8 #include "libcryptsetup.h"
13 /* callbacks definitions */
14 void (*log)(int class, const char *msg, void *usrptr);
19 static void (*_default_log)(int class, char *msg) = NULL;
20 static int _debug_level = 0;
22 void crypt_set_debug_level(int level)
27 void set_default_log(void (*log)(int class, char *msg))
32 void logger(struct crypt_device *cd, int class, const char *file,
33 int line, const char *format, ...)
38 va_start(argp, format);
40 if (vasprintf(&target, format, argp) > 0) {
43 cd->log(class, target, cd->log_usrptr);
44 else if (_default_log)
45 _default_log(class, target);
47 } else if (_debug_level)
48 printf("# %s:%d %s\n", file ?: "?", line, target);
50 } else if (_debug_level)
51 printf("# %s\n", target);
59 static void hexprintICB(struct crypt_device *cd, char *d, int n)
62 for(i = 0; i < n; i++)
63 log_std(cd, "%02hhx ", (char)d[i]);
67 * Password processing behaviour matrix of process_key
69 * from binary file: check if there is sufficently large key material
70 * interactive & from fd: hash if requested, otherwise crop or pad with '0'
72 static char *process_key(struct crypt_device *cd,
73 struct crypt_options *options,
74 const char *pass, size_t passLen)
76 char *key = safe_alloc(options->key_size);
77 memset(key, 0, options->key_size);
79 /* key is coming from binary file */
80 if (options->key_file && strcmp(options->key_file, "-")) {
81 if(passLen < options->key_size) {
82 log_err(cd, _("Cannot not read %d bytes from key file %s.\n"),
83 options->key_size, options->key_file);
87 memcpy(key,pass,options->key_size);
91 /* key is coming from tty, fd or binary stdin */
93 if (hash(NULL, options->hash,
94 key, options->key_size,
97 log_err(cd, _("Key processing error.\n"));
101 } else if (passLen > options->key_size) {
102 memcpy(key, pass, options->key_size);
104 memcpy(key, pass, passLen);
110 int parse_into_name_and_mode(const char *nameAndMode, char *name, char *mode)
112 /* Token content stringification, see info cpp/stringification */
114 #define xstr(s) str(s)
115 #define scanpattern1 "%" xstr(LUKS_CIPHERNAME_L) "[^-]-%" xstr(LUKS_CIPHERMODE_L) "s"
116 #define scanpattern2 "%" xstr(LUKS_CIPHERNAME_L) "[^-]"
120 if(sscanf(nameAndMode,scanpattern1, name, mode) != 2) {
121 if((r = sscanf(nameAndMode,scanpattern2,name)) == 1)
122 strncpy(mode,"cbc-plain",10);
135 static int keyslot_is_valid(struct crypt_device *cd, int keySlotIndex)
137 if(keySlotIndex >= LUKS_NUMKEYS || keySlotIndex < 0) {
138 log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
139 keySlotIndex, LUKS_NUMKEYS - 1);
146 /* Select free keyslot or verifies that the one specified is empty */
147 static int keyslot_from_option(struct crypt_device *cd, int keySlotOption, struct luks_phdr *hdr) {
148 if(keySlotOption >= 0) {
149 if(!keyslot_is_valid(cd, keySlotOption))
151 else if(hdr->keyblock[keySlotOption].active != LUKS_KEY_DISABLED) {
152 log_err(cd, _("Key slot %d is full, please select another one.\n"),
156 return keySlotOption;
160 /* Find empty key slot */
161 for(i=0; i<LUKS_NUMKEYS; i++) {
162 if(hdr->keyblock[i].active == LUKS_KEY_DISABLED) break;
164 if(i==LUKS_NUMKEYS) {
165 log_err(cd, _("All key slots full.\n"));
172 static int create_device_helper(int reload, struct crypt_options *options)
174 struct crypt_device *cd = NULL;
175 struct device_infos infos;
178 char *processed_key = NULL;
181 r = dm_status_device(options->name);
187 log_err(cd, _("Device %s already exists.\n"), options->name);
194 if (options->key_size < 0 || options->key_size > 1024) {
195 log_err(cd, _("Invalid key size %d.\n"), options->key_size);
199 if (get_device_infos(options->device, &infos, cd) < 0)
202 if (!options->size) {
203 options->size = infos.size;
204 if (!options->size) {
205 log_err(cd, "Not a block device");
208 if (options->size <= options->offset) {
209 log_err(cd, "Invalid offset");
212 options->size -= options->offset;
216 options->flags |= CRYPT_FLAG_READONLY;
218 get_key("Enter passphrase: ", &key, &keyLen, options->key_size,
219 options->key_file, options->timeout, options->flags, NULL);
221 log_err(cd, "Key reading error");
225 processed_key = process_key(cd, options, key, keyLen);
231 r = dm_create_device(options->name, options->device, options->cipher,
232 NULL, options->size, options->skip, options->offset,
233 options->key_size, processed_key,
234 options->flags & CRYPT_FLAG_READONLY, reload);
236 safe_free(processed_key);
241 static int luks_remove_helper(struct crypt_device *cd,
242 struct crypt_options *options, int supply_it)
244 struct luks_masterkey *mk;
245 struct luks_phdr hdr;
247 unsigned int passwordLen;
248 const char *device = options->device;
253 r = LUKS_read_phdr(options->device, &hdr, 1, cd);
258 get_key("Enter LUKS passphrase to be deleted: ",&password,&passwordLen, 0, options->new_key_file,
259 options->timeout, options->flags, cd);
261 r = -EINVAL; goto out;
264 keyIndex = LUKS_open_key_with_hdr(device, CRYPT_ANY_SLOT, password, passwordLen, &hdr, &mk, cd);
266 log_err(cd, "No remaining key available with this passphrase.\n");
267 r = -EPERM; goto out;
269 log_std(cd ,"key slot %d selected for deletion.\n", keyIndex);
274 keyIndex = options->key_slot;
275 if (!keyslot_is_valid(cd, keyIndex)) {
276 r = -EINVAL; goto out;
280 if (LUKS_keyslot_info(&hdr, keyIndex) == SLOT_INACTIVE) {
281 log_err(cd, _("Key %d not active. Can't wipe.\n"), keyIndex);
286 last_slot = (LUKS_keyslot_info(&hdr, keyIndex) == SLOT_ACTIVE_LAST);
287 if(last_slot && !(options->icb->yesDialog(_("This is the last keyslot. Device will become unusable after purging this key.")))) {
288 r = -EINVAL; goto out;
291 if(options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY) {
292 options->flags &= ~CRYPT_FLAG_VERIFY_ON_DELKEY;
293 get_key("Enter any remaining LUKS passphrase: ",&password,&passwordLen, 0, options->key_file,
294 options->timeout, options->flags, cd);
296 r = -EINVAL; goto out;
299 r = LUKS_read_phdr(device, &hdr, 1, cd);
301 options->icb->log(CRYPT_LOG_ERROR,"Failed to access device.\n");
306 hdr.keyblock[keyIndex].active = LUKS_KEY_DISABLED;
308 openedIndex = LUKS_open_key_with_hdr(device, CRYPT_ANY_SLOT, password, passwordLen, &hdr, &mk, cd);
310 if (openedIndex >= 0) {
311 LUKS_dealloc_masterkey(mk);
314 if(openedIndex < 0) {
315 log_err(cd, "No remaining key available with this passphrase.\n");
316 r = -EPERM; goto out;
318 log_std(cd, "key slot %d verified.\n", openedIndex);
320 r = LUKS_del_key(device, keyIndex, cd);
329 /* OPTIONS: name, cipher, device, hash, key_file, key_size, key_slot,
330 * offset, size, skip, timeout, tries, passphrase_fd (ignored),
332 int crypt_create_device(struct crypt_options *options)
334 return create_device_helper(0, options);
337 /* OPTIONS: same as create above */
338 int crypt_update_device(struct crypt_options *options)
340 return create_device_helper(1, options);
343 /* OPTIONS: name, size, icb */
344 int crypt_resize_device(struct crypt_options *options)
346 struct crypt_device *cd = NULL;
347 char *device, *cipher, *key = NULL;
348 uint64_t size, skip, offset;
349 int key_size, read_only, r;
350 struct device_infos infos;
352 r = dm_query_device(options->name, &device, &size, &skip, &offset,
353 &cipher, &key_size, &key, &read_only);
357 if (get_device_infos(device, &infos, cd) < 0)
360 if (!options->size) {
361 options->size = infos.size;
362 if (!options->size) {
363 log_err(cd, "Not a block device");
366 if (options->size <= offset) {
367 log_err(cd, "Invalid offset");
370 options->size -= offset;
372 size = options->size;
375 options->flags |= CRYPT_FLAG_READONLY;
377 r = dm_create_device(options->name, device, cipher, NULL, size, skip, offset,
378 key_size, key, read_only, 1);
387 /* OPTIONS: name, icb */
388 int crypt_query_device(struct crypt_options *options)
392 r = dm_status_device(options->name);
396 r = dm_query_device(options->name, (char **)&options->device, &options->size,
397 &options->skip, &options->offset, (char **)&options->cipher,
398 &options->key_size, NULL, &read_only);
404 options->flags |= CRYPT_FLAG_READONLY;
406 options->flags |= CRYPT_FLAG_FREE_DEVICE;
407 options->flags |= CRYPT_FLAG_FREE_CIPHER;
412 /* OPTIONS: name, icb */
413 int crypt_remove_device(struct crypt_options *options)
417 r = dm_status_device(options->name);
421 log_err(NULL, "Device busy");
425 return dm_remove_device(options->name, 0, 0);
428 /* OPTIONS: device, cipher, hash, align_payload, key_size (master key), key_slot
429 * new_key_file, iteration_time, timeout, flags, icb */
430 int crypt_luksFormat(struct crypt_options *options)
432 struct crypt_device *cd = NULL;
433 struct luks_phdr header;
434 struct luks_masterkey *mk=NULL;
436 char cipherName[LUKS_CIPHERNAME_L];
437 char cipherMode[LUKS_CIPHERMODE_L];
438 unsigned int passwordLen;
439 uint64_t PBKDF2perSecond = 0;
442 if (!device_ready(cd, options->device, O_RDWR | O_EXCL))
445 mk = LUKS_generate_masterkey(options->key_size);
446 if(NULL == mk) return -ENOMEM; // FIXME This may be misleading, since we don't know what went wrong
449 #define printoffset(entry) \
450 logger(options, CRYPT_LOG_ERROR, \
451 "offset of " #entry " = %d\n", (char *)(&header.entry)-(char *)(&header))
453 log_err("sizeof phdr %d, sizeof key slot %d\n",
454 sizeof(struct luks_phdr),
455 sizeof(header.keyblock[0]));
458 printoffset(version);
459 printoffset(cipherName);
460 printoffset(cipherMode);
461 printoffset(hashSpec);
462 printoffset(payloadOffset);
463 printoffset(keyBytes);
464 printoffset(mkDigest);
465 printoffset(mkDigestSalt);
466 printoffset(mkDigestIterations);
470 r = parse_into_name_and_mode(options->cipher, cipherName, cipherMode);
472 log_err(cd, _("No known cipher specification pattern detected.\n"));
476 r = LUKS_generate_phdr(&header, mk, cipherName, cipherMode, options->hash, NULL, LUKS_STRIPES, options->align_payload, NULL);
479 keyIndex = keyslot_from_option(NULL, options->key_slot, &header);
480 if(keyIndex == -EINVAL) {
481 r = -EINVAL; goto out;
484 get_key("Enter LUKS passphrase: ",&password,&passwordLen, 0, options->new_key_file,
485 options->timeout, options->flags, NULL);
487 r = -EINVAL; goto out;
490 /* Wipe first 8 sectors - fs magic numbers etc. */
491 r = wipe_device_header(options->device, 8);
494 /* Set key, also writes phdr */
495 r = LUKS_set_key(options->device, keyIndex, password, passwordLen, &header, mk,
496 options->iteration_time, &PBKDF2perSecond, NULL);
501 LUKS_dealloc_masterkey(mk);
506 /* OPTIONS: name, device, key_size, key_file, timeout, tries, flags, icb */
507 int crypt_luksOpen(struct crypt_options *options)
509 struct crypt_device *cd = NULL;
510 struct luks_masterkey *mk=NULL;
511 struct luks_phdr hdr;
514 unsigned int passwordLen;
515 struct device_infos infos;
516 char *dmCipherSpec = NULL;
517 int r, tries = options->tries;
518 int excl = (options->flags & CRYPT_FLAG_NON_EXCLUSIVE_ACCESS) ? 0 : O_EXCL ;
520 r = dm_status_device(options->name);
522 log_err(cd, "Device %s already exists.", options->name);
526 if (!device_ready(cd, options->device, O_RDONLY | excl))
529 if (get_device_infos(options->device, &infos, cd) < 0) {
530 log_err(cd, "Can't get device information.\n");
535 options->flags |= CRYPT_FLAG_READONLY;
537 if(asprintf(&prompt, "Enter LUKS passphrase for %s: ", options->device) < 0)
543 if(options->passphrase) {
544 passwordLen = strlen(options->passphrase);
545 password = safe_alloc(passwordLen + 1);
546 strncpy(password, options->passphrase, passwordLen + 1);
549 get_key(prompt, &password, &passwordLen, options->key_size, options->key_file,
550 options->timeout, options->flags, cd);
558 r = -EINVAL; goto out;
561 r = LUKS_read_phdr(options->device, &hdr, 1, cd);
565 r = LUKS_open_key_with_hdr(options->device, CRYPT_ANY_SLOT, password, passwordLen, &hdr, &mk, cd);
567 log_err(cd, "No key available with this passphrase.\n");
571 log_err(NULL, "key slot %d unlocked.\n", r);
574 options->offset = hdr.payloadOffset;
575 if (asprintf(&dmCipherSpec, "%s-%s", hdr.cipherName, hdr.cipherMode) < 0) {
579 options->cipher = dmCipherSpec;
580 options->key_size = mk->keyLength;
583 options->size = infos.size;
584 if (!options->size) {
585 log_err(cd, "Not a block device.\n");
586 r = -ENOTBLK; goto out2;
588 if (options->size <= options->offset) {
589 log_err(cd, "Invalid offset");
590 r = -EINVAL; goto out2;
592 options->size -= options->offset;
593 /* FIXME: code allows multiple crypt mapping, cannot use uuid then.
594 * anyway, it is dangerous and can corrupt data. Remove it in next version! */
595 r = dm_create_device(options->name, options->device, options->cipher,
596 excl ? hdr.uuid : NULL, options->size,
597 0, options->offset, mk->keyLength, mk->key,
598 options->flags & CRYPT_FLAG_READONLY, 0);
606 LUKS_dealloc_masterkey(mk);
607 if (r == -EPERM && tries > 0)
615 /* OPTIONS: device, keys_slot, key_file, timeout, flags, icb */
616 int crypt_luksKillSlot(struct crypt_options *options)
618 return luks_remove_helper(NULL, options, 0);
621 /* OPTIONS: device, new_key_file, key_file, timeout, flags, icb */
622 int crypt_luksRemoveKey(struct crypt_options *options)
624 return luks_remove_helper(NULL, options, 1);
627 /* OPTIONS: device, new_key_file, key_file, key_slot, flags,
628 iteration_time, timeout, icb */
629 int crypt_luksAddKey(struct crypt_options *options)
631 struct crypt_device *cd = NULL;
632 struct luks_masterkey *mk=NULL;
633 struct luks_phdr hdr;
634 char *password=NULL; unsigned int passwordLen;
635 unsigned int keyIndex;
636 uint64_t PBKDF2perSecond = 0;
637 const char *device = options->device;
640 if (!device_ready(cd, options->device, O_RDWR))
643 r = LUKS_read_phdr(device, &hdr, 1, cd);
647 keyIndex = keyslot_from_option(cd, options->key_slot, &hdr);
648 if(keyIndex == -EINVAL) {
649 r = -EINVAL; goto out;
652 get_key("Enter any LUKS passphrase: ",
658 options->flags & ~(CRYPT_FLAG_VERIFY | CRYPT_FLAG_VERIFY_IF_POSSIBLE), cd);
661 r = -EINVAL; goto out;
663 r = LUKS_open_key_with_hdr(device, CRYPT_ANY_SLOT, password, passwordLen, &hdr, &mk, cd);
665 options->icb->log(CRYPT_LOG_ERROR,"No key available with this passphrase.\n");
666 r = -EPERM; goto out;
670 get_key("Enter new passphrase for key slot: ",
674 options->new_key_file,
678 r = -EINVAL; goto out;
681 r = LUKS_set_key(device, keyIndex, password, passwordLen, &hdr, mk, options->iteration_time, &PBKDF2perSecond, cd);
687 LUKS_dealloc_masterkey(mk);
691 /* OPTIONS: device, icb */
692 int crypt_luksUUID(struct crypt_options *options)
694 struct crypt_device *cd = NULL;
695 struct luks_phdr hdr;
698 r = LUKS_read_phdr(options->device, &hdr, 1, cd);
701 options->icb->log(CRYPT_LOG_NORMAL,hdr.uuid);
702 options->icb->log(CRYPT_LOG_NORMAL,"\n");
706 /* OPTIONS: device, icb */
707 int crypt_isLuks(struct crypt_options *options)
709 struct crypt_device *cd = NULL;
710 struct luks_phdr hdr;
711 return LUKS_read_phdr(options->device, &hdr, 0, cd);
714 /* OPTIONS: device, icb */
715 int crypt_luksDump(struct crypt_options *options)
717 struct crypt_device *cd = NULL;
718 struct luks_phdr hdr;
721 r = LUKS_read_phdr(options->device, &hdr, 1, cd);
724 log_std(cd, "LUKS header information for %s\n\n", options->device);
725 log_std(cd, "Version: \t%d\n", hdr.version);
726 log_std(cd, "Cipher name: \t%s\n", hdr.cipherName);
727 log_std(cd, "Cipher mode: \t%s\n", hdr.cipherMode);
728 log_std(cd, "Hash spec: \t%s\n", hdr.hashSpec);
729 log_std(cd, "Payload offset:\t%d\n", hdr.payloadOffset);
730 log_std(cd, "MK bits: \t%d\n", hdr.keyBytes * 8);
731 log_std(cd, "MK digest: \t");
732 hexprintICB(cd, hdr.mkDigest, LUKS_DIGESTSIZE);
734 log_std(cd, "MK salt: \t");
735 hexprintICB(cd, hdr.mkDigestSalt, LUKS_SALTSIZE/2);
736 log_std(cd, "\n \t");
737 hexprintICB(cd, hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
739 log_std(cd, "MK iterations: \t%d\n", hdr.mkDigestIterations);
740 log_std(cd, "UUID: \t%s\n\n", hdr.uuid);
741 for(i = 0; i < LUKS_NUMKEYS; i++) {
742 if(hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
743 log_std(cd, "Key Slot %d: ENABLED\n",i);
744 log_std(cd, "\tIterations: \t%d\n",
745 hdr.keyblock[i].passwordIterations);
746 log_std(cd, "\tSalt: \t");
747 hexprintICB(cd, hdr.keyblock[i].passwordSalt,
749 log_std(cd, "\n\t \t");
750 hexprintICB(cd, hdr.keyblock[i].passwordSalt +
751 LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
754 log_std(cd, "\tKey material offset:\t%d\n",
755 hdr.keyblock[i].keyMaterialOffset);
756 log_std(cd, "\tAF stripes: \t%d\n",
757 hdr.keyblock[i].stripes);
760 log_std(cd, "Key Slot %d: DISABLED\n", i);
765 void crypt_get_error(char *buf, size_t size)
767 const char *error = get_error();
769 if (!buf || size < 1)
772 strncpy(buf, error, size - 1);
773 buf[size - 1] = '\0';
779 void crypt_put_options(struct crypt_options *options)
781 if (options->flags & CRYPT_FLAG_FREE_DEVICE) {
782 free((char *)options->device);
783 options->device = NULL;
784 options->flags &= ~CRYPT_FLAG_FREE_DEVICE;
786 if (options->flags & CRYPT_FLAG_FREE_CIPHER) {
787 free((char *)options->cipher);
788 options->cipher = NULL;
789 options->flags &= ~CRYPT_FLAG_FREE_CIPHER;
793 const char *crypt_get_dir(void)