2 * LUKS - Linux Unified Key Setup v2
4 * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2015-2023 Milan Broz
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #ifndef _CRYPTSETUP_LUKS2_INTERNAL_H
23 #define _CRYPTSETUP_LUKS2_INTERNAL_H
27 #include <json-c/json.h>
32 /* override useless forward slash escape when supported by json-c */
33 #ifndef JSON_C_TO_STRING_NOSLASHESCAPE
34 #define JSON_C_TO_STRING_NOSLASHESCAPE 0
38 * On-disk access function prototypes
40 int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
41 struct device *device, int do_recovery, int do_blkprobe);
42 int LUKS2_disk_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr,
43 struct device *device, bool seqid_check);
44 int LUKS2_device_write_lock(struct crypt_device *cd,
45 struct luks2_hdr *hdr, struct device *device);
48 * JSON struct access helpers
50 json_object *LUKS2_get_keyslot_jobj(struct luks2_hdr *hdr, int keyslot);
51 json_object *LUKS2_get_token_jobj(struct luks2_hdr *hdr, int token);
52 json_object *LUKS2_get_digest_jobj(struct luks2_hdr *hdr, int digest);
53 json_object *LUKS2_get_segment_jobj(struct luks2_hdr *hdr, int segment);
54 json_object *LUKS2_get_tokens_jobj(struct luks2_hdr *hdr);
55 json_object *LUKS2_get_segments_jobj(struct luks2_hdr *hdr);
57 void hexprint_base64(struct crypt_device *cd, json_object *jobj,
58 const char *sep, const char *line_sep);
60 uint64_t crypt_jobj_get_uint64(json_object *jobj);
61 uint32_t crypt_jobj_get_uint32(json_object *jobj);
62 json_object *crypt_jobj_new_uint64(uint64_t value);
64 int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val);
65 void json_object_object_del_by_uint(json_object *jobj, unsigned key);
66 int json_object_copy(json_object *jobj_src, json_object **jobj_dst);
68 void JSON_DBG(struct crypt_device *cd, json_object *jobj, const char *desc);
71 * LUKS2 JSON validation
74 /* validation helper */
75 bool validate_json_uint32(json_object *jobj);
76 json_object *json_contains(struct crypt_device *cd, json_object *jobj, const char *name,
77 const char *section, const char *key, json_type type);
78 json_object *json_contains_string(struct crypt_device *cd, json_object *jobj,
79 const char *name, const char *section, const char *key);
81 int LUKS2_hdr_validate(struct crypt_device *cd, json_object *hdr_jobj, uint64_t json_size);
82 int LUKS2_check_json_size(struct crypt_device *cd, const struct luks2_hdr *hdr);
83 int LUKS2_token_validate(struct crypt_device *cd, json_object *hdr_jobj,
84 json_object *jobj_token, const char *key);
85 void LUKS2_token_dump(struct crypt_device *cd, int token);
88 * LUKS2 JSON repair for known glitches
90 void LUKS2_hdr_repair(struct crypt_device *cd, json_object *jobj_hdr);
91 void LUKS2_keyslots_repair(struct crypt_device *cd, json_object *jobj_hdr);
96 json_object *LUKS2_array_jobj(json_object *array, const char *num);
97 json_object *LUKS2_array_remove(json_object *array, const char *num);
104 * LUKS2 keyslots handlers (EXPERIMENTAL)
106 typedef int (*keyslot_alloc_func)(struct crypt_device *cd, int keyslot,
107 size_t volume_key_len,
108 const struct luks2_keyslot_params *params);
109 typedef int (*keyslot_update_func)(struct crypt_device *cd, int keyslot,
110 const struct luks2_keyslot_params *params);
111 typedef int (*keyslot_open_func) (struct crypt_device *cd, int keyslot,
112 const char *password, size_t password_len,
113 char *volume_key, size_t volume_key_len);
114 typedef int (*keyslot_store_func)(struct crypt_device *cd, int keyslot,
115 const char *password, size_t password_len,
116 const char *volume_key, size_t volume_key_len);
117 typedef int (*keyslot_wipe_func) (struct crypt_device *cd, int keyslot);
118 typedef int (*keyslot_dump_func) (struct crypt_device *cd, int keyslot);
119 typedef int (*keyslot_validate_func) (struct crypt_device *cd, json_object *jobj_keyslot);
120 typedef void(*keyslot_repair_func) (json_object *jobj_keyslot);
122 /* see LUKS2_luks2_to_luks1 */
123 int placeholder_keyslot_alloc(struct crypt_device *cd,
125 uint64_t area_offset,
126 uint64_t area_length);
128 /* validate all keyslot implementations in hdr json */
129 int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj);
133 keyslot_alloc_func alloc;
134 keyslot_update_func update;
135 keyslot_open_func open;
136 keyslot_store_func store;
137 keyslot_wipe_func wipe;
138 keyslot_dump_func dump;
139 keyslot_validate_func validate;
140 keyslot_repair_func repair;
143 struct reenc_protection {
144 enum { REENC_PROTECTION_NOT_SET = 0,
145 REENC_PROTECTION_NONE,
146 REENC_PROTECTION_CHECKSUM,
147 REENC_PROTECTION_JOURNAL,
148 REENC_PROTECTION_DATASHIFT } type;
152 char hash[LUKS2_CHECKSUM_ALG_L];
153 struct crypt_hash *ch;
155 /* buffer for checksums */
157 size_t checksums_len;
167 * LUKS2 digest handlers (EXPERIMENTAL)
169 typedef int (*digest_verify_func)(struct crypt_device *cd, int digest,
170 const char *volume_key, size_t volume_key_len);
171 typedef int (*digest_store_func) (struct crypt_device *cd, int digest,
172 const char *volume_key, size_t volume_key_len);
173 typedef int (*digest_dump_func) (struct crypt_device *cd, int digest);
177 digest_verify_func verify;
178 digest_store_func store;
179 digest_dump_func dump;
182 int keyring_open(struct crypt_device *cd,
188 void keyring_dump(struct crypt_device *cd, const char *json);
190 int keyring_validate(struct crypt_device *cd, const char *json);
192 void keyring_buffer_free(void *buffer, size_t buffer_size);
194 struct crypt_token_handler_v2 {
196 crypt_token_open_func open;
197 crypt_token_buffer_free_func buffer_free;
198 crypt_token_validate_func validate;
199 crypt_token_dump_func dump;
201 /* here ends v1. Do not touch anything above */
203 crypt_token_open_pin_func open_pin;
204 crypt_token_version_func version;
210 * Initial sequence of structure members in union 'u' must be always
211 * identical. Version 4 must fully contain version 3 which must
212 * subsequently fully contain version 2, etc.
214 * See C standard, section 6.5.2.3, item 5.
216 struct crypt_token_handler_internal {
219 crypt_token_handler v1; /* deprecated public structure */
220 struct crypt_token_handler_v2 v2; /* internal helper v2 structure */
224 int LUKS2_find_area_gap(struct crypt_device *cd, struct luks2_hdr *hdr,
225 size_t keylength, uint64_t *area_offset, uint64_t *area_length);
226 int LUKS2_find_area_max_gap(struct crypt_device *cd, struct luks2_hdr *hdr,
227 uint64_t *area_offset, uint64_t *area_length);
229 uint64_t LUKS2_hdr_and_areas_size_jobj(json_object *jobj);
231 int LUKS2_check_cipher(struct crypt_device *cd,
234 const char *cipher_mode);
236 static inline const char *crypt_reencrypt_mode_to_str(crypt_reencrypt_mode_info mi)
238 if (mi == CRYPT_REENCRYPT_REENCRYPT)
240 if (mi == CRYPT_REENCRYPT_ENCRYPT)
242 if (mi == CRYPT_REENCRYPT_DECRYPT)
248 * Generic LUKS2 keyslot
250 int LUKS2_keyslot_reencrypt_store(struct crypt_device *cd,
251 struct luks2_hdr *hdr,
254 size_t buffer_length);
256 int LUKS2_keyslot_reencrypt_allocate(struct crypt_device *cd,
257 struct luks2_hdr *hdr,
259 const struct crypt_params_reencrypt *params,
262 int LUKS2_keyslot_reencrypt_update_needed(struct crypt_device *cd,
263 struct luks2_hdr *hdr,
265 const struct crypt_params_reencrypt *params,
268 int LUKS2_keyslot_reencrypt_update(struct crypt_device *cd,
269 struct luks2_hdr *hdr,
271 const struct crypt_params_reencrypt *params,
273 struct volume_key *vks);
275 int LUKS2_keyslot_reencrypt_load(struct crypt_device *cd,
276 struct luks2_hdr *hdr,
278 struct reenc_protection *rp,
281 int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd,
282 struct luks2_hdr *hdr,
284 struct volume_key *vks);
286 int LUKS2_keyslot_dump(struct crypt_device *cd,
289 int LUKS2_keyslot_jobj_area(json_object *jobj_keyslot, uint64_t *offset, uint64_t *length);
292 uint64_t json_segment_get_offset(json_object *jobj_segment, unsigned blockwise);
293 const char *json_segment_type(json_object *jobj_segment);
294 uint64_t json_segment_get_iv_offset(json_object *jobj_segment);
295 uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise);
296 const char *json_segment_get_cipher(json_object *jobj_segment);
297 uint32_t json_segment_get_sector_size(json_object *jobj_segment);
298 bool json_segment_is_backup(json_object *jobj_segment);
299 json_object *json_segments_get_segment(json_object *jobj_segments, int segment);
300 unsigned json_segments_count(json_object *jobj_segments);
301 void json_segment_remove_flag(json_object *jobj_segment, const char *flag);
302 uint64_t json_segments_get_minimal_offset(json_object *jobj_segments, unsigned blockwise);
303 json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length, unsigned reencryption);
304 json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length, const char *cipher, uint32_t sector_size, unsigned reencryption);
305 int json_segments_segment_in_reencrypt(json_object *jobj_segments);
306 bool json_segment_cmp(json_object *jobj_segment_1, json_object *jobj_segment_2);
307 bool json_segment_contains_flag(json_object *jobj_segment, const char *flag_str, size_t len);
309 int LUKS2_assembly_multisegment_dmd(struct crypt_device *cd,
310 struct luks2_hdr *hdr,
311 struct volume_key *vks,
312 json_object *jobj_segments,
313 struct crypt_dm_active_device *dmd);
316 * Generic LUKS2 segment
318 int LUKS2_segments_count(struct luks2_hdr *hdr);
320 int LUKS2_segment_first_unused_id(struct luks2_hdr *hdr);
322 int LUKS2_segment_set_flag(json_object *jobj_segment, const char *flag);
324 json_object *LUKS2_get_segment_by_flag(struct luks2_hdr *hdr, const char *flag);
326 int LUKS2_get_segment_id_by_flag(struct luks2_hdr *hdr, const char *flag);
328 int LUKS2_segments_set(struct crypt_device *cd,
329 struct luks2_hdr *hdr,
330 json_object *jobj_segments,
333 uint64_t LUKS2_segment_offset(struct luks2_hdr *hdr,
337 uint64_t LUKS2_segment_size(struct luks2_hdr *hdr,
341 int LUKS2_segment_is_type(struct luks2_hdr *hdr,
345 int LUKS2_segment_by_type(struct luks2_hdr *hdr,
348 int LUKS2_last_segment_by_type(struct luks2_hdr *hdr,
351 int LUKS2_get_default_segment(struct luks2_hdr *hdr);
353 int LUKS2_reencrypt_digest_new(struct luks2_hdr *hdr);
354 int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr);
355 int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise);
358 * Generic LUKS2 digest
360 int LUKS2_digest_verify_by_digest(struct crypt_device *cd,
362 const struct volume_key *vk);
364 void LUKS2_digests_erase_unused(struct crypt_device *cd,
365 struct luks2_hdr *hdr);
367 int LUKS2_digest_dump(struct crypt_device *cd,
371 * Generic LUKS2 token
373 int LUKS2_tokens_count(struct luks2_hdr *hdr);
378 int LUKS2_reload(struct crypt_device *cd,
380 struct volume_key *vks,
381 uint64_t device_size,
384 int LUKS2_keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment);
385 int LUKS2_find_keyslot(struct luks2_hdr *hdr, const char *type);
386 int LUKS2_set_keyslots_size(struct luks2_hdr *hdr, uint64_t data_offset);