2 * LUKS - Linux Unified Key Setup
4 * Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
5 * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * version 2 as published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 #include <sys/types.h>
23 #include <netinet/in.h>
32 #include <uuid/uuid.h>
39 #define div_round_up(a,b) ({ \
40 typeof(a) __a = (a); \
41 typeof(b) __b = (b); \
42 (__a - 1) / __b + 1; \
45 static inline int round_up_modulo(int x, int m) {
46 return div_round_up(x, m) * m;
49 /* Get size of struct luks_phrd with all keyslots material space */
50 static uint64_t LUKS_device_sectors(size_t keyLen)
52 uint64_t keyslot_sectors, sector;
55 keyslot_sectors = AF_split_sectors(keyLen, LUKS_STRIPES);
56 sector = LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE;
58 for (i = 0; i < LUKS_NUMKEYS; i++) {
59 sector = round_up_modulo(sector, LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE);
60 sector += keyslot_sectors;
66 static int LUKS_check_device_size(struct crypt_device *ctx, size_t keyLength)
68 struct device *device = crypt_metadata_device(ctx);
69 uint64_t dev_sectors, hdr_sectors;
74 if(device_size(device, &dev_sectors)) {
75 log_dbg("Cannot get device size for device %s.", device_path(device));
79 dev_sectors >>= SECTOR_SHIFT;
80 hdr_sectors = LUKS_device_sectors(keyLength);
81 log_dbg("Key length %u, device size %" PRIu64 " sectors, header size %"
82 PRIu64 " sectors.",keyLength, dev_sectors, hdr_sectors);
84 if (hdr_sectors > dev_sectors) {
85 log_err(ctx, _("Device %s is too small.\n"), device_path(device));
92 /* Check keyslot to prevent access outside of header and keyslot area */
93 static int LUKS_check_keyslot_size(const struct luks_phdr *phdr, unsigned int keyIndex)
95 uint32_t secs_per_stripes;
97 /* First sectors is the header itself */
98 if (phdr->keyblock[keyIndex].keyMaterialOffset * SECTOR_SIZE < sizeof(*phdr)) {
99 log_dbg("Invalid offset %u in keyslot %u.",
100 phdr->keyblock[keyIndex].keyMaterialOffset, keyIndex);
104 /* Ignore following check for detached header where offset can be zero. */
105 if (phdr->payloadOffset == 0)
108 if (phdr->payloadOffset <= phdr->keyblock[keyIndex].keyMaterialOffset) {
109 log_dbg("Invalid offset %u in keyslot %u (beyond data area offset %u).",
110 phdr->keyblock[keyIndex].keyMaterialOffset, keyIndex,
111 phdr->payloadOffset);
115 secs_per_stripes = AF_split_sectors(phdr->keyBytes, phdr->keyblock[keyIndex].stripes);
117 if (phdr->payloadOffset < (phdr->keyblock[keyIndex].keyMaterialOffset + secs_per_stripes)) {
118 log_dbg("Invalid keyslot size %u (offset %u, stripes %u) in "
119 "keyslot %u (beyond data area offset %u).",
121 phdr->keyblock[keyIndex].keyMaterialOffset,
122 phdr->keyblock[keyIndex].stripes,
123 keyIndex, phdr->payloadOffset);
130 static const char *dbg_slot_state(crypt_keyslot_info ki)
133 case CRYPT_SLOT_INACTIVE:
135 case CRYPT_SLOT_ACTIVE:
137 case CRYPT_SLOT_ACTIVE_LAST:
138 return "ACTIVE_LAST";
139 case CRYPT_SLOT_INVALID:
146 const char *backup_file,
147 struct luks_phdr *hdr,
148 struct crypt_device *ctx)
150 struct device *device = crypt_metadata_device(ctx);
151 int r = 0, devfd = -1;
156 if(stat(backup_file, &st) == 0) {
157 log_err(ctx, _("Requested file %s already exist.\n"), backup_file);
161 r = LUKS_read_phdr(hdr, 1, 0, ctx);
165 buffer_size = LUKS_device_sectors(hdr->keyBytes) << SECTOR_SHIFT;
166 buffer = crypt_safe_alloc(buffer_size);
167 if (!buffer || buffer_size < LUKS_ALIGN_KEYSLOTS) {
172 log_dbg("Storing backup of header (%u bytes) and keyslot area (%u bytes).",
173 sizeof(*hdr), buffer_size - LUKS_ALIGN_KEYSLOTS);
175 devfd = open(device_path(device), O_RDONLY | O_DIRECT | O_SYNC);
177 log_err(ctx, _("Device %s is not a valid LUKS device.\n"), device_path(device));
182 if(read_blockwise(devfd, device_block_size(device), buffer, buffer_size) < buffer_size) {
188 /* Wipe unused area, so backup cannot contain old signatures */
189 memset(buffer + sizeof(*hdr), 0, LUKS_ALIGN_KEYSLOTS - sizeof(*hdr));
191 devfd = creat(backup_file, S_IRUSR);
196 if(write(devfd, buffer, buffer_size) < buffer_size) {
197 log_err(ctx, _("Cannot write header backup file %s.\n"), backup_file);
207 crypt_safe_free(buffer);
211 int LUKS_hdr_restore(
212 const char *backup_file,
213 struct luks_phdr *hdr,
214 struct crypt_device *ctx)
216 struct device *device = crypt_metadata_device(ctx);
217 int r = 0, devfd = -1, diff_uuid = 0;
218 ssize_t buffer_size = 0;
219 char *buffer = NULL, msg[200];
221 struct luks_phdr hdr_file;
223 if(stat(backup_file, &st) < 0) {
224 log_err(ctx, _("Backup file %s doesn't exist.\n"), backup_file);
228 r = LUKS_read_phdr_backup(backup_file, &hdr_file, 0, ctx);
230 buffer_size = LUKS_device_sectors(hdr_file.keyBytes) << SECTOR_SHIFT;
232 if (r || buffer_size < LUKS_ALIGN_KEYSLOTS) {
233 log_err(ctx, _("Backup file doesn't contain valid LUKS header.\n"));
238 buffer = crypt_safe_alloc(buffer_size);
244 devfd = open(backup_file, O_RDONLY);
246 log_err(ctx, _("Cannot open header backup file %s.\n"), backup_file);
251 if(read(devfd, buffer, buffer_size) < buffer_size) {
252 log_err(ctx, _("Cannot read header backup file %s.\n"), backup_file);
258 r = LUKS_read_phdr(hdr, 0, 0, ctx);
260 log_dbg("Device %s already contains LUKS header, checking UUID and offset.", device_path(device));
261 if(hdr->payloadOffset != hdr_file.payloadOffset ||
262 hdr->keyBytes != hdr_file.keyBytes) {
263 log_err(ctx, _("Data offset or key size differs on device and backup, restore failed.\n"));
267 if (memcmp(hdr->uuid, hdr_file.uuid, UUID_STRING_L))
271 if (snprintf(msg, sizeof(msg), _("Device %s %s%s"), device_path(device),
272 r ? _("does not contain LUKS header. Replacing header can destroy data on that device.") :
273 _("already contains LUKS header. Replacing header will destroy existing keyslots."),
274 diff_uuid ? _("\nWARNING: real device header has different UUID than backup!") : "") < 0) {
279 if (!crypt_confirm(ctx, msg)) {
284 log_dbg("Storing backup of header (%u bytes) and keyslot area (%u bytes) to device %s.",
285 sizeof(*hdr), buffer_size - LUKS_ALIGN_KEYSLOTS, device_path(device));
287 devfd = open(device_path(device), O_WRONLY | O_DIRECT | O_SYNC);
290 log_err(ctx, _("Cannot write to device %s, permission denied.\n"),
291 device_path(device));
293 log_err(ctx, _("Cannot open device %s.\n"), device_path(device));
298 if (write_blockwise(devfd, device_block_size(device), buffer, buffer_size) < buffer_size) {
304 /* Be sure to reload new data */
305 r = LUKS_read_phdr(hdr, 1, 0, ctx);
309 crypt_safe_free(buffer);
313 /* This routine should do some just basic recovery for known problems. */
314 static int _keyslot_repair(struct luks_phdr *phdr, struct crypt_device *ctx)
316 struct luks_phdr temp_phdr;
317 const unsigned char *sector = (const unsigned char*)phdr;
318 struct volume_key *vk;
319 uint64_t PBKDF2_per_sec = 1;
320 int i, bad, r, need_write = 0;
322 if (phdr->keyBytes != 16 && phdr->keyBytes != 32) {
323 log_err(ctx, _("Non standard key size, manual repair required.\n"));
326 /* cryptsetup 1.0 did not align to 4k, cannot repair this one */
327 if (phdr->keyblock[0].keyMaterialOffset < (LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE)) {
328 log_err(ctx, _("Non standard keyslots alignment, manual repair required.\n"));
332 vk = crypt_alloc_volume_key(phdr->keyBytes, NULL);
334 log_verbose(ctx, _("Repairing keyslots.\n"));
336 log_dbg("Generating second header with the same parameters for check.");
337 /* cipherName, cipherMode, hashSpec, uuid are already null terminated */
338 /* payloadOffset - cannot check */
339 r = LUKS_generate_phdr(&temp_phdr, vk, phdr->cipherName, phdr->cipherMode,
340 phdr->hashSpec,phdr->uuid, LUKS_STRIPES,
341 phdr->payloadOffset, 0,
345 log_err(ctx, _("Repair failed."));
349 for(i = 0; i < LUKS_NUMKEYS; ++i) {
350 if (phdr->keyblock[i].active == LUKS_KEY_ENABLED) {
351 log_dbg("Skipping repair for active keyslot %i.", i);
356 if (phdr->keyblock[i].keyMaterialOffset != temp_phdr.keyblock[i].keyMaterialOffset) {
357 log_err(ctx, _("Keyslot %i: offset repaired (%u -> %u).\n"), i,
358 (unsigned)phdr->keyblock[i].keyMaterialOffset,
359 (unsigned)temp_phdr.keyblock[i].keyMaterialOffset);
360 phdr->keyblock[i].keyMaterialOffset = temp_phdr.keyblock[i].keyMaterialOffset;
364 if (phdr->keyblock[i].stripes != temp_phdr.keyblock[i].stripes) {
365 log_err(ctx, _("Keyslot %i: stripes repaired (%u -> %u).\n"), i,
366 (unsigned)phdr->keyblock[i].stripes,
367 (unsigned)temp_phdr.keyblock[i].stripes);
368 phdr->keyblock[i].stripes = temp_phdr.keyblock[i].stripes;
372 /* Known case - MSDOS partition table signature */
373 if (i == 6 && sector[0x1fe] == 0x55 && sector[0x1ff] == 0xaa) {
374 log_err(ctx, _("Keyslot %i: bogus partition signature.\n"), i);
379 log_err(ctx, _("Keyslot %i: salt wiped.\n"), i);
380 phdr->keyblock[i].active = LUKS_KEY_DISABLED;
381 memset(&phdr->keyblock[i].passwordSalt, 0x00, LUKS_SALTSIZE);
382 phdr->keyblock[i].passwordIterations = 0;
390 log_verbose(ctx, _("Writing LUKS header to disk.\n"));
391 r = LUKS_write_phdr(phdr, ctx);
394 crypt_free_volume_key(vk);
395 memset(&temp_phdr, 0, sizeof(temp_phdr));
399 static int _check_and_convert_hdr(const char *device,
400 struct luks_phdr *hdr,
401 int require_luks_device,
403 struct crypt_device *ctx)
407 char luksMagic[] = LUKS_MAGIC;
409 if(memcmp(hdr->magic, luksMagic, LUKS_MAGIC_L)) { /* Check magic */
410 log_dbg("LUKS header not detected.");
411 if (require_luks_device)
412 log_err(ctx, _("Device %s is not a valid LUKS device.\n"), device);
414 } else if((hdr->version = ntohs(hdr->version)) != 1) { /* Convert every uint16/32_t item from network byte order */
415 log_err(ctx, _("Unsupported LUKS version %d.\n"), hdr->version);
419 hdr->hashSpec[LUKS_HASHSPEC_L - 1] = '\0';
420 if (PBKDF2_HMAC_ready(hdr->hashSpec) < 0) {
421 log_err(ctx, _("Requested LUKS hash %s is not supported.\n"), hdr->hashSpec);
425 /* Header detected */
426 hdr->payloadOffset = ntohl(hdr->payloadOffset);
427 hdr->keyBytes = ntohl(hdr->keyBytes);
428 hdr->mkDigestIterations = ntohl(hdr->mkDigestIterations);
430 for(i = 0; i < LUKS_NUMKEYS; ++i) {
431 hdr->keyblock[i].active = ntohl(hdr->keyblock[i].active);
432 hdr->keyblock[i].passwordIterations = ntohl(hdr->keyblock[i].passwordIterations);
433 hdr->keyblock[i].keyMaterialOffset = ntohl(hdr->keyblock[i].keyMaterialOffset);
434 hdr->keyblock[i].stripes = ntohl(hdr->keyblock[i].stripes);
435 if (LUKS_check_keyslot_size(hdr, i)) {
436 log_err(ctx, _("LUKS keyslot %u is invalid.\n"), i);
441 /* Avoid unterminated strings */
442 hdr->cipherName[LUKS_CIPHERNAME_L - 1] = '\0';
443 hdr->cipherMode[LUKS_CIPHERMODE_L - 1] = '\0';
444 hdr->uuid[UUID_STRING_L - 1] = '\0';
448 r = _keyslot_repair(hdr, ctx);
450 log_verbose(ctx, _("No known problems detected for LUKS header.\n"));
456 static void _to_lower(char *str, unsigned max_len)
458 for(; *str && max_len; str++, max_len--)
460 *str = tolower(*str);
463 static void LUKS_fix_header_compatible(struct luks_phdr *header)
465 /* Old cryptsetup expects "sha1", gcrypt allows case insensistive names,
466 * so always convert hash to lower case in header */
467 _to_lower(header->hashSpec, LUKS_HASHSPEC_L);
470 int LUKS_read_phdr_backup(const char *backup_file,
471 struct luks_phdr *hdr,
472 int require_luks_device,
473 struct crypt_device *ctx)
475 ssize_t hdr_size = sizeof(struct luks_phdr);
476 int devfd = 0, r = 0;
478 log_dbg("Reading LUKS header of size %d from backup file %s",
479 (int)hdr_size, backup_file);
481 devfd = open(backup_file, O_RDONLY);
483 log_err(ctx, _("Cannot open file %s.\n"), backup_file);
487 if (read(devfd, hdr, hdr_size) < hdr_size)
490 LUKS_fix_header_compatible(hdr);
491 r = _check_and_convert_hdr(backup_file, hdr,
492 require_luks_device, 0, ctx);
499 int LUKS_read_phdr(struct luks_phdr *hdr,
500 int require_luks_device,
502 struct crypt_device *ctx)
504 struct device *device = crypt_metadata_device(ctx);
505 ssize_t hdr_size = sizeof(struct luks_phdr);
506 int devfd = 0, r = 0;
508 /* LUKS header starts at offset 0, first keyslot on LUKS_ALIGN_KEYSLOTS */
509 assert(sizeof(struct luks_phdr) <= LUKS_ALIGN_KEYSLOTS);
511 /* Stripes count cannot be changed without additional code fixes yet */
512 assert(LUKS_STRIPES == 4000);
514 if (repair && !require_luks_device)
517 log_dbg("Reading LUKS header of size %d from device %s",
518 hdr_size, device_path(device));
520 devfd = open(device_path(device), O_RDONLY | O_DIRECT | O_SYNC);
522 log_err(ctx, _("Cannot open device %s.\n"), device_path(device));
526 if (read_blockwise(devfd, device_block_size(device), hdr, hdr_size) < hdr_size)
529 r = _check_and_convert_hdr(device_path(device), hdr, require_luks_device,
533 r = LUKS_check_device_size(ctx, hdr->keyBytes);
539 int LUKS_write_phdr(struct luks_phdr *hdr,
540 struct crypt_device *ctx)
542 struct device *device = crypt_metadata_device(ctx);
543 ssize_t hdr_size = sizeof(struct luks_phdr);
546 struct luks_phdr convHdr;
549 log_dbg("Updating LUKS header of size %d on device %s",
550 sizeof(struct luks_phdr), device_path(device));
552 r = LUKS_check_device_size(ctx, hdr->keyBytes);
556 devfd = open(device_path(device), O_RDWR | O_DIRECT | O_SYNC);
559 log_err(ctx, _("Cannot write to device %s, permission denied.\n"),
560 device_path(device));
562 log_err(ctx, _("Cannot open device %s.\n"), device_path(device));
566 memcpy(&convHdr, hdr, hdr_size);
567 memset(&convHdr._padding, 0, sizeof(convHdr._padding));
569 /* Convert every uint16/32_t item to network byte order */
570 convHdr.version = htons(hdr->version);
571 convHdr.payloadOffset = htonl(hdr->payloadOffset);
572 convHdr.keyBytes = htonl(hdr->keyBytes);
573 convHdr.mkDigestIterations = htonl(hdr->mkDigestIterations);
574 for(i = 0; i < LUKS_NUMKEYS; ++i) {
575 convHdr.keyblock[i].active = htonl(hdr->keyblock[i].active);
576 convHdr.keyblock[i].passwordIterations = htonl(hdr->keyblock[i].passwordIterations);
577 convHdr.keyblock[i].keyMaterialOffset = htonl(hdr->keyblock[i].keyMaterialOffset);
578 convHdr.keyblock[i].stripes = htonl(hdr->keyblock[i].stripes);
581 r = write_blockwise(devfd, device_block_size(device), &convHdr, hdr_size) < hdr_size ? -EIO : 0;
583 log_err(ctx, _("Error during update of LUKS header on device %s.\n"), device_path(device));
586 /* Re-read header from disk to be sure that in-memory and on-disk data are the same. */
588 r = LUKS_read_phdr(hdr, 1, 0, ctx);
590 log_err(ctx, _("Error re-reading LUKS header after update on device %s.\n"),
591 device_path(device));
597 static int LUKS_PBKDF2_performance_check(const char *hashSpec,
598 uint64_t *PBKDF2_per_sec,
599 struct crypt_device *ctx)
601 if (!*PBKDF2_per_sec) {
602 if (PBKDF2_performance_check(hashSpec, PBKDF2_per_sec) < 0) {
603 log_err(ctx, _("Not compatible PBKDF2 options (using hash algorithm %s).\n"), hashSpec);
606 log_dbg("PBKDF2: %" PRIu64 " iterations per second using hash %s.", *PBKDF2_per_sec, hashSpec);
612 int LUKS_generate_phdr(struct luks_phdr *header,
613 const struct volume_key *vk,
614 const char *cipherName, const char *cipherMode, const char *hashSpec,
615 const char *uuid, unsigned int stripes,
616 unsigned int alignPayload,
617 unsigned int alignOffset,
618 uint32_t iteration_time_ms,
619 uint64_t *PBKDF2_per_sec,
620 int detached_metadata_device,
621 struct crypt_device *ctx)
624 unsigned int blocksPerStripeSet = AF_split_sectors(vk->keylength, stripes);
626 uuid_t partitionUuid;
628 char luksMagic[] = LUKS_MAGIC;
630 /* For separate metadata device allow zero alignment */
631 if (alignPayload == 0 && !detached_metadata_device)
632 alignPayload = DEFAULT_DISK_ALIGNMENT / SECTOR_SIZE;
634 if (PBKDF2_HMAC_ready(hashSpec) < 0) {
635 log_err(ctx, _("Requested LUKS hash %s is not supported.\n"), hashSpec);
639 if (uuid && uuid_parse(uuid, partitionUuid) == -1) {
640 log_err(ctx, _("Wrong LUKS UUID format provided.\n"));
644 uuid_generate(partitionUuid);
646 memset(header,0,sizeof(struct luks_phdr));
649 memcpy(header->magic,luksMagic,LUKS_MAGIC_L);
651 strncpy(header->cipherName,cipherName,LUKS_CIPHERNAME_L);
652 strncpy(header->cipherMode,cipherMode,LUKS_CIPHERMODE_L);
653 strncpy(header->hashSpec,hashSpec,LUKS_HASHSPEC_L);
655 header->keyBytes=vk->keylength;
657 LUKS_fix_header_compatible(header);
659 log_dbg("Generating LUKS header version %d using hash %s, %s, %s, MK %d bytes",
660 header->version, header->hashSpec ,header->cipherName, header->cipherMode,
663 r = crypt_random_get(ctx, header->mkDigestSalt, LUKS_SALTSIZE, CRYPT_RND_SALT);
665 log_err(ctx, _("Cannot create LUKS header: reading random salt failed.\n"));
669 if ((r = LUKS_PBKDF2_performance_check(header->hashSpec, PBKDF2_per_sec, ctx)))
672 /* Compute master key digest */
673 iteration_time_ms /= 8;
674 header->mkDigestIterations = at_least((uint32_t)(*PBKDF2_per_sec/1024) * iteration_time_ms,
675 LUKS_MKD_ITERATIONS_MIN);
677 r = PBKDF2_HMAC(header->hashSpec,vk->key,vk->keylength,
678 header->mkDigestSalt,LUKS_SALTSIZE,
679 header->mkDigestIterations,
680 header->mkDigest,LUKS_DIGESTSIZE);
682 log_err(ctx, _("Cannot create LUKS header: header digest failed (using hash %s).\n"),
687 currentSector = LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE;
688 for(i = 0; i < LUKS_NUMKEYS; ++i) {
689 header->keyblock[i].active = LUKS_KEY_DISABLED;
690 header->keyblock[i].keyMaterialOffset = currentSector;
691 header->keyblock[i].stripes = stripes;
692 currentSector = round_up_modulo(currentSector + blocksPerStripeSet,
693 LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE);
696 if (detached_metadata_device) {
697 /* for separate metadata device use alignPayload directly */
698 header->payloadOffset = alignPayload;
700 /* alignOffset - offset from natural device alignment provided by topology info */
701 currentSector = round_up_modulo(currentSector, alignPayload);
702 header->payloadOffset = currentSector + alignOffset;
705 uuid_unparse(partitionUuid, header->uuid);
707 log_dbg("Data offset %d, UUID %s, digest iterations %" PRIu32,
708 header->payloadOffset, header->uuid, header->mkDigestIterations);
713 int LUKS_hdr_uuid_set(
714 struct luks_phdr *hdr,
716 struct crypt_device *ctx)
718 uuid_t partitionUuid;
720 if (uuid && uuid_parse(uuid, partitionUuid) == -1) {
721 log_err(ctx, _("Wrong LUKS UUID format provided.\n"));
725 uuid_generate(partitionUuid);
727 uuid_unparse(partitionUuid, hdr->uuid);
729 return LUKS_write_phdr(hdr, ctx);
732 int LUKS_set_key(unsigned int keyIndex,
733 const char *password, size_t passwordLen,
734 struct luks_phdr *hdr, struct volume_key *vk,
735 uint32_t iteration_time_ms,
736 uint64_t *PBKDF2_per_sec,
737 struct crypt_device *ctx)
739 struct volume_key *derived_key;
742 uint64_t PBKDF2_temp;
745 if(hdr->keyblock[keyIndex].active != LUKS_KEY_DISABLED) {
746 log_err(ctx, _("Key slot %d active, purge first.\n"), keyIndex);
750 /* LUKS keyslot has always at least 4000 stripes accoding to specification */
751 if(hdr->keyblock[keyIndex].stripes < 4000) {
752 log_err(ctx, _("Key slot %d material includes too few stripes. Header manipulation?\n"),
757 log_dbg("Calculating data for key slot %d", keyIndex);
759 if ((r = LUKS_PBKDF2_performance_check(hdr->hashSpec, PBKDF2_per_sec, ctx)))
763 * Avoid floating point operation
764 * Final iteration count is at least LUKS_SLOT_ITERATIONS_MIN
766 PBKDF2_temp = (*PBKDF2_per_sec / 2) * (uint64_t)iteration_time_ms;
768 if (PBKDF2_temp > UINT32_MAX)
769 PBKDF2_temp = UINT32_MAX;
770 hdr->keyblock[keyIndex].passwordIterations = at_least((uint32_t)PBKDF2_temp,
771 LUKS_SLOT_ITERATIONS_MIN);
773 log_dbg("Key slot %d use %d password iterations.", keyIndex, hdr->keyblock[keyIndex].passwordIterations);
775 derived_key = crypt_alloc_volume_key(hdr->keyBytes, NULL);
779 r = crypt_random_get(ctx, hdr->keyblock[keyIndex].passwordSalt,
780 LUKS_SALTSIZE, CRYPT_RND_SALT);
784 r = PBKDF2_HMAC(hdr->hashSpec, password,passwordLen,
785 hdr->keyblock[keyIndex].passwordSalt,LUKS_SALTSIZE,
786 hdr->keyblock[keyIndex].passwordIterations,
787 derived_key->key, hdr->keyBytes);
792 * AF splitting, the masterkey stored in vk->key is split to AfKey
794 assert(vk->keylength == hdr->keyBytes);
795 AFEKSize = AF_split_sectors(vk->keylength, hdr->keyblock[keyIndex].stripes) * SECTOR_SIZE;
796 AfKey = crypt_safe_alloc(AFEKSize);
802 log_dbg("Using hash %s for AF in key slot %d, %d stripes",
803 hdr->hashSpec, keyIndex, hdr->keyblock[keyIndex].stripes);
804 r = AF_split(vk->key,AfKey,vk->keylength,hdr->keyblock[keyIndex].stripes,hdr->hashSpec);
808 log_dbg("Updating key slot %d [0x%04x] area.", keyIndex,
809 hdr->keyblock[keyIndex].keyMaterialOffset << 9);
810 /* Encryption via dm */
811 r = LUKS_encrypt_to_storage(AfKey,
815 hdr->keyblock[keyIndex].keyMaterialOffset,
820 /* Mark the key as active in phdr */
821 r = LUKS_keyslot_set(hdr, (int)keyIndex, 1);
825 r = LUKS_write_phdr(hdr, ctx);
831 crypt_safe_free(AfKey);
832 crypt_free_volume_key(derived_key);
836 /* Check whether a volume key is invalid. */
837 int LUKS_verify_volume_key(const struct luks_phdr *hdr,
838 const struct volume_key *vk)
840 char checkHashBuf[LUKS_DIGESTSIZE];
842 if (PBKDF2_HMAC(hdr->hashSpec, vk->key, vk->keylength,
843 hdr->mkDigestSalt, LUKS_SALTSIZE,
844 hdr->mkDigestIterations, checkHashBuf,
845 LUKS_DIGESTSIZE) < 0)
848 if (memcmp(checkHashBuf, hdr->mkDigest, LUKS_DIGESTSIZE))
854 /* Try to open a particular key slot */
855 static int LUKS_open_key(unsigned int keyIndex,
856 const char *password,
858 struct luks_phdr *hdr,
859 struct volume_key *vk,
860 struct crypt_device *ctx)
862 crypt_keyslot_info ki = LUKS_keyslot_info(hdr, keyIndex);
863 struct volume_key *derived_key;
868 log_dbg("Trying to open key slot %d [%s].", keyIndex,
871 if (ki < CRYPT_SLOT_ACTIVE)
874 derived_key = crypt_alloc_volume_key(hdr->keyBytes, NULL);
878 assert(vk->keylength == hdr->keyBytes);
879 AFEKSize = AF_split_sectors(vk->keylength, hdr->keyblock[keyIndex].stripes) * SECTOR_SIZE;
880 AfKey = crypt_safe_alloc(AFEKSize);
884 r = PBKDF2_HMAC(hdr->hashSpec, password,passwordLen,
885 hdr->keyblock[keyIndex].passwordSalt,LUKS_SALTSIZE,
886 hdr->keyblock[keyIndex].passwordIterations,
887 derived_key->key, hdr->keyBytes);
891 log_dbg("Reading key slot %d area.", keyIndex);
892 r = LUKS_decrypt_from_storage(AfKey,
896 hdr->keyblock[keyIndex].keyMaterialOffset,
901 r = AF_merge(AfKey,vk->key,vk->keylength,hdr->keyblock[keyIndex].stripes,hdr->hashSpec);
905 r = LUKS_verify_volume_key(hdr, vk);
907 log_verbose(ctx, _("Key slot %d unlocked.\n"), keyIndex);
909 crypt_safe_free(AfKey);
910 crypt_free_volume_key(derived_key);
914 int LUKS_open_key_with_hdr(int keyIndex,
915 const char *password,
917 struct luks_phdr *hdr,
918 struct volume_key **vk,
919 struct crypt_device *ctx)
924 *vk = crypt_alloc_volume_key(hdr->keyBytes, NULL);
927 r = LUKS_open_key(keyIndex, password, passwordLen, hdr, *vk, ctx);
928 return (r < 0) ? r : keyIndex;
931 for(i = 0; i < LUKS_NUMKEYS; i++) {
932 r = LUKS_open_key(i, password, passwordLen, hdr, *vk, ctx);
936 /* Do not retry for errors that are no -EPERM or -ENOENT,
937 former meaning password wrong, latter key slot inactive */
938 if ((r != -EPERM) && (r != -ENOENT))
941 /* Warning, early returns above */
942 log_err(ctx, _("No key available with this passphrase.\n"));
946 int LUKS_del_key(unsigned int keyIndex,
947 struct luks_phdr *hdr,
948 struct crypt_device *ctx)
950 struct device *device = crypt_metadata_device(ctx);
951 unsigned int startOffset, endOffset;
954 r = LUKS_read_phdr(hdr, 1, 0, ctx);
958 r = LUKS_keyslot_set(hdr, keyIndex, 0);
960 log_err(ctx, _("Key slot %d is invalid, please select keyslot between 0 and %d.\n"),
961 keyIndex, LUKS_NUMKEYS - 1);
965 /* secure deletion of key material */
966 startOffset = hdr->keyblock[keyIndex].keyMaterialOffset;
967 endOffset = startOffset + AF_split_sectors(hdr->keyBytes, hdr->keyblock[keyIndex].stripes);
969 r = crypt_wipe(device, startOffset * SECTOR_SIZE,
970 (endOffset - startOffset) * SECTOR_SIZE,
974 log_err(ctx, _("Cannot write to device %s, permission denied.\n"),
975 device_path(device));
978 log_err(ctx, _("Cannot wipe device %s.\n"),
979 device_path(device));
983 /* Wipe keyslot info */
984 memset(&hdr->keyblock[keyIndex].passwordSalt, 0, LUKS_SALTSIZE);
985 hdr->keyblock[keyIndex].passwordIterations = 0;
987 r = LUKS_write_phdr(hdr, ctx);
992 crypt_keyslot_info LUKS_keyslot_info(struct luks_phdr *hdr, int keyslot)
996 if(keyslot >= LUKS_NUMKEYS || keyslot < 0)
997 return CRYPT_SLOT_INVALID;
999 if (hdr->keyblock[keyslot].active == LUKS_KEY_DISABLED)
1000 return CRYPT_SLOT_INACTIVE;
1002 if (hdr->keyblock[keyslot].active != LUKS_KEY_ENABLED)
1003 return CRYPT_SLOT_INVALID;
1005 for(i = 0; i < LUKS_NUMKEYS; i++)
1006 if(i != keyslot && hdr->keyblock[i].active == LUKS_KEY_ENABLED)
1007 return CRYPT_SLOT_ACTIVE;
1009 return CRYPT_SLOT_ACTIVE_LAST;
1012 int LUKS_keyslot_find_empty(struct luks_phdr *hdr)
1016 for (i = 0; i < LUKS_NUMKEYS; i++)
1017 if(hdr->keyblock[i].active == LUKS_KEY_DISABLED)
1020 if (i == LUKS_NUMKEYS)
1026 int LUKS_keyslot_active_count(struct luks_phdr *hdr)
1030 for (i = 0; i < LUKS_NUMKEYS; i++)
1031 if(hdr->keyblock[i].active == LUKS_KEY_ENABLED)
1037 int LUKS_keyslot_set(struct luks_phdr *hdr, int keyslot, int enable)
1039 crypt_keyslot_info ki = LUKS_keyslot_info(hdr, keyslot);
1041 if (ki == CRYPT_SLOT_INVALID)
1044 hdr->keyblock[keyslot].active = enable ? LUKS_KEY_ENABLED : LUKS_KEY_DISABLED;
1045 log_dbg("Key slot %d was %s in LUKS header.", keyslot, enable ? "enabled" : "disabled");
1049 int LUKS1_activate(struct crypt_device *cd,
1051 struct volume_key *vk,
1055 char *dm_cipher = NULL;
1056 enum devcheck device_check;
1057 struct crypt_dm_active_device dmd = {
1059 .uuid = crypt_get_uuid(cd),
1062 .data_device = crypt_data_device(cd),
1066 .offset = crypt_get_data_offset(cd),
1071 if (dmd.flags & CRYPT_ACTIVATE_SHARED)
1072 device_check = DEV_SHARED;
1074 device_check = DEV_EXCL;
1076 r = device_block_adjust(cd, dmd.data_device, device_check,
1077 dmd.u.crypt.offset, &dmd.size, &dmd.flags);
1081 r = asprintf(&dm_cipher, "%s-%s", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
1085 dmd.u.crypt.cipher = dm_cipher;
1086 r = dm_create_device(cd, name, CRYPT_LUKS1, &dmd, 0);