projects / platform / upstream / cryptsetup.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix po files.
[platform/upstream/cryptsetup.git] / lib / setup.c
1 #include <string.h>
2 #include <stdio.h>
3 #include <stdlib.h>
4 #include <stdarg.h>
5 #include <fcntl.h>
6 #include <errno.h>
7
8 #include "libcryptsetup.h"
9 #include "luks.h"
10 #include "loopaes.h"
11 #include "internal.h"
12 #include "crypto_backend.h"
13
14 struct crypt_device {
15         char *type;
16
17         char *device;
18         struct volume_key *volume_key;
19         uint64_t timeout;
20         uint64_t iteration_time;
21         int tries;
22         int password_verify;
23         int rng_type;
24
25         /* used in CRYPT_LUKS1 */
26         struct luks_phdr hdr;
27         uint64_t PBKDF2_per_sec;
28
29         /* used in CRYPT_PLAIN */
30         struct crypt_params_plain plain_hdr;
31         char *plain_cipher;
32         char *plain_cipher_mode;
33         char *plain_uuid;
34
35         /* used in CRYPT_LOOPAES */
36         struct crypt_params_loopaes loopaes_hdr;
37         char *loopaes_cipher;
38         char *loopaes_cipher_mode;
39         char *loopaes_uuid;
40         unsigned int loopaes_key_size;
41
42         /* callbacks definitions */
43         void (*log)(int level, const char *msg, void *usrptr);
44         void *log_usrptr;
45         int (*confirm)(const char *msg, void *usrptr);
46         void *confirm_usrptr;
47         int (*password)(const char *msg, char *buf, size_t length, void *usrptr);
48         void *password_usrptr;
49 };
50
51 /* Log helper */
52 static void (*_default_log)(int level, const char *msg, void *usrptr) = NULL;
53 static int _debug_level = 0;
54
55 void crypt_set_debug_level(int level)
56 {
57         _debug_level = level;
58 }
59
60 int crypt_get_debug_level()
61 {
62         return _debug_level;
63 }
64
65 void crypt_log(struct crypt_device *cd, int level, const char *msg)
66 {
67         if (cd && cd->log)
68                 cd->log(level, msg, cd->log_usrptr);
69         else if (_default_log)
70                 _default_log(level, msg, NULL);
71 }
72
73 void logger(struct crypt_device *cd, int level, const char *file,
74             int line, const char *format, ...)
75 {
76         va_list argp;
77         char *target = NULL;
78
79         va_start(argp, format);
80
81         if (vasprintf(&target, format, argp) > 0) {
82                 if (level >= 0) {
83                         crypt_log(cd, level, target);
84 #ifdef CRYPT_DEBUG
85                 } else if (_debug_level)
86                         printf("# %s:%d %s\n", file ?: "?", line, target);
87 #else
88                 } else if (_debug_level)
89                         printf("# %s\n", target);
90 #endif
91         }
92
93         va_end(argp);
94         free(target);
95 }
96
97 static int init_crypto(struct crypt_device *ctx)
98 {
99         int r;
100
101         r = crypt_random_init(ctx);
102         if (r < 0) {
103                 log_err(ctx, _("Cannot initialize crypto RNG backend.\n"));
104                 return r;
105         }
106
107         r = crypt_backend_init(ctx);
108         if (r < 0)
109                 log_err(ctx, _("Cannot initialize crypto backend.\n"));
110
111         return r;
112 }
113
114 /*
115  * Password processing behaviour matrix of process_key
116  *
117  * from binary file: check if there is sufficently large key material
118  * interactive & from fd: hash if requested, otherwise crop or pad with '0'
119  */
120 static char *process_key(struct crypt_device *cd, const char *hash_name,
121                          const char *key_file, size_t key_size,
122                          const char *pass, size_t passLen)
123 {
124         char *key;
125
126         if (!key_size)
127                 return NULL;
128
129         key = crypt_safe_alloc(key_size);
130         memset(key, 0, key_size);
131
132         /* key is coming from binary file */
133         if (key_file && strcmp(key_file, "-")) {
134                 if(passLen < key_size) {
135                         log_err(cd, _("Cannot not read %d bytes from key file %s.\n"),
136                                 key_size, key_file);
137                         crypt_safe_free(key);
138                         return NULL;
139                 }
140                 memcpy(key, pass, key_size);
141                 return key;
142         }
143
144         /* key is coming from tty, fd or binary stdin */
145         if (hash_name) {
146                 if (crypt_plain_hash(cd, hash_name, key, key_size, pass, passLen) < 0) {
147                         log_err(cd, _("Key processing error (using hash algorithm %s).\n"),
148                                 hash_name);
149                         crypt_safe_free(key);
150                         return NULL;
151                 }
152         } else if (passLen > key_size) {
153                 memcpy(key, pass, key_size);
154         } else {
155                 memcpy(key, pass, passLen);
156         }
157
158         return key;
159 }
160
161 static int isPLAIN(const char *type)
162 {
163         return (type && !strcmp(CRYPT_PLAIN, type));
164 }
165
166 static int isLUKS(const char *type)
167 {
168         return (type && !strcmp(CRYPT_LUKS1, type));
169 }
170
171 static int isLOOPAES(const char *type)
172 {
173         return (type && !strcmp(CRYPT_LOOPAES, type));
174 }
175
176 /* keyslot helpers */
177 static int keyslot_verify_or_find_empty(struct crypt_device *cd, int *keyslot)
178 {
179         if (*keyslot == CRYPT_ANY_SLOT) {
180                 *keyslot = LUKS_keyslot_find_empty(&cd->hdr);
181                 if (*keyslot < 0) {
182                         log_err(cd, _("All key slots full.\n"));
183                         return -EINVAL;
184                 }
185         }
186
187         switch (LUKS_keyslot_info(&cd->hdr, *keyslot)) {
188                 case CRYPT_SLOT_INVALID:
189                         log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
190                                 *keyslot, LUKS_NUMKEYS - 1);
191                         return -EINVAL;
192                 case CRYPT_SLOT_INACTIVE:
193                         break;
194                 default:
195                         log_err(cd, _("Key slot %d is full, please select another one.\n"),
196                                 *keyslot);
197                         return -EINVAL;
198         }
199
200         return 0;
201 }
202
203 static int verify_other_keyslot(struct crypt_device *cd,
204                                 const char *key_file,
205                                 int keyIndex)
206 {
207         struct volume_key *vk = NULL;
208         crypt_keyslot_info ki;
209         int openedIndex, r;
210         char *password = NULL;
211         unsigned int passwordLen;
212
213         r = crypt_get_key(_("Enter any remaining LUKS passphrase: "),
214                           &password, &passwordLen, 0, key_file, cd->timeout,
215                           cd->password_verify, cd);
216         if(r < 0)
217                 goto out;
218
219         ki = crypt_keyslot_status(cd, keyIndex);
220         if (ki == CRYPT_SLOT_ACTIVE) /* Not last slot */
221                 LUKS_keyslot_set(&cd->hdr, keyIndex, 0);
222
223         openedIndex = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT,
224                                              password, passwordLen,
225                                              &cd->hdr, &vk, cd);
226
227         if (ki == CRYPT_SLOT_ACTIVE)
228                 LUKS_keyslot_set(&cd->hdr, keyIndex, 1);
229
230         if (openedIndex < 0)
231                 r = -EPERM;
232         else
233                 log_verbose(cd, _("Key slot %d verified.\n"), openedIndex);
234 out:
235         crypt_free_volume_key(vk);
236         crypt_safe_free(password);
237         return r;
238 }
239
240 static int find_keyslot_by_passphrase(struct crypt_device *cd,
241                                       const char *key_file,
242                                       char *message)
243 {
244         struct volume_key *vk = NULL;
245         char *password = NULL;
246         unsigned int passwordLen;
247         int r;
248
249         r = crypt_get_key(message,&password,&passwordLen, 0, key_file,
250                           cd->timeout, cd->password_verify, cd);
251         if (r < 0)
252                 goto out;
253
254         r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
255                                    passwordLen, &cd->hdr, &vk, cd);
256 out:
257         crypt_free_volume_key(vk);
258         crypt_safe_free(password);
259         return r;
260 }
261
262 static int luks_remove_helper(struct crypt_device *cd,
263                               int key_slot,
264                               const char *other_key_file,
265                               const char *key_file,
266                               int verify)
267 {
268         crypt_keyslot_info ki;
269         int r = -EINVAL;
270
271         if (key_slot == CRYPT_ANY_SLOT) {
272                 key_slot = find_keyslot_by_passphrase(cd, key_file,
273                                 _("Enter LUKS passphrase to be deleted: "));
274                 if(key_slot < 0) {
275                         r = -EPERM;
276                         goto out;
277                 }
278
279                 log_std(cd, _("Key slot %d selected for deletion.\n"), key_slot);
280         }
281
282         ki = crypt_keyslot_status(cd, key_slot);
283         if (ki == CRYPT_SLOT_INVALID) {
284                 log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
285                         key_slot, LUKS_NUMKEYS - 1);
286                 r = -EINVAL;
287                 goto out;
288         }
289         if (ki <= CRYPT_SLOT_INACTIVE) {
290                 log_err(cd, _("Key %d not active. Can't wipe.\n"), key_slot);
291                 r = -EINVAL;
292                 goto out;
293         }
294
295         if (ki == CRYPT_SLOT_ACTIVE_LAST && cd->confirm &&
296             !(cd->confirm(_("This is the last keyslot."
297                             " Device will become unusable after purging this key."),
298                          cd->confirm_usrptr))) {
299                 r = -EINVAL;
300                 goto out;
301         }
302
303         if(verify)
304                 r = verify_other_keyslot(cd, other_key_file, key_slot);
305         else
306                 r = 0;
307
308         if (!r)
309                 r = crypt_keyslot_destroy(cd, key_slot);
310 out:
311         return (r < 0) ? r : 0;
312 }
313
314 static int create_device_helper(struct crypt_device *cd,
315                                 const char *name,
316                                 const char *hash,
317                                 const char *cipher,
318                                 const char *cipher_mode,
319                                 const char *key_file,
320                                 const char *key,
321                                 unsigned int keyLen,
322                                 int key_size,
323                                 uint64_t size,
324                                 uint64_t skip,
325                                 uint64_t offset,
326                                 const char *uuid,
327                                 int read_only,
328                                 unsigned int flags,
329                                 int reload)
330 {
331         crypt_status_info ci;
332         char *dm_cipher = NULL;
333         char *processed_key = NULL;
334         int r;
335
336         if (!name)
337                 return -EINVAL;
338
339         ci = crypt_status(cd, name);
340         if (ci == CRYPT_INVALID)
341                 return -EINVAL;
342
343         if (reload && ci < CRYPT_ACTIVE)
344                 return -EINVAL;
345
346         if (!reload && ci >= CRYPT_ACTIVE) {
347                 log_err(cd, _("Device %s already exists.\n"), name);
348                 return -EEXIST;
349         }
350
351         if (key_size < 0 || key_size > 1024) {
352                 log_err(cd, _("Invalid key size %d.\n"), key_size);
353                 return -EINVAL;
354         }
355
356         r = device_check_and_adjust(cd, cd->device, !reload, &size, &offset, &read_only);
357         if (r)
358                 return r;
359
360         if (cipher_mode && asprintf(&dm_cipher, "%s-%s", cipher, cipher_mode) < 0)
361                 return -ENOMEM;
362
363         processed_key = process_key(cd, hash, key_file, key_size, key, keyLen);
364         if (!processed_key) {
365                 r = -ENOENT;
366                 goto out;
367         }
368
369         r = dm_create_device(name, cd->device, dm_cipher ?: cipher, cd->type, uuid, size, skip, offset,
370                              key_size, processed_key, read_only, reload);
371 out:
372         free(dm_cipher);
373         crypt_safe_free(processed_key);
374         return r;
375 }
376
377 static int open_from_hdr_and_vk(struct crypt_device *cd,
378                                 struct volume_key *vk,
379                                 const char *name,
380                                 uint32_t flags)
381 {
382         uint64_t size, offset;
383         char *cipher;
384         int read_only, no_uuid, r;
385
386         size = 0;
387         offset = crypt_get_data_offset(cd);
388         read_only = flags & CRYPT_ACTIVATE_READONLY;
389         no_uuid = flags & CRYPT_ACTIVATE_NO_UUID;
390
391         r = device_check_and_adjust(cd, cd->device, 1, &size, &offset, &read_only);
392         if (r)
393                 return r;
394
395         if (asprintf(&cipher, "%s-%s", crypt_get_cipher(cd),
396                      crypt_get_cipher_mode(cd)) < 0)
397                 r = -ENOMEM;
398         else
399                 r = dm_create_device(name, cd->device, cipher, cd->type,
400                                      no_uuid ? NULL : crypt_get_uuid(cd),
401                                      size, 0, offset, vk->keylength, vk->key,
402                                      read_only, 0);
403         free(cipher);
404         return r;
405 }
406
407 static void log_wrapper(int level, const char *msg, void *usrptr)
408 {
409         void (*xlog)(int level, char *msg) = usrptr;
410         xlog(level, (char *)msg);
411 }
412
413 static int yesDialog_wrapper(const char *msg, void *usrptr)
414 {
415         int (*xyesDialog)(char *msg) = usrptr;
416         return xyesDialog((char*)msg);
417 }
418
419 int crypt_confirm(struct crypt_device *cd, const char *msg)
420 {
421         if (!cd || !cd->confirm)
422                 return 1;
423         else
424                 return cd->confirm(msg, cd->confirm_usrptr);
425 }
426
427 static int key_from_terminal(struct crypt_device *cd, char *msg, char **key,
428                               unsigned int *key_len, int force_verify)
429 {
430         char *prompt = NULL;
431         int r;
432
433         *key = NULL;
434         if(!msg && asprintf(&prompt, _("Enter passphrase for %s: "),
435                             cd->device) < 0)
436                 return -ENOMEM;
437
438         if (!msg)
439                 msg = prompt;
440
441         if (cd->password) {
442                 *key = crypt_safe_alloc(MAX_TTY_PASSWORD_LEN);
443                 if (!*key) {
444                         r = -ENOMEM;
445                         goto out;
446                 }
447                 r = cd->password(msg, *key, MAX_TTY_PASSWORD_LEN, cd->password_usrptr);
448                 if (r < 0) {
449                         crypt_safe_free(*key);
450                         *key = NULL;
451                 } else
452                         *key_len = r;
453         } else
454                 r = crypt_get_key(msg, key, key_len, 0, NULL, cd->timeout,
455                                   (force_verify || cd->password_verify), cd);
456 out:
457         free(prompt);
458         return (r < 0) ? r: 0;
459 }
460
461 static int volume_key_by_terminal_passphrase(struct crypt_device *cd, int keyslot,
462                                              struct volume_key **vk)
463 {
464         char *passphrase_read = NULL;
465         unsigned int passphrase_size_read;
466         int r = -EINVAL, tries = cd->tries;
467
468         *vk = NULL;
469         do {
470                 crypt_free_volume_key(*vk);
471                 *vk = NULL;
472
473                 r = key_from_terminal(cd, NULL, &passphrase_read,
474                                       &passphrase_size_read, 0);
475                 if(r < 0)
476                         goto out;
477
478                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
479                                            passphrase_size_read, &cd->hdr, vk, cd);
480                 crypt_safe_free(passphrase_read);
481                 passphrase_read = NULL;
482         } while (r == -EPERM && (--tries > 0));
483 out:
484         if (r < 0) {
485                 crypt_free_volume_key(*vk);
486                 *vk = NULL;
487         }
488
489         crypt_safe_free(passphrase_read);
490         return r;
491 }
492
493 static int key_from_file(struct crypt_device *cd, char *msg,
494                           char **key, unsigned int *key_len,
495                           const char *key_file, size_t key_size)
496 {
497         return crypt_get_key(msg, key, key_len, key_size, key_file,
498                              cd->timeout, 0, cd);
499 }
500
501 static int _crypt_init(struct crypt_device **cd,
502                        const char *type,
503                        struct crypt_options *options,
504                        int load, int need_dm)
505 {
506         int init_by_name, r;
507
508         /* if it is plain device and mapping table is being reloaded
509         initialize it by name*/
510         init_by_name = (type && !strcmp(type, CRYPT_PLAIN) && load);
511
512         /* Some of old API calls do not require DM in kernel,
513            fake initialisation by initialise it with kernel_check disabled */
514         if (!need_dm)
515                 (void)dm_init(NULL, 0);
516         if (init_by_name)
517                 r = crypt_init_by_name(cd, options->name);
518         else
519                 r = crypt_init(cd, options->device);
520         if (!need_dm)
521                 dm_exit();
522
523         if (r)
524                 return -EINVAL;
525
526         crypt_set_log_callback(*cd, log_wrapper, options->icb->log);
527         crypt_set_confirm_callback(*cd, yesDialog_wrapper, options->icb->yesDialog);
528
529         crypt_set_timeout(*cd, options->timeout);
530         crypt_set_password_retry(*cd, options->tries);
531         crypt_set_iterarion_time(*cd, options->iteration_time ?: 1000);
532         crypt_set_password_verify(*cd, options->flags & CRYPT_FLAG_VERIFY);
533
534         if (load && !init_by_name)
535                 r = crypt_load(*cd, type, NULL);
536
537         if (!r && type && !(*cd)->type) {
538                 (*cd)->type = strdup(type);
539                 if (!(*cd)->type)
540                         r = -ENOMEM;
541         }
542
543         if (r)
544                 crypt_free(*cd);
545
546         return r;
547 }
548
549 void crypt_set_log_callback(struct crypt_device *cd,
550         void (*log)(int level, const char *msg, void *usrptr),
551         void *usrptr)
552 {
553         if (!cd)
554                 _default_log = log;
555         else {
556                 cd->log = log;
557                 cd->log_usrptr = usrptr;
558         }
559 }
560
561 void crypt_set_confirm_callback(struct crypt_device *cd,
562         int (*confirm)(const char *msg, void *usrptr),
563         void *usrptr)
564 {
565         cd->confirm = confirm;
566         cd->confirm_usrptr = usrptr;
567 }
568
569 void crypt_set_password_callback(struct crypt_device *cd,
570         int (*password)(const char *msg, char *buf, size_t length, void *usrptr),
571         void *usrptr)
572 {
573         cd->password = password;
574         cd->password_usrptr = usrptr;
575 }
576
577 /* OPTIONS: name, cipher, device, hash, key_file, key_size, key_slot,
578  *          offset, size, skip, timeout, tries, passphrase_fd (ignored),
579  *          flags, icb */
580 static int crypt_create_and_update_device(struct crypt_options *options, int update)
581 {
582         struct crypt_device *cd = NULL;
583         char *key = NULL;
584         unsigned int keyLen;
585         int r;
586
587         r = _crypt_init(&cd, CRYPT_PLAIN, options, 0, 1);
588         if (r)
589                 return r;
590
591         r = crypt_get_key(_("Enter passphrase: "), &key, &keyLen, options->key_size,
592                           options->key_file, cd->timeout, cd->password_verify, cd);
593         if (!r)
594                 r = create_device_helper(cd, options->name, options->hash,
595                         options->cipher, NULL, options->key_file, key, keyLen,
596                         options->key_size, options->size, options->skip,
597                         options->offset, NULL, options->flags & CRYPT_FLAG_READONLY,
598                         options->flags, update);
599
600         crypt_safe_free(key);
601         crypt_free(cd);
602         return r;
603 }
604
605 int crypt_create_device(struct crypt_options *options)
606 {
607         return crypt_create_and_update_device(options, 0);
608 }
609
610 int crypt_update_device(struct crypt_options *options)
611 {
612         return crypt_create_and_update_device(options, 1);
613 }
614
615 /* OPTIONS: name, size, icb */
616 int crypt_resize_device(struct crypt_options *options)
617 {
618         struct crypt_device *cd = NULL;
619         char *device = NULL, *cipher = NULL, *uuid = NULL, *key = NULL;
620         char *type = NULL;
621         uint64_t size, skip, offset;
622         int key_size, read_only, r;
623
624         log_dbg("Resizing device %s to %" PRIu64 " sectors.", options->name, options->size);
625
626         if (dm_init(NULL, 1) < 0)
627                 return -ENOSYS;
628
629         r = dm_query_device(options->name, &device, &size, &skip, &offset,
630                             &cipher, &key_size, &key, &read_only, NULL, &uuid);
631         if (r < 0) {
632                 log_err(NULL, _("Device %s is not active.\n"), options->name);
633                 goto out;
634         }
635
636         /* Try to determine type of device from UUID */
637         type = CRYPT_PLAIN;
638         if (uuid) {
639                 if (!strncmp(uuid, CRYPT_PLAIN, strlen(CRYPT_PLAIN))) {
640                         type = CRYPT_PLAIN;
641                         free (uuid);
642                         uuid = NULL;
643                 } else if (!strncmp(uuid, CRYPT_LUKS1, strlen(CRYPT_LUKS1)))
644                         type = CRYPT_LUKS1;
645         }
646
647         if (!options->device)
648                 options->device = device;
649
650         r = _crypt_init(&cd, type, options, 1, 1);
651         if (r)
652                 goto out;
653
654         size = options->size;
655         r = device_check_and_adjust(cd, device, 0, &size, &offset, &read_only);
656         if (r)
657                 goto out;
658
659         r = dm_create_device(options->name, device, cipher, type,
660                              crypt_get_uuid(cd), size, skip, offset,
661                              key_size, key, read_only, 1);
662 out:
663         crypt_safe_free(key);
664         free(cipher);
665         if (options->device == device)
666                 options->device = NULL;
667         free(device);
668         free(uuid);
669         crypt_free(cd);
670         dm_exit();
671         return r;
672 }
673
674 /* OPTIONS: name, icb */
675 int crypt_query_device(struct crypt_options *options)
676 {
677         int read_only, r;
678
679         log_dbg("Query device %s.", options->name);
680
681         if (dm_init(NULL, 1) < 0)
682                 return -ENOSYS;
683
684         r = dm_status_device(options->name);
685         if (r < 0)
686                 goto out;
687
688         r = dm_query_device(options->name, (char **)&options->device, &options->size,
689                             &options->skip, &options->offset, (char **)&options->cipher,
690                             &options->key_size, NULL, &read_only, NULL, NULL);
691         if (r >= 0) {
692                 if (read_only)
693                         options->flags |= CRYPT_FLAG_READONLY;
694
695                 options->flags |= CRYPT_FLAG_FREE_DEVICE;
696                 options->flags |= CRYPT_FLAG_FREE_CIPHER;
697
698                 r = 1;
699         }
700 out:
701         if (r == -ENODEV)
702                 r = 0;
703
704         dm_exit();
705         return r;
706 }
707
708 /* OPTIONS: name, icb */
709 int crypt_remove_device(struct crypt_options *options)
710 {
711         struct crypt_device *cd = NULL;
712         int r;
713
714         r = crypt_init_by_name(&cd, options->name);
715         if (r == 0)
716                 r = crypt_deactivate(cd, options->name);
717
718         crypt_free(cd);
719         return r;
720
721 }
722
723 /* OPTIONS: device, cipher, hash, align_payload, key_size (master key), key_slot
724  *          new_key_file, iteration_time, timeout, flags, icb */
725 int crypt_luksFormat(struct crypt_options *options)
726 {
727         char cipherName[LUKS_CIPHERNAME_L];
728         char cipherMode[LUKS_CIPHERMODE_L];
729         char *password=NULL;
730         unsigned int passwordLen;
731         struct crypt_device *cd = NULL;
732         struct crypt_params_luks1 cp = {
733                 .hash = options->hash,
734                 .data_alignment = options->align_payload
735         };
736         int r;
737
738         r = crypt_parse_name_and_mode(options->cipher, cipherName, NULL, cipherMode);
739         if(r < 0) {
740                 log_err(cd, _("No known cipher specification pattern detected.\n"));
741                 return r;
742         }
743
744         if ((r = _crypt_init(&cd, CRYPT_LUKS1, options, 0, 1)))
745                 return r;
746
747         if (options->key_slot >= LUKS_NUMKEYS && options->key_slot != CRYPT_ANY_SLOT) {
748                 log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
749                         options->key_slot, LUKS_NUMKEYS - 1);
750                 r = -EINVAL;
751                 goto out;
752         }
753
754         r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen, 0,
755                           options->new_key_file, cd->timeout, cd->password_verify, cd);
756
757         if(r < 0)
758                 goto out;
759
760         r = crypt_format(cd, CRYPT_LUKS1, cipherName, cipherMode,
761                          NULL, NULL, options->key_size, &cp);
762         if (r < 0)
763                 goto out;
764
765         /* Add keyslot using internally stored volume key generated during format */
766         r = crypt_keyslot_add_by_volume_key(cd, options->key_slot, NULL, 0,
767                                             password, passwordLen);
768 out:
769         crypt_free(cd);
770         crypt_safe_free(password);
771         return (r < 0) ? r : 0;
772 }
773
774 /* OPTIONS: name, device, key_size, key_file, timeout, tries, flags, icb */
775 int crypt_luksOpen(struct crypt_options *options)
776 {
777         struct crypt_device *cd = NULL;
778         uint32_t flags = 0;
779         int r;
780
781         if (!options->name)
782                 return -EINVAL;
783
784         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
785         if (r)
786                 return r;
787
788         if (options->flags & CRYPT_FLAG_READONLY)
789                 flags |= CRYPT_ACTIVATE_READONLY;
790
791         if (options->flags & CRYPT_FLAG_NON_EXCLUSIVE_ACCESS)
792                 flags |= CRYPT_ACTIVATE_NO_UUID;
793
794         if (options->key_file)
795                 r = crypt_activate_by_keyfile(cd, options->name,
796                         CRYPT_ANY_SLOT, options->key_file, options->key_size,
797                         flags);
798         else
799                 r = crypt_activate_by_passphrase(cd, options->name,
800                         CRYPT_ANY_SLOT, options->passphrase,
801                         options->passphrase ? strlen(options->passphrase) : 0,
802                         flags);
803
804         crypt_free(cd);
805         return (r < 0) ? r : 0;
806 }
807
808 /* OPTIONS: device, keys_slot, key_file, timeout, flags, icb */
809 int crypt_luksKillSlot(struct crypt_options *options)
810 {
811         struct crypt_device *cd = NULL;
812         int r;
813
814         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
815         if (r)
816                 return r;
817
818         r = luks_remove_helper(cd, options->key_slot, options->key_file, NULL,
819                                options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);
820
821         crypt_free(cd);
822         return (r < 0) ? r : 0;
823 }
824
825 /* OPTIONS: device, new_key_file, key_file, timeout, flags, icb */
826 int crypt_luksRemoveKey(struct crypt_options *options)
827 {
828         struct crypt_device *cd = NULL;
829         int r;
830
831         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
832         if (r)
833                 return r;
834
835         r = luks_remove_helper(cd, CRYPT_ANY_SLOT, options->key_file, options->new_key_file,
836                                options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);
837
838         crypt_free(cd);
839         return (r < 0) ? r : 0;
840 }
841
842
843 /* OPTIONS: device, new_key_file, key_file, key_slot, flags,
844             iteration_time, timeout, icb */
845 int crypt_luksAddKey(struct crypt_options *options)
846 {
847         struct crypt_device *cd = NULL;
848         int r = -EINVAL;
849
850         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
851         if (r)
852                 return r;
853
854         if (options->key_file || options->new_key_file)
855                 r = crypt_keyslot_add_by_keyfile(cd, options->key_slot,
856                                                  options->key_file, 0,
857                                                  options->new_key_file, 0);
858         else
859                 r = crypt_keyslot_add_by_passphrase(cd, options->key_slot,
860                                                     NULL, 0, NULL, 0);
861
862         crypt_free(cd);
863         return (r < 0) ? r : 0;
864 }
865
866 /* OPTIONS: device, icb */
867 int crypt_luksUUID(struct crypt_options *options)
868 {
869         struct crypt_device *cd = NULL;
870         char *uuid;
871         int r;
872
873         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
874         if (r)
875                 return r;
876
877         uuid = (char *)crypt_get_uuid(cd);
878         log_std(cd, uuid ?: "");
879         log_std(cd, "\n");
880         crypt_free(cd);
881         return 0;
882 }
883
884 /* OPTIONS: device, icb */
885 int crypt_isLuks(struct crypt_options *options)
886 {
887         struct crypt_device *cd = NULL;
888         int r;
889
890         log_dbg("Check device %s for LUKS header.", options->device);
891
892         r = init_crypto(cd);
893         if (r < 0)
894                 return r;
895
896         r = crypt_init(&cd, options->device);
897         if (r < 0)
898                 return -EINVAL;
899
900         /* Do print fail here, no need to crypt_load() */
901         r = LUKS_read_phdr(cd->device, &cd->hdr, 0, cd) ? -EINVAL : 0;
902
903         crypt_free(cd);
904         return r;
905 }
906
907 /* OPTIONS: device, icb */
908 int crypt_luksDump(struct crypt_options *options)
909 {
910         struct crypt_device *cd = NULL;
911         int r;
912
913         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
914         if(r < 0)
915                 return r;
916
917         r = crypt_dump(cd);
918
919         crypt_free(cd);
920         return r;
921 }
922
923 void crypt_get_error(char *buf, size_t size)
924 {
925         const char *error = get_error();
926
927         if (!buf || size < 1)
928                 set_error(NULL);
929         else if (error) {
930                 strncpy(buf, error, size - 1);
931                 buf[size - 1] = '\0';
932                 set_error(NULL);
933         } else
934                 buf[0] = '\0';
935 }
936
937 void crypt_put_options(struct crypt_options *options)
938 {
939         if (options->flags & CRYPT_FLAG_FREE_DEVICE) {
940                 free((char *)options->device);
941                 options->device = NULL;
942                 options->flags &= ~CRYPT_FLAG_FREE_DEVICE;
943         }
944         if (options->flags & CRYPT_FLAG_FREE_CIPHER) {
945                 free((char *)options->cipher);
946                 options->cipher = NULL;
947                 options->flags &= ~CRYPT_FLAG_FREE_CIPHER;
948         }
949 }
950
951 const char *crypt_get_dir(void)
952 {
953         return dm_get_dir();
954 }
955
956 /////////////////////////////////
957 //
958 // New API
959 //
960
961 int crypt_init(struct crypt_device **cd, const char *device)
962 {
963         struct crypt_device *h = NULL;
964
965         if (!cd)
966                 return -EINVAL;
967
968         log_dbg("Allocating crypt device %s context.", device);
969
970         if (device && !device_ready(NULL, device, O_RDONLY))
971                 return -ENOTBLK;
972
973         if (!(h = malloc(sizeof(struct crypt_device))))
974                 return -ENOMEM;
975
976         memset(h, 0, sizeof(*h));
977
978         if (device) {
979                 h->device = strdup(device);
980                 if (!h->device) {
981                         free(h);
982                         return -ENOMEM;
983                 }
984         } else
985                 h->device = NULL;
986
987         if (dm_init(h, 1) < 0) {
988                 free(h);
989                 return -ENOSYS;
990         }
991
992         h->iteration_time = 1000;
993         h->password_verify = 0;
994         h->tries = 3;
995         h->rng_type = crypt_random_default_key_rng();
996         *cd = h;
997         return 0;
998 }
999
1000 int crypt_init_by_name(struct crypt_device **cd, const char *name)
1001 {
1002         crypt_status_info ci;
1003         struct crypt_active_device cad;
1004         char *device = NULL, *cipher_full = NULL, *device_uuid = NULL;
1005         char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
1006         char *key = NULL;
1007         int key_size = 0, key_nums, r;
1008
1009
1010         log_dbg("Allocating crypt device context by device %s.", name);
1011
1012         ci = crypt_status(NULL, name);
1013         if (ci == CRYPT_INVALID)
1014                 return -ENODEV;
1015
1016         if (ci < CRYPT_ACTIVE) {
1017                 log_err(NULL, _("Device %s is not active.\n"), name);
1018                 return -ENODEV;
1019         }
1020
1021         r = dm_query_device(name, &device, &cad.size, &cad.iv_offset, &cad.offset,
1022                             &cipher_full, &key_size, &key, NULL, NULL,
1023                             &device_uuid);
1024         if (r < 0)
1025                 goto out;
1026
1027         /* Underlying device disappeared but mapping still active */
1028         if (!device)
1029                 log_verbose(NULL, _("Underlying device for crypt device %s disappeared.\n"),
1030                             name);
1031
1032         *cd = NULL;
1033         r = crypt_init(cd, device);
1034         if (r < 0)
1035                 goto out;
1036
1037         /* Try to initialise basic parameters from active device */
1038         if (device_uuid) {
1039                 if (!strncmp(CRYPT_PLAIN, device_uuid, sizeof(CRYPT_PLAIN)-1)) {
1040                         (*cd)->type = strdup(CRYPT_PLAIN);
1041                         (*cd)->plain_uuid = strdup(device_uuid);
1042                         (*cd)->plain_hdr.hash = NULL; /* no way to get this */
1043                         (*cd)->plain_hdr.offset = cad.offset;
1044                         (*cd)->plain_hdr.skip = cad.iv_offset;
1045                         (*cd)->volume_key = crypt_alloc_volume_key(key_size, key);
1046                         if (!(*cd)->volume_key) {
1047                                 r = -ENOMEM;
1048                                 goto out;
1049                         }
1050
1051                         r = crypt_parse_name_and_mode(cipher_full, cipher, NULL, cipher_mode);
1052                         if (!r) {
1053                                 (*cd)->plain_cipher = strdup(cipher);
1054                                 (*cd)->plain_cipher_mode = strdup(cipher_mode);
1055                         }
1056                 } else if (!strncmp(CRYPT_LOOPAES, device_uuid, sizeof(CRYPT_LOOPAES)-1)) {
1057                         (*cd)->type = strdup(CRYPT_LOOPAES);
1058                         (*cd)->loopaes_uuid = strdup(device_uuid);
1059                         (*cd)->loopaes_hdr.offset = cad.offset;
1060
1061                         r = crypt_parse_name_and_mode(cipher_full, cipher,
1062                                                       &key_nums, cipher_mode);
1063                         if (!r) {
1064                                 (*cd)->loopaes_cipher = strdup(cipher);
1065                                 (*cd)->loopaes_cipher_mode = strdup(cipher_mode);
1066                                 /* version 3 uses last key for IV */
1067                                 if (key_size % key_nums)
1068                                         key_nums++;
1069                                 (*cd)->loopaes_key_size = key_size / key_nums;
1070                         }
1071                 } else if (!strncmp(CRYPT_LUKS1, device_uuid, sizeof(CRYPT_LUKS1)-1)) {
1072                         if (device) {
1073                                 if (crypt_load(*cd, CRYPT_LUKS1, NULL) < 0 ||
1074                                     crypt_volume_key_verify(*cd, key, key_size) < 0) {
1075                                         log_dbg("LUKS device header does not match active device.");
1076                                         goto out;
1077                                 }
1078
1079                                 (*cd)->volume_key = crypt_alloc_volume_key(key_size, key);
1080                                 if (!(*cd)->volume_key) {
1081                                         r = -ENOMEM;
1082                                         goto out;
1083                                 }
1084                         }
1085                 }
1086         } else
1087                 log_dbg("Active device has no UUID set, some parameters are not set.");
1088
1089 out:
1090         if (r < 0) {
1091                 crypt_free(*cd);
1092                 *cd = NULL;
1093         }
1094         crypt_safe_free(key);
1095         free(device);
1096         free(cipher_full);
1097         free(device_uuid);
1098         return r;
1099 }
1100
1101 static int _crypt_format_plain(struct crypt_device *cd,
1102                                const char *cipher,
1103                                const char *cipher_mode,
1104                                const char *uuid,
1105                                size_t volume_key_size,
1106                                struct crypt_params_plain *params)
1107 {
1108         if (!cipher || !cipher_mode) {
1109                 log_err(cd, _("Invalid plain crypt parameters.\n"));
1110                 return -EINVAL;
1111         }
1112
1113         if (volume_key_size > 1024) {
1114                 log_err(cd, _("Invalid key size.\n"));
1115                 return -EINVAL;
1116         }
1117
1118         cd->volume_key = crypt_alloc_volume_key(volume_key_size, NULL);
1119         if (!cd->volume_key)
1120                 return -ENOMEM;
1121
1122         cd->plain_cipher = strdup(cipher);
1123         cd->plain_cipher_mode = strdup(cipher_mode);
1124
1125         if (uuid)
1126                 cd->plain_uuid = strdup(uuid);
1127
1128         if (params && params->hash)
1129                 cd->plain_hdr.hash = strdup(params->hash);
1130
1131         cd->plain_hdr.offset = params ? params->offset : 0;
1132         cd->plain_hdr.skip = params ? params->skip : 0;
1133
1134         if (!cd->plain_cipher || !cd->plain_cipher_mode)
1135                 return -ENOMEM;
1136
1137         return 0;
1138 }
1139
1140 static int _crypt_format_luks1(struct crypt_device *cd,
1141                                const char *cipher,
1142                                const char *cipher_mode,
1143                                const char *uuid,
1144                                const char *volume_key,
1145                                size_t volume_key_size,
1146                                struct crypt_params_luks1 *params)
1147 {
1148         int r;
1149         unsigned long required_alignment = DEFAULT_DISK_ALIGNMENT;
1150         unsigned long alignment_offset = 0;
1151
1152         if (!cd->device) {
1153                 log_err(cd, _("Can't format LUKS without device.\n"));
1154                 return -EINVAL;
1155         }
1156
1157         if (volume_key)
1158                 cd->volume_key = crypt_alloc_volume_key(volume_key_size,
1159                                                       volume_key);
1160         else
1161                 cd->volume_key = crypt_generate_volume_key(cd, volume_key_size);
1162
1163         if(!cd->volume_key)
1164                 return -ENOMEM;
1165
1166         if (params && params->data_alignment)
1167                 required_alignment = params->data_alignment * SECTOR_SIZE;
1168         else
1169                 get_topology_alignment(cd->device, &required_alignment,
1170                                        &alignment_offset, DEFAULT_DISK_ALIGNMENT);
1171
1172         r = LUKS_generate_phdr(&cd->hdr, cd->volume_key, cipher, cipher_mode,
1173                                (params && params->hash) ? params->hash : "sha1",
1174                                uuid, LUKS_STRIPES,
1175                                required_alignment / SECTOR_SIZE,
1176                                alignment_offset / SECTOR_SIZE,
1177                                cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1178         if(r < 0)
1179                 return r;
1180
1181         /* Wipe first 8 sectors - fs magic numbers etc. */
1182         r = wipe_device_header(cd->device, 8);
1183         if(r < 0) {
1184                 if (r == -EBUSY)
1185                         log_err(cd, _("Cannot format device %s which is still in use.\n"),
1186                                 cd->device);
1187                 else
1188                         log_err(cd, _("Cannot wipe header on device %s.\n"),
1189                                 cd->device);
1190
1191                 return r;
1192         }
1193
1194         r = LUKS_write_phdr(cd->device, &cd->hdr, cd);
1195
1196         return r;
1197 }
1198
1199 static int _crypt_format_loopaes(struct crypt_device *cd,
1200                                  const char *cipher,
1201                                  const char *uuid,
1202                                  size_t volume_key_size,
1203                                  struct crypt_params_loopaes *params)
1204 {
1205         if (!cd->device) {
1206                 log_err(cd, _("Can't format LOOPAES without device.\n"));
1207                 return -EINVAL;
1208         }
1209
1210         if (volume_key_size > 1024) {
1211                 log_err(cd, _("Invalid key size.\n"));
1212                 return -EINVAL;
1213         }
1214
1215         cd->loopaes_key_size = volume_key_size;
1216
1217         cd->loopaes_cipher = strdup(cipher ?: DEFAULT_LOOPAES_CIPHER);
1218
1219         if (uuid)
1220                 cd->loopaes_uuid = strdup(uuid);
1221
1222         if (params && params->hash)
1223                 cd->loopaes_hdr.hash = strdup(params->hash);
1224
1225         cd->loopaes_hdr.offset = params ? params->offset : 0;
1226
1227         return 0;
1228 }
1229
1230 int crypt_format(struct crypt_device *cd,
1231         const char *type,
1232         const char *cipher,
1233         const char *cipher_mode,
1234         const char *uuid,
1235         const char *volume_key,
1236         size_t volume_key_size,
1237         void *params)
1238 {
1239         int r;
1240
1241         if (!type)
1242                 return -EINVAL;
1243
1244         log_dbg("Formatting device %s as type %s.", cd->device ?: "(none)", type);
1245
1246         r = init_crypto(cd);
1247         if (r < 0)
1248                 return r;
1249
1250         if (isPLAIN(type))
1251                 r = _crypt_format_plain(cd, cipher, cipher_mode,
1252                                         uuid, volume_key_size, params);
1253         else if (isLUKS(type))
1254                 r = _crypt_format_luks1(cd, cipher, cipher_mode,
1255                                         uuid, volume_key, volume_key_size, params);
1256         else if (isLOOPAES(type))
1257                 r = _crypt_format_loopaes(cd, cipher, uuid, volume_key_size, params);
1258         else {
1259                 /* FIXME: allow plugins here? */
1260                 log_err(cd, _("Unknown crypt device type %s requested.\n"), type);
1261                 r = -EINVAL;
1262         }
1263
1264         if (!r && !(cd->type = strdup(type)))
1265                 r = -ENOMEM;
1266
1267         if (r < 0) {
1268                 crypt_free_volume_key(cd->volume_key);
1269                 cd->volume_key = NULL;
1270         }
1271
1272         return r;
1273 }
1274
1275 int crypt_load(struct crypt_device *cd,
1276                const char *requested_type,
1277                void *params)
1278 {
1279         struct luks_phdr hdr;
1280         int r;
1281
1282         log_dbg("Trying to load %s crypt type from device %s.",
1283                 requested_type ?: "any", cd->device ?: "(none)");
1284
1285         if (!cd->device)
1286                 return -EINVAL;
1287
1288         if (requested_type && !isLUKS(requested_type))
1289                 return -EINVAL;
1290
1291         r = init_crypto(cd);
1292         if (r < 0)
1293                 return r;
1294
1295         r = LUKS_read_phdr(cd->device, &hdr, 1, cd);
1296
1297         if (!r) {
1298                 memcpy(&cd->hdr, &hdr, sizeof(hdr));
1299                 cd->type = strdup(CRYPT_LUKS1);
1300                 if (!cd->type)
1301                         r = -ENOMEM;
1302         }
1303
1304         return r;
1305 }
1306
1307 int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
1308 {
1309         char *device = NULL, *cipher = NULL, *uuid = NULL, *key = NULL;
1310         uint64_t size, skip, offset;
1311         int key_size, read_only, r;
1312
1313         /* Device context type must be initialised */
1314         if (!cd->type || !crypt_get_uuid(cd))
1315                 return -EINVAL;
1316
1317         r = dm_query_device(name, &device, &size, &skip, &offset,
1318                             &cipher, &key_size, &key, &read_only, NULL, &uuid);
1319         if (r < 0) {
1320                 log_err(NULL, _("Device %s is not active.\n"), name);
1321                 goto out;
1322         }
1323
1324         if (!uuid) {
1325                 r = -EINVAL;
1326                 goto out;
1327         }
1328
1329         r = device_check_and_adjust(cd, device, 0, &new_size, &offset, &read_only);
1330         if (r)
1331                 goto out;
1332
1333         if (new_size == size) {
1334                 log_dbg("Device has already requested size %" PRIu64
1335                         " sectors.", size);
1336                 r = 0;
1337                 goto out;
1338         }
1339
1340         log_dbg("Resizing device %s to %" PRIu64 " sectors.", name, new_size);
1341
1342         r = dm_create_device(name, device, cipher, cd->type,
1343                              crypt_get_uuid(cd), new_size, skip, offset,
1344                              key_size, key, read_only, 1);
1345 out:
1346         crypt_safe_free(key);
1347         free(cipher);
1348         free(device);
1349         free(uuid);
1350
1351         return r;
1352 }
1353
1354 int crypt_set_uuid(struct crypt_device *cd, const char *uuid)
1355 {
1356         if (!isLUKS(cd->type)) {
1357                 log_err(cd, _("This operation is not supported for this device type.\n"));
1358                 return  -EINVAL;
1359         }
1360
1361         if (uuid && !strncmp(uuid, cd->hdr.uuid, sizeof(cd->hdr.uuid))) {
1362                 log_dbg("UUID is the same as requested (%s) for device %s.",
1363                         uuid, cd->device);
1364                 return 0;
1365         }
1366
1367         if (uuid)
1368                 log_dbg("Requested new UUID change to %s for %s.", uuid, cd->device);
1369         else
1370                 log_dbg("Requested new UUID refresh for %s.", cd->device);
1371
1372         if (!crypt_confirm(cd, _("Do you really want to change UUID of device?")))
1373                 return -EPERM;
1374
1375         return LUKS_hdr_uuid_set(cd->device, &cd->hdr, uuid, cd);
1376 }
1377
1378 int crypt_header_backup(struct crypt_device *cd,
1379                         const char *requested_type,
1380                         const char *backup_file)
1381 {
1382         int r;
1383
1384         if ((requested_type && !isLUKS(requested_type)) || !backup_file)
1385                 return -EINVAL;
1386
1387         r = init_crypto(cd);
1388         if (r < 0)
1389                 return r;
1390
1391         log_dbg("Requested header backup of device %s (%s) to "
1392                 "file %s.", cd->device, requested_type, backup_file);
1393
1394         return LUKS_hdr_backup(backup_file, cd->device, &cd->hdr, cd);
1395 }
1396
1397 int crypt_header_restore(struct crypt_device *cd,
1398                          const char *requested_type,
1399                          const char *backup_file)
1400 {
1401         int r;
1402
1403         if (requested_type && !isLUKS(requested_type))
1404                 return -EINVAL;
1405
1406         /* Some hash functions need initialized gcrypt library */
1407         r = init_crypto(cd);
1408         if (r < 0)
1409                 return r;
1410
1411         log_dbg("Requested header restore to device %s (%s) from "
1412                 "file %s.", cd->device, requested_type, backup_file);
1413
1414         return LUKS_hdr_restore(backup_file, cd->device, &cd->hdr, cd);
1415 }
1416
1417 void crypt_free(struct crypt_device *cd)
1418 {
1419         if (cd) {
1420                 log_dbg("Releasing crypt device %s context.", cd->device);
1421
1422                 dm_exit();
1423                 crypt_free_volume_key(cd->volume_key);
1424
1425                 free(cd->device);
1426                 free(cd->type);
1427
1428                 /* used in plain device only */
1429                 free((char*)cd->plain_hdr.hash);
1430                 free(cd->plain_cipher);
1431                 free(cd->plain_cipher_mode);
1432                 free(cd->plain_uuid);
1433
1434                 free(cd);
1435         }
1436 }
1437
1438 int crypt_suspend(struct crypt_device *cd,
1439                   const char *name)
1440 {
1441         crypt_status_info ci;
1442         int r, suspended = 0;
1443
1444         log_dbg("Suspending volume %s.", name);
1445
1446         ci = crypt_status(NULL, name);
1447         if (ci < CRYPT_ACTIVE) {
1448                 log_err(cd, _("Volume %s is not active.\n"), name);
1449                 return -EINVAL;
1450         }
1451
1452         if (!cd && dm_init(NULL, 1) < 0)
1453                 return -ENOSYS;
1454
1455         r = dm_query_device(name, NULL, NULL, NULL, NULL,
1456                             NULL, NULL, NULL, NULL, &suspended, NULL);
1457         if (r < 0)
1458                 goto out;
1459
1460         if (suspended) {
1461                 log_err(cd, _("Volume %s is already suspended.\n"), name);
1462                 r = -EINVAL;
1463                 goto out;
1464         }
1465
1466         r = dm_suspend_and_wipe_key(name);
1467         if (r == -ENOTSUP)
1468                 log_err(cd, "Suspend is not supported for device %s.\n", name);
1469         else if (r)
1470                 log_err(cd, "Error during suspending device %s.\n", name);
1471 out:
1472         if (!cd)
1473                 dm_exit();
1474         return r;
1475 }
1476
1477 int crypt_resume_by_passphrase(struct crypt_device *cd,
1478                                const char *name,
1479                                int keyslot,
1480                                const char *passphrase,
1481                                size_t passphrase_size)
1482 {
1483         struct volume_key *vk = NULL;
1484         int r, suspended = 0;
1485
1486         log_dbg("Resuming volume %s.", name);
1487
1488         if (!isLUKS(cd->type)) {
1489                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1490                 r = -EINVAL;
1491                 goto out;
1492         }
1493
1494         r = dm_query_device(name, NULL, NULL, NULL, NULL,
1495                             NULL, NULL, NULL, NULL, &suspended, NULL);
1496         if (r < 0)
1497                 return r;
1498
1499         if (!suspended) {
1500                 log_err(cd, _("Volume %s is not suspended.\n"), name);
1501                 return -EINVAL;
1502         }
1503
1504         if (passphrase) {
1505                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1506                                            passphrase_size, &cd->hdr, &vk, cd);
1507         } else
1508                 r = volume_key_by_terminal_passphrase(cd, keyslot, &vk);
1509
1510         if (r >= 0) {
1511                 keyslot = r;
1512                 r = dm_resume_and_reinstate_key(name, vk->keylength, vk->key);
1513                 if (r == -ENOTSUP)
1514                         log_err(cd, "Resume is not supported for device %s.\n", name);
1515                 else if (r)
1516                         log_err(cd, "Error during resuming device %s.\n", name);
1517         } else
1518                 r = keyslot;
1519 out:
1520         crypt_free_volume_key(vk);
1521         return r < 0 ? r : keyslot;
1522 }
1523
1524 int crypt_resume_by_keyfile(struct crypt_device *cd,
1525                             const char *name,
1526                             int keyslot,
1527                             const char *keyfile,
1528                             size_t keyfile_size)
1529 {
1530         struct volume_key *vk = NULL;
1531         char *passphrase_read = NULL;
1532         unsigned int passphrase_size_read;
1533         int r, suspended = 0;
1534
1535         log_dbg("Resuming volume %s.", name);
1536
1537         if (!isLUKS(cd->type)) {
1538                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1539                 r = -EINVAL;
1540                 goto out;
1541         }
1542
1543         r = dm_query_device(name, NULL, NULL, NULL, NULL,
1544                             NULL, NULL, NULL, NULL, &suspended, NULL);
1545         if (r < 0)
1546                 return r;
1547
1548         if (!suspended) {
1549                 log_err(cd, _("Volume %s is not suspended.\n"), name);
1550                 return -EINVAL;
1551         }
1552
1553         if (!keyfile)
1554                 return -EINVAL;
1555
1556         r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1557                           &passphrase_size_read, keyfile, keyfile_size);
1558         if (r < 0)
1559                 goto out;
1560
1561         r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1562                                    passphrase_size_read, &cd->hdr, &vk, cd);
1563         if (r < 0)
1564                 goto out;
1565
1566         keyslot = r;
1567         r = dm_resume_and_reinstate_key(name, vk->keylength, vk->key);
1568         if (r)
1569                 log_err(cd, "Error during resuming device %s.\n", name);
1570 out:
1571         crypt_safe_free(passphrase_read);
1572         crypt_free_volume_key(vk);
1573         return r < 0 ? r : keyslot;
1574 }
1575
1576 // slot manipulation
1577 int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
1578         int keyslot, // -1 any
1579         const char *passphrase, // NULL -> terminal
1580         size_t passphrase_size,
1581         const char *new_passphrase, // NULL -> terminal
1582         size_t new_passphrase_size)
1583 {
1584         struct volume_key *vk = NULL;
1585         char *password = NULL, *new_password = NULL;
1586         unsigned int passwordLen, new_passwordLen;
1587         int r;
1588
1589         log_dbg("Adding new keyslot, existing passphrase %sprovided,"
1590                 "new passphrase %sprovided.",
1591                 passphrase ? "" : "not ", new_passphrase  ? "" : "not ");
1592
1593         if (!isLUKS(cd->type)) {
1594                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1595                 return -EINVAL;
1596         }
1597
1598         r = keyslot_verify_or_find_empty(cd, &keyslot);
1599         if (r)
1600                 return r;
1601
1602         if (!LUKS_keyslot_active_count(&cd->hdr)) {
1603                 /* No slots used, try to use pre-generated key in header */
1604                 if (cd->volume_key) {
1605                         vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1606                         r = vk ? 0 : -ENOMEM;
1607                 } else {
1608                         log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1609                         return -EINVAL;
1610                 }
1611         } else if (passphrase) {
1612                 /* Passphrase provided, use it to unlock existing keyslot */
1613                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, passphrase,
1614                                            passphrase_size, &cd->hdr, &vk, cd);
1615         } else {
1616                 /* Passphrase not provided, ask first and use it to unlock existing keyslot */
1617                 r = key_from_terminal(cd, _("Enter any passphrase: "),
1618                                       &password, &passwordLen, 0);
1619                 if (r < 0)
1620                         goto out;
1621
1622                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
1623                                            passwordLen, &cd->hdr, &vk, cd);
1624                 crypt_safe_free(password);
1625         }
1626
1627         if(r < 0)
1628                 goto out;
1629
1630         if (new_passphrase) {
1631                 new_password = (char *)new_passphrase;
1632                 new_passwordLen = new_passphrase_size;
1633         } else {
1634                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1635                                       &new_password, &new_passwordLen, 1);
1636                 if(r < 0)
1637                         goto out;
1638         }
1639
1640         r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1641                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1642         if(r < 0) goto out;
1643
1644         r = 0;
1645 out:
1646         if (!new_passphrase)
1647                 crypt_safe_free(new_password);
1648         crypt_free_volume_key(vk);
1649         return r ?: keyslot;
1650 }
1651
1652 int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
1653         int keyslot,
1654         const char *keyfile,
1655         size_t keyfile_size,
1656         const char *new_keyfile,
1657         size_t new_keyfile_size)
1658 {
1659         struct volume_key *vk = NULL;
1660         char *password = NULL; unsigned int passwordLen;
1661         char *new_password = NULL; unsigned int new_passwordLen;
1662         int r;
1663
1664         log_dbg("Adding new keyslot, existing keyfile %s, new keyfile %s.",
1665                 keyfile ?: "[none]", new_keyfile ?: "[none]");
1666
1667         if (!isLUKS(cd->type)) {
1668                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1669                 return -EINVAL;
1670         }
1671
1672         r = keyslot_verify_or_find_empty(cd, &keyslot);
1673         if (r)
1674                 return r;
1675
1676         if (!LUKS_keyslot_active_count(&cd->hdr)) {
1677                 /* No slots used, try to use pre-generated key in header */
1678                 if (cd->volume_key) {
1679                         vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1680                         r = vk ? 0 : -ENOMEM;
1681                 } else {
1682                         log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1683                         return -EINVAL;
1684                 }
1685         } else {
1686                 /* Read password from file of (if NULL) from terminal */
1687                 if (keyfile)
1688                         r = key_from_file(cd, _("Enter any passphrase: "),
1689                                           &password, &passwordLen,
1690                                           keyfile, keyfile_size);
1691                 else
1692                         r = key_from_terminal(cd, _("Enter any passphrase: "),
1693                                               &password, &passwordLen, 0);
1694                 if (r < 0)
1695                         goto out;
1696
1697                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password, passwordLen,
1698                                            &cd->hdr, &vk, cd);
1699         }
1700
1701         if(r < 0)
1702                 goto out;
1703
1704         if (new_keyfile)
1705                 r = key_from_file(cd, _("Enter new passphrase for key slot: "),
1706                                   &new_password, &new_passwordLen, new_keyfile,
1707                                   new_keyfile_size);
1708         else
1709                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1710                                       &new_password, &new_passwordLen, 1);
1711         if (r < 0)
1712                 goto out;
1713
1714         r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1715                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1716 out:
1717         crypt_safe_free(password);
1718         crypt_safe_free(new_password);
1719         crypt_free_volume_key(vk);
1720         return r < 0 ? r : keyslot;
1721 }
1722
1723 int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
1724         int keyslot,
1725         const char *volume_key,
1726         size_t volume_key_size,
1727         const char *passphrase,
1728         size_t passphrase_size)
1729 {
1730         struct volume_key *vk = NULL;
1731         int r = -EINVAL;
1732         char *new_password = NULL; unsigned int new_passwordLen;
1733
1734         log_dbg("Adding new keyslot %d using volume key.", keyslot);
1735
1736         if (!isLUKS(cd->type)) {
1737                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1738                 return -EINVAL;
1739         }
1740
1741         if (volume_key)
1742                 vk = crypt_alloc_volume_key(volume_key_size, volume_key);
1743         else if (cd->volume_key)
1744                 vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1745
1746         if (!vk)
1747                 return -ENOMEM;
1748
1749         r = LUKS_verify_volume_key(&cd->hdr, vk);
1750         if (r < 0) {
1751                 log_err(cd, _("Volume key does not match the volume.\n"));
1752                 goto out;
1753         }
1754
1755         r = keyslot_verify_or_find_empty(cd, &keyslot);
1756         if (r)
1757                 goto out;
1758
1759         if (!passphrase) {
1760                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1761                                       &new_password, &new_passwordLen, 1);
1762                 if (r < 0)
1763                         goto out;
1764                 passphrase = new_password;
1765                 passphrase_size = new_passwordLen;
1766         }
1767
1768         r = LUKS_set_key(cd->device, keyslot, passphrase, passphrase_size,
1769                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1770 out:
1771         crypt_safe_free(new_password);
1772         crypt_free_volume_key(vk);
1773         return (r < 0) ? r : keyslot;
1774 }
1775
1776 int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot)
1777 {
1778         crypt_keyslot_info ki;
1779
1780         log_dbg("Destroying keyslot %d.", keyslot);
1781
1782         if (!isLUKS(cd->type)) {
1783                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1784                 return -EINVAL;
1785         }
1786
1787         ki = crypt_keyslot_status(cd, keyslot);
1788         if (ki == CRYPT_SLOT_INVALID) {
1789                 log_err(cd, _("Key slot %d is invalid.\n"), keyslot);
1790                 return -EINVAL;
1791         }
1792
1793         if (ki == CRYPT_SLOT_INACTIVE) {
1794                 log_err(cd, _("Key slot %d is not used.\n"), keyslot);
1795                 return -EINVAL;
1796         }
1797
1798         return LUKS_del_key(cd->device, keyslot, &cd->hdr, cd);
1799 }
1800
1801 // activation/deactivation of device mapping
1802 int crypt_activate_by_passphrase(struct crypt_device *cd,
1803         const char *name,
1804         int keyslot,
1805         const char *passphrase,
1806         size_t passphrase_size,
1807         uint32_t flags)
1808 {
1809         crypt_status_info ci;
1810         struct volume_key *vk = NULL;
1811         char *read_passphrase = NULL;
1812         unsigned int passphraseLen = 0;
1813         int r;
1814
1815         log_dbg("%s volume %s [keyslot %d] using %spassphrase.",
1816                 name ? "Activating" : "Checking", name ?: "",
1817                 keyslot, passphrase ? "" : "[none] ");
1818
1819         if (name) {
1820                 ci = crypt_status(NULL, name);
1821                 if (ci == CRYPT_INVALID)
1822                         return -EINVAL;
1823                 else if (ci >= CRYPT_ACTIVE) {
1824                         log_err(cd, _("Device %s already exists.\n"), name);
1825                         return -EEXIST;
1826                 }
1827         }
1828
1829         /* plain, use hashed passphrase */
1830         if (isPLAIN(cd->type)) {
1831                 if (!passphrase) {
1832                         r = key_from_terminal(cd, NULL, &read_passphrase,
1833                                               &passphraseLen, 0);
1834                         if (r < 0)
1835                                 goto out;
1836                         passphrase = read_passphrase;
1837                         passphrase_size = passphraseLen;
1838                 }
1839                 r = create_device_helper(cd, name, cd->plain_hdr.hash,
1840                                          cd->plain_cipher, cd->plain_cipher_mode,
1841                                          NULL, passphrase, passphrase_size,
1842                                          cd->volume_key->keylength, 0,
1843                                          cd->plain_hdr.skip, cd->plain_hdr.offset,
1844                                          cd->plain_uuid,
1845                                          flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1846                 keyslot = 0;
1847         } else if (isLUKS(cd->type)) {
1848                 /* provided passphrase, do not retry */
1849                 if (passphrase) {
1850                         r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1851                                                    passphrase_size, &cd->hdr, &vk, cd);
1852                 } else
1853                         r = volume_key_by_terminal_passphrase(cd, keyslot, &vk);
1854
1855                 if (r >= 0) {
1856                         keyslot = r;
1857                         if (name)
1858                                 r = open_from_hdr_and_vk(cd, vk, name, flags);
1859                 }
1860         } else
1861                 r = -EINVAL;
1862 out:
1863         crypt_safe_free(read_passphrase);
1864         crypt_free_volume_key(vk);
1865
1866         return r < 0  ? r : keyslot;
1867 }
1868
1869 int crypt_activate_by_keyfile(struct crypt_device *cd,
1870         const char *name,
1871         int keyslot,
1872         const char *keyfile,
1873         size_t keyfile_size,
1874         uint32_t flags)
1875 {
1876         crypt_status_info ci;
1877         struct volume_key *vk = NULL;
1878         char *passphrase_read = NULL;
1879         unsigned int passphrase_size_read, key_count = 0;
1880         int r;
1881
1882         log_dbg("Activating volume %s [keyslot %d] using keyfile %s.",
1883                 name ?: "", keyslot, keyfile ?: "[none]");
1884
1885         if (name) {
1886                 ci = crypt_status(NULL, name);
1887                 if (ci == CRYPT_INVALID)
1888                         return -EINVAL;
1889                 else if (ci >= CRYPT_ACTIVE) {
1890                         log_err(cd, _("Device %s already exists.\n"), name);
1891                         return -EEXIST;
1892                 }
1893         }
1894
1895         if (!keyfile)
1896                 return -EINVAL;
1897
1898         if (isPLAIN(cd->type)) {
1899                 r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1900                                   &passphrase_size_read, keyfile, keyfile_size);
1901                 if (r < 0)
1902                         goto out;
1903                 r = create_device_helper(cd, name, cd->plain_hdr.hash,
1904                                          cd->plain_cipher, cd->plain_cipher_mode,
1905                                          NULL, passphrase_read, passphrase_size_read,
1906                                          cd->volume_key->keylength, 0,
1907                                          cd->plain_hdr.skip, cd->plain_hdr.offset,
1908                                          cd->plain_uuid,
1909                                          flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1910         } else if (isLUKS(cd->type)) {
1911                 r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1912                           &passphrase_size_read, keyfile, keyfile_size);
1913                 if (r < 0)
1914                         goto out;
1915                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1916                                            passphrase_size_read, &cd->hdr, &vk, cd);
1917                 if (r < 0)
1918                         goto out;
1919                 keyslot = r;
1920
1921                 if (name) {
1922                         r = open_from_hdr_and_vk(cd, vk, name, flags);
1923                         if (r < 0)
1924                                 goto out;
1925                 }
1926                 r = keyslot;
1927         } else if (isLOOPAES(cd->type)) {
1928                 r = key_from_file(cd, NULL, &passphrase_read, &passphrase_size_read,
1929                                   keyfile, LOOPAES_KEYFILE_MAXSIZE);
1930                 if (r < 0)
1931                         goto out;
1932                 r = LOOPAES_parse_keyfile(cd, &vk, &key_count,
1933                                           passphrase_read, passphrase_size_read);
1934                 if (r < 0)
1935                         goto out;
1936                 if (name)
1937                         r = LOOPAES_activate(cd, name, cd->loopaes_cipher,
1938                                              key_count, vk, flags);
1939         } else
1940                 r = -EINVAL;
1941
1942 out:
1943         crypt_safe_free(passphrase_read);
1944         crypt_free_volume_key(vk);
1945
1946         return r;
1947 }
1948
1949 int crypt_activate_by_volume_key(struct crypt_device *cd,
1950         const char *name,
1951         const char *volume_key,
1952         size_t volume_key_size,
1953         uint32_t flags)
1954 {
1955         crypt_status_info ci;
1956         struct volume_key *vk;
1957         int r;
1958
1959         log_dbg("Activating volume %s by volume key.", name);
1960
1961         /* use key directly, no hash */
1962         if (isPLAIN(cd->type)) {
1963                 if (!volume_key || !volume_key_size || !cd->volume_key ||
1964                         volume_key_size != cd->volume_key->keylength) {
1965                         log_err(cd, _("Incorrect volume key specified for plain device.\n"));
1966                         return -EINVAL;
1967                 }
1968
1969                 return create_device_helper(cd, name, NULL,
1970                         cd->plain_cipher, cd->plain_cipher_mode, NULL, volume_key, volume_key_size,
1971                         cd->volume_key->keylength, 0, cd->plain_hdr.skip,
1972                         cd->plain_hdr.offset, cd->plain_uuid, flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1973         }
1974
1975         if (!isLUKS(cd->type)) {
1976                 log_err(cd, _("Device type is not properly initialised.\n"));
1977                 return -EINVAL;
1978         }
1979
1980         if (name) {
1981                 ci = crypt_status(NULL, name);
1982                 if (ci == CRYPT_INVALID)
1983                         return -EINVAL;
1984                 else if (ci >= CRYPT_ACTIVE) {
1985                         log_err(cd, _("Device %s already exists.\n"), name);
1986                         return -EEXIST;
1987                 }
1988         }
1989
1990         /* If key is not provided, try to use internal key */
1991         if (!volume_key) {
1992                 if (!cd->volume_key) {
1993                         log_err(cd, _("Volume key does not match the volume.\n"));
1994                         return -EINVAL;
1995                 }
1996                 volume_key_size = cd->volume_key->keylength;
1997                 volume_key = cd->volume_key->key;
1998         }
1999
2000         vk = crypt_alloc_volume_key(volume_key_size, volume_key);
2001         if (!vk)
2002                 return -ENOMEM;
2003         r = LUKS_verify_volume_key(&cd->hdr, vk);
2004
2005         if (r == -EPERM)
2006                 log_err(cd, _("Volume key does not match the volume.\n"));
2007
2008         if (!r && name)
2009                 r = open_from_hdr_and_vk(cd, vk, name, flags);
2010
2011         crypt_free_volume_key(vk);
2012
2013         return r;
2014 }
2015
2016 int crypt_deactivate(struct crypt_device *cd, const char *name)
2017 {
2018         int r;
2019
2020         if (!name)
2021                 return -EINVAL;
2022
2023         log_dbg("Deactivating volume %s.", name);
2024
2025         if (!cd && dm_init(NULL, 1) < 0)
2026                 return -ENOSYS;
2027
2028         switch (crypt_status(cd, name)) {
2029                 case CRYPT_ACTIVE:
2030                         r = dm_remove_device(name, 0, 0);
2031                         break;
2032                 case CRYPT_BUSY:
2033                         log_err(cd, _("Device %s is busy.\n"), name);
2034                         r = -EBUSY;
2035                         break;
2036                 case CRYPT_INACTIVE:
2037                         log_err(cd, _("Device %s is not active.\n"), name);
2038                         r = -ENODEV;
2039                         break;
2040                 default:
2041                         log_err(cd, _("Invalid device %s.\n"), name);
2042                         r = -EINVAL;
2043         }
2044
2045         if (!cd)
2046                 dm_exit();
2047
2048         return r;
2049 }
2050
2051 int crypt_volume_key_get(struct crypt_device *cd,
2052         int keyslot,
2053         char *volume_key,
2054         size_t *volume_key_size,
2055         const char *passphrase,
2056         size_t passphrase_size)
2057 {
2058         struct volume_key *vk;
2059         char *processed_key = NULL;
2060         int r, key_len;
2061
2062         key_len = crypt_get_volume_key_size(cd);
2063         if (key_len > *volume_key_size) {
2064                 log_err(cd, _("Volume key buffer too small.\n"));
2065                 return -ENOMEM;
2066         }
2067
2068         if (isPLAIN(cd->type) && cd->plain_hdr.hash) {
2069                 processed_key = process_key(cd, cd->plain_hdr.hash, NULL, key_len,
2070                                             passphrase, passphrase_size);
2071                 if (!processed_key) {
2072                         log_err(cd, _("Cannot retrieve volume key for plain device.\n"));
2073                         return -EINVAL;
2074                 }
2075                 memcpy(volume_key, processed_key, key_len);
2076                 *volume_key_size = key_len;
2077                 crypt_safe_free(processed_key);
2078                 return 0;
2079         }
2080
2081         if (isLUKS(cd->type)) {
2082                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
2083                                         passphrase_size, &cd->hdr, &vk, cd);
2084
2085                 if (r >= 0) {
2086                         memcpy(volume_key, vk->key, vk->keylength);
2087                         *volume_key_size = vk->keylength;
2088                 }
2089
2090                 crypt_free_volume_key(vk);
2091                 return r;
2092         }
2093
2094         log_err(cd, _("This operation is not supported for %s crypt device.\n"), cd->type ?: "(none)");
2095         return -EINVAL;
2096 }
2097
2098 int crypt_volume_key_verify(struct crypt_device *cd,
2099         const char *volume_key,
2100         size_t volume_key_size)
2101 {
2102         struct volume_key *vk;
2103         int r;
2104
2105         if (!isLUKS(cd->type)) {
2106                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
2107                 return -EINVAL;
2108         }
2109
2110         vk = crypt_alloc_volume_key(volume_key_size, volume_key);
2111         if (!vk)
2112                 return -ENOMEM;
2113
2114         r = LUKS_verify_volume_key(&cd->hdr, vk);
2115
2116         if (r == -EPERM)
2117                 log_err(cd, _("Volume key does not match the volume.\n"));
2118
2119         crypt_free_volume_key(vk);
2120
2121         return r;
2122 }
2123
2124 void crypt_set_timeout(struct crypt_device *cd, uint64_t timeout_sec)
2125 {
2126         log_dbg("Timeout set to %" PRIu64 " miliseconds.", timeout_sec);
2127         cd->timeout = timeout_sec;
2128 }
2129
2130 void crypt_set_password_retry(struct crypt_device *cd, int tries)
2131 {
2132         log_dbg("Password retry count set to %d.", tries);
2133         cd->tries = tries;
2134 }
2135
2136 void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms)
2137 {
2138         log_dbg("Iteration time set to %" PRIu64 " miliseconds.", iteration_time_ms);
2139         cd->iteration_time = iteration_time_ms;
2140 }
2141
2142 void crypt_set_password_verify(struct crypt_device *cd, int password_verify)
2143 {
2144         log_dbg("Password verification %s.", password_verify ? "enabled" : "disabled");
2145         cd->password_verify = password_verify ? 1 : 0;
2146 }
2147
2148 void crypt_set_rng_type(struct crypt_device *cd, int rng_type)
2149 {
2150         switch (rng_type) {
2151         case CRYPT_RNG_URANDOM:
2152         case CRYPT_RNG_RANDOM:
2153                 log_dbg("RNG set to %d (%s).", rng_type, rng_type ? "random" : "urandom");
2154                 cd->rng_type = rng_type;
2155         }
2156 }
2157
2158 int crypt_get_rng_type(struct crypt_device *cd)
2159 {
2160         if (!cd)
2161                 return -EINVAL;
2162
2163         return cd->rng_type;
2164 }
2165
2166 int crypt_memory_lock(struct crypt_device *cd, int lock)
2167 {
2168         return lock ? crypt_memlock_inc(cd) : crypt_memlock_dec(cd);
2169 }
2170
2171 // reporting
2172 crypt_status_info crypt_status(struct crypt_device *cd, const char *name)
2173 {
2174         int r;
2175
2176         if (!cd && dm_init(NULL, 1) < 0)
2177                 return CRYPT_INVALID;
2178
2179         r = dm_status_device(name);
2180
2181         if (!cd)
2182                 dm_exit();
2183
2184         if (r < 0 && r != -ENODEV)
2185                 return CRYPT_INVALID;
2186
2187         if (r == 0)
2188                 return CRYPT_ACTIVE;
2189
2190         if (r > 0)
2191                 return CRYPT_BUSY;
2192
2193         return CRYPT_INACTIVE;
2194 }
2195
2196 static void hexprintICB(struct crypt_device *cd, char *d, int n)
2197 {
2198         int i;
2199         for(i = 0; i < n; i++)
2200                 log_std(cd, "%02hhx ", (char)d[i]);
2201 }
2202
2203 int crypt_dump(struct crypt_device *cd)
2204 {
2205         int i;
2206         if (!isLUKS(cd->type)) { //FIXME
2207                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
2208                 return -EINVAL;
2209         }
2210
2211         log_std(cd, "LUKS header information for %s\n\n", cd->device);
2212         log_std(cd, "Version:       \t%d\n", cd->hdr.version);
2213         log_std(cd, "Cipher name:   \t%s\n", cd->hdr.cipherName);
2214         log_std(cd, "Cipher mode:   \t%s\n", cd->hdr.cipherMode);
2215         log_std(cd, "Hash spec:     \t%s\n", cd->hdr.hashSpec);
2216         log_std(cd, "Payload offset:\t%d\n", cd->hdr.payloadOffset);
2217         log_std(cd, "MK bits:       \t%d\n", cd->hdr.keyBytes * 8);
2218         log_std(cd, "MK digest:     \t");
2219         hexprintICB(cd, cd->hdr.mkDigest, LUKS_DIGESTSIZE);
2220         log_std(cd, "\n");
2221         log_std(cd, "MK salt:       \t");
2222         hexprintICB(cd, cd->hdr.mkDigestSalt, LUKS_SALTSIZE/2);
2223         log_std(cd, "\n               \t");
2224         hexprintICB(cd, cd->hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
2225         log_std(cd, "\n");
2226         log_std(cd, "MK iterations: \t%d\n", cd->hdr.mkDigestIterations);
2227         log_std(cd, "UUID:          \t%s\n\n", cd->hdr.uuid);
2228         for(i = 0; i < LUKS_NUMKEYS; i++) {
2229                 if(cd->hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
2230                         log_std(cd, "Key Slot %d: ENABLED\n",i);
2231                         log_std(cd, "\tIterations:         \t%d\n",
2232                                 cd->hdr.keyblock[i].passwordIterations);
2233                         log_std(cd, "\tSalt:               \t");
2234                         hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt,
2235                                     LUKS_SALTSIZE/2);
2236                         log_std(cd, "\n\t                      \t");
2237                         hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt +
2238                                     LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
2239                         log_std(cd, "\n");
2240
2241                         log_std(cd, "\tKey material offset:\t%d\n",
2242                                 cd->hdr.keyblock[i].keyMaterialOffset);
2243                         log_std(cd, "\tAF stripes:            \t%d\n",
2244                                 cd->hdr.keyblock[i].stripes);
2245                 }
2246                 else 
2247                         log_std(cd, "Key Slot %d: DISABLED\n", i);
2248         }
2249
2250         return 0;
2251 }
2252
2253 const char *crypt_get_cipher(struct crypt_device *cd)
2254 {
2255         if (isPLAIN(cd->type))
2256                 return cd->plain_cipher;
2257
2258         if (isLUKS(cd->type))
2259                 return cd->hdr.cipherName;
2260
2261         if (isLOOPAES(cd->type))
2262                 return cd->loopaes_cipher;
2263
2264         return NULL;
2265 }
2266
2267 const char *crypt_get_cipher_mode(struct crypt_device *cd)
2268 {
2269         if (isPLAIN(cd->type))
2270                 return cd->plain_cipher_mode;
2271
2272         if (isLUKS(cd->type))
2273                 return cd->hdr.cipherMode;
2274
2275         if (isLOOPAES(cd->type))
2276                 return cd->loopaes_cipher_mode;
2277
2278         return NULL;
2279 }
2280
2281 const char *crypt_get_uuid(struct crypt_device *cd)
2282 {
2283         if (isLUKS(cd->type))
2284                 return cd->hdr.uuid;
2285
2286         if (isPLAIN(cd->type))
2287                 return cd->plain_uuid;
2288
2289         if (isLOOPAES(cd->type))
2290                 return cd->loopaes_uuid;
2291
2292         return NULL;
2293 }
2294
2295 const char *crypt_get_device_name(struct crypt_device *cd)
2296 {
2297         return cd->device;
2298 }
2299
2300 int crypt_get_volume_key_size(struct crypt_device *cd)
2301 {
2302         if (isPLAIN(cd->type) && cd->volume_key)
2303                 return cd->volume_key->keylength;
2304
2305         if (isLUKS(cd->type))
2306                 return cd->hdr.keyBytes;
2307
2308         if (isLOOPAES(cd->type))
2309                 return cd->loopaes_key_size;
2310
2311         return 0;
2312 }
2313
2314 uint64_t crypt_get_data_offset(struct crypt_device *cd)
2315 {
2316         if (isPLAIN(cd->type))
2317                 return cd->plain_hdr.offset;
2318
2319         if (isLUKS(cd->type))
2320                 return cd->hdr.payloadOffset;
2321
2322         if (isLOOPAES(cd->type))
2323                 return cd->loopaes_hdr.offset;
2324
2325         return 0;
2326 }
2327
2328 crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot)
2329 {
2330         if (!isLUKS(cd->type)) {
2331                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
2332                 return CRYPT_SLOT_INVALID;
2333         }
2334
2335         return LUKS_keyslot_info(&cd->hdr, keyslot);
2336 }
2337
2338 int crypt_keyslot_max(const char *type)
2339 {
2340         if (type && isLUKS(type))
2341                 return LUKS_NUMKEYS;
2342
2343         return -EINVAL;
2344 }
2345
2346 const char *crypt_get_type(struct crypt_device *cd)
2347 {
2348         return cd->type;
2349 }
2350
2351 int crypt_get_active_device(struct crypt_device *cd,
2352                             const char *name,
2353                             struct crypt_active_device *cad)
2354 {
2355         int r, readonly;
2356
2357         r = dm_query_device(name, NULL, &cad->size, &cad->iv_offset, &cad->offset,
2358                             NULL, NULL, NULL, &readonly, NULL, NULL);
2359         if (r < 0)
2360                 return r;
2361
2362         cad->flags = readonly ? CRYPT_ACTIVATE_READONLY : 0;
2363
2364         return 0;
2365 }
Domain: System / System Framework;