2
* LUKS - Linux Unified Key Setup
4
* Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
6
* This program is free software; you can redistribute it and/or
7
* modify it under the terms of the GNU General Public License
8
* version 2 as published by the Free Software Foundation.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20
#include <sys/types.h>
22
#include <sys/ioctl.h>
24
#include <netinet/in.h>
37
#include <uuid/uuid.h>
38
#include <../lib/internal.h>
40
#define div_round_up(a,b) ({ \
41
typeof(a) __a = (a); \
42
typeof(b) __b = (b); \
43
(__a - 1) / __b + 1; \
46
static inline int round_up_modulo(int x, int m) {
47
return div_round_up(x, m) * m;
50
struct luks_masterkey *LUKS_alloc_masterkey(int keylength, const char *key)
52
struct luks_masterkey *mk=malloc(sizeof(*mk) + keylength);
53
if(NULL == mk) return NULL;
54
mk->keyLength=keylength;
56
memcpy(&mk->key, key, keylength);
60
void LUKS_dealloc_masterkey(struct luks_masterkey *mk)
63
memset(mk->key,0,mk->keyLength);
69
struct luks_masterkey *LUKS_generate_masterkey(int keylength)
71
struct luks_masterkey *mk=LUKS_alloc_masterkey(keylength, NULL);
72
if(NULL == mk) return NULL;
74
int r = getRandom(mk->key,keylength);
76
LUKS_dealloc_masterkey(mk);
83
const char *backup_file,
85
struct luks_phdr *hdr,
86
struct crypt_device *ctx)
88
int r = 0, devfd = -1;
93
if(stat(backup_file, &st) == 0) {
94
log_err(ctx, _("Requested file %s already exist.\n"), backup_file);
98
r = LUKS_read_phdr(device, hdr, 0, ctx);
102
buffer_size = hdr->payloadOffset << SECTOR_SHIFT;
103
buffer = safe_alloc(buffer_size);
104
if (!buffer || buffer_size < LUKS_ALIGN_KEYSLOTS) {
109
log_dbg("Storing backup of header (%u bytes) and keyslot area (%u bytes).",
110
sizeof(*hdr), buffer_size - LUKS_ALIGN_KEYSLOTS);
112
devfd = open(device, O_RDONLY | O_DIRECT | O_SYNC);
114
log_err(ctx, _("Device %s is not a valid LUKS device.\n"), device);
119
if(read_blockwise(devfd, buffer, buffer_size) < buffer_size) {
125
/* Wipe unused area, so backup cannot contain old signatures */
126
memset(buffer + sizeof(*hdr), 0, LUKS_ALIGN_KEYSLOTS - sizeof(*hdr));
128
devfd = creat(backup_file, S_IRUSR);
133
if(write(devfd, buffer, buffer_size) < buffer_size) {
134
log_err(ctx, _("Cannot write header backup file %s.\n"), backup_file);
148
int LUKS_hdr_restore(
149
const char *backup_file,
151
struct luks_phdr *hdr,
152
struct crypt_device *ctx)
154
int r = 0, devfd = -1, diff_uuid = 0;
156
char *buffer = NULL, msg[200];
158
struct luks_phdr hdr_file;
160
if(stat(backup_file, &st) < 0) {
161
log_err(ctx, _("Backup file %s doesn't exist.\n"), backup_file);
165
r = LUKS_read_phdr_backup(backup_file, device, &hdr_file, 0, ctx);
166
buffer_size = hdr_file.payloadOffset << SECTOR_SHIFT;
168
if (r || buffer_size < LUKS_ALIGN_KEYSLOTS) {
169
log_err(ctx, _("Backup file do not contain valid LUKS header.\n"));
174
buffer = safe_alloc(buffer_size);
180
devfd = open(backup_file, O_RDONLY);
182
log_err(ctx, _("Cannot open header backup file %s.\n"), backup_file);
187
if(read(devfd, buffer, buffer_size) < buffer_size) {
188
log_err(ctx, _("Cannot read header backup file %s.\n"), backup_file);
194
r = LUKS_read_phdr(device, hdr, 0, ctx);
196
log_dbg("Device %s already contains LUKS header, checking UUID and offset.", device);
197
if(hdr->payloadOffset != hdr_file.payloadOffset ||
198
hdr->keyBytes != hdr_file.keyBytes) {
199
log_err(ctx, _("Data offset or key size differs on device and backup, restore failed.\n"));
203
if (memcmp(hdr->uuid, hdr_file.uuid, UUID_STRING_L))
207
if (snprintf(msg, sizeof(msg), _("Device %s %s%s"), device,
208
r ? _("does not contain LUKS header. Replacing header can destroy data on that device.") :
209
_("already contains LUKS header. Replacing header will destroy existing keyslots."),
210
diff_uuid ? _("\nWARNING: real device header has different UUID than backup!") : "") < 0) {
215
if (!crypt_confirm(ctx, msg)) {
220
log_dbg("Storing backup of header (%u bytes) and keyslot area (%u bytes) to device %s.",
221
sizeof(*hdr), buffer_size - LUKS_ALIGN_KEYSLOTS, device);
223
devfd = open(device, O_WRONLY | O_DIRECT | O_SYNC);
225
log_err(ctx, _("Cannot open device %s.\n"), device);
230
if(write_blockwise(devfd, buffer, buffer_size) < buffer_size) {
236
/* Be sure to reload new data */
237
r = LUKS_read_phdr(device, hdr, 0, ctx);
245
static int _check_and_convert_hdr(const char *device,
246
struct luks_phdr *hdr,
247
int require_luks_device,
248
struct crypt_device *ctx)
252
char luksMagic[] = LUKS_MAGIC;
254
if(memcmp(hdr->magic, luksMagic, LUKS_MAGIC_L)) { /* Check magic */
255
log_dbg("LUKS header not detected.");
256
if (require_luks_device)
257
log_err(ctx, _("Device %s is not a valid LUKS device.\n"), device);
259
set_error(_("Device %s is not a valid LUKS device."), device);
261
} else if((hdr->version = ntohs(hdr->version)) != 1) { /* Convert every uint16/32_t item from network byte order */
262
log_err(ctx, _("Unsupported LUKS version %d.\n"), hdr->version);
264
} else if (PBKDF2_HMAC_ready(hdr->hashSpec) < 0) {
265
log_err(ctx, _("Requested LUKS hash %s is not supported.\n"), hdr->hashSpec);
268
hdr->payloadOffset = ntohl(hdr->payloadOffset);
269
hdr->keyBytes = ntohl(hdr->keyBytes);
270
hdr->mkDigestIterations = ntohl(hdr->mkDigestIterations);
272
for(i = 0; i < LUKS_NUMKEYS; ++i) {
273
hdr->keyblock[i].active = ntohl(hdr->keyblock[i].active);
274
hdr->keyblock[i].passwordIterations = ntohl(hdr->keyblock[i].passwordIterations);
275
hdr->keyblock[i].keyMaterialOffset = ntohl(hdr->keyblock[i].keyMaterialOffset);
276
hdr->keyblock[i].stripes = ntohl(hdr->keyblock[i].stripes);
283
static void _to_lower(char *str, unsigned max_len)
285
for(; *str && max_len; str++, max_len--)
287
*str = tolower(*str);
290
static void LUKS_fix_header_compatible(struct luks_phdr *header)
292
/* Old cryptsetup expects "sha1", gcrypt allows case insensistive names,
293
* so always convert hash to lower case in header */
294
_to_lower(header->hashSpec, LUKS_HASHSPEC_L);
297
int LUKS_read_phdr_backup(const char *backup_file,
299
struct luks_phdr *hdr,
300
int require_luks_device,
301
struct crypt_device *ctx)
303
int devfd = 0, r = 0;
305
log_dbg("Reading LUKS header of size %d from backup file %s",
306
sizeof(struct luks_phdr), backup_file);
308
devfd = open(backup_file, O_RDONLY);
310
log_err(ctx, _("Cannot open file %s.\n"), device);
314
if(read(devfd, hdr, sizeof(struct luks_phdr)) < sizeof(struct luks_phdr))
317
LUKS_fix_header_compatible(hdr);
318
r = _check_and_convert_hdr(backup_file, hdr, require_luks_device, ctx);
325
int LUKS_read_phdr(const char *device,
326
struct luks_phdr *hdr,
327
int require_luks_device,
328
struct crypt_device *ctx)
330
int devfd = 0, r = 0;
333
log_dbg("Reading LUKS header of size %d from device %s",
334
sizeof(struct luks_phdr), device);
336
devfd = open(device,O_RDONLY | O_DIRECT | O_SYNC);
338
log_err(ctx, _("Cannot open device %s.\n"), device);
342
if(read_blockwise(devfd, hdr, sizeof(struct luks_phdr)) < sizeof(struct luks_phdr))
345
r = _check_and_convert_hdr(device, hdr, require_luks_device, ctx);
348
if (r == 0 && (ioctl(devfd, BLKGETSIZE64, &size) < 0 ||
349
size < (uint64_t)hdr->payloadOffset)) {
350
log_err(ctx, _("LUKS header detected but device %s is too small.\n"), device);
359
int LUKS_write_phdr(const char *device,
360
struct luks_phdr *hdr,
361
struct crypt_device *ctx)
365
struct luks_phdr convHdr;
368
log_dbg("Updating LUKS header of size %d on device %s",
369
sizeof(struct luks_phdr), device);
371
devfd = open(device,O_RDWR | O_DIRECT | O_SYNC);
373
log_err(ctx, _("Cannot open device %s.\n"), device);
377
memcpy(&convHdr, hdr, sizeof(struct luks_phdr));
378
memset(&convHdr._padding, 0, sizeof(convHdr._padding));
380
/* Convert every uint16/32_t item to network byte order */
381
convHdr.version = htons(hdr->version);
382
convHdr.payloadOffset = htonl(hdr->payloadOffset);
383
convHdr.keyBytes = htonl(hdr->keyBytes);
384
convHdr.mkDigestIterations = htonl(hdr->mkDigestIterations);
385
for(i = 0; i < LUKS_NUMKEYS; ++i) {
386
convHdr.keyblock[i].active = htonl(hdr->keyblock[i].active);
387
convHdr.keyblock[i].passwordIterations = htonl(hdr->keyblock[i].passwordIterations);
388
convHdr.keyblock[i].keyMaterialOffset = htonl(hdr->keyblock[i].keyMaterialOffset);
389
convHdr.keyblock[i].stripes = htonl(hdr->keyblock[i].stripes);
392
r = write_blockwise(devfd, &convHdr, sizeof(struct luks_phdr)) < sizeof(struct luks_phdr) ? -EIO : 0;
394
log_err(ctx, _("Error during update of LUKS header on device %s.\n"), device);
397
/* Re-read header from disk to be sure that in-memory and on-disk data are the same. */
399
r = LUKS_read_phdr(device, hdr, 1, ctx);
401
log_err(ctx, _("Error re-reading LUKS header after update on device %s.\n"), device);
407
static int LUKS_PBKDF2_performance_check(const char *hashSpec,
408
uint64_t *PBKDF2_per_sec,
409
struct crypt_device *ctx)
411
if (!*PBKDF2_per_sec) {
412
if (PBKDF2_performance_check(hashSpec, PBKDF2_per_sec) < 0) {
413
log_err(ctx, _("Not compatible PBKDF2 options (using hash algorithm %s).\n"), hashSpec);
416
log_dbg("PBKDF2: %" PRIu64 " iterations per second using hash %s.", *PBKDF2_per_sec, hashSpec);
422
int LUKS_generate_phdr(struct luks_phdr *header,
423
const struct luks_masterkey *mk,
424
const char *cipherName, const char *cipherMode, const char *hashSpec,
425
const char *uuid, unsigned int stripes,
426
unsigned int alignPayload,
427
unsigned int alignOffset,
428
uint32_t iteration_time_ms,
429
uint64_t *PBKDF2_per_sec,
430
struct crypt_device *ctx)
433
unsigned int blocksPerStripeSet = div_round_up(mk->keyLength*stripes,SECTOR_SIZE);
435
char luksMagic[] = LUKS_MAGIC;
436
uuid_t partitionUuid;
438
int alignSectors = LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE;
439
if (alignPayload == 0)
440
alignPayload = alignSectors;
442
memset(header,0,sizeof(struct luks_phdr));
445
memcpy(header->magic,luksMagic,LUKS_MAGIC_L);
447
strncpy(header->cipherName,cipherName,LUKS_CIPHERNAME_L);
448
strncpy(header->cipherMode,cipherMode,LUKS_CIPHERMODE_L);
449
strncpy(header->hashSpec,hashSpec,LUKS_HASHSPEC_L);
451
header->keyBytes=mk->keyLength;
453
LUKS_fix_header_compatible(header);
455
log_dbg("Generating LUKS header version %d using hash %s, %s, %s, MK %d bytes",
456
header->version, header->hashSpec ,header->cipherName, header->cipherMode,
459
r = getRandom(header->mkDigestSalt,LUKS_SALTSIZE);
461
log_err(ctx, _("Cannot create LUKS header: reading random salt failed.\n"));
465
if ((r = LUKS_PBKDF2_performance_check(header->hashSpec, PBKDF2_per_sec, ctx)))
468
/* Compute master key digest */
469
iteration_time_ms /= 8;
470
header->mkDigestIterations = at_least((uint32_t)(*PBKDF2_per_sec/1024) * iteration_time_ms,
471
LUKS_MKD_ITERATIONS_MIN);
473
r = PBKDF2_HMAC(header->hashSpec,mk->key,mk->keyLength,
474
header->mkDigestSalt,LUKS_SALTSIZE,
475
header->mkDigestIterations,
476
header->mkDigest,LUKS_DIGESTSIZE);
478
log_err(ctx, _("Cannot create LUKS header: header digest failed (using hash %s).\n"),
483
currentSector = round_up_modulo(LUKS_PHDR_SIZE, alignSectors);
484
for(i = 0; i < LUKS_NUMKEYS; ++i) {
485
header->keyblock[i].active = LUKS_KEY_DISABLED;
486
header->keyblock[i].keyMaterialOffset = currentSector;
487
header->keyblock[i].stripes = stripes;
488
currentSector = round_up_modulo(currentSector + blocksPerStripeSet, alignSectors);
490
currentSector = round_up_modulo(currentSector, alignPayload);
492
/* alignOffset - offset from natural device alignment provided by topology info */
493
header->payloadOffset = currentSector + alignOffset;
495
if (uuid && !uuid_parse(uuid, partitionUuid)) {
496
log_err(ctx, _("Wrong UUID format provided, generating new one.\n"));
500
uuid_generate(partitionUuid);
501
uuid_unparse(partitionUuid, header->uuid);
503
log_dbg("Data offset %d, UUID %s, digest iterations %" PRIu32,
504
header->payloadOffset, header->uuid, header->mkDigestIterations);
509
int LUKS_set_key(const char *device, unsigned int keyIndex,
510
const char *password, size_t passwordLen,
511
struct luks_phdr *hdr, struct luks_masterkey *mk,
512
uint32_t iteration_time_ms,
513
uint64_t *PBKDF2_per_sec,
514
struct crypt_device *ctx)
516
char derivedKey[hdr->keyBytes];
518
unsigned int AFEKSize;
519
uint64_t PBKDF2_temp;
522
if(hdr->keyblock[keyIndex].active != LUKS_KEY_DISABLED) {
523
log_err(ctx, _("Key slot %d active, purge first.\n"), keyIndex);
527
if(hdr->keyblock[keyIndex].stripes < LUKS_STRIPES) {
528
log_err(ctx, _("Key slot %d material includes too few stripes. Header manipulation?\n"),
533
log_dbg("Calculating data for key slot %d", keyIndex);
535
if ((r = LUKS_PBKDF2_performance_check(hdr->hashSpec, PBKDF2_per_sec, ctx)))
539
* Avoid floating point operation
540
* Final iteration count is at least LUKS_SLOT_ITERATIONS_MIN
542
PBKDF2_temp = (*PBKDF2_per_sec / 2) * (uint64_t)iteration_time_ms;
544
if (PBKDF2_temp > UINT32_MAX)
545
PBKDF2_temp = UINT32_MAX;
546
hdr->keyblock[keyIndex].passwordIterations = at_least((uint32_t)PBKDF2_temp,
547
LUKS_SLOT_ITERATIONS_MIN);
549
log_dbg("Key slot %d use %d password iterations.", keyIndex, hdr->keyblock[keyIndex].passwordIterations);
551
r = getRandom(hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE);
554
// assert((mk->keyLength % TWOFISH_BLOCKSIZE) == 0); FIXME
556
r = PBKDF2_HMAC(hdr->hashSpec, password,passwordLen,
557
hdr->keyblock[keyIndex].passwordSalt,LUKS_SALTSIZE,
558
hdr->keyblock[keyIndex].passwordIterations,
559
derivedKey, hdr->keyBytes);
563
* AF splitting, the masterkey stored in mk->key is splitted to AfMK
565
AFEKSize = hdr->keyblock[keyIndex].stripes*mk->keyLength;
566
AfKey = (char *)malloc(AFEKSize);
567
if(AfKey == NULL) return -ENOMEM;
569
log_dbg("Using hash %s for AF in key slot %d, %d stripes",
570
hdr->hashSpec, keyIndex, hdr->keyblock[keyIndex].stripes);
571
r = AF_split(mk->key,AfKey,mk->keyLength,hdr->keyblock[keyIndex].stripes,hdr->hashSpec);
574
log_dbg("Updating key slot %d [0x%04x] area on device %s.", keyIndex,
575
hdr->keyblock[keyIndex].keyMaterialOffset << 9, device);
576
/* Encryption via dm */
577
r = LUKS_encrypt_to_storage(AfKey,
583
hdr->keyblock[keyIndex].keyMaterialOffset,
587
log_err(ctx, _("Failed to write to key storage.\n"));
591
/* Mark the key as active in phdr */
592
r = LUKS_keyslot_set(hdr, (int)keyIndex, 1);
595
r = LUKS_write_phdr(device, hdr, ctx);
604
/* Check whether a master key is invalid. */
605
int LUKS_verify_master_key(const struct luks_phdr *hdr,
606
const struct luks_masterkey *mk)
608
char checkHashBuf[LUKS_DIGESTSIZE];
610
if (PBKDF2_HMAC(hdr->hashSpec, mk->key, mk->keyLength,
611
hdr->mkDigestSalt, LUKS_SALTSIZE,
612
hdr->mkDigestIterations, checkHashBuf,
613
LUKS_DIGESTSIZE) < 0)
616
if (memcmp(checkHashBuf, hdr->mkDigest, LUKS_DIGESTSIZE))
622
/* Try to open a particular key slot */
623
static int LUKS_open_key(const char *device,
624
unsigned int keyIndex,
625
const char *password,
627
struct luks_phdr *hdr,
628
struct luks_masterkey *mk,
629
struct crypt_device *ctx)
631
crypt_keyslot_info ki = LUKS_keyslot_info(hdr, keyIndex);
632
char derivedKey[hdr->keyBytes];
637
log_dbg("Trying to open key slot %d [%d].", keyIndex, (int)ki);
639
if (ki < CRYPT_SLOT_ACTIVE)
642
// assert((mk->keyLength % TWOFISH_BLOCKSIZE) == 0); FIXME
644
AFEKSize = hdr->keyblock[keyIndex].stripes*mk->keyLength;
645
AfKey = (char *)malloc(AFEKSize);
646
if(AfKey == NULL) return -ENOMEM;
648
r = PBKDF2_HMAC(hdr->hashSpec, password,passwordLen,
649
hdr->keyblock[keyIndex].passwordSalt,LUKS_SALTSIZE,
650
hdr->keyblock[keyIndex].passwordIterations,
651
derivedKey, hdr->keyBytes);
654
log_dbg("Reading key slot %d area.", keyIndex);
655
r = LUKS_decrypt_from_storage(AfKey,
661
hdr->keyblock[keyIndex].keyMaterialOffset,
664
log_err(ctx, _("Failed to read from key storage.\n"));
668
r = AF_merge(AfKey,mk->key,mk->keyLength,hdr->keyblock[keyIndex].stripes,hdr->hashSpec);
671
r = LUKS_verify_master_key(hdr, mk);
673
log_verbose(ctx, _("Key slot %d unlocked.\n"), keyIndex);
679
int LUKS_open_key_with_hdr(const char *device,
681
const char *password,
683
struct luks_phdr *hdr,
684
struct luks_masterkey **mk,
685
struct crypt_device *ctx)
690
*mk = LUKS_alloc_masterkey(hdr->keyBytes, NULL);
693
return LUKS_open_key(device, keyIndex, password, passwordLen, hdr, *mk, ctx);
695
for(i = 0; i < LUKS_NUMKEYS; i++) {
696
r = LUKS_open_key(device, i, password, passwordLen, hdr, *mk, ctx);
700
/* Do not retry for errors that are no -EPERM or -ENOENT,
701
former meaning password wrong, latter key slot inactive */
702
if ((r != -EPERM) && (r != -ENOENT))
705
/* Warning, early returns above */
706
log_err(ctx, _("No key available with this passphrase.\n"));
711
* Wipe patterns according to Gutmann's Paper
714
static void wipeSpecial(char *buffer, size_t buffer_size, unsigned int turn)
718
unsigned char write_modes[][3] = {
719
{"\x55\x55\x55"}, {"\xaa\xaa\xaa"}, {"\x92\x49\x24"},
720
{"\x49\x24\x92"}, {"\x24\x92\x49"}, {"\x00\x00\x00"},
721
{"\x11\x11\x11"}, {"\x22\x22\x22"}, {"\x33\x33\x33"},
722
{"\x44\x44\x44"}, {"\x55\x55\x55"}, {"\x66\x66\x66"},
723
{"\x77\x77\x77"}, {"\x88\x88\x88"}, {"\x99\x99\x99"},
724
{"\xaa\xaa\xaa"}, {"\xbb\xbb\xbb"}, {"\xcc\xcc\xcc"},
725
{"\xdd\xdd\xdd"}, {"\xee\xee\xee"}, {"\xff\xff\xff"},
726
{"\x92\x49\x24"}, {"\x49\x24\x92"}, {"\x24\x92\x49"},
727
{"\x6d\xb6\xdb"}, {"\xb6\xdb\x6d"}, {"\xdb\x6d\xb6"}
730
for(i = 0; i < buffer_size / 3; ++i) {
731
memcpy(buffer, write_modes[turn], 3);
736
static int wipe(const char *device, unsigned int from, unsigned int to)
741
unsigned int bufLen = (to - from) * SECTOR_SIZE;
744
devfd = open(device, O_RDWR | O_DIRECT | O_SYNC);
748
buffer = (char *) malloc(bufLen);
749
if(!buffer) return -ENOMEM;
751
for(i = 0; i < 39; ++i) {
752
if (i >= 0 && i < 5) getRandom(buffer, bufLen);
753
else if(i >= 5 && i < 32) wipeSpecial(buffer, bufLen, i - 5);
754
else if(i >= 32 && i < 38) getRandom(buffer, bufLen);
755
else if(i >= 38 && i < 39) memset(buffer, 0xFF, bufLen);
757
if(write_lseek_blockwise(devfd, buffer, bufLen, from * SECTOR_SIZE) < 0) {
769
int LUKS_del_key(const char *device,
770
unsigned int keyIndex,
771
struct luks_phdr *hdr,
772
struct crypt_device *ctx)
774
unsigned int startOffset, endOffset, stripesLen;
777
r = LUKS_read_phdr(device, hdr, 1, ctx);
781
r = LUKS_keyslot_set(hdr, keyIndex, 0);
783
log_err(ctx, _("Key slot %d is invalid, please select keyslot between 0 and %d.\n"),
784
keyIndex, LUKS_NUMKEYS - 1);
788
/* secure deletion of key material */
789
startOffset = hdr->keyblock[keyIndex].keyMaterialOffset;
790
stripesLen = hdr->keyBytes * hdr->keyblock[keyIndex].stripes;
791
endOffset = startOffset + div_round_up(stripesLen, SECTOR_SIZE);
793
r = wipe(device, startOffset, endOffset);
795
log_err(ctx, _("Cannot wipe device %s.\n"), device);
799
r = LUKS_write_phdr(device, hdr, ctx);
804
crypt_keyslot_info LUKS_keyslot_info(struct luks_phdr *hdr, int keyslot)
808
if(keyslot >= LUKS_NUMKEYS || keyslot < 0)
809
return CRYPT_SLOT_INVALID;
811
if (hdr->keyblock[keyslot].active == LUKS_KEY_DISABLED)
812
return CRYPT_SLOT_INACTIVE;
814
if (hdr->keyblock[keyslot].active != LUKS_KEY_ENABLED)
815
return CRYPT_SLOT_INVALID;
817
for(i = 0; i < LUKS_NUMKEYS; i++)
818
if(i != keyslot && hdr->keyblock[i].active == LUKS_KEY_ENABLED)
819
return CRYPT_SLOT_ACTIVE;
821
return CRYPT_SLOT_ACTIVE_LAST;
824
int LUKS_keyslot_find_empty(struct luks_phdr *hdr)
828
for (i = 0; i < LUKS_NUMKEYS; i++)
829
if(hdr->keyblock[i].active == LUKS_KEY_DISABLED)
832
if (i == LUKS_NUMKEYS)
838
int LUKS_keyslot_active_count(struct luks_phdr *hdr)
842
for (i = 0; i < LUKS_NUMKEYS; i++)
843
if(hdr->keyblock[i].active == LUKS_KEY_ENABLED)
849
int LUKS_keyslot_set(struct luks_phdr *hdr, int keyslot, int enable)
851
crypt_keyslot_info ki = LUKS_keyslot_info(hdr, keyslot);
853
if (ki == CRYPT_SLOT_INVALID)
856
hdr->keyblock[keyslot].active = enable ? LUKS_KEY_ENABLED : LUKS_KEY_DISABLED;
857
log_dbg("Key slot %d was %s in LUKS header.", keyslot, enable ? "enabled" : "disabled");