« back to all changes in this revision
Viewing changes to lib/setup.c
- browse files at revision 65
- compare with another revision
- download diff
- download tarball
- view history from revision 65
- Committer: Bazaar Package Importer
- Author(s): Martin Pitt
- Date: 2009-11-11 15:04:27 UTC
- mfrom: (0.1.7 squeeze)
- Revision ID: james.westby@ubuntu.com-20091111150427-elb822l63lnihaue
Tags: 2:1.1.0~rc2-1ubuntu1
* Merge with Debian testing. Remaining Ubuntu changes:
- debian/rules: cryptsetup is linked dynamically against libgcrypt and
libgpg-error.
- Upstart migration:
+ Add debian/cryptdisks-enable.upstart.
+ debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job.
(LP #473615)
+ debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
upgrade.
+ debian/rules: Do not install start symlinks for those two, and install
debian/cryptdisks-enable.upstart scripts.
- Add debian/cryptsetup.apport: Apport package hook. Install in
debian/rules, and create dir in debian/cryptsetup.dirs.
- Start usplash in initramfs, since we need it for fancy passphrase input:
+ debian/initramfs/cryptroot-conf, debian/initramfs-conf.d: USPLASH=y
+ debian/control: Bump initramfs-tools Suggests to Depends:.
- debian/rules: cryptsetup is linked dynamically against libgcrypt and
libgpg-error.
- Upstart migration:
+ Add debian/cryptdisks-enable.upstart.
+ debian/cryptdisks{,-early}.init: Make the 'start' action of the init
script a no-op, this should be handled entirely by the upstart job.
(LP #473615)
+ debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on
upgrade.
+ debian/rules: Do not install start symlinks for those two, and install
debian/cryptdisks-enable.upstart scripts.
- Add debian/cryptsetup.apport: Apport package hook. Install in
debian/rules, and create dir in debian/cryptsetup.dirs.
- Start usplash in initramfs, since we need it for fancy passphrase input:
+ debian/initramfs/cryptroot-conf, debian/initramfs-conf.d: USPLASH=y
+ debian/control: Bump initramfs-tools Suggests to Depends:.
- files added:
- debian/README.opensc
- tests
- files removed:
- autogen.sh
- luks/sha
- luks/testing
- m4
- files modified:
- ChangeLog
- compile *
- config.rpath *
- depcomp *
- missing *
added
removed
lib/setup.c
1
1
#include <string.h>
2
2
#include <stdio.h>
3
3
#include <stdlib.h>
4
#include <inttypes.h>
5
#include <sys/types.h>
6
#include <sys/ioctl.h>
7
#include <sys/mman.h>
4
#include <stdarg.h>
8
5
#include <fcntl.h>
9
#include <unistd.h>
10
6
#include <errno.h>
11
#include <signal.h>
12
#include <assert.h>
13
7
14
8
#include "libcryptsetup.h"
9
#include "luks.h"
15
10
#include "internal.h"
16
#include "blockdev.h"
17
#include "luks.h"
18
19
struct device_infos {
20
uint64_t size;
21
int readonly;
11
12
struct crypt_device {
13
char *type;
14
15
char *device;
16
struct luks_masterkey *volume_key;
17
uint64_t timeout;
18
uint64_t iteration_time;
19
int tries;
20
int password_verify;
21
22
/* used in CRYPT_LUKS1 */
23
struct luks_phdr hdr;
24
uint64_t PBKDF2_per_sec;
25
26
/* used in CRYPT_PLAIN */
27
struct crypt_params_plain plain_hdr;
28
char *plain_cipher;
29
char *plain_cipher_mode;
30
char *plain_uuid;
31
32
/* callbacks definitions */
33
void (*log)(int class, const char *msg, void *usrptr);
34
void *log_usrptr;
35
int (*confirm)(const char *msg, void *usrptr);
36
void *confirm_usrptr;
37
int (*password)(const char *msg, char *buf, size_t length, void *usrptr);
38
void *password_usrptr;
22
39
};
23
40
24
static int memory_unsafe = 0;
25
static char *default_backend = NULL;
26
27
#define at_least_one(a) ({ __typeof__(a) __at_least_one=(a); (__at_least_one)?__at_least_one:1; })
28
29
static void logger(struct crypt_options *options, int class, char *format, ...) {
30
va_list argp;
31
char *target;
32
33
va_start(argp, format);
34
vasprintf(&target, format, argp);
35
options->icb->log(class, target);
36
37
va_end(argp);
38
free(target);
39
}
40
41
static void hexprintICB(struct crypt_options *options, int class, char *d, int n)
42
{
43
int i;
44
for(i = 0; i < n; i++)
45
logger(options, class, "%02hhx ", (char)d[i]);
46
}
47
48
static int setup_enter(struct setup_backend *backend, void (*log)(int, char *))
49
{
50
int r;
51
52
/*
53
* from here we could have sensible data in memory
54
* so protect it from being swapped out
55
*/
56
r = mlockall(MCL_CURRENT | MCL_FUTURE);
57
if (r < 0) {
58
perror("mlockall failed");
59
log(CRYPT_LOG_ERROR, "WARNING!!! Possibly insecure memory. Are you root?\n");
60
memory_unsafe = 1;
61
}
62
63
set_error(NULL);
64
65
if (backend) {
66
r = backend->init();
67
if (r < 0)
68
return r;
69
if (r > 0)
70
memory_unsafe = 1;
71
}
72
73
return 0;
74
}
75
76
static int setup_leave(struct setup_backend *backend)
77
{
78
if (backend)
79
backend->exit();
80
81
/* dangerous, we can't wipe all the memory */
82
if (!memory_unsafe)
83
munlockall();
84
85
return 0;
41
/* Log helper */
42
static void (*_default_log)(int class, const char *msg, void *usrptr) = NULL;
43
static int _debug_level = 0;
44
45
void crypt_set_debug_level(int level)
46
{
47
_debug_level = level;
48
}
49
50
void crypt_log(struct crypt_device *cd, int class, const char *msg)
51
{
52
if (cd && cd->log)
53
cd->log(class, msg, cd->log_usrptr);
54
else if (_default_log)
55
_default_log(class, msg, NULL);
56
}
57
58
void logger(struct crypt_device *cd, int class, const char *file,
59
int line, const char *format, ...)
60
{
61
va_list argp;
62
char *target = NULL;
63
64
va_start(argp, format);
65
66
if (vasprintf(&target, format, argp) > 0) {
67
if (class >= 0) {
68
crypt_log(cd, class, target);
69
#ifdef CRYPT_DEBUG
70
} else if (_debug_level)
71
printf("# %s:%d %s\n", file ?: "?", line, target);
72
#else
73
} else if (_debug_level)
74
printf("# %s\n", target);
75
#endif
76
}
77
78
va_end(argp);
79
free(target);
86
80
}
87
81
88
82
/*
89
83
* Password processing behaviour matrix of process_key
90
*
84
*
91
85
* from binary file: check if there is sufficently large key material
92
86
* interactive & from fd: hash if requested, otherwise crop or pad with '0'
93
87
*/
94
95
static char *process_key(struct crypt_options *options, char *pass, int passLen) {
96
char *key = safe_alloc(options->key_size);
97
memset(key, 0, options->key_size);
88
static char *process_key(struct crypt_device *cd, const char *hash_name,
89
const char *key_file, size_t key_size,
90
const char *pass, size_t passLen)
91
{
92
char *key = safe_alloc(key_size);
93
memset(key, 0, key_size);
98
94
99
95
/* key is coming from binary file */
100
if (options->key_file && strcmp(options->key_file, "-")) {
101
if(passLen < options->key_size) {
102
set_error("Could not read %d bytes from key file",
103
options->key_size);
96
if (key_file && strcmp(key_file, "-")) {
97
if(passLen < key_size) {
98
log_err(cd, _("Cannot not read %d bytes from key file %s.\n"),
99
key_size, key_file);
104
100
safe_free(key);
105
101
return NULL;
106
}
107
memcpy(key,pass,options->key_size);
102
}
103
memcpy(key, pass, key_size);
108
104
return key;
109
105
}
110
106
111
107
/* key is coming from tty, fd or binary stdin */
112
if (options->hash) {
113
if (hash(NULL, options->hash,
114
key, options->key_size,
115
pass, passLen) < 0)
116
{
108
if (hash_name) {
109
if (hash(NULL, hash_name, key, key_size, pass, passLen) < 0) {
110
log_err(cd, _("Key processing error.\n"));
117
111
safe_free(key);
118
112
return NULL;
119
113
}
120
} else if (passLen > options->key_size) {
121
memcpy(key, pass, options->key_size);
114
} else if (passLen > key_size) {
115
memcpy(key, pass, key_size);
122
116
} else {
123
117
memcpy(key, pass, passLen);
124
118
}
126
120
return key;
127
121
}
128
122
129
static int get_device_infos(const char *device, struct device_infos *infos)
130
{
131
char buf[128];
132
uint64_t size;
133
unsigned long size_small;
134
int readonly = 0;
135
int ret = -1;
136
int fd;
137
138
/* Try to open read-write to check whether it is a read-only device */
139
fd = open(device, O_RDWR);
140
if (fd < 0) {
141
if (errno == EROFS) {
142
readonly = 1;
143
fd = open(device, O_RDONLY);
144
}
145
} else {
146
close(fd);
147
fd = open(device, O_RDONLY);
148
}
149
if (fd < 0) {
150
set_error("Error opening device: %s",
151
strerror_r(errno, buf, 128));
152
return -1;
153
}
154
155
#ifdef BLKROGET
156
/* If the device can be opened read-write, i.e. readonly is still 0, then
157
* check whether BKROGET says that it is read-only. E.g. read-only loop
158
* devices may be openend read-write but are read-only according to BLKROGET
159
*/
160
if (readonly == 0) {
161
if (ioctl(fd, BLKROGET, &readonly) < 0) {
162
set_error("BLKROGET failed on device: %s",
163
strerror_r(errno, buf, 128));
164
return -1;
165
}
166
}
167
#else
168
#error BLKROGET not available
169
#endif
170
171
#ifdef BLKGETSIZE64
172
if (ioctl(fd, BLKGETSIZE64, &size) >= 0) {
173
size >>= SECTOR_SHIFT;
174
ret = 0;
175
goto out;
176
}
177
#endif
178
179
#ifdef BLKGETSIZE
180
if (ioctl(fd, BLKGETSIZE, &size_small) >= 0) {
181
size = (uint64_t)size_small;
182
ret = 0;
183
goto out;
184
}
185
#else
186
# error Need at least the BLKGETSIZE ioctl!
187
#endif
188
189
set_error("BLKGETSIZE ioctl failed on device: %s",
190
strerror_r(errno, buf, 128));
191
192
out:
193
if (ret == 0) {
194
infos->size = size;
195
infos->readonly = readonly;
196
}
197
close(fd);
198
return ret;
199
}
200
201
static int wipe_device_header(const char *device, int sectors)
202
{
203
char *buffer;
204
int size = sectors * SECTOR_SIZE;
205
int r = -1;
206
int devfd;
207
208
devfd = open(device, O_RDWR | O_DIRECT | O_SYNC);
209
if(devfd == -1) {
210
set_error("Can't wipe header on device %s", device);
211
return -EINVAL;
212
}
213
214
buffer = malloc(size);
215
if (!buffer) {
216
close(devfd);
217
return -ENOMEM;
218
}
219
memset(buffer, 0, size);
220
221
r = write_blockwise(devfd, buffer, size) < size ? -EIO : 0;
222
223
free(buffer);
224
close(devfd);
225
226
return r;
227
}
228
229
static int parse_into_name_and_mode(const char *nameAndMode, char *name,
230
char *mode)
123
int parse_into_name_and_mode(const char *nameAndMode, char *name, char *mode)
231
124
{
232
125
/* Token content stringification, see info cpp/stringification */
233
126
#define str(s) #s
238
131
int r;
239
132
240
133
if(sscanf(nameAndMode,scanpattern1, name, mode) != 2) {
241
if((r = sscanf(nameAndMode,scanpattern2,name)) == 1) {
134
if((r = sscanf(nameAndMode,scanpattern2,name)) == 1)
242
135
strncpy(mode,"cbc-plain",10);
243
}
244
else {
245
set_error("no known cipher-spec pattern detected");
136
else
246
137
return -EINVAL;
247
}
248
138
}
249
139
250
140
return 0;
251
141
252
#undef sp1
253
#undef sp2
142
#undef scanpattern1
143
#undef scanpattern2
254
144
#undef str
255
145
#undef xstr
256
146
}
257
147
258
/* Select free keyslot or verifies that the one specified is empty */
259
static int keyslot_from_option(int keySlotOption, struct luks_phdr *hdr, struct crypt_options *options) {
260
if(keySlotOption >= 0) {
261
if(keySlotOption >= LUKS_NUMKEYS) {
262
logger(options,CRYPT_LOG_ERROR,"slot %d too high, please pick between 0 and %d", keySlotOption, LUKS_NUMKEYS);
263
return -EINVAL;
264
} else if(hdr->keyblock[keySlotOption].active != LUKS_KEY_DISABLED) {
265
logger(options,CRYPT_LOG_ERROR,"slot %d full, please pick another one", keySlotOption);
266
return -EINVAL;
267
} else {
268
return keySlotOption;
269
}
270
} else {
271
int i;
272
/* Find empty key slot */
273
for(i=0; i<LUKS_NUMKEYS; i++) {
274
if(hdr->keyblock[i].active == LUKS_KEY_DISABLED) break;
275
}
276
if(i==LUKS_NUMKEYS) {
277
logger(options,CRYPT_LOG_ERROR,"All slots full");
278
return -EINVAL;
279
}
280
return i;
281
}
282
}
283
284
static int __crypt_create_device(int reload, struct setup_backend *backend,
285
struct crypt_options *options)
286
{
287
struct crypt_options tmp = {
288
.name = options->name,
289
};
148
static int isPLAIN(const char *type)
149
{
150
return (type && !strcmp(CRYPT_PLAIN, type));
151
}
152
153
static int isLUKS(const char *type)
154
{
155
return (type && !strcmp(CRYPT_LUKS1, type));
156
}
157
158
/* keyslot helpers */
159
static int keyslot_verify_or_find_empty(struct crypt_device *cd, int *keyslot)
160
{
161
if (*keyslot == CRYPT_ANY_SLOT) {
162
*keyslot = LUKS_keyslot_find_empty(&cd->hdr);
163
if (*keyslot < 0) {
164
log_err(cd, _("All key slots full.\n"));
165
return -EINVAL;
166
}
167
}
168
169
switch (LUKS_keyslot_info(&cd->hdr, *keyslot)) {
170
case SLOT_INVALID:
171
log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
172
*keyslot, LUKS_NUMKEYS - 1);
173
return -EINVAL;
174
case SLOT_INACTIVE:
175
break;
176
default:
177
log_err(cd, _("Key slot %d is full, please select another one.\n"),
178
*keyslot);
179
return -EINVAL;
180
}
181
182
return 0;
183
}
184
185
static int verify_other_keyslot(struct crypt_device *cd,
186
const char *key_file,
187
unsigned int flags,
188
int keyIndex)
189
{
190
struct luks_masterkey *mk;
191
crypt_keyslot_info ki;
192
int openedIndex;
193
char *password = NULL;
194
unsigned int passwordLen;
195
196
get_key(_("Enter any remaining LUKS passphrase: "), &password,
197
&passwordLen, 0, key_file, cd->timeout, flags, cd);
198
if(!password)
199
return -EINVAL;
200
201
ki = crypt_keyslot_status(cd, keyIndex);
202
if (ki == SLOT_ACTIVE) /* Not last slot */
203
LUKS_keyslot_set(&cd->hdr, keyIndex, 0);
204
205
openedIndex = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT,
206
password, passwordLen,
207
&cd->hdr, &mk, cd);
208
209
if (ki == SLOT_ACTIVE)
210
LUKS_keyslot_set(&cd->hdr, keyIndex, 1);
211
LUKS_dealloc_masterkey(mk);
212
safe_free(password);
213
214
if (openedIndex < 0)
215
return -EPERM;
216
217
log_std(cd, _("Key slot %d verified.\n"), openedIndex);
218
return 0;
219
}
220
221
static int find_keyslot_by_passphrase(struct crypt_device *cd,
222
const char *key_file,
223
unsigned int flags,
224
char *message)
225
{
226
struct luks_masterkey *mk;
227
char *password = NULL;
228
unsigned int passwordLen;
229
int keyIndex;
230
231
get_key(message,&password,&passwordLen, 0, key_file,
232
cd->timeout, flags, cd);
233
if(!password)
234
return -EINVAL;
235
236
keyIndex = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
237
passwordLen, &cd->hdr, &mk, cd);
238
LUKS_dealloc_masterkey(mk);
239
safe_free(password);
240
241
return keyIndex;
242
}
243
244
static int device_check_and_adjust(struct crypt_device *cd,
245
const char *device,
246
uint64_t *size, uint64_t *offset,
247
int *read_only)
248
{
290
249
struct device_infos infos;
291
char *key = NULL;
292
unsigned int keyLen;
293
char *processed_key = NULL;
294
int r;
295
296
r = backend->status(0, &tmp, NULL);
297
if (reload) {
298
if (r < 0)
299
return r;
300
} else {
301
if (r >= 0) {
302
set_error("Device already exists");
303
return -EEXIST;
304
}
305
if (r != -ENODEV)
306
return r;
307
}
308
309
if (options->key_size < 0 || options->key_size > 1024) {
310
set_error("Invalid key size");
311
return -EINVAL;
312
}
313
314
if (get_device_infos(options->device, &infos) < 0)
250
251
if (get_device_infos(device, &infos, cd) < 0) {
252
log_err(cd, _("Cannot get info about device %s.\n"), device);
315
253
return -ENOTBLK;
254
}
316
255
317
if (!options->size) {
318
options->size = infos.size;
319
if (!options->size) {
320
set_error("Not a block device");
256
if (!*size) {
257
*size = infos.size;
258
if (!*size) {
259
log_err(cd, _("Device %s has zero size.\n"), device);
321
260
return -ENOTBLK;
322
261
}
323
if (options->size <= options->offset) {
324
set_error("Invalid offset");
262
if (*size <= *offset) {
263
log_err(cd, _("Device %s is too small.\n"), device);
325
264
return -EINVAL;
326
265
}
327
options->size -= options->offset;
266
*size -= *offset;
328
267
}
329
268
330
269
if (infos.readonly)
331
options->flags |= CRYPT_FLAG_READONLY;
332
333
get_key("Enter passphrase: ", &key, &keyLen, options->key_size, options->key_file, options->passphrase_fd, options->timeout, options->flags);
334
if (!key) {
335
set_error("Key reading error");
336
return -ENOENT;
337
}
338
339
processed_key = process_key(options,key,keyLen);
340
safe_free(key);
341
342
if (!processed_key) {
343
const char *error=get_error();
344
if(error) {
345
char *c_error_handling_sucks;
346
asprintf(&c_error_handling_sucks,"Key processing error: %s",error);
347
set_error(c_error_handling_sucks);
348
free(c_error_handling_sucks);
349
} else
350
set_error("Key processing error");
351
return -ENOENT;
352
}
353
354
r = backend->create(reload, options, processed_key);
355
270
*read_only = 1;
271
272
log_dbg("Calculated device size is %" PRIu64 " sectors (%s), offset %" PRIu64 ".",
273
*size, *read_only ? "RO" : "RW", *offset);
274
return 0;
275
}
276
277
static int luks_remove_helper(struct crypt_device *cd,
278
int key_slot,
279
const char *other_key_file,
280
const char *key_file,
281
int verify)
282
{
283
crypt_keyslot_info ki;
284
int r = -EINVAL;
285
286
if (key_slot == CRYPT_ANY_SLOT) {
287
key_slot = find_keyslot_by_passphrase(cd, key_file, 0,
288
_("Enter LUKS passphrase to be deleted: "));
289
if(key_slot < 0) {
290
r = -EPERM;
291
goto out;
292
}
293
294
log_std(cd, _("key slot %d selected for deletion.\n"), key_slot);
295
}
296
297
ki = crypt_keyslot_status(cd, key_slot);
298
if (ki == SLOT_INVALID) {
299
log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
300
key_slot, LUKS_NUMKEYS - 1);
301
r = -EINVAL;
302
goto out;
303
}
304
if (ki <= SLOT_INACTIVE) {
305
log_err(cd, _("Key %d not active. Can't wipe.\n"), key_slot);
306
r = -EINVAL;
307
goto out;
308
}
309
310
if (ki == SLOT_ACTIVE_LAST && cd->confirm &&
311
!(cd->confirm(_("This is the last keyslot."
312
" Device will become unusable after purging this key."),
313
cd->confirm_usrptr))) {
314
r = -EINVAL;
315
goto out;
316
}
317
318
if(verify)
319
r = verify_other_keyslot(cd, other_key_file, 0, key_slot);
320
else
321
r = 0;
322
323
if (!r)
324
r = crypt_keyslot_destroy(cd, key_slot);
325
out:
326
return (r < 0) ? r : 0;
327
}
328
329
static int create_device_helper(struct crypt_device *cd,
330
const char *name,
331
const char *hash,
332
const char *cipher,
333
const char *cipher_mode,
334
const char *key_file,
335
const char *key,
336
unsigned int keyLen,
337
int key_size,
338
uint64_t size,
339
uint64_t skip,
340
uint64_t offset,
341
const char *uuid,
342
int read_only,
343
unsigned int flags,
344
int reload)
345
{
346
crypt_status_info ci;
347
char *dm_cipher = NULL;
348
char *processed_key = NULL;
349
int r;
350
351
ci = crypt_status(cd, name);
352
if (ci == INVALID)
353
return -EINVAL;
354
355
if (reload && ci < ACTIVE)
356
return -EINVAL;
357
358
if (!reload && ci >= ACTIVE) {
359
log_err(cd, _("Device %s already exists.\n"), name);
360
return -EEXIST;
361
}
362
363
if (key_size < 0 || key_size > 1024) {
364
log_err(cd, _("Invalid key size %d.\n"), key_size);
365
return -EINVAL;
366
}
367
368
r = device_check_and_adjust(cd, cd->device, &size, &offset, &read_only);
369
if (r)
370
return r;
371
372
if (cipher_mode && asprintf(&dm_cipher, "%s-%s", cipher, cipher_mode) < 0)
373
return -ENOMEM;
374
375
processed_key = process_key(cd, hash, key_file, key_size, key, keyLen);
376
if (!processed_key)
377
return -ENOENT;
378
379
r = dm_create_device(name, cd->device, dm_cipher ?: cipher, cd->type, uuid, size, skip, offset,
380
key_size, processed_key, read_only, reload);
381
382
free(dm_cipher);
356
383
safe_free(processed_key);
357
358
return r;
359
}
360
361
static int __crypt_query_device(int details, struct setup_backend *backend,
362
struct crypt_options *options)
363
{
364
int r = backend->status(details, options, NULL);
365
if (r == -ENODEV)
366
return 0;
367
else if (r >= 0)
384
return r;
385
}
386
387
static int open_from_hdr_and_mk(struct crypt_device *cd,
388
struct luks_masterkey *mk,
389
const char *name,
390
uint32_t flags)
391
{
392
uint64_t size, offset;
393
char *cipher;
394
int read_only, no_uuid, r;
395
396
size = 0;
397
offset = crypt_get_data_offset(cd);
398
read_only = flags & CRYPT_ACTIVATE_READONLY;
399
no_uuid = flags & CRYPT_ACTIVATE_NO_UUID;
400
401
r = device_check_and_adjust(cd, cd->device, &size, &offset, &read_only);
402
if (r)
403
return r;
404
405
if (asprintf(&cipher, "%s-%s", crypt_get_cipher(cd),
406
crypt_get_cipher_mode(cd)) < 0)
407
r = -ENOMEM;
408
else
409
r = dm_create_device(name, cd->device, cipher, cd->type,
410
no_uuid ? NULL : crypt_get_uuid(cd),
411
size, 0, offset, mk->keyLength, mk->key,
412
read_only, 0);
413
free(cipher);
414
return r;
415
}
416
417
static void log_wrapper(int class, const char *msg, void *usrptr)
418
{
419
void (*xlog)(int class, char *msg) = usrptr;
420
xlog(class, (char *)msg);
421
}
422
423
static int yesDialog_wrapper(const char *msg, void *usrptr)
424
{
425
int (*xyesDialog)(char *msg) = usrptr;
426
return xyesDialog((char*)msg);
427
}
428
429
int crypt_confirm(struct crypt_device *cd, const char *msg)
430
{
431
if (!cd || !cd->confirm)
368
432
return 1;
369
433
else
370
return r;
371
}
372
373
static int __crypt_resize_device(int details, struct setup_backend *backend,
374
struct crypt_options *options)
375
{
376
struct crypt_options tmp = {
377
.name = options->name,
378
};
379
struct device_infos infos;
380
char *key = NULL;
381
int r;
382
383
r = backend->status(1, &tmp, &key);
384
if (r < 0)
385
return r;
386
387
if (get_device_infos(tmp.device, &infos) < 0)
434
return cd->confirm(msg, cd->confirm_usrptr);
435
}
436
437
static void key_from_terminal(struct crypt_device *cd, char *msg, char **key,
438
unsigned int *key_len, int force_verify)
439
{
440
int r, flags = 0;
441
442
if (cd->password) {
443
*key = safe_alloc(MAX_TTY_PASSWORD_LEN);
444
if (*key)
445
return;
446
r = cd->password(msg, *key, (size_t)key_len, cd->password_usrptr);
447
if (r < 0) {
448
safe_free(*key);
449
*key = NULL;
450
} else
451
*key_len = r;
452
} else {
453
if (force_verify || cd->password_verify)
454
flags |= CRYPT_FLAG_VERIFY_IF_POSSIBLE;
455
get_key(msg, key, key_len, 0, NULL, cd->timeout, flags, cd);
456
}
457
}
458
459
static int volume_key_by_terminal_passphrase(struct crypt_device *cd, int keyslot,
460
struct luks_masterkey **mk)
461
{
462
char *prompt = NULL, *passphrase_read = NULL;
463
unsigned int passphrase_size_read;
464
int r = -EINVAL, tries = cd->tries;
465
466
if(asprintf(&prompt, _("Enter passphrase for %s: "), cd->device) < 0)
467
return -ENOMEM;
468
469
*mk = NULL;
470
do {
471
if (*mk)
472
LUKS_dealloc_masterkey(*mk);
473
*mk = NULL;
474
475
key_from_terminal(cd, prompt, &passphrase_read,
476
&passphrase_size_read, 0);
477
if(!passphrase_read) {
478
r = -EINVAL;
479
break;
480
}
481
482
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
483
passphrase_size_read, &cd->hdr, mk, cd);
484
safe_free(passphrase_read);
485
passphrase_read = NULL;
486
} while (r == -EPERM && (--tries > 0));
487
488
if (r < 0 && *mk) {
489
LUKS_dealloc_masterkey(*mk);
490
*mk = NULL;
491
}
492
free(prompt);
493
494
return r;
495
496
}
497
498
static void key_from_file(struct crypt_device *cd, char *msg,
499
char **key, unsigned int *key_len,
500
const char *key_file, size_t key_size)
501
{
502
get_key(msg, key, key_len, key_size, key_file, cd->timeout, 0, cd);
503
}
504
505
static int _crypt_init(struct crypt_device **cd,
506
const char *type,
507
struct crypt_options *options,
508
int load, int need_dm)
509
{
510
int init_by_name, r;
511
512
/* if it is plain device and mapping table is being reloaded
513
initialize it by name*/
514
init_by_name = (type && !strcmp(type, CRYPT_PLAIN) && load);
515
516
/* Some of old API calls do not require DM in kernel,
517
fake initialisation by initialise it with kernel_check disabled */
518
if (!need_dm)
519
(void)dm_init(NULL, 0);
520
if (init_by_name)
521
r = crypt_init_by_name(cd, options->name);
522
else
523
r = crypt_init(cd, options->device);
524
if (!need_dm)
525
dm_exit();
526
527
if (r)
388
528
return -EINVAL;
389
529
390
if (!options->size) {
391
options->size = infos.size;
392
if (!options->size) {
393
set_error("Not a block device");
394
return -ENOTBLK;
395
}
396
if (options->size <= tmp.offset) {
397
set_error("Invalid offset");
398
return -EINVAL;
399
}
400
options->size -= tmp.offset;
401
}
402
tmp.size = options->size;
403
404
if (infos.readonly)
405
options->flags |= CRYPT_FLAG_READONLY;
406
407
r = backend->create(1, &tmp, key);
408
409
safe_free(key);
410
411
return r;
412
}
413
414
static int __crypt_remove_device(int arg, struct setup_backend *backend,
415
struct crypt_options *options)
416
{
417
int r;
418
419
r = backend->status(0, options, NULL);
420
if (r < 0)
421
return r;
422
if (r > 0) {
423
set_error("Device busy");
424
return -EBUSY;
425
}
426
427
return backend->remove(0, options);
428
}
429
430
static int __crypt_luks_format(int arg, struct setup_backend *backend, struct crypt_options *options)
431
{
432
int r;
433
434
struct luks_phdr header;
435
struct luks_masterkey *mk=NULL;
436
char *password=NULL;
437
char cipherName[LUKS_CIPHERNAME_L];
438
char cipherMode[LUKS_CIPHERMODE_L];
439
unsigned int passwordLen;
440
int PBKDF2perSecond;
441
int keyIndex;
442
443
if (!LUKS_device_ready(options->device, O_RDWR | O_EXCL)) {
444
set_error("Can not access device");
445
r = -ENOTBLK; goto out;
446
}
447
448
mk = LUKS_generate_masterkey(options->key_size);
449
if(NULL == mk) return -ENOMEM; // FIXME This may be misleading, since we don't know what went wrong
450
451
#ifdef LUKS_DEBUG
452
#define printoffset(entry) logger(options, CRYPT_LOG_ERROR, ("offset of " #entry " = %d\n", (char *)(&header.entry)-(char *)(&header))
453
454
logger(options, CRYPT_LOG_ERROR, "sizeof phdr %d, key slot %d\n",sizeof(struct luks_phdr),sizeof(header.keyblock[0]));
455
456
printoffset(magic);
457
printoffset(version);
458
printoffset(cipherName);
459
printoffset(cipherMode);
460
printoffset(hashSpec);
461
printoffset(payloadOffset);
462
printoffset(keyBytes);
463
printoffset(mkDigest);
464
printoffset(mkDigestSalt);
465
printoffset(mkDigestIterations);
466
printoffset(uuid);
467
#endif
468
469
r = parse_into_name_and_mode(options->cipher, cipherName, cipherMode);
470
if(r < 0) return r;
471
472
r = LUKS_generate_phdr(&header,mk,cipherName, cipherMode,LUKS_STRIPES, options->align_payload);
473
if(r < 0) {
474
set_error("Can't generate phdr");
475
return r;
476
}
477
478
keyIndex = keyslot_from_option(options->key_slot, &header, options);
479
if(keyIndex == -EINVAL) {
480
r = -EINVAL; goto out;
481
}
482
483
PBKDF2perSecond = LUKS_benchmarkt_iterations();
484
header.keyblock[keyIndex].passwordIterations = at_least_one(PBKDF2perSecond * ((float)options->iteration_time / 1000.0));
485
#ifdef LUKS_DEBUG
486
logger(options->icb->log,CRYPT_LOG_ERROR, "pitr %d\n", header.keyblock[0].passwordIterations);
487
#endif
488
get_key("Enter LUKS passphrase: ",&password,&passwordLen, 0, options->new_key_file, options->passphrase_fd, options->timeout, options->flags);
489
if(!password) {
490
r = -EINVAL; goto out;
491
}
492
493
/* Wipe first 8 sectors - fs magic numbers etc. */
494
r = wipe_device_header(options->device, 8);
495
if(r < 0) goto out;
496
497
/* Set key, also writes phdr */
498
r = LUKS_set_key(options->device, keyIndex, password, passwordLen, &header, mk, backend);
499
if(r < 0) goto out;
500
501
r = 0;
502
out:
503
LUKS_dealloc_masterkey(mk);
504
safe_free(password);
505
return r;
506
}
507
508
static int __crypt_luks_open(int arg, struct setup_backend *backend, struct crypt_options *options)
509
{
510
struct luks_masterkey *mk=NULL;
511
struct luks_phdr hdr;
512
char *password;
513
unsigned int passwordLen;
514
struct device_infos infos;
515
struct crypt_options tmp = {
516
.name = options->name,
517
};
518
char *dmCipherSpec;
519
int r, tries = options->tries;
520
int excl = (options->flags & CRYPT_FLAG_NON_EXCLUSIVE_ACCESS) ? 0 : O_EXCL ;
521
522
r = backend->status(0, &tmp, NULL);
523
if (r >= 0) {
524
set_error("Device already exists");
525
return -EEXIST;
526
}
527
528
if (!LUKS_device_ready(options->device, O_RDONLY | excl)) {
529
set_error("Can not access device");
530
return -ENOTBLK;
531
}
532
533
if (get_device_infos(options->device, &infos) < 0) {
534
set_error("Can't get device information.\n");
535
return -ENOTBLK;
536
}
537
538
if (infos.readonly)
539
options->flags |= CRYPT_FLAG_READONLY;
540
541
start:
542
mk=NULL;
543
544
if(get_key("Enter LUKS passphrase: ",&password,&passwordLen, 0, options->key_file, options->passphrase_fd, options->timeout, options->flags))
545
tries--;
546
else
547
tries = 0;
548
549
if(!password) {
550
r = -EINVAL; goto out;
551
}
552
553
r = LUKS_open_any_key(options->device, password, passwordLen, &hdr, &mk, backend);
554
if (r == -EPERM)
555
set_error("No key available with this passphrase.\n");
556
if (r < 0)
557
goto out1;
558
559
logger(options, CRYPT_LOG_NORMAL,"key slot %d unlocked.\n", r);
560
561
562
options->offset = hdr.payloadOffset;
563
asprintf(&dmCipherSpec, "%s-%s", hdr.cipherName, hdr.cipherMode);
564
if(!dmCipherSpec) {
565
r = -ENOMEM;
566
goto out2;
567
}
568
options->cipher = dmCipherSpec;
569
options->key_size = mk->keyLength;
570
options->skip = 0;
571
572
options->size = infos.size;
573
if (!options->size) {
574
set_error("Not a block device.\n");
575
r = -ENOTBLK; goto out2;
576
}
577
if (options->size <= options->offset) {
578
set_error("Invalid offset");
579
r = -EINVAL; goto out2;
580
}
581
options->size -= options->offset;
582
r = backend->create(0, options, mk->key);
583
584
out2:
585
free(dmCipherSpec);
586
out1:
587
safe_free(password);
588
out:
589
LUKS_dealloc_masterkey(mk);
590
if (r == -EPERM && tries > 0)
591
goto start;
592
593
return r;
594
}
595
596
static int __crypt_luks_add_key(int arg, struct setup_backend *backend, struct crypt_options *options)
597
{
598
struct luks_masterkey *mk=NULL;
599
struct luks_phdr hdr;
600
char *password=NULL; unsigned int passwordLen;
601
unsigned int keyIndex;
602
const char *device = options->device;
603
int r;
604
605
if (!LUKS_device_ready(options->device, O_RDWR)) {
606
set_error("Can not access device");
607
r = -ENOTBLK; goto out;
608
}
609
610
r = LUKS_read_phdr(device, &hdr);
611
if(r < 0) return r;
612
613
614
keyIndex = keyslot_from_option(options->key_slot, &hdr, options);
615
if(keyIndex == -EINVAL) {
616
r = -EINVAL; goto out;
617
}
618
619
get_key("Enter any LUKS passphrase: ",
620
&password,
621
&passwordLen,
622
0,
623
options->key_file,
624
options->passphrase_fd,
625
options->timeout,
626
options->flags & ~(CRYPT_FLAG_VERIFY | CRYPT_FLAG_VERIFY_IF_POSSIBLE));
627
628
if(!password) {
629
r = -EINVAL; goto out;
630
}
631
r = LUKS_open_any_key(device, password, passwordLen, &hdr, &mk, backend);
632
if(r < 0) {
633
options->icb->log(CRYPT_LOG_ERROR,"No key available with this passphrase.\n");
634
r = -EPERM; goto out;
635
} else
636
logger(options, CRYPT_LOG_NORMAL,"key slot %d unlocked.\n", r);
637
638
safe_free(password);
639
640
get_key("Enter new passphrase for key slot: ",
641
&password,
642
&passwordLen,
643
0,
644
options->new_key_file,
645
options->passphrase_fd,
646
options->timeout,
647
options->flags);
648
if(!password) {
649
r = -EINVAL; goto out;
650
}
651
652
hdr.keyblock[keyIndex].passwordIterations = at_least_one(LUKS_benchmarkt_iterations() * ((float)options->iteration_time / 1000));
653
654
r = LUKS_set_key(device, keyIndex, password, passwordLen, &hdr, mk, backend);
655
if(r < 0) goto out;
656
657
r = 0;
658
out:
659
safe_free(password);
660
LUKS_dealloc_masterkey(mk);
661
return r;
662
}
663
664
static int luks_remove_helper(int arg, struct setup_backend *backend, struct crypt_options *options, int supply_it)
665
{
666
struct luks_masterkey *mk;
667
struct luks_phdr hdr;
668
char *password=NULL;
669
unsigned int passwordLen;
670
const char *device = options->device;
671
int keyIndex;
672
int openedIndex;
673
int r;
674
if (!LUKS_device_ready(options->device, O_RDWR)) {
675
set_error("Can not access device");
676
r = -ENOTBLK; goto out;
677
}
678
679
if(supply_it) {
680
get_key("Enter LUKS passphrase to be deleted: ",&password,&passwordLen, 0, options->new_key_file, options->passphrase_fd, options->timeout, options->flags);
681
if(!password) {
682
r = -EINVAL; goto out;
683
}
684
keyIndex = LUKS_open_any_key(device, password, passwordLen, &hdr, &mk, backend);
685
if(keyIndex < 0) {
686
options->icb->log(CRYPT_LOG_ERROR,"No remaining key available with this passphrase.\n");
687
r = -EPERM; goto out;
688
} else
689
logger(options, CRYPT_LOG_NORMAL,"key slot %d selected for deletion.\n", keyIndex);
690
safe_free(password);
691
} else {
692
keyIndex = options->key_slot;
693
}
694
695
if(LUKS_is_last_keyslot(options->device, keyIndex) &&
696
!(options->icb->yesDialog(_("This is the last keyslot. Device will become unusable after purging this key.")))) {
697
r = -EINVAL;
698
goto out;
699
}
700
701
if(options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY) {
702
options->flags &= ~CRYPT_FLAG_VERIFY_ON_DELKEY;
703
get_key("Enter any remaining LUKS passphrase: ",&password,&passwordLen, 0, options->key_file, options->passphrase_fd, options->timeout, options->flags);
704
if(!password) {
705
r = -EINVAL; goto out;
706
}
707
708
r = LUKS_read_phdr(device, &hdr);
709
if(r < 0) {
710
options->icb->log(CRYPT_LOG_ERROR,"Failed to access device.\n");
711
r = -EIO; goto out;
712
}
713
hdr.keyblock[keyIndex].active = LUKS_KEY_DISABLED;
714
715
openedIndex = LUKS_open_any_key_with_hdr(device, password, passwordLen, &hdr, &mk, backend);
716
/* Clean up */
717
if (openedIndex >= 0) {
718
LUKS_dealloc_masterkey(mk);
719
mk = NULL;
720
}
721
if(openedIndex < 0) {
722
options->icb->log(CRYPT_LOG_ERROR,"No remaining key available with this passphrase.\n");
723
r = -EPERM; goto out;
724
} else
725
logger(options, CRYPT_LOG_NORMAL,"key slot %d verified.\n", openedIndex);
726
}
727
r = LUKS_del_key(device, keyIndex);
728
if(r < 0) goto out;
729
730
r = 0;
731
out:
732
safe_free(password);
733
return r;
734
}
735
736
static int __crypt_luks_kill_slot(int arg, struct setup_backend *backend, struct crypt_options *options) {
737
return luks_remove_helper(arg, backend, options, 0);
738
}
739
740
static int __crypt_luks_remove_key(int arg, struct setup_backend *backend, struct crypt_options *options) {
741
return luks_remove_helper(arg, backend, options, 1);
742
}
743
744
745
static int crypt_job(int (*job)(int arg, struct setup_backend *backend,
746
struct crypt_options *options),
747
int arg, struct crypt_options *options)
748
{
749
struct setup_backend *backend;
750
int r;
751
752
backend = get_setup_backend(default_backend);
753
754
if (setup_enter(backend,options->icb->log) < 0) {
755
r = -ENOSYS;
756
goto out;
757
}
758
759
if (!backend) {
760
set_error("No setup backend available");
761
r = -ENOSYS;
762
goto out;
763
}
764
765
r = job(arg, backend, options);
766
out:
767
setup_leave(backend);
768
if (backend)
769
put_setup_backend(backend);
770
771
if (r >= 0)
772
set_error(NULL);
773
774
return r;
775
}
776
530
crypt_set_log_callback(*cd, log_wrapper, options->icb->log);
531
crypt_set_confirm_callback(*cd, yesDialog_wrapper, options->icb->yesDialog);
532
533
crypt_set_timeout(*cd, options->timeout);
534
crypt_set_password_retry(*cd, options->tries);
535
crypt_set_iterarion_time(*cd, options->iteration_time ?: 1000);
536
crypt_set_password_verify(*cd, options->flags & CRYPT_FLAG_VERIFY);
537
538
if (load && !init_by_name)
539
r = crypt_load(*cd, type, NULL);
540
541
if (!r && type && !(*cd)->type) {
542
(*cd)->type = strdup(type);
543
if (!(*cd)->type)
544
r = -ENOMEM;
545
}
546
547
if (r)
548
crypt_free(*cd);
549
550
return r;
551
}
552
553
void crypt_set_log_callback(struct crypt_device *cd,
554
void (*log)(int class, const char *msg, void *usrptr),
555
void *usrptr)
556
{
557
if (!cd)
558
_default_log = log;
559
else {
560
cd->log = log;
561
cd->log_usrptr = usrptr;
562
}
563
}
564
565
void crypt_set_confirm_callback(struct crypt_device *cd,
566
int (*confirm)(const char *msg, void *usrptr),
567
void *usrptr)
568
{
569
cd->confirm = confirm;
570
cd->confirm_usrptr = usrptr;
571
}
572
573
void crypt_set_password_callback(struct crypt_device *cd,
574
int (*password)(const char *msg, char *buf, size_t length, void *usrptr),
575
void *usrptr)
576
{
577
cd->password = password;
578
cd->password_usrptr = usrptr;
579
}
580
581
/* OPTIONS: name, cipher, device, hash, key_file, key_size, key_slot,
582
* offset, size, skip, timeout, tries, passphrase_fd (ignored),
583
* flags, icb */
777
584
int crypt_create_device(struct crypt_options *options)
778
585
{
779
return crypt_job(__crypt_create_device, 0, options);
586
struct crypt_device *cd = NULL;
587
char *key = NULL;
588
unsigned int keyLen;
589
int r;
590
591
r = _crypt_init(&cd, CRYPT_PLAIN, options, 0, 1);
592
if (r)
593
return r;
594
595
get_key(_("Enter passphrase: "), &key, &keyLen, options->key_size,
596
options->key_file, cd->timeout, options->flags, cd);
597
if (!key)
598
r = -ENOENT;
599
else
600
r = create_device_helper(cd, options->name, options->hash,
601
options->cipher, NULL, options->key_file, key, keyLen,
602
options->key_size, options->size, options->skip,
603
options->offset, NULL, options->flags & CRYPT_FLAG_READONLY,
604
options->flags, 0);
605
606
safe_free(key);
607
crypt_free(cd);
608
return r;
780
609
}
781
610
611
/* OPTIONS: same as create above */
782
612
int crypt_update_device(struct crypt_options *options)
783
613
{
784
return crypt_job(__crypt_create_device, 1, options);
614
struct crypt_device *cd = NULL;
615
char *key = NULL;
616
unsigned int keyLen;
617
int r;
618
619
r = _crypt_init(&cd, CRYPT_PLAIN, options, 1, 1);
620
if (r)
621
return r;
622
623
get_key(_("Enter passphrase: "), &key, &keyLen, options->key_size,
624
options->key_file, cd->timeout, options->flags, cd);
625
if (!key)
626
r = -ENOENT;
627
else
628
r = create_device_helper(cd, options->name, options->hash,
629
options->cipher, NULL, options->key_file, key, keyLen,
630
options->key_size, options->size, options->skip,
631
options->offset, NULL, options->flags & CRYPT_FLAG_READONLY,
632
options->flags, 1);
633
634
safe_free(key);
635
crypt_free(cd);
636
return r;
785
637
}
786
638
639
/* OPTIONS: name, size, icb */
787
640
int crypt_resize_device(struct crypt_options *options)
788
641
{
789
return crypt_job(__crypt_resize_device, 0, options);
642
struct crypt_device *cd = NULL;
643
char *device = NULL, *cipher = NULL, *uuid = NULL, *key = NULL;
644
char *type = NULL;
645
uint64_t size, skip, offset;
646
int key_size, read_only, r;
647
648
log_dbg("Resizing device %s to %" PRIu64 " sectors.", options->name, options->size);
649
650
if (dm_init(NULL, 1) < 0)
651
return -ENOSYS;
652
653
r = dm_query_device(options->name, &device, &size, &skip, &offset,
654
&cipher, &key_size, &key, &read_only, NULL, &uuid);
655
if (r < 0) {
656
log_err(NULL, _("Device %s is not active.\n"), options->name);
657
goto out;
658
}
659
660
/* Try to determine type of device from UUID */
661
type = CRYPT_PLAIN;
662
if (uuid) {
663
if (!strncmp(uuid, CRYPT_PLAIN, strlen(CRYPT_PLAIN))) {
664
type = CRYPT_PLAIN;
665
free (uuid);
666
uuid = NULL;
667
} else if (!strncmp(uuid, CRYPT_LUKS1, strlen(CRYPT_LUKS1)))
668
type = CRYPT_LUKS1;
669
}
670
671
if (!options->device)
672
options->device = device;
673
674
r = _crypt_init(&cd, type, options, 1, 1);
675
if (r)
676
goto out;
677
678
size = options->size;
679
r = device_check_and_adjust(cd, device, &size, &offset, &read_only);
680
if (r)
681
goto out;
682
683
r = dm_create_device(options->name, device, cipher, type,
684
crypt_get_uuid(cd), size, skip, offset,
685
key_size, key, read_only, 1);
686
out:
687
safe_free(key);
688
free(cipher);
689
if (options->device == device)
690
options->device = NULL;
691
free(device);
692
free(uuid);
693
crypt_free(cd);
694
dm_exit();
695
return r;
790
696
}
791
697
698
/* OPTIONS: name, icb */
792
699
int crypt_query_device(struct crypt_options *options)
793
700
{
794
return crypt_job(__crypt_query_device, 1, options);
701
int read_only, r;
702
703
log_dbg("Query device %s.", options->name);
704
705
if (dm_init(NULL, 1) < 0)
706
return -ENOSYS;
707
708
r = dm_status_device(options->name);
709
if (r == -ENODEV) {
710
dm_exit();
711
return 0;
712
}
713
714
r = dm_query_device(options->name, (char **)&options->device, &options->size,
715
&options->skip, &options->offset, (char **)&options->cipher,
716
&options->key_size, NULL, &read_only, NULL, NULL);
717
718
dm_exit();
719
if (r < 0)
720
return r;
721
722
if (read_only)
723
options->flags |= CRYPT_FLAG_READONLY;
724
725
options->flags |= CRYPT_FLAG_FREE_DEVICE;
726
options->flags |= CRYPT_FLAG_FREE_CIPHER;
727
728
return 1;
795
729
}
796
730
731
/* OPTIONS: name, icb */
797
732
int crypt_remove_device(struct crypt_options *options)
798
733
{
799
return crypt_job(__crypt_remove_device, 0, options);
734
struct crypt_device *cd = NULL;
735
int r;
736
737
r = crypt_init_by_name(&cd, options->name);
738
if (r)
739
return r;
740
741
r = crypt_deactivate(cd, options->name);
742
743
crypt_free(cd);
744
return r;
800
745
801
746
}
802
747
748
/* OPTIONS: device, cipher, hash, align_payload, key_size (master key), key_slot
749
* new_key_file, iteration_time, timeout, flags, icb */
803
750
int crypt_luksFormat(struct crypt_options *options)
804
751
{
805
return crypt_job(__crypt_luks_format, 0, options);
752
char cipherName[LUKS_CIPHERNAME_L];
753
char cipherMode[LUKS_CIPHERMODE_L];
754
char *password=NULL;
755
unsigned int passwordLen;
756
struct crypt_device *cd;
757
struct crypt_params_luks1 cp = {
758
.hash = options->hash,
759
.data_alignment = options->align_payload
760
};
761
int r;
762
763
r = parse_into_name_and_mode(options->cipher, cipherName, cipherMode);
764
if(r < 0) {
765
log_err(cd, _("No known cipher specification pattern detected.\n"));
766
return r;
767
}
768
769
if ((r = _crypt_init(&cd, CRYPT_LUKS1, options, 0, 1)))
770
return r;
771
772
if (options->key_slot >= LUKS_NUMKEYS && options->key_slot != CRYPT_ANY_SLOT) {
773
log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
774
options->key_slot, LUKS_NUMKEYS - 1);
775
r = -EINVAL;
776
goto out;
777
}
778
779
get_key(_("Enter LUKS passphrase: "), &password, &passwordLen, 0,
780
options->new_key_file, options->timeout, options->flags, cd);
781
782
if(!password) {
783
r = -EINVAL;
784
goto out;
785
}
786
787
r = crypt_format(cd, CRYPT_LUKS1, cipherName, cipherMode,
788
NULL, NULL, options->key_size, &cp);
789
if (r < 0)
790
goto out;
791
792
/* Add keyslot using internally stored volume key generated during format */
793
r = crypt_keyslot_add_by_volume_key(cd, options->key_slot, NULL, 0,
794
password, passwordLen);
795
out:
796
crypt_free(cd);
797
safe_free(password);
798
return (r < 0) ? r : 0;
806
799
}
807
800
801
/* OPTIONS: name, device, key_size, key_file, timeout, tries, flags, icb */
808
802
int crypt_luksOpen(struct crypt_options *options)
809
803
{
810
return crypt_job(__crypt_luks_open, 0, options);
804
struct crypt_device *cd = NULL;
805
uint32_t flags = 0;
806
int r;
807
808
if (!options->name)
809
return -EINVAL;
810
811
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
812
if (r)
813
return r;
814
815
if (options->flags & CRYPT_FLAG_READONLY)
816
flags |= CRYPT_ACTIVATE_READONLY;
817
818
if (options->flags & CRYPT_FLAG_NON_EXCLUSIVE_ACCESS)
819
flags |= CRYPT_ACTIVATE_NO_UUID;
820
821
if (options->key_file)
822
r = crypt_activate_by_keyfile(cd, options->name,
823
CRYPT_ANY_SLOT, options->key_file, options->key_size,
824
flags);
825
else
826
r = crypt_activate_by_passphrase(cd, options->name,
827
CRYPT_ANY_SLOT, options->passphrase,
828
options->passphrase ? strlen(options->passphrase) : 0,
829
flags);
830
831
crypt_free(cd);
832
return (r < 0) ? r : 0;
811
833
}
812
834
835
/* OPTIONS: device, keys_slot, key_file, timeout, flags, icb */
813
836
int crypt_luksKillSlot(struct crypt_options *options)
814
837
{
815
return crypt_job(__crypt_luks_kill_slot, 0, options);
838
struct crypt_device *cd = NULL;
839
int r;
840
841
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
842
if (r)
843
return r;
844
845
r = luks_remove_helper(cd, options->key_slot, options->key_file, NULL,
846
options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);
847
848
crypt_free(cd);
849
return (r < 0) ? r : 0;
816
850
}
817
851
852
/* OPTIONS: device, new_key_file, key_file, timeout, flags, icb */
818
853
int crypt_luksRemoveKey(struct crypt_options *options)
819
854
{
820
return crypt_job(__crypt_luks_remove_key, 0, options);
855
struct crypt_device *cd = NULL;
856
int r;
857
858
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
859
if (r)
860
return r;
861
862
r = luks_remove_helper(cd, CRYPT_ANY_SLOT, options->key_file, options->new_key_file,
863
options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);
864
865
crypt_free(cd);
866
return (r < 0) ? r : 0;
821
867
}
822
868
869
870
/* OPTIONS: device, new_key_file, key_file, key_slot, flags,
871
iteration_time, timeout, icb */
823
872
int crypt_luksAddKey(struct crypt_options *options)
824
873
{
825
return crypt_job(__crypt_luks_add_key, 0, options);
874
struct crypt_device *cd = NULL;
875
int r = -EINVAL;
876
877
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
878
if (r)
879
return r;
880
881
if (options->key_file || options->new_key_file)
882
r = crypt_keyslot_add_by_keyfile(cd, options->key_slot,
883
options->key_file, 0,
884
options->new_key_file, 0);
885
else
886
r = crypt_keyslot_add_by_passphrase(cd, options->key_slot,
887
NULL, 0, NULL, 0);
888
889
crypt_free(cd);
890
return (r < 0) ? r : 0;
826
891
}
827
892
893
/* OPTIONS: device, icb */
828
894
int crypt_luksUUID(struct crypt_options *options)
829
895
{
830
struct luks_phdr hdr;
896
struct crypt_device *cd = NULL;
897
char *uuid;
831
898
int r;
832
899
833
r = LUKS_read_phdr(options->device,&hdr);
834
if(r < 0) return r;
900
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
901
if (r)
902
return r;
835
903
836
options->icb->log(CRYPT_LOG_NORMAL,hdr.uuid);
837
options->icb->log(CRYPT_LOG_NORMAL,"\n");
904
uuid = (char *)crypt_get_uuid(cd);
905
log_std(cd, uuid ?: "");
906
log_std(cd, "\n");
907
crypt_free(cd);
838
908
return 0;
839
909
}
840
910
911
/* OPTIONS: device, icb */
841
912
int crypt_isLuks(struct crypt_options *options)
842
913
{
843
struct luks_phdr hdr;
844
return LUKS_read_phdr(options->device,&hdr);
914
struct crypt_device *cd = NULL;
915
int r;
916
917
log_dbg("Check device %s for LUKS header.", options->device);
918
919
r = crypt_init(&cd, options->device);
920
if (r < 0)
921
return -EINVAL;
922
923
/* Do print fail here, no need to crypt_load() */
924
r = LUKS_read_phdr(cd->device, &cd->hdr, 0, cd) ? -EINVAL : 0;
925
926
crypt_free(cd);
927
return r;
845
928
}
846
929
930
/* OPTIONS: device, icb */
847
931
int crypt_luksDump(struct crypt_options *options)
848
932
{
849
struct luks_phdr hdr;
850
int r,i;
851
852
r = LUKS_read_phdr(options->device,&hdr);
853
if(r < 0) return r;
854
855
logger(options, CRYPT_LOG_NORMAL, "LUKS header information for %s\n\n",options->device);
856
logger(options, CRYPT_LOG_NORMAL, "Version: \t%d\n",hdr.version);
857
logger(options, CRYPT_LOG_NORMAL, "Cipher name: \t%s\n",hdr.cipherName);
858
logger(options, CRYPT_LOG_NORMAL, "Cipher mode: \t%s\n",hdr.cipherMode);
859
logger(options, CRYPT_LOG_NORMAL, "Hash spec: \t%s\n",hdr.hashSpec);
860
logger(options, CRYPT_LOG_NORMAL, "Payload offset:\t%d\n",hdr.payloadOffset);
861
logger(options, CRYPT_LOG_NORMAL, "MK bits: \t%d\n",hdr.keyBytes*8);
862
logger(options, CRYPT_LOG_NORMAL, "MK digest: \t");
863
hexprintICB(options, CRYPT_LOG_NORMAL, hdr.mkDigest,LUKS_DIGESTSIZE);
864
logger(options, CRYPT_LOG_NORMAL, "\n");
865
logger(options, CRYPT_LOG_NORMAL, "MK salt: \t");
866
hexprintICB(options, CRYPT_LOG_NORMAL, hdr.mkDigestSalt,LUKS_SALTSIZE/2);
867
logger(options, CRYPT_LOG_NORMAL, "\n \t");
868
hexprintICB(options, CRYPT_LOG_NORMAL, hdr.mkDigestSalt+LUKS_SALTSIZE/2,LUKS_SALTSIZE/2);
869
logger(options, CRYPT_LOG_NORMAL, "\n");
870
logger(options, CRYPT_LOG_NORMAL, "MK iterations: \t%d\n",hdr.mkDigestIterations);
871
logger(options, CRYPT_LOG_NORMAL, "UUID: \t%s\n\n",hdr.uuid);
872
for(i=0;i<LUKS_NUMKEYS;i++) {
873
if(hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
874
logger(options, CRYPT_LOG_NORMAL, "Key Slot %d: ENABLED\n",i);
875
logger(options, CRYPT_LOG_NORMAL, "\tIterations: \t%d\n",hdr.keyblock[i].passwordIterations);
876
logger(options, CRYPT_LOG_NORMAL, "\tSalt: \t");
877
hexprintICB(options, CRYPT_LOG_NORMAL, hdr.keyblock[i].passwordSalt,LUKS_SALTSIZE/2);
878
logger(options, CRYPT_LOG_NORMAL, "\n\t \t");
879
hexprintICB(options, CRYPT_LOG_NORMAL, hdr.keyblock[i].passwordSalt+LUKS_SALTSIZE/2,LUKS_SALTSIZE/2);
880
logger(options, CRYPT_LOG_NORMAL, "\n");
881
882
logger(options, CRYPT_LOG_NORMAL, "\tKey material offset:\t%d\n",hdr.keyblock[i].keyMaterialOffset);
883
logger(options, CRYPT_LOG_NORMAL, "\tAF stripes: \t%d\n",hdr.keyblock[i].stripes);
884
}
885
else
886
logger(options, CRYPT_LOG_NORMAL, "Key Slot %d: DISABLED\n",i);
887
}
933
struct crypt_device *cd = NULL;
934
int r;
935
936
r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
937
if(r < 0)
938
return r;
939
940
r = crypt_dump(cd);
941
942
crypt_free(cd);
888
943
return 0;
889
944
}
890
945
891
892
946
void crypt_get_error(char *buf, size_t size)
893
947
{
894
948
const char *error = get_error();
917
971
}
918
972
}
919
973
920
void crypt_set_default_backend(const char *backend)
921
{
922
if (default_backend)
923
free(default_backend);
924
if (backend)
925
default_backend = strdup(backend);
926
else
927
default_backend = NULL;
928
}
929
930
974
const char *crypt_get_dir(void)
931
975
{
932
struct setup_backend *backend;
933
const char *dir;
934
935
backend = get_setup_backend(default_backend);
936
if (!backend)
937
return NULL;
938
939
dir = backend->dir();
940
941
put_setup_backend(backend);
942
943
return dir;
944
}
945
946
// Local Variables:
947
// c-basic-offset: 8
948
// indent-tabs-mode: nil
949
// End:
976
return dm_get_dir();
977
}
978
979
/////////////////////////////////
980
//
981
// New API
982
//
983
984
int crypt_init(struct crypt_device **cd, const char *device)
985
{
986
struct crypt_device *h = NULL;
987
988
if (!cd)
989
return -EINVAL;
990
991
log_dbg("Allocating crypt device %s context.", device);
992
993
if (!device_ready(NULL, device, O_RDONLY))
994
return -ENOTBLK;
995
996
if (!(h = malloc(sizeof(struct crypt_device))))
997
return -ENOMEM;
998
999
memset(h, 0, sizeof(*h));
1000
1001
h->device = strdup(device);
1002
if (!h->device) {
1003
free(h);
1004
return -ENOMEM;
1005
}
1006
1007
if (dm_init(h, 1) < 0) {
1008
free(h);
1009
return -ENOSYS;
1010
}
1011
1012
h->iteration_time = 1000;
1013
h->password_verify = 0;
1014
h->tries = 3;
1015
*cd = h;
1016
return 0;
1017
}
1018
1019
int crypt_init_by_name(struct crypt_device **cd, const char *name)
1020
{
1021
crypt_status_info ci;
1022
char *device = NULL;
1023
int r;
1024
1025
log_dbg("Allocating crypt device context by device %s.", name);
1026
1027
ci = crypt_status(NULL, name);
1028
if (ci == INVALID)
1029
return -ENODEV;
1030
1031
if (ci < ACTIVE) {
1032
log_err(NULL, _("Device %s is not active.\n"), name);
1033
return -ENODEV;
1034
}
1035
1036
r = dm_query_device(name, &device, NULL, NULL, NULL,
1037
NULL, NULL, NULL, NULL, NULL, NULL);
1038
if (r >= 0)
1039
r = crypt_init(cd, device);
1040
1041
free(device);
1042
return r;
1043
}
1044
1045
static int _crypt_format_plain(struct crypt_device *cd,
1046
const char *cipher,
1047
const char *cipher_mode,
1048
const char *uuid,
1049
struct crypt_params_plain *params)
1050
{
1051
if (!cipher || !cipher_mode || !params || !params->hash) {
1052
log_err(cd, _("Invalid plain crypt parameters.\n"));
1053
return -EINVAL;
1054
}
1055
1056
if (cd->volume_key->keyLength > 1024) {
1057
log_err(cd, _("Invalid key size.\n"));
1058
return -EINVAL;
1059
}
1060
1061
cd->plain_cipher = strdup(cipher);
1062
cd->plain_cipher_mode = strdup(cipher_mode);
1063
1064
if (uuid)
1065
cd->plain_uuid = strdup(uuid);
1066
1067
if (params->hash)
1068
cd->plain_hdr.hash = strdup(params->hash);
1069
1070
cd->plain_hdr.offset = params->offset;
1071
cd->plain_hdr.skip = params->skip;
1072
1073
if ((params->hash && !cd->plain_hdr.hash) ||
1074
!cd->plain_cipher || !cd->plain_cipher_mode)
1075
return -ENOMEM;
1076
1077
return 0;
1078
}
1079
1080
static int _crypt_format_luks1(struct crypt_device *cd,
1081
const char *cipher,
1082
const char *cipher_mode,
1083
const char *uuid,
1084
struct crypt_params_luks1 *params)
1085
{
1086
int r;
1087
1088
r = LUKS_generate_phdr(&cd->hdr, cd->volume_key, cipher, cipher_mode,
1089
(params && params->hash) ? params->hash : "sha1",
1090
uuid, LUKS_STRIPES,
1091
params ? params->data_alignment: DEFAULT_ALIGNMENT, cd);
1092
if(r < 0)
1093
return r;
1094
1095
/* Wipe first 8 sectors - fs magic numbers etc. */
1096
r = wipe_device_header(cd->device, 8);
1097
if(r < 0) {
1098
log_err(cd, _("Can't wipe header on device %s.\n"), cd->device);
1099
return r;
1100
}
1101
1102
r = LUKS_write_phdr(cd->device, &cd->hdr, cd);
1103
1104
return r;
1105
}
1106
1107
int crypt_format(struct crypt_device *cd,
1108
const char *type,
1109
const char *cipher,
1110
const char *cipher_mode,
1111
const char *uuid,
1112
const char *volume_key,
1113
size_t volume_key_size,
1114
void *params)
1115
{
1116
int r;
1117
1118
log_dbg("Formatting device %s as type %s.", cd->device, cd->type ?: "(none)");
1119
1120
if (!type)
1121
return -EINVAL;
1122
1123
if (volume_key)
1124
cd->volume_key = LUKS_alloc_masterkey(volume_key_size,
1125
volume_key);
1126
else
1127
cd->volume_key = LUKS_generate_masterkey(volume_key_size);
1128
1129
if(!cd->volume_key)
1130
return -ENOMEM;
1131
1132
if (isPLAIN(type))
1133
r = _crypt_format_plain(cd, cipher, cipher_mode,
1134
uuid, params);
1135
else if (isLUKS(type))
1136
r = _crypt_format_luks1(cd, cipher, cipher_mode,
1137
uuid, params);
1138
else {
1139
/* FIXME: allow plugins here? */
1140
log_err(cd, _("Unkown crypt device type %s requesed.\n"), type);
1141
r = -EINVAL;
1142
}
1143
1144
if (!r && !(cd->type = strdup(type)))
1145
r = -ENOMEM;
1146
1147
if (r < 0) {
1148
LUKS_dealloc_masterkey(cd->volume_key);
1149
cd->volume_key = NULL;
1150
}
1151
1152
return r;
1153
}
1154
1155
int crypt_load(struct crypt_device *cd,
1156
const char *requested_type,
1157
void *params)
1158
{
1159
struct luks_phdr hdr;
1160
int r;
1161
1162
log_dbg("Trying to load %s crypt type from device %s.",
1163
requested_type ?: "any", cd->device);
1164
1165
if (requested_type && !isPLAIN(requested_type) && !isLUKS(requested_type))
1166
return -EINVAL;
1167
1168
/* Some hash functions need initialized gcrypt library */
1169
if (init_crypto()) {
1170
log_err(cd, _("Cannot initialize crypto backend.\n"));
1171
return -ENOSYS;
1172
}
1173
1174
r = LUKS_read_phdr(cd->device, &hdr, 0, cd);
1175
1176
if (!r) {
1177
memcpy(&cd->hdr, &hdr, sizeof(hdr));
1178
cd->type = strdup(requested_type);
1179
if (!cd->type)
1180
r = -ENOMEM;
1181
}
1182
1183
return r;
1184
}
1185
1186
int crypt_header_backup(struct crypt_device *cd,
1187
const char *requested_type,
1188
const char *backup_file)
1189
{
1190
if ((requested_type && !isLUKS(requested_type)) || !backup_file)
1191
return -EINVAL;
1192
1193
log_dbg("Requested header backup of device %s (%s) to "
1194
"file %s.", cd->device, requested_type, backup_file);
1195
1196
return LUKS_hdr_backup(backup_file, cd->device, &cd->hdr, cd);
1197
}
1198
1199
int crypt_header_restore(struct crypt_device *cd,
1200
const char *requested_type,
1201
const char *backup_file)
1202
{
1203
if (requested_type && !isLUKS(requested_type))
1204
return -EINVAL;
1205
1206
log_dbg("Requested header restore to device %s (%s) from "
1207
"file %s.", cd->device, requested_type, backup_file);
1208
1209
return LUKS_hdr_restore(backup_file, cd->device, &cd->hdr, cd);
1210
}
1211
1212
void crypt_free(struct crypt_device *cd)
1213
{
1214
if (cd) {
1215
log_dbg("Releasing crypt device %s context.", cd->device);
1216
1217
dm_exit();
1218
if (cd->volume_key)
1219
LUKS_dealloc_masterkey(cd->volume_key);
1220
1221
free(cd->device);
1222
free(cd->type);
1223
1224
/* used in plain device only */
1225
free((char*)cd->plain_hdr.hash);
1226
free(cd->plain_cipher);
1227
free(cd->plain_cipher_mode);
1228
free(cd->plain_uuid);
1229
1230
free(cd);
1231
}
1232
}
1233
1234
int crypt_suspend(struct crypt_device *cd,
1235
const char *name)
1236
{
1237
crypt_status_info ci;
1238
int r, suspended = 0;
1239
1240
log_dbg("Suspending volume %s.", name);
1241
1242
ci = crypt_status(NULL, name);
1243
if (ci < ACTIVE) {
1244
log_err(cd, _("Volume %s is not active.\n"), name);
1245
return -EINVAL;
1246
}
1247
1248
if (!cd && dm_init(NULL, 1) < 0)
1249
return -ENOSYS;
1250
1251
r = dm_query_device(name, NULL, NULL, NULL, NULL,
1252
NULL, NULL, NULL, NULL, &suspended, NULL);
1253
if (r < 0)
1254
goto out;
1255
1256
if (suspended) {
1257
log_err(cd, _("Volume %s is already suspended.\n"), name);
1258
r = -EINVAL;
1259
goto out;
1260
}
1261
1262
r = dm_suspend_and_wipe_key(name);
1263
if (r)
1264
log_err(cd, "Error during suspending device %s.\n", name);
1265
out:
1266
if (!cd)
1267
dm_exit();
1268
return r;
1269
}
1270
1271
int crypt_resume_by_passphrase(struct crypt_device *cd,
1272
const char *name,
1273
int keyslot,
1274
const char *passphrase,
1275
size_t passphrase_size)
1276
{
1277
struct luks_masterkey *mk = NULL;
1278
int r, suspended = 0;
1279
1280
log_dbg("Resuming volume %s.", name);
1281
1282
if (!isLUKS(cd->type)) {
1283
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1284
r = -EINVAL;
1285
goto out;
1286
}
1287
1288
r = dm_query_device(name, NULL, NULL, NULL, NULL,
1289
NULL, NULL, NULL, NULL, &suspended, NULL);
1290
if (r < 0)
1291
return r;
1292
1293
if (!suspended) {
1294
log_err(cd, _("Volume %s is not suspended.\n"), name);
1295
return -EINVAL;
1296
}
1297
1298
if (passphrase) {
1299
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1300
passphrase_size, &cd->hdr, &mk, cd);
1301
} else
1302
r = volume_key_by_terminal_passphrase(cd, keyslot, &mk);
1303
1304
if (r >= 0) {
1305
keyslot = r;
1306
r = dm_resume_and_reinstate_key(name, mk->keyLength, mk->key);
1307
if (r)
1308
log_err(cd, "Error during resuming device %s.\n", name);
1309
} else
1310
r = keyslot;
1311
out:
1312
LUKS_dealloc_masterkey(mk);
1313
return r < 0 ? r : keyslot;
1314
}
1315
1316
int crypt_resume_by_keyfile(struct crypt_device *cd,
1317
const char *name,
1318
int keyslot,
1319
const char *keyfile,
1320
size_t keyfile_size)
1321
{
1322
struct luks_masterkey *mk = NULL;
1323
char *passphrase_read = NULL;
1324
unsigned int passphrase_size_read;
1325
int r, suspended = 0;
1326
1327
log_dbg("Resuming volume %s.", name);
1328
1329
if (!isLUKS(cd->type)) {
1330
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1331
r = -EINVAL;
1332
goto out;
1333
}
1334
1335
r = dm_query_device(name, NULL, NULL, NULL, NULL,
1336
NULL, NULL, NULL, NULL, &suspended, NULL);
1337
if (r < 0)
1338
return r;
1339
1340
if (!suspended) {
1341
log_err(cd, _("Volume %s is not suspended.\n"), name);
1342
return -EINVAL;
1343
}
1344
1345
if (!keyfile)
1346
return -EINVAL;
1347
1348
key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1349
&passphrase_size_read, keyfile, keyfile_size);
1350
1351
if(!passphrase_read)
1352
r = -EINVAL;
1353
else {
1354
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1355
passphrase_size_read, &cd->hdr, &mk, cd);
1356
safe_free(passphrase_read);
1357
}
1358
1359
if (r >= 0) {
1360
keyslot = r;
1361
r = dm_resume_and_reinstate_key(name, mk->keyLength, mk->key);
1362
if (r)
1363
log_err(cd, "Error during resuming device %s.\n", name);
1364
} else
1365
r = keyslot;
1366
out:
1367
LUKS_dealloc_masterkey(mk);
1368
return r < 0 ? r : keyslot;
1369
}
1370
1371
// slot manipulation
1372
int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
1373
int keyslot, // -1 any
1374
const char *passphrase, // NULL -> terminal
1375
size_t passphrase_size,
1376
const char *new_passphrase, // NULL -> terminal
1377
size_t new_passphrase_size)
1378
{
1379
struct luks_masterkey *mk = NULL;
1380
char *password = NULL, *new_password = NULL;
1381
unsigned int passwordLen, new_passwordLen;
1382
int r;
1383
1384
log_dbg("Adding new keyslot, existing passphrase %sprovided,"
1385
"new passphrase %sprovided.",
1386
passphrase ? "" : "not ", new_passphrase ? "" : "not ");
1387
1388
if (!isLUKS(cd->type)) {
1389
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1390
return -EINVAL;
1391
}
1392
1393
r = keyslot_verify_or_find_empty(cd, &keyslot);
1394
if (r)
1395
return r;
1396
1397
if (!LUKS_keyslot_active_count(&cd->hdr)) {
1398
/* No slots used, try to use pre-generated key in header */
1399
if (cd->volume_key) {
1400
mk = LUKS_alloc_masterkey(cd->volume_key->keyLength, cd->volume_key->key);
1401
r = mk ? 0 : -ENOMEM;
1402
} else {
1403
log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1404
return -EINVAL;
1405
}
1406
} else if (passphrase) {
1407
/* Passphrase provided, use it to unlock existing keyslot */
1408
r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, passphrase,
1409
passphrase_size, &cd->hdr, &mk, cd);
1410
} else {
1411
/* Passphrase not provided, ask first and use it to unlock existing keyslot */
1412
key_from_terminal(cd, _("Enter any passphrase: "),
1413
&password, &passwordLen, 0);
1414
if (!password) {
1415
r = -EINVAL;
1416
goto out;
1417
}
1418
1419
r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
1420
passwordLen, &cd->hdr, &mk, cd);
1421
safe_free(password);
1422
}
1423
1424
if(r < 0)
1425
goto out;
1426
1427
if (new_passphrase) {
1428
new_password = (char *)new_passphrase;
1429
new_passwordLen = new_passphrase_size;
1430
} else {
1431
key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1432
&new_password, &new_passwordLen, 1);
1433
if(!new_password) {
1434
r = -EINVAL;
1435
goto out;
1436
}
1437
}
1438
1439
r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1440
&cd->hdr, mk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1441
if(r < 0) goto out;
1442
1443
r = 0;
1444
out:
1445
if (!new_passphrase)
1446
safe_free(new_password);
1447
LUKS_dealloc_masterkey(mk);
1448
return r ?: keyslot;
1449
}
1450
1451
int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
1452
int keyslot,
1453
const char *keyfile,
1454
size_t keyfile_size,
1455
const char *new_keyfile,
1456
size_t new_keyfile_size)
1457
{
1458
struct luks_masterkey *mk=NULL;
1459
char *password=NULL; unsigned int passwordLen;
1460
char *new_password = NULL; unsigned int new_passwordLen;
1461
int r;
1462
1463
log_dbg("Adding new keyslot, existing keyfile %s, new keyfile %s.",
1464
keyfile ?: "[none]", new_keyfile ?: "[none]");
1465
1466
if (!isLUKS(cd->type)) {
1467
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1468
return -EINVAL;
1469
}
1470
1471
r = keyslot_verify_or_find_empty(cd, &keyslot);
1472
if (r)
1473
return r;
1474
1475
if (!LUKS_keyslot_active_count(&cd->hdr)) {
1476
/* No slots used, try to use pre-generated key in header */
1477
if (cd->volume_key) {
1478
mk = LUKS_alloc_masterkey(cd->volume_key->keyLength, cd->volume_key->key);
1479
r = mk ? 0 : -ENOMEM;
1480
} else {
1481
log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1482
return -EINVAL;
1483
}
1484
} else {
1485
/* Read password from file of (if NULL) from terminal */
1486
if (keyfile)
1487
key_from_file(cd, _("Enter any passphrase: "), &password, &passwordLen,
1488
keyfile, keyfile_size);
1489
else
1490
key_from_terminal(cd, _("Enter any passphrase: "),
1491
&password, &passwordLen, 1);
1492
1493
if (!password)
1494
return -EINVAL;
1495
1496
r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password, passwordLen,
1497
&cd->hdr, &mk, cd);
1498
safe_free(password);
1499
}
1500
1501
if(r < 0)
1502
goto out;
1503
1504
if (new_keyfile)
1505
key_from_file(cd, _("Enter new passphrase for key slot: "),
1506
&new_password, &new_passwordLen, new_keyfile,
1507
new_keyfile_size);
1508
else
1509
key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1510
&new_password, &new_passwordLen, 1);
1511
1512
if(!new_password) {
1513
r = -EINVAL;
1514
goto out;
1515
}
1516
1517
r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1518
&cd->hdr, mk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1519
out:
1520
safe_free(new_password);
1521
LUKS_dealloc_masterkey(mk);
1522
return r < 0 ? r : keyslot;
1523
}
1524
1525
int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
1526
int keyslot,
1527
const char *volume_key,
1528
size_t volume_key_size,
1529
const char *passphrase,
1530
size_t passphrase_size)
1531
{
1532
struct luks_masterkey *mk = NULL;
1533
int r = -EINVAL;
1534
char *new_password = NULL; unsigned int new_passwordLen;
1535
1536
log_dbg("Adding new keyslot %d using volume key.", keyslot);
1537
1538
if (!isLUKS(cd->type)) {
1539
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1540
return -EINVAL;
1541
}
1542
1543
if (volume_key)
1544
mk = LUKS_alloc_masterkey(volume_key_size, volume_key);
1545
else if (cd->volume_key)
1546
mk = LUKS_alloc_masterkey(cd->volume_key->keyLength, cd->volume_key->key);
1547
1548
if (!mk)
1549
return -ENOMEM;
1550
1551
r = LUKS_verify_master_key(&cd->hdr, mk);
1552
if (r < 0) {
1553
log_err(cd, _("Volume key does not match the volume.\n"));
1554
goto out;
1555
}
1556
1557
r = keyslot_verify_or_find_empty(cd, &keyslot);
1558
if (r)
1559
goto out;
1560
1561
if (!passphrase) {
1562
key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1563
&new_password, &new_passwordLen, 1);
1564
passphrase = new_password;
1565
passphrase_size = new_passwordLen;
1566
}
1567
1568
r = LUKS_set_key(cd->device, keyslot, passphrase, passphrase_size,
1569
&cd->hdr, mk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1570
out:
1571
if (new_password)
1572
safe_free(new_password);
1573
LUKS_dealloc_masterkey(mk);
1574
return r ?: keyslot;
1575
}
1576
1577
int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot)
1578
{
1579
crypt_keyslot_info ki;
1580
1581
log_dbg("Destroying keyslot %d.", keyslot);
1582
1583
if (!isLUKS(cd->type)) {
1584
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1585
return -EINVAL;
1586
}
1587
1588
ki = crypt_keyslot_status(cd, keyslot);
1589
if (ki == SLOT_INVALID) {
1590
log_err(cd, _("Key slot %d is invalid.\n"), keyslot);
1591
return -EINVAL;
1592
}
1593
1594
if (ki == SLOT_INACTIVE) {
1595
log_err(cd, _("Key slot %d is not used.\n"), keyslot);
1596
return -EINVAL;
1597
}
1598
1599
return LUKS_del_key(cd->device, keyslot, &cd->hdr, cd);
1600
}
1601
1602
// activation/deactivation of device mapping
1603
int crypt_activate_by_passphrase(struct crypt_device *cd,
1604
const char *name,
1605
int keyslot,
1606
const char *passphrase,
1607
size_t passphrase_size,
1608
uint32_t flags)
1609
{
1610
crypt_status_info ci;
1611
struct luks_masterkey *mk = NULL;
1612
char *prompt = NULL;
1613
int r;
1614
1615
log_dbg("%s volume %s [keyslot %d] using %spassphrase.",
1616
name ? "Activating" : "Checking", name ?: "",
1617
keyslot, passphrase ? "" : "[none] ");
1618
1619
if (!name)
1620
return -EINVAL;
1621
1622
/* plain, use hashed passphrase */
1623
if (isPLAIN(cd->type))
1624
return create_device_helper(cd, name, cd->plain_hdr.hash,
1625
cd->plain_cipher, cd->plain_cipher_mode, NULL, passphrase, passphrase_size,
1626
cd->volume_key->keyLength, 0, cd->plain_hdr.skip,
1627
cd->plain_hdr.offset, cd->plain_uuid, flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1628
1629
if (name) {
1630
ci = crypt_status(NULL, name);
1631
if (ci == INVALID)
1632
return -EINVAL;
1633
else if (ci >= ACTIVE) {
1634
log_err(cd, _("Device %s already exists.\n"), name);
1635
return -EEXIST;
1636
}
1637
}
1638
1639
if(asprintf(&prompt, _("Enter passphrase for %s: "), cd->device) < 0)
1640
return -ENOMEM;
1641
1642
/* provided passphrase, do not retry */
1643
if (passphrase) {
1644
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1645
passphrase_size, &cd->hdr, &mk, cd);
1646
} else
1647
r = volume_key_by_terminal_passphrase(cd, keyslot, &mk);
1648
1649
if (r >= 0) {
1650
keyslot = r;
1651
if (name)
1652
r = open_from_hdr_and_mk(cd, mk, name, flags);
1653
}
1654
1655
LUKS_dealloc_masterkey(mk);
1656
free(prompt);
1657
1658
return r < 0 ? r : keyslot;
1659
}
1660
1661
int crypt_activate_by_keyfile(struct crypt_device *cd,
1662
const char *name,
1663
int keyslot,
1664
const char *keyfile,
1665
size_t keyfile_size,
1666
uint32_t flags)
1667
{
1668
crypt_status_info ci;
1669
struct luks_masterkey *mk = NULL;
1670
char *passphrase_read = NULL;
1671
unsigned int passphrase_size_read;
1672
int r;
1673
1674
log_dbg("Activating volume %s [keyslot %d] using keyfile %s.",
1675
name, keyslot, keyfile ?: "[none]");
1676
1677
if (!isLUKS(cd->type)) {
1678
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1679
return -EINVAL;
1680
}
1681
1682
if (name) {
1683
ci = crypt_status(NULL, name);
1684
if (ci == INVALID)
1685
return -EINVAL;
1686
else if (ci >= ACTIVE) {
1687
log_err(cd, _("Device %s already exists.\n"), name);
1688
return -EEXIST;
1689
}
1690
}
1691
1692
if (!keyfile)
1693
return -EINVAL;
1694
1695
key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1696
&passphrase_size_read, keyfile, keyfile_size);
1697
if(!passphrase_read)
1698
r = -EINVAL;
1699
else {
1700
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1701
passphrase_size_read, &cd->hdr, &mk, cd);
1702
safe_free(passphrase_read);
1703
}
1704
1705
if (r >= 0) {
1706
keyslot = r;
1707
r = open_from_hdr_and_mk(cd, mk, name, flags);
1708
}
1709
1710
LUKS_dealloc_masterkey(mk);
1711
1712
return r < 0 ? r : keyslot;
1713
}
1714
1715
int crypt_activate_by_volume_key(struct crypt_device *cd,
1716
const char *name,
1717
const char *volume_key,
1718
size_t volume_key_size,
1719
uint32_t flags)
1720
{
1721
crypt_status_info ci;
1722
struct luks_masterkey *mk;
1723
int r;
1724
1725
log_dbg("Activating volume %s by volume key.", name);
1726
1727
/* use key directly, no hash */
1728
if (isPLAIN(cd->type))
1729
return create_device_helper(cd, name, NULL,
1730
cd->plain_cipher, cd->plain_cipher_mode, NULL, volume_key, volume_key_size,
1731
cd->volume_key->keyLength, 0, cd->plain_hdr.skip,
1732
cd->plain_hdr.offset, cd->plain_uuid, flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1733
1734
if (!isLUKS(cd->type)) {
1735
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1736
return -EINVAL;
1737
}
1738
1739
if (name) {
1740
ci = crypt_status(NULL, name);
1741
if (ci == INVALID)
1742
return -EINVAL;
1743
else if (ci >= ACTIVE) {
1744
log_err(cd, _("Device %s already exists.\n"), name);
1745
return -EEXIST;
1746
}
1747
}
1748
1749
mk = LUKS_alloc_masterkey(volume_key_size, volume_key);
1750
if (!mk)
1751
return -ENOMEM;
1752
r = LUKS_verify_master_key(&cd->hdr, mk);
1753
1754
if (r == -EPERM)
1755
log_err(cd, _("Volume key does not match the volume.\n"));
1756
1757
if (!r && name)
1758
r = open_from_hdr_and_mk(cd, mk, name, flags);
1759
1760
LUKS_dealloc_masterkey(mk);
1761
1762
return r;
1763
}
1764
1765
int crypt_deactivate(struct crypt_device *cd, const char *name)
1766
{
1767
int r;
1768
1769
if (!name)
1770
return -EINVAL;
1771
1772
log_dbg("Deactivating volume %s.", name);
1773
1774
if (!cd && dm_init(NULL, 1) < 0)
1775
return -ENOSYS;
1776
1777
switch (crypt_status(cd, name)) {
1778
case ACTIVE: r = dm_remove_device(name, 0, 0);
1779
break;
1780
case BUSY: log_err(cd, _("Device %s is busy.\n"), name);
1781
r = -EBUSY;
1782
break;
1783
case INACTIVE: log_err(cd, _("Device %s is not active.\n"), name);
1784
r = -ENODEV;
1785
break;
1786
default: log_err(cd, _("Invalid device %s.\n"), name);
1787
r = -EINVAL;
1788
}
1789
1790
if (!cd)
1791
dm_exit();
1792
1793
return r;
1794
}
1795
1796
// misc helper functions
1797
int crypt_volume_key_get(struct crypt_device *cd,
1798
int keyslot,
1799
char *volume_key,
1800
size_t *volume_key_size,
1801
const char *passphrase,
1802
size_t passphrase_size)
1803
{
1804
struct luks_masterkey *mk;
1805
char *processed_key = NULL;
1806
int r, key_len;
1807
1808
key_len = crypt_get_volume_key_size(cd);
1809
if (key_len > *volume_key_size) {
1810
log_err(cd, _("Volume key buffer too small.\n"));
1811
return -ENOMEM;
1812
}
1813
1814
if (isPLAIN(cd->type)) {
1815
processed_key = process_key(cd, cd->plain_hdr.hash, NULL, key_len,
1816
passphrase, passphrase_size);
1817
if (!processed_key) {
1818
log_err(cd, _("Cannot retrieve volume key for plain device.\n"));
1819
return -EINVAL;
1820
}
1821
memcpy(volume_key, processed_key, key_len);
1822
*volume_key_size = key_len;
1823
safe_free(processed_key);
1824
return 0;
1825
}
1826
1827
if (isLUKS(cd->type)) {
1828
r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1829
passphrase_size, &cd->hdr, &mk, cd);
1830
1831
if (r >= 0) {
1832
memcpy(volume_key, mk->key, mk->keyLength);
1833
*volume_key_size = mk->keyLength;
1834
}
1835
1836
LUKS_dealloc_masterkey(mk);
1837
return r;
1838
}
1839
1840
log_err(cd, _("This operation is not supported for %s crypt device.\n"), cd->type ?: "(none)");
1841
return -EINVAL;
1842
}
1843
1844
int crypt_volume_key_verify(struct crypt_device *cd,
1845
const char *volume_key,
1846
size_t volume_key_size)
1847
{
1848
struct luks_masterkey *mk;
1849
int r;
1850
1851
if (!isLUKS(cd->type)) {
1852
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1853
return -EINVAL;
1854
}
1855
1856
mk = LUKS_alloc_masterkey(volume_key_size, volume_key);
1857
if (!mk)
1858
return -ENOMEM;
1859
1860
r = LUKS_verify_master_key(&cd->hdr, mk);
1861
1862
if (r == -EPERM)
1863
log_err(cd, _("Volume key does not match the volume.\n"));
1864
1865
LUKS_dealloc_masterkey(mk);
1866
1867
return r;
1868
}
1869
1870
void crypt_set_timeout(struct crypt_device *cd, uint64_t timeout_sec)
1871
{
1872
log_dbg("Timeout set to %" PRIu64 " miliseconds.", timeout_sec);
1873
cd->timeout = timeout_sec;
1874
}
1875
1876
void crypt_set_password_retry(struct crypt_device *cd, int tries)
1877
{
1878
log_dbg("Password retry count set to %d.", tries);
1879
cd->tries = tries;
1880
}
1881
1882
void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms)
1883
{
1884
log_dbg("Iteration time set to %" PRIu64 " miliseconds.", iteration_time_ms);
1885
cd->iteration_time = iteration_time_ms;
1886
}
1887
1888
void crypt_set_password_verify(struct crypt_device *cd, int password_verify)
1889
{
1890
log_dbg("Password verification %s.", password_verify ? "enabled" : "disabled");
1891
cd->password_verify = password_verify ? 1 : 0;
1892
}
1893
1894
int crypt_memory_lock(struct crypt_device *cd, int lock)
1895
{
1896
return lock ? memlock_inc(cd) : memlock_dec(cd);
1897
}
1898
1899
// reporting
1900
crypt_status_info crypt_status(struct crypt_device *cd, const char *name)
1901
{
1902
int r;
1903
1904
if (!cd && dm_init(NULL, 1) < 0)
1905
return INVALID;
1906
1907
r = dm_status_device(name);
1908
1909
if (!cd)
1910
dm_exit();
1911
1912
if (r < 0 && r != -ENODEV)
1913
return INVALID;
1914
1915
if (r == 0)
1916
return ACTIVE;
1917
1918
if (r > 0)
1919
return BUSY;
1920
1921
return INACTIVE;
1922
}
1923
1924
static void hexprintICB(struct crypt_device *cd, char *d, int n)
1925
{
1926
int i;
1927
for(i = 0; i < n; i++)
1928
log_std(cd, "%02hhx ", (char)d[i]);
1929
}
1930
1931
int crypt_dump(struct crypt_device *cd)
1932
{
1933
int i;
1934
if (!isLUKS(cd->type)) { //FIXME
1935
log_err(cd, _("This operation is supported only for LUKS device.\n"));
1936
return -EINVAL;
1937
}
1938
1939
log_std(cd, "LUKS header information for %s\n\n", cd->device);
1940
log_std(cd, "Version: \t%d\n", cd->hdr.version);
1941
log_std(cd, "Cipher name: \t%s\n", cd->hdr.cipherName);
1942
log_std(cd, "Cipher mode: \t%s\n", cd->hdr.cipherMode);
1943
log_std(cd, "Hash spec: \t%s\n", cd->hdr.hashSpec);
1944
log_std(cd, "Payload offset:\t%d\n", cd->hdr.payloadOffset);
1945
log_std(cd, "MK bits: \t%d\n", cd->hdr.keyBytes * 8);
1946
log_std(cd, "MK digest: \t");
1947
hexprintICB(cd, cd->hdr.mkDigest, LUKS_DIGESTSIZE);
1948
log_std(cd, "\n");
1949
log_std(cd, "MK salt: \t");
1950
hexprintICB(cd, cd->hdr.mkDigestSalt, LUKS_SALTSIZE/2);
1951
log_std(cd, "\n \t");
1952
hexprintICB(cd, cd->hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
1953
log_std(cd, "\n");
1954
log_std(cd, "MK iterations: \t%d\n", cd->hdr.mkDigestIterations);
1955
log_std(cd, "UUID: \t%s\n\n", cd->hdr.uuid);
1956
for(i = 0; i < LUKS_NUMKEYS; i++) {
1957
if(cd->hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
1958
log_std(cd, "Key Slot %d: ENABLED\n",i);
1959
log_std(cd, "\tIterations: \t%d\n",
1960
cd->hdr.keyblock[i].passwordIterations);
1961
log_std(cd, "\tSalt: \t");
1962
hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt,
1963
LUKS_SALTSIZE/2);
1964
log_std(cd, "\n\t \t");
1965
hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt +
1966
LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
1967
log_std(cd, "\n");
1968
1969
log_std(cd, "\tKey material offset:\t%d\n",
1970
cd->hdr.keyblock[i].keyMaterialOffset);
1971
log_std(cd, "\tAF stripes: \t%d\n",
1972
cd->hdr.keyblock[i].stripes);
1973
}
1974
else
1975
log_std(cd, "Key Slot %d: DISABLED\n", i);
1976
}
1977
return 0;
1978
}
1979
1980
const char *crypt_get_cipher(struct crypt_device *cd)
1981
{
1982
if (isPLAIN(cd->type))
1983
return cd->plain_cipher;
1984
1985
if (isLUKS(cd->type))
1986
return cd->hdr.cipherName;
1987
1988
return NULL;
1989
}
1990
1991
const char *crypt_get_cipher_mode(struct crypt_device *cd)
1992
{
1993
if (isPLAIN(cd->type))
1994
return cd->plain_cipher_mode;
1995
1996
if (isLUKS(cd->type))
1997
return cd->hdr.cipherMode;
1998
1999
return NULL;
2000
}
2001
2002
const char *crypt_get_uuid(struct crypt_device *cd)
2003
{
2004
if (isLUKS(cd->type))
2005
return cd->hdr.uuid;
2006
2007
return NULL;
2008
}
2009
2010
int crypt_get_volume_key_size(struct crypt_device *cd)
2011
{
2012
if (isPLAIN(cd->type))
2013
return cd->volume_key->keyLength;
2014
2015
if (isLUKS(cd->type))
2016
return cd->hdr.keyBytes;
2017
2018
return 0;
2019
}
2020
2021
uint64_t crypt_get_data_offset(struct crypt_device *cd)
2022
{
2023
if (isPLAIN(cd->type))
2024
return cd->plain_hdr.offset;
2025
2026
if (isLUKS(cd->type))
2027
return cd->hdr.payloadOffset;
2028
2029
return 0;
2030
}
2031
2032
crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot)
2033
{
2034
if (!isLUKS(cd->type)) {
2035
log_err(cd, _("This operation is supported only for LUKS device.\n"));
2036
return SLOT_INVALID;
2037
}
2038
2039
return LUKS_keyslot_info(&cd->hdr, keyslot);
2040
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.1