
900
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
836
options->icb->log(CRYPT_LOG_NORMAL,hdr.uuid);
837
options->icb->log(CRYPT_LOG_NORMAL,"\n");
904
uuid = (char *)crypt_get_uuid(cd);
905
log_std(cd, uuid ?: "");
911
/* OPTIONS: device, icb */
841
912
int crypt_isLuks(struct crypt_options *options)
843
struct luks_phdr hdr;
844
return LUKS_read_phdr(options->device,&hdr);
914
struct crypt_device *cd = NULL;
917
log_dbg("Check device %s for LUKS header.", options->device);
919
r = crypt_init(&cd, options->device);
923
/* Do print fail here, no need to crypt_load() */
924
r = LUKS_read_phdr(cd->device, &cd->hdr, 0, cd) ? -EINVAL : 0;
930
/* OPTIONS: device, icb */
847
931
int crypt_luksDump(struct crypt_options *options)
849
struct luks_phdr hdr;
852
r = LUKS_read_phdr(options->device,&hdr);
855
logger(options, CRYPT_LOG_NORMAL, "LUKS header information for %s\n\n",options->device);
856
logger(options, CRYPT_LOG_NORMAL, "Version: \t%d\n",hdr.version);
857
logger(options, CRYPT_LOG_NORMAL, "Cipher name: \t%s\n",hdr.cipherName);
858
logger(options, CRYPT_LOG_NORMAL, "Cipher mode: \t%s\n",hdr.cipherMode);
859
logger(options, CRYPT_LOG_NORMAL, "Hash spec: \t%s\n",hdr.hashSpec);
860
logger(options, CRYPT_LOG_NORMAL, "Payload offset:\t%d\n",hdr.payloadOffset);
861
logger(options, CRYPT_LOG_NORMAL, "MK bits: \t%d\n",hdr.keyBytes*8);
862
logger(options, CRYPT_LOG_NORMAL, "MK digest: \t");
863
hexprintICB(options, CRYPT_LOG_NORMAL, hdr.mkDigest,LUKS_DIGESTSIZE);
864
logger(options, CRYPT_LOG_NORMAL, "\n");
865
logger(options, CRYPT_LOG_NORMAL, "MK salt: \t");
866
hexprintICB(options, CRYPT_LOG_NORMAL, hdr.mkDigestSalt,LUKS_SALTSIZE/2);
867
logger(options, CRYPT_LOG_NORMAL, "\n \t");
868
hexprintICB(options, CRYPT_LOG_NORMAL, hdr.mkDigestSalt+LUKS_SALTSIZE/2,LUKS_SALTSIZE/2);
869
logger(options, CRYPT_LOG_NORMAL, "\n");
870
logger(options, CRYPT_LOG_NORMAL, "MK iterations: \t%d\n",hdr.mkDigestIterations);
871
logger(options, CRYPT_LOG_NORMAL, "UUID: \t%s\n\n",hdr.uuid);
872
for(i=0;i<LUKS_NUMKEYS;i++) {
873
if(hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
874
logger(options, CRYPT_LOG_NORMAL, "Key Slot %d: ENABLED\n",i);
875
logger(options, CRYPT_LOG_NORMAL, "\tIterations: \t%d\n",hdr.keyblock[i].passwordIterations);
876
logger(options, CRYPT_LOG_NORMAL, "\tSalt: \t");
877
hexprintICB(options, CRYPT_LOG_NORMAL, hdr.keyblock[i].passwordSalt,LUKS_SALTSIZE/2);
878
logger(options, CRYPT_LOG_NORMAL, "\n\t \t");
879
hexprintICB(options, CRYPT_LOG_NORMAL, hdr.keyblock[i].passwordSalt+LUKS_SALTSIZE/2,LUKS_SALTSIZE/2);
880
logger(options, CRYPT_LOG_NORMAL, "\n");
882
logger(options, CRYPT_LOG_NORMAL, "\tKey material offset:\t%d\n",hdr.keyblock[i].keyMaterialOffset);
883
logger(options, CRYPT_LOG_NORMAL, "\tAF stripes: \t%d\n",hdr.keyblock[i].stripes);
886
logger(options, CRYPT_LOG_NORMAL, "Key Slot %d: DISABLED\n",i);
933
struct crypt_device *cd = NULL;
936
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
892
946
void crypt_get_error(char *buf, size_t size)
894
948
const char *error = get_error();
920
void crypt_set_default_backend(const char *backend)
923
free(default_backend);
925
default_backend = strdup(backend);
927
default_backend = NULL;
930
974
const char *crypt_get_dir(void)
932
struct setup_backend *backend;
935
backend = get_setup_backend(default_backend);
939
dir = backend->dir();
941
put_setup_backend(backend);
948
// indent-tabs-mode: nil
979
/////////////////////////////////
984
int crypt_init(struct crypt_device **cd, const char *device)
986
struct crypt_device *h = NULL;
991
log_dbg("Allocating crypt device %s context.", device);
993
if (!device_ready(NULL, device, O_RDONLY))
996
if (!(h = malloc(sizeof(struct crypt_device))))
999
memset(h, 0, sizeof(*h));
1001
h->device = strdup(device);
1007
if (dm_init(h, 1) < 0) {
1012
h->iteration_time = 1000;
1013
h->password_verify = 0;
1019
int crypt_init_by_name(struct crypt_device **cd, const char *name)
1021
crypt_status_info ci;
1022
char *device = NULL;
1025
log_dbg("Allocating crypt device context by device %s.", name);
1027
ci = crypt_status(NULL, name);
1032
log_err(NULL, _("Device %s is not active.\n"), name);
1036
r = dm_query_device(name, &device, NULL, NULL, NULL,
1037
NULL, NULL, NULL, NULL, NULL, NULL);
1039
r = crypt_init(cd, device);
1045
static int _crypt_format_plain(struct crypt_device *cd,
1047
const char *cipher_mode,
1049
struct crypt_params_plain *params)
1051
if (!cipher || !cipher_mode || !params || !params->hash) {
1052
log_err(cd, _("Invalid plain crypt parameters.\n"));
1056
if (cd->volume_key->keyLength > 1024) {
1057
log_err(cd, _("Invalid key size.\n"));
1061
cd->plain_cipher = strdup(cipher);
1062
cd->plain_cipher_mode = strdup(cipher_mode);
1065
cd->plain_uuid = strdup(uuid);
1068
cd->plain_hdr.hash = strdup(params->hash);
1070
cd->plain_hdr.offset = params->offset;
1071
cd->plain_hdr.skip = params->skip;
1073
if ((params->hash && !cd->plain_hdr.hash) ||
1074
!cd->plain_cipher || !cd->plain_cipher_mode)
1080
static int _crypt_format_luks1(struct crypt_device *cd,
1082
const char *cipher_mode,
1084
struct crypt_params_luks1 *params)
1088
r = LUKS_generate_phdr(&cd->hdr, cd->volume_key, cipher, cipher_mode,
1089
(params && params->hash) ? params->hash : "sha1",
1091
params ? params->data_alignment: DEFAULT_ALIGNMENT, cd);
1095
/* Wipe first 8 sectors - fs magic numbers etc. */
1096
r = wipe_device_header(cd->device, 8);
1098
log_err(cd, _("Can't wipe header on device %s.\n"), cd->device);
1102
r = LUKS_write_phdr(cd->device, &cd->hdr, cd);
1107
int crypt_format(struct crypt_device *cd,
1110
const char *cipher_mode,
1112
const char *volume_key,
1113
size_t volume_key_size,
1118
log_dbg("Formatting device %s as type %s.", cd->device, cd->type ?: "(none)");
1124
cd->volume_key = LUKS_alloc_masterkey(volume_key_size,
1127
cd->volume_key = LUKS_generate_masterkey(volume_key_size);
1133
r = _crypt_format_plain(cd, cipher, cipher_mode,
1135
else if (isLUKS(type))
1136
r = _crypt_format_luks1(cd, cipher, cipher_mode,
1139
/* FIXME: allow plugins here? */
1140
log_err(cd, _("Unkown crypt device type %s requesed.\n"), type);
1144
if (!r && !(cd->type = strdup(type)))
1148
LUKS_dealloc_masterkey(cd->volume_key);
1149
cd->volume_key = NULL;
1155
int crypt_load(struct crypt_device *cd,
1156
const char *requested_type,
1159
struct luks_phdr hdr;
1162
log_dbg("Trying to load %s crypt type from device %s.",
1163
requested_type ?: "any", cd->device);
1165
if (requested_type && !isPLAIN(requested_type) && !isLUKS(requested_type))
1168
/* Some hash functions need initialized gcrypt library */
1169
if (init_crypto()) {
1170
log_err(cd, _("Cannot initialize crypto backend.\n"));
1174
r = LUKS_read_phdr(cd->device, &hdr, 0, cd);
1177
memcpy(&cd->hdr, &hdr, sizeof(hdr));
1178
cd->type = strdup(requested_type);
1186
int crypt_header_backup(struct crypt_device *cd,
1187
const char *requested_type,
1188
const char *backup_file)
1190
if ((requested_type && !isLUKS(requested_type)) || !backup_file)
1193
log_dbg("Requested header backup of device %s (%s) to "
1194
"file %s.", cd->device, requested_type, backup_file);
1196
return LUKS_hdr_backup(backup_file, cd->device, &cd->hdr, cd);
1199
int crypt_header_restore(struct crypt_device *cd,
1200
const char *requested_type,
1201
const char *backup_file)
1203
if (requested_type && !isLUKS(requested_type))
1206
log_dbg("Requested header restore to device %s (%s) from "
1207
"file %s.", cd->device, requested_type, backup_file);
1209
return LUKS_hdr_restore(backup_file, cd->device, &cd->hdr, cd);
1212
void crypt_free(struct crypt_device *cd)
1215
log_dbg("Releasing crypt device %s context.", cd->device);
1219
LUKS_dealloc_masterkey(cd->volume_key);
1224
/* used in plain device only */
1225
free((char*)cd->plain_hdr.hash);
1226
free(cd->plain_cipher);
1227
free(cd->plain_cipher_mode);
1228
free(cd->plain_uuid);
1234
int crypt_suspend(struct crypt_device *cd,
1237
crypt_status_info ci;
1238
int r, suspended = 0;
1240
log_dbg("Suspending volume %s.", name);
1242
ci = crypt_status(NULL, name);
1244
log_err(cd, _("Volume %s is not active.\n"), name);
1248
if (!cd && dm_init(NULL, 1) < 0)
1251
r = dm_query_device(name, NULL, NULL, NULL, NULL,
1252
NULL, NULL, NULL, NULL, &suspended, NULL);
1257
log_err(cd, _("Volume %s is already suspended.\n"), name);
1262
r = dm_suspend_and_wipe_key(name);
1264
log_err(cd, "Error during suspending device %s.\n", name);
1271
int crypt_resume_by_passphrase(struct crypt_device *cd,
1274
const char *passphrase,
1275
size_t passphrase_size)
1277
struct luks_masterkey *mk = NULL;
1278
int r, suspended = 0;
1280
log_dbg("Resuming volume %s.", name);
1282
if (!isLUKS(cd->type)) {
1283
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1288
r = dm_query_device(name, NULL, NULL, NULL, NULL,
1289
NULL, NULL, NULL, NULL, &suspended, NULL);
1294
log_err(cd, _("Volume %s is not suspended.\n"), name);
1299
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1300
passphrase_size, &cd->hdr, &mk, cd);
1302
r = volume_key_by_terminal_passphrase(cd, keyslot, &mk);
1306
r = dm_resume_and_reinstate_key(name, mk->keyLength, mk->key);
1308
log_err(cd, "Error during resuming device %s.\n", name);
1312
LUKS_dealloc_masterkey(mk);
1313
return r < 0 ? r : keyslot;
1316
int crypt_resume_by_keyfile(struct crypt_device *cd,
1319
const char *keyfile,
1320
size_t keyfile_size)
1322
struct luks_masterkey *mk = NULL;
1323
char *passphrase_read = NULL;
1324
unsigned int passphrase_size_read;
1325
int r, suspended = 0;
1327
log_dbg("Resuming volume %s.", name);
1329
if (!isLUKS(cd->type)) {
1330
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1335
r = dm_query_device(name, NULL, NULL, NULL, NULL,
1336
NULL, NULL, NULL, NULL, &suspended, NULL);
1341
log_err(cd, _("Volume %s is not suspended.\n"), name);
1348
key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1349
&passphrase_size_read, keyfile, keyfile_size);
1351
if(!passphrase_read)
1354
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1355
passphrase_size_read, &cd->hdr, &mk, cd);
1356
safe_free(passphrase_read);
1361
r = dm_resume_and_reinstate_key(name, mk->keyLength, mk->key);
1363
log_err(cd, "Error during resuming device %s.\n", name);
1367
LUKS_dealloc_masterkey(mk);
1368
return r < 0 ? r : keyslot;
1371
// slot manipulation
1372
int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
1373
int keyslot, // -1 any
1374
const char *passphrase, // NULL -> terminal
1375
size_t passphrase_size,
1376
const char *new_passphrase, // NULL -> terminal
1377
size_t new_passphrase_size)
1379
struct luks_masterkey *mk = NULL;
1380
char *password = NULL, *new_password = NULL;
1381
unsigned int passwordLen, new_passwordLen;
1384
log_dbg("Adding new keyslot, existing passphrase %sprovided,"
1385
"new passphrase %sprovided.",
1386
passphrase ? "" : "not ", new_passphrase ? "" : "not ");
1388
if (!isLUKS(cd->type)) {
1389
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1393
r = keyslot_verify_or_find_empty(cd, &keyslot);
1397
if (!LUKS_keyslot_active_count(&cd->hdr)) {
1398
/* No slots used, try to use pre-generated key in header */
1399
if (cd->volume_key) {
1400
mk = LUKS_alloc_masterkey(cd->volume_key->keyLength, cd->volume_key->key);
1401
r = mk ? 0 : -ENOMEM;
1403
log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1406
} else if (passphrase) {
1407
/* Passphrase provided, use it to unlock existing keyslot */
1408
r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, passphrase,
1409
passphrase_size, &cd->hdr, &mk, cd);
1411
/* Passphrase not provided, ask first and use it to unlock existing keyslot */
1412
key_from_terminal(cd, _("Enter any passphrase: "),
1413
&password, &passwordLen, 0);
1419
r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
1420
passwordLen, &cd->hdr, &mk, cd);
1421
safe_free(password);
1427
if (new_passphrase) {
1428
new_password = (char *)new_passphrase;
1429
new_passwordLen = new_passphrase_size;
1431
key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1432
&new_password, &new_passwordLen, 1);
1439
r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1440
&cd->hdr, mk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1445
if (!new_passphrase)
1446
safe_free(new_password);
1447
LUKS_dealloc_masterkey(mk);
1448
return r ?: keyslot;
1451
int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
1453
const char *keyfile,
1454
size_t keyfile_size,
1455
const char *new_keyfile,
1456
size_t new_keyfile_size)
1458
struct luks_masterkey *mk=NULL;
1459
char *password=NULL; unsigned int passwordLen;
1460
char *new_password = NULL; unsigned int new_passwordLen;
1463
log_dbg("Adding new keyslot, existing keyfile %s, new keyfile %s.",
1464
keyfile ?: "[none]", new_keyfile ?: "[none]");
1466
if (!isLUKS(cd->type)) {
1467
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1471
r = keyslot_verify_or_find_empty(cd, &keyslot);
1475
if (!LUKS_keyslot_active_count(&cd->hdr)) {
1476
/* No slots used, try to use pre-generated key in header */
1477
if (cd->volume_key) {
1478
mk = LUKS_alloc_masterkey(cd->volume_key->keyLength, cd->volume_key->key);
1479
r = mk ? 0 : -ENOMEM;
1481
log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1485
/* Read password from file of (if NULL) from terminal */
1487
key_from_file(cd, _("Enter any passphrase: "), &password, &passwordLen,
1488
keyfile, keyfile_size);
1490
key_from_terminal(cd, _("Enter any passphrase: "),
1491
&password, &passwordLen, 1);
1496
r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password, passwordLen,
1498
safe_free(password);
1505
key_from_file(cd, _("Enter new passphrase for key slot: "),
1506
&new_password, &new_passwordLen, new_keyfile,
1509
key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1510
&new_password, &new_passwordLen, 1);
1517
r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1518
&cd->hdr, mk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1520
safe_free(new_password);
1521
LUKS_dealloc_masterkey(mk);
1522
return r < 0 ? r : keyslot;
1525
int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
1527
const char *volume_key,
1528
size_t volume_key_size,
1529
const char *passphrase,
1530
size_t passphrase_size)
1532
struct luks_masterkey *mk = NULL;
1534
char *new_password = NULL; unsigned int new_passwordLen;
1536
log_dbg("Adding new keyslot %d using volume key.", keyslot);
1538
if (!isLUKS(cd->type)) {
1539
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1544
mk = LUKS_alloc_masterkey(volume_key_size, volume_key);
1545
else if (cd->volume_key)
1546
mk = LUKS_alloc_masterkey(cd->volume_key->keyLength, cd->volume_key->key);
1551
r = LUKS_verify_master_key(&cd->hdr, mk);
1553
log_err(cd, _("Volume key does not match the volume.\n"));
1557
r = keyslot_verify_or_find_empty(cd, &keyslot);
1562
key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1563
&new_password, &new_passwordLen, 1);
1564
passphrase = new_password;
1565
passphrase_size = new_passwordLen;
1568
r = LUKS_set_key(cd->device, keyslot, passphrase, passphrase_size,
1569
&cd->hdr, mk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1572
safe_free(new_password);
1573
LUKS_dealloc_masterkey(mk);
1574
return r ?: keyslot;
1577
int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot)
1579
crypt_keyslot_info ki;
1581
log_dbg("Destroying keyslot %d.", keyslot);
1583
if (!isLUKS(cd->type)) {
1584
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1588
ki = crypt_keyslot_status(cd, keyslot);
1589
if (ki == SLOT_INVALID) {
1590
log_err(cd, _("Key slot %d is invalid.\n"), keyslot);
1594
if (ki == SLOT_INACTIVE) {
1595
log_err(cd, _("Key slot %d is not used.\n"), keyslot);
1599
return LUKS_del_key(cd->device, keyslot, &cd->hdr, cd);
1602
// activation/deactivation of device mapping
1603
int crypt_activate_by_passphrase(struct crypt_device *cd,
1606
const char *passphrase,
1607
size_t passphrase_size,
1610
crypt_status_info ci;
1611
struct luks_masterkey *mk = NULL;
1612
char *prompt = NULL;
1615
log_dbg("%s volume %s [keyslot %d] using %spassphrase.",
1616
name ? "Activating" : "Checking", name ?: "",
1617
keyslot, passphrase ? "" : "[none] ");
1622
/* plain, use hashed passphrase */
1623
if (isPLAIN(cd->type))
1624
return create_device_helper(cd, name, cd->plain_hdr.hash,
1625
cd->plain_cipher, cd->plain_cipher_mode, NULL, passphrase, passphrase_size,
1626
cd->volume_key->keyLength, 0, cd->plain_hdr.skip,
1627
cd->plain_hdr.offset, cd->plain_uuid, flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1630
ci = crypt_status(NULL, name);
1633
else if (ci >= ACTIVE) {
1634
log_err(cd, _("Device %s already exists.\n"), name);
1639
if(asprintf(&prompt, _("Enter passphrase for %s: "), cd->device) < 0)
1642
/* provided passphrase, do not retry */
1644
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1645
passphrase_size, &cd->hdr, &mk, cd);
1647
r = volume_key_by_terminal_passphrase(cd, keyslot, &mk);
1652
r = open_from_hdr_and_mk(cd, mk, name, flags);
1655
LUKS_dealloc_masterkey(mk);
1658
return r < 0 ? r : keyslot;
1661
int crypt_activate_by_keyfile(struct crypt_device *cd,
1664
const char *keyfile,
1665
size_t keyfile_size,
1668
crypt_status_info ci;
1669
struct luks_masterkey *mk = NULL;
1670
char *passphrase_read = NULL;
1671
unsigned int passphrase_size_read;
1674
log_dbg("Activating volume %s [keyslot %d] using keyfile %s.",
1675
name, keyslot, keyfile ?: "[none]");
1677
if (!isLUKS(cd->type)) {
1678
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1683
ci = crypt_status(NULL, name);
1686
else if (ci >= ACTIVE) {
1687
log_err(cd, _("Device %s already exists.\n"), name);
1695
key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1696
&passphrase_size_read, keyfile, keyfile_size);
1697
if(!passphrase_read)
1700
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1701
passphrase_size_read, &cd->hdr, &mk, cd);
1702
safe_free(passphrase_read);
1707
r = open_from_hdr_and_mk(cd, mk, name, flags);
1710
LUKS_dealloc_masterkey(mk);
1712
return r < 0 ? r : keyslot;
1715
int crypt_activate_by_volume_key(struct crypt_device *cd,
1717
const char *volume_key,
1718
size_t volume_key_size,
1721
crypt_status_info ci;
1722
struct luks_masterkey *mk;
1725
log_dbg("Activating volume %s by volume key.", name);
1727
/* use key directly, no hash */
1728
if (isPLAIN(cd->type))
1729
return create_device_helper(cd, name, NULL,
1730
cd->plain_cipher, cd->plain_cipher_mode, NULL, volume_key, volume_key_size,
1731
cd->volume_key->keyLength, 0, cd->plain_hdr.skip,
1732
cd->plain_hdr.offset, cd->plain_uuid, flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1734
if (!isLUKS(cd->type)) {
1735
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1740
ci = crypt_status(NULL, name);
1743
else if (ci >= ACTIVE) {
1744
log_err(cd, _("Device %s already exists.\n"), name);
1749
mk = LUKS_alloc_masterkey(volume_key_size, volume_key);
1752
r = LUKS_verify_master_key(&cd->hdr, mk);
1755
log_err(cd, _("Volume key does not match the volume.\n"));
1758
r = open_from_hdr_and_mk(cd, mk, name, flags);
1760
LUKS_dealloc_masterkey(mk);
1765
int crypt_deactivate(struct crypt_device *cd, const char *name)
1772
log_dbg("Deactivating volume %s.", name);
1774
if (!cd && dm_init(NULL, 1) < 0)
1777
switch (crypt_status(cd, name)) {
1778
case ACTIVE: r = dm_remove_device(name, 0, 0);
1780
case BUSY: log_err(cd, _("Device %s is busy.\n"), name);
1783
case INACTIVE: log_err(cd, _("Device %s is not active.\n"), name);
1786
default: log_err(cd, _("Invalid device %s.\n"), name);
1796
// misc helper functions
1797
int crypt_volume_key_get(struct crypt_device *cd,
1800
size_t *volume_key_size,
1801
const char *passphrase,
1802
size_t passphrase_size)
1804
struct luks_masterkey *mk;
1805
char *processed_key = NULL;
1808
key_len = crypt_get_volume_key_size(cd);
1809
if (key_len > *volume_key_size) {
1810
log_err(cd, _("Volume key buffer too small.\n"));
1814
if (isPLAIN(cd->type)) {
1815
processed_key = process_key(cd, cd->plain_hdr.hash, NULL, key_len,
1816
passphrase, passphrase_size);
1817
if (!processed_key) {
1818
log_err(cd, _("Cannot retrieve volume key for plain device.\n"));
1821
memcpy(volume_key, processed_key, key_len);
1822
*volume_key_size = key_len;
1823
safe_free(processed_key);
1827
if (isLUKS(cd->type)) {
1828
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1829
passphrase_size, &cd->hdr, &mk, cd);
1832
memcpy(volume_key, mk->key, mk->keyLength);
1833
*volume_key_size = mk->keyLength;
1836
LUKS_dealloc_masterkey(mk);
1840
log_err(cd, _("This operation is not supported for %s crypt device.\n"), cd->type ?: "(none)");
1844
int crypt_volume_key_verify(struct crypt_device *cd,
1845
const char *volume_key,
1846
size_t volume_key_size)
1848
struct luks_masterkey *mk;
1851
if (!isLUKS(cd->type)) {
1852
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1856
mk = LUKS_alloc_masterkey(volume_key_size, volume_key);
1860
r = LUKS_verify_master_key(&cd->hdr, mk);
1863
log_err(cd, _("Volume key does not match the volume.\n"));
1865
LUKS_dealloc_masterkey(mk);
1870
void crypt_set_timeout(struct crypt_device *cd, uint64_t timeout_sec)
1872
log_dbg("Timeout set to %" PRIu64 " miliseconds.", timeout_sec);
1873
cd->timeout = timeout_sec;
1876
void crypt_set_password_retry(struct crypt_device *cd, int tries)
1878
log_dbg("Password retry count set to %d.", tries);
1882
void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms)
1884
log_dbg("Iteration time set to %" PRIu64 " miliseconds.", iteration_time_ms);
1885
cd->iteration_time = iteration_time_ms;
1888
void crypt_set_password_verify(struct crypt_device *cd, int password_verify)
1890
log_dbg("Password verification %s.", password_verify ? "enabled" : "disabled");
1891
cd->password_verify = password_verify ? 1 : 0;
1894
int crypt_memory_lock(struct crypt_device *cd, int lock)
1896
return lock ? memlock_inc(cd) : memlock_dec(cd);
1900
crypt_status_info crypt_status(struct crypt_device *cd, const char *name)
1904
if (!cd && dm_init(NULL, 1) < 0)
1907
r = dm_status_device(name);
1912
if (r < 0 && r != -ENODEV)
1924
static void hexprintICB(struct crypt_device *cd, char *d, int n)
1927
for(i = 0; i < n; i++)
1928
log_std(cd, "%02hhx ", (char)d[i]);
1931
int crypt_dump(struct crypt_device *cd)
1934
if (!isLUKS(cd->type)) { //FIXME
1935
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1939
log_std(cd, "LUKS header information for %s\n\n", cd->device);
1940
log_std(cd, "Version: \t%d\n", cd->hdr.version);
1941
log_std(cd, "Cipher name: \t%s\n", cd->hdr.cipherName);
1942
log_std(cd, "Cipher mode: \t%s\n", cd->hdr.cipherMode);
1943
log_std(cd, "Hash spec: \t%s\n", cd->hdr.hashSpec);
1944
log_std(cd, "Payload offset:\t%d\n", cd->hdr.payloadOffset);
1945
log_std(cd, "MK bits: \t%d\n", cd->hdr.keyBytes * 8);
1946
log_std(cd, "MK digest: \t");
1947
hexprintICB(cd, cd->hdr.mkDigest, LUKS_DIGESTSIZE);
1949
log_std(cd, "MK salt: \t");
1950
hexprintICB(cd, cd->hdr.mkDigestSalt, LUKS_SALTSIZE/2);
1951
log_std(cd, "\n \t");
1952
hexprintICB(cd, cd->hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
1954
log_std(cd, "MK iterations: \t%d\n", cd->hdr.mkDigestIterations);
1955
log_std(cd, "UUID: \t%s\n\n", cd->hdr.uuid);
1956
for(i = 0; i < LUKS_NUMKEYS; i++) {
1957
if(cd->hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
1958
log_std(cd, "Key Slot %d: ENABLED\n",i);
1959
log_std(cd, "\tIterations: \t%d\n",
1960
cd->hdr.keyblock[i].passwordIterations);
1961
log_std(cd, "\tSalt: \t");
1962
hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt,
1964
log_std(cd, "\n\t \t");
1965
hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt +
1966
LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
1969
log_std(cd, "\tKey material offset:\t%d\n",
1970
cd->hdr.keyblock[i].keyMaterialOffset);
1971
log_std(cd, "\tAF stripes: \t%d\n",
1972
cd->hdr.keyblock[i].stripes);
1975
log_std(cd, "Key Slot %d: DISABLED\n", i);
1980
const char *crypt_get_cipher(struct crypt_device *cd)
1982
if (isPLAIN(cd->type))
1983
return cd->plain_cipher;
1985
if (isLUKS(cd->type))
1986
return cd->hdr.cipherName;
1991
const char *crypt_get_cipher_mode(struct crypt_device *cd)
1993
if (isPLAIN(cd->type))
1994
return cd->plain_cipher_mode;
1996
if (isLUKS(cd->type))
1997
return cd->hdr.cipherMode;
2002
const char *crypt_get_uuid(struct crypt_device *cd)
2004
if (isLUKS(cd->type))
2005
return cd->hdr.uuid;
2010
int crypt_get_volume_key_size(struct crypt_device *cd)
2012
if (isPLAIN(cd->type))
2013
return cd->volume_key->keyLength;
2015
if (isLUKS(cd->type))
2016
return cd->hdr.keyBytes;
2021
uint64_t crypt_get_data_offset(struct crypt_device *cd)
2023
if (isPLAIN(cd->type))
2024
return cd->plain_hdr.offset;
2026
if (isLUKS(cd->type))
2027
return cd->hdr.payloadOffset;
2032
crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot)
2034
if (!isLUKS(cd->type)) {
2035
log_err(cd, _("This operation is supported only for LUKS device.\n"));
2036
return SLOT_INVALID;
2039
return LUKS_keyslot_info(&cd->hdr, keyslot);