lib/setup.c

   1 #include <string.h>
   2 #include <stdio.h>
   3 #include <stdlib.h>
   4 #include <stdarg.h>
   5 #include <fcntl.h>
   6 #include <errno.h>
   7
   8 #include "libcryptsetup.h"
   9 #include "luks.h"
  10 #include "loopaes.h"
  11 #include "internal.h"
  12 #include "crypto_backend.h"
  13
  14 struct crypt_device {
  15         char *type;
  16
  17         char *device;
  18         struct volume_key *volume_key;
  19         uint64_t timeout;
  20         uint64_t iteration_time;
  21         int tries;
  22         int password_verify;
  23         int rng_type;
  24
  25         /* used in CRYPT_LUKS1 */
  26         struct luks_phdr hdr;
  27         uint64_t PBKDF2_per_sec;
  28
  29         /* used in CRYPT_PLAIN */
  30         struct crypt_params_plain plain_hdr;
  31         char *plain_cipher;
  32         char *plain_cipher_mode;
  33         char *plain_uuid;
  34
  35         /* used in CRYPT_LOOPAES */
  36         struct crypt_params_loopaes loopaes_hdr;
  37         char *loopaes_cipher;
  38         char *loopaes_cipher_mode;
  39         char *loopaes_uuid;
  40         unsigned int loopaes_key_size;
  41
  42         /* callbacks definitions */
  43         void (*log)(int level, const char *msg, void *usrptr);
  44         void *log_usrptr;
  45         int (*confirm)(const char *msg, void *usrptr);
  46         void *confirm_usrptr;
  47         int (*password)(const char *msg, char *buf, size_t length, void *usrptr);
  48         void *password_usrptr;
  49 };
  50
  51 /* Log helper */
  52 static void (*_default_log)(int level, const char *msg, void *usrptr) = NULL;
  53 static int _debug_level = 0;
  54
  55 void crypt_set_debug_level(int level)
  56 {
  57         _debug_level = level;
  58 }
  59
  60 int crypt_get_debug_level()
  61 {
  62         return _debug_level;
  63 }
  64
  65 void crypt_log(struct crypt_device *cd, int level, const char *msg)
  66 {
  67         if (cd && cd->log)
  68                 cd->log(level, msg, cd->log_usrptr);
  69         else if (_default_log)
  70                 _default_log(level, msg, NULL);
  71 }
  72
  73 void logger(struct crypt_device *cd, int level, const char *file,
  74             int line, const char *format, ...)
  75 {
  76         va_list argp;
  77         char *target = NULL;
  78
  79         va_start(argp, format);
  80
  81         if (vasprintf(&target, format, argp) > 0) {
  82                 if (level >= 0) {
  83                         crypt_log(cd, level, target);
  84 #ifdef CRYPT_DEBUG
  85                 } else if (_debug_level)
  86                         printf("# %s:%d %s\n", file ?: "?", line, target);
  87 #else
  88                 } else if (_debug_level)
  89                         printf("# %s\n", target);
  90 #endif
  91         }
  92
  93         va_end(argp);
  94         free(target);
  95 }
  96
  97 static int init_crypto(struct crypt_device *ctx)
  98 {
  99         int r;
 100
 101         r = crypt_random_init(ctx);
 102         if (r < 0) {
 103                 log_err(ctx, _("Cannot initialize crypto RNG backend.\n"));
 104                 return r;
 105         }
 106
 107         r = crypt_backend_init(ctx);
 108         if (r < 0)
 109                 log_err(ctx, _("Cannot initialize crypto backend.\n"));
 110
 111         return r;
 112 }
 113
 114 /*
 115  * Password processing behaviour matrix of process_key
 116  *
 117  * from binary file: check if there is sufficently large key material
 118  * interactive & from fd: hash if requested, otherwise crop or pad with '0'
 119  */
 120 static char *process_key(struct crypt_device *cd, const char *hash_name,
 121                          const char *key_file, size_t key_size,
 122                          const char *pass, size_t passLen)
 123 {
 124         char *key;
 125
 126         if (!key_size)
 127                 return NULL;
 128
 129         key = crypt_safe_alloc(key_size);
 130         memset(key, 0, key_size);
 131
 132         /* key is coming from binary file */
 133         if (key_file && strcmp(key_file, "-")) {
 134                 if(passLen < key_size) {
 135                         log_err(cd, _("Cannot not read %d bytes from key file %s.\n"),
 136                                 key_size, key_file);
 137                         crypt_safe_free(key);
 138                         return NULL;
 139                 }
 140                 memcpy(key, pass, key_size);
 141                 return key;
 142         }
 143
 144         /* key is coming from tty, fd or binary stdin */
 145         if (hash_name) {
 146                 if (crypt_plain_hash(cd, hash_name, key, key_size, pass, passLen) < 0) {
 147                         log_err(cd, _("Key processing error (using hash algorithm %s).\n"),
 148                                 hash_name);
 149                         crypt_safe_free(key);
 150                         return NULL;
 151                 }
 152         } else if (passLen > key_size) {
 153                 memcpy(key, pass, key_size);
 154         } else {
 155                 memcpy(key, pass, passLen);
 156         }
 157
 158         return key;
 159 }
 160
 161 static int isPLAIN(const char *type)
 162 {
 163         return (type && !strcmp(CRYPT_PLAIN, type));
 164 }
 165
 166 static int isLUKS(const char *type)
 167 {
 168         return (type && !strcmp(CRYPT_LUKS1, type));
 169 }
 170
 171 static int isLOOPAES(const char *type)
 172 {
 173         return (type && !strcmp(CRYPT_LOOPAES, type));
 174 }
 175
 176 /* keyslot helpers */
 177 static int keyslot_verify_or_find_empty(struct crypt_device *cd, int *keyslot)
 178 {
 179         if (*keyslot == CRYPT_ANY_SLOT) {
 180                 *keyslot = LUKS_keyslot_find_empty(&cd->hdr);
 181                 if (*keyslot < 0) {
 182                         log_err(cd, _("All key slots full.\n"));
 183                         return -EINVAL;
 184                 }
 185         }
 186
 187         switch (LUKS_keyslot_info(&cd->hdr, *keyslot)) {
 188                 case CRYPT_SLOT_INVALID:
 189                         log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
 190                                 *keyslot, LUKS_NUMKEYS - 1);
 191                         return -EINVAL;
 192                 case CRYPT_SLOT_INACTIVE:
 193                         break;
 194                 default:
 195                         log_err(cd, _("Key slot %d is full, please select another one.\n"),
 196                                 *keyslot);
 197                         return -EINVAL;
 198         }
 199
 200         return 0;
 201 }
 202
 203 static int verify_other_keyslot(struct crypt_device *cd,
 204                                 const char *key_file,
 205                                 int keyIndex)
 206 {
 207         struct volume_key *vk = NULL;
 208         crypt_keyslot_info ki;
 209         int openedIndex, r;
 210         char *password = NULL;
 211         unsigned int passwordLen;
 212
 213         r = crypt_get_key(_("Enter any remaining LUKS passphrase: "),
 214                           &password, &passwordLen, 0, key_file, cd->timeout,
 215                           cd->password_verify, cd);
 216         if(r < 0)
 217                 goto out;
 218
 219         ki = crypt_keyslot_status(cd, keyIndex);
 220         if (ki == CRYPT_SLOT_ACTIVE) /* Not last slot */
 221                 LUKS_keyslot_set(&cd->hdr, keyIndex, 0);
 222
 223         openedIndex = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT,
 224                                              password, passwordLen,
 225                                              &cd->hdr, &vk, cd);
 226
 227         if (ki == CRYPT_SLOT_ACTIVE)
 228                 LUKS_keyslot_set(&cd->hdr, keyIndex, 1);
 229
 230         if (openedIndex < 0)
 231                 r = -EPERM;
 232         else
 233                 log_verbose(cd, _("Key slot %d verified.\n"), openedIndex);
 234 out:
 235         crypt_free_volume_key(vk);
 236         crypt_safe_free(password);
 237         return r;
 238 }
 239
 240 static int find_keyslot_by_passphrase(struct crypt_device *cd,
 241                                       const char *key_file,
 242                                       char *message)
 243 {
 244         struct volume_key *vk = NULL;
 245         char *password = NULL;
 246         unsigned int passwordLen;
 247         int r;
 248
 249         r = crypt_get_key(message,&password,&passwordLen, 0, key_file,
 250                           cd->timeout, cd->password_verify, cd);
 251         if (r < 0)
 252                 goto out;
 253
 254         r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
 255                                    passwordLen, &cd->hdr, &vk, cd);
 256 out:
 257         crypt_free_volume_key(vk);
 258         crypt_safe_free(password);
 259         return r;
 260 }
 261
 262 static int luks_remove_helper(struct crypt_device *cd,
 263                               int key_slot,
 264                               const char *other_key_file,
 265                               const char *key_file,
 266                               int verify)
 267 {
 268         crypt_keyslot_info ki;
 269         int r = -EINVAL;
 270
 271         if (key_slot == CRYPT_ANY_SLOT) {
 272                 key_slot = find_keyslot_by_passphrase(cd, key_file,
 273                                 _("Enter LUKS passphrase to be deleted: "));
 274                 if(key_slot < 0) {
 275                         r = -EPERM;
 276                         goto out;
 277                 }
 278
 279                 log_std(cd, _("Key slot %d selected for deletion.\n"), key_slot);
 280         }
 281
 282         ki = crypt_keyslot_status(cd, key_slot);
 283         if (ki == CRYPT_SLOT_INVALID) {
 284                 log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
 285                         key_slot, LUKS_NUMKEYS - 1);
 286                 r = -EINVAL;
 287                 goto out;
 288         }
 289         if (ki <= CRYPT_SLOT_INACTIVE) {
 290                 log_err(cd, _("Key %d not active. Can't wipe.\n"), key_slot);
 291                 r = -EINVAL;
 292                 goto out;
 293         }
 294
 295         if (ki == CRYPT_SLOT_ACTIVE_LAST && cd->confirm &&
 296             !(cd->confirm(_("This is the last keyslot."
 297                             " Device will become unusable after purging this key."),
 298                          cd->confirm_usrptr))) {
 299                 r = -EINVAL;
 300                 goto out;
 301         }
 302
 303         if(verify)
 304                 r = verify_other_keyslot(cd, other_key_file, key_slot);
 305         else
 306                 r = 0;
 307
 308         if (!r)
 309                 r = crypt_keyslot_destroy(cd, key_slot);
 310 out:
 311         return (r < 0) ? r : 0;
 312 }
 313
 314 static int create_device_helper(struct crypt_device *cd,
 315                                 const char *name,
 316                                 const char *hash,
 317                                 const char *cipher,
 318                                 const char *cipher_mode,
 319                                 const char *key_file,
 320                                 const char *key,
 321                                 unsigned int keyLen,
 322                                 int key_size,
 323                                 uint64_t size,
 324                                 uint64_t skip,
 325                                 uint64_t offset,
 326                                 const char *uuid,
 327                                 int read_only,
 328                                 unsigned int flags,
 329                                 int reload)
 330 {
 331         crypt_status_info ci;
 332         char *dm_cipher = NULL;
 333         char *processed_key = NULL;
 334         int r;
 335
 336         if (!name)
 337                 return -EINVAL;
 338
 339         ci = crypt_status(cd, name);
 340         if (ci == CRYPT_INVALID)
 341                 return -EINVAL;
 342
 343         if (reload && ci < CRYPT_ACTIVE)
 344                 return -EINVAL;
 345
 346         if (!reload && ci >= CRYPT_ACTIVE) {
 347                 log_err(cd, _("Device %s already exists.\n"), name);
 348                 return -EEXIST;
 349         }
 350
 351         if (key_size < 0 || key_size > 1024) {
 352                 log_err(cd, _("Invalid key size %d.\n"), key_size);
 353                 return -EINVAL;
 354         }
 355
 356         r = device_check_and_adjust(cd, cd->device, !reload, &size, &offset, &read_only);
 357         if (r)
 358                 return r;
 359
 360         if (cipher_mode && asprintf(&dm_cipher, "%s-%s", cipher, cipher_mode) < 0)
 361                 return -ENOMEM;
 362
 363         processed_key = process_key(cd, hash, key_file, key_size, key, keyLen);
 364         if (!processed_key) {
 365                 r = -ENOENT;
 366                 goto out;
 367         }
 368
 369         r = dm_create_device(name, cd->device, dm_cipher ?: cipher, cd->type, uuid, size, skip, offset,
 370                              key_size, processed_key, read_only, reload);
 371 out:
 372         free(dm_cipher);
 373         crypt_safe_free(processed_key);
 374         return r;
 375 }
 376
 377 static int open_from_hdr_and_vk(struct crypt_device *cd,
 378                                 struct volume_key *vk,
 379                                 const char *name,
 380                                 uint32_t flags)
 381 {
 382         uint64_t size, offset;
 383         char *cipher;
 384         int read_only, no_uuid, r;
 385
 386         size = 0;
 387         offset = crypt_get_data_offset(cd);
 388         read_only = flags & CRYPT_ACTIVATE_READONLY;
 389         no_uuid = flags & CRYPT_ACTIVATE_NO_UUID;
 390
 391         r = device_check_and_adjust(cd, cd->device, 1, &size, &offset, &read_only);
 392         if (r)
 393                 return r;
 394
 395         if (asprintf(&cipher, "%s-%s", crypt_get_cipher(cd),
 396                      crypt_get_cipher_mode(cd)) < 0)
 397                 r = -ENOMEM;
 398         else
 399                 r = dm_create_device(name, cd->device, cipher, cd->type,
 400                                      no_uuid ? NULL : crypt_get_uuid(cd),
 401                                      size, 0, offset, vk->keylength, vk->key,
 402                                      read_only, 0);
 403         free(cipher);
 404         return r;
 405 }
 406
 407 static void log_wrapper(int level, const char *msg, void *usrptr)
 408 {
 409         void (*xlog)(int level, char *msg) = usrptr;
 410         xlog(level, (char *)msg);
 411 }
 412
 413 static int yesDialog_wrapper(const char *msg, void *usrptr)
 414 {
 415         int (*xyesDialog)(char *msg) = usrptr;
 416         return xyesDialog((char*)msg);
 417 }
 418
 419 int crypt_confirm(struct crypt_device *cd, const char *msg)
 420 {
 421         if (!cd || !cd->confirm)
 422                 return 1;
 423         else
 424                 return cd->confirm(msg, cd->confirm_usrptr);
 425 }
 426
 427 static int key_from_terminal(struct crypt_device *cd, char *msg, char **key,
 428                               unsigned int *key_len, int force_verify)
 429 {
 430         char *prompt = NULL;
 431         int r;
 432
 433         *key = NULL;
 434         if(!msg && asprintf(&prompt, _("Enter passphrase for %s: "),
 435                             cd->device) < 0)
 436                 return -ENOMEM;
 437
 438         if (!msg)
 439                 msg = prompt;
 440
 441         if (cd->password) {
 442                 *key = crypt_safe_alloc(MAX_TTY_PASSWORD_LEN);
 443                 if (!*key) {
 444                         r = -ENOMEM;
 445                         goto out;
 446                 }
 447                 r = cd->password(msg, *key, MAX_TTY_PASSWORD_LEN, cd->password_usrptr);
 448                 if (r < 0) {
 449                         crypt_safe_free(*key);
 450                         *key = NULL;
 451                 } else
 452                         *key_len = r;
 453         } else
 454                 r = crypt_get_key(msg, key, key_len, 0, NULL, cd->timeout,
 455                                   (force_verify || cd->password_verify), cd);
 456 out:
 457         free(prompt);
 458         return (r < 0) ? r: 0;
 459 }
 460
 461 static int volume_key_by_terminal_passphrase(struct crypt_device *cd, int keyslot,
 462                                              struct volume_key **vk)
 463 {
 464         char *passphrase_read = NULL;
 465         unsigned int passphrase_size_read;
 466         int r = -EINVAL, tries = cd->tries;
 467
 468         *vk = NULL;
 469         do {
 470                 crypt_free_volume_key(*vk);
 471                 *vk = NULL;
 472
 473                 r = key_from_terminal(cd, NULL, &passphrase_read,
 474                                       &passphrase_size_read, 0);
 475                 if(r < 0)
 476                         goto out;
 477
 478                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
 479                                            passphrase_size_read, &cd->hdr, vk, cd);
 480                 crypt_safe_free(passphrase_read);
 481                 passphrase_read = NULL;
 482         } while (r == -EPERM && (--tries > 0));
 483 out:
 484         if (r < 0) {
 485                 crypt_free_volume_key(*vk);
 486                 *vk = NULL;
 487         }
 488
 489         crypt_safe_free(passphrase_read);
 490         return r;
 491 }
 492
 493 static int key_from_file(struct crypt_device *cd, char *msg,
 494                           char **key, unsigned int *key_len,
 495                           const char *key_file, size_t key_size)
 496 {
 497         return crypt_get_key(msg, key, key_len, key_size, key_file,
 498                              cd->timeout, 0, cd);
 499 }
 500
 501 static int _crypt_init(struct crypt_device **cd,
 502                        const char *type,
 503                        struct crypt_options *options,
 504                        int load, int need_dm)
 505 {
 506         int init_by_name, r;
 507
 508         /* if it is plain device and mapping table is being reloaded
 509         initialize it by name*/
 510         init_by_name = (type && !strcmp(type, CRYPT_PLAIN) && load);
 511
 512         /* Some of old API calls do not require DM in kernel,
 513            fake initialisation by initialise it with kernel_check disabled */
 514         if (!need_dm)
 515                 (void)dm_init(NULL, 0);
 516         if (init_by_name)
 517                 r = crypt_init_by_name(cd, options->name);
 518         else
 519                 r = crypt_init(cd, options->device);
 520         if (!need_dm)
 521                 dm_exit();
 522
 523         if (r)
 524                 return -EINVAL;
 525
 526         crypt_set_log_callback(*cd, log_wrapper, options->icb->log);
 527         crypt_set_confirm_callback(*cd, yesDialog_wrapper, options->icb->yesDialog);
 528
 529         crypt_set_timeout(*cd, options->timeout);
 530         crypt_set_password_retry(*cd, options->tries);
 531         crypt_set_iterarion_time(*cd, options->iteration_time ?: 1000);
 532         crypt_set_password_verify(*cd, options->flags & CRYPT_FLAG_VERIFY);
 533
 534         if (load && !init_by_name)
 535                 r = crypt_load(*cd, type, NULL);
 536
 537         if (!r && type && !(*cd)->type) {
 538                 (*cd)->type = strdup(type);
 539                 if (!(*cd)->type)
 540                         r = -ENOMEM;
 541         }
 542
 543         if (r)
 544                 crypt_free(*cd);
 545
 546         return r;
 547 }
 548
 549 void crypt_set_log_callback(struct crypt_device *cd,
 550         void (*log)(int level, const char *msg, void *usrptr),
 551         void *usrptr)
 552 {
 553         if (!cd)
 554                 _default_log = log;
 555         else {
 556                 cd->log = log;
 557                 cd->log_usrptr = usrptr;
 558         }
 559 }
 560
 561 void crypt_set_confirm_callback(struct crypt_device *cd,
 562         int (*confirm)(const char *msg, void *usrptr),
 563         void *usrptr)
 564 {
 565         cd->confirm = confirm;
 566         cd->confirm_usrptr = usrptr;
 567 }
 568
 569 void crypt_set_password_callback(struct crypt_device *cd,
 570         int (*password)(const char *msg, char *buf, size_t length, void *usrptr),
 571         void *usrptr)
 572 {
 573         cd->password = password;
 574         cd->password_usrptr = usrptr;
 575 }
 576
 577 /* OPTIONS: name, cipher, device, hash, key_file, key_size, key_slot,
 578  *          offset, size, skip, timeout, tries, passphrase_fd (ignored),
 579  *          flags, icb */
 580 static int crypt_create_and_update_device(struct crypt_options *options, int update)
 581 {
 582         struct crypt_device *cd = NULL;
 583         char *key = NULL;
 584         unsigned int keyLen;
 585         int r;
 586
 587         r = _crypt_init(&cd, CRYPT_PLAIN, options, 0, 1);
 588         if (r)
 589                 return r;
 590
 591         r = crypt_get_key(_("Enter passphrase: "), &key, &keyLen, options->key_size,
 592                           options->key_file, cd->timeout, cd->password_verify, cd);
 593         if (!r)
 594                 r = create_device_helper(cd, options->name, options->hash,
 595                         options->cipher, NULL, options->key_file, key, keyLen,
 596                         options->key_size, options->size, options->skip,
 597                         options->offset, NULL, options->flags & CRYPT_FLAG_READONLY,
 598                         options->flags, update);
 599
 600         crypt_safe_free(key);
 601         crypt_free(cd);
 602         return r;
 603 }
 604
 605 int crypt_create_device(struct crypt_options *options)
 606 {
 607         return crypt_create_and_update_device(options, 0);
 608 }
 609
 610 int crypt_update_device(struct crypt_options *options)
 611 {
 612         return crypt_create_and_update_device(options, 1);
 613 }
 614
 615 /* OPTIONS: name, size, icb */
 616 int crypt_resize_device(struct crypt_options *options)
 617 {
 618         struct crypt_device *cd = NULL;
 619         char *device = NULL, *cipher = NULL, *uuid = NULL, *key = NULL;
 620         char *type = NULL;
 621         uint64_t size, skip, offset;
 622         int key_size, read_only, r;
 623
 624         log_dbg("Resizing device %s to %" PRIu64 " sectors.", options->name, options->size);
 625
 626         if (dm_init(NULL, 1) < 0)
 627                 return -ENOSYS;
 628
 629         r = dm_query_device(options->name, &device, &size, &skip, &offset,
 630                             &cipher, &key_size, &key, &read_only, NULL, &uuid);
 631         if (r < 0) {
 632                 log_err(NULL, _("Device %s is not active.\n"), options->name);
 633                 goto out;
 634         }
 635
 636         /* Try to determine type of device from UUID */
 637         type = CRYPT_PLAIN;
 638         if (uuid) {
 639                 if (!strncmp(uuid, CRYPT_PLAIN, strlen(CRYPT_PLAIN))) {
 640                         type = CRYPT_PLAIN;
 641                         free (uuid);
 642                         uuid = NULL;
 643                 } else if (!strncmp(uuid, CRYPT_LUKS1, strlen(CRYPT_LUKS1)))
 644                         type = CRYPT_LUKS1;
 645         }
 646
 647         if (!options->device)
 648                 options->device = device;
 649
 650         r = _crypt_init(&cd, type, options, 1, 1);
 651         if (r)
 652                 goto out;
 653
 654         size = options->size;
 655         r = device_check_and_adjust(cd, device, 0, &size, &offset, &read_only);
 656         if (r)
 657                 goto out;
 658
 659         r = dm_create_device(options->name, device, cipher, type,
 660                              crypt_get_uuid(cd), size, skip, offset,
 661                              key_size, key, read_only, 1);
 662 out:
 663         crypt_safe_free(key);
 664         free(cipher);
 665         if (options->device == device)
 666                 options->device = NULL;
 667         free(device);
 668         free(uuid);
 669         crypt_free(cd);
 670         dm_exit();
 671         return r;
 672 }
 673
 674 /* OPTIONS: name, icb */
 675 int crypt_query_device(struct crypt_options *options)
 676 {
 677         int read_only, r;
 678
 679         log_dbg("Query device %s.", options->name);
 680
 681         if (dm_init(NULL, 1) < 0)
 682                 return -ENOSYS;
 683
 684         r = dm_status_device(options->name);
 685         if (r < 0)
 686                 goto out;
 687
 688         r = dm_query_device(options->name, (char **)&options->device, &options->size,
 689                             &options->skip, &options->offset, (char **)&options->cipher,
 690                             &options->key_size, NULL, &read_only, NULL, NULL);
 691         if (r >= 0) {
 692                 if (read_only)
 693                         options->flags |= CRYPT_FLAG_READONLY;
 694
 695                 options->flags |= CRYPT_FLAG_FREE_DEVICE;
 696                 options->flags |= CRYPT_FLAG_FREE_CIPHER;
 697
 698                 r = 1;
 699         }
 700 out:
 701         if (r == -ENODEV)
 702                 r = 0;
 703
 704         dm_exit();
 705         return r;
 706 }
 707
 708 /* OPTIONS: name, icb */
 709 int crypt_remove_device(struct crypt_options *options)
 710 {
 711         struct crypt_device *cd = NULL;
 712         int r;
 713
 714         r = crypt_init_by_name(&cd, options->name);
 715         if (r == 0)
 716                 r = crypt_deactivate(cd, options->name);
 717
 718         crypt_free(cd);
 719         return r;
 720
 721 }
 722
 723 /* OPTIONS: device, cipher, hash, align_payload, key_size (master key), key_slot
 724  *          new_key_file, iteration_time, timeout, flags, icb */
 725 int crypt_luksFormat(struct crypt_options *options)
 726 {
 727         char cipherName[LUKS_CIPHERNAME_L];
 728         char cipherMode[LUKS_CIPHERMODE_L];
 729         char *password=NULL;
 730         unsigned int passwordLen;
 731         struct crypt_device *cd = NULL;
 732         struct crypt_params_luks1 cp = {
 733                 .hash = options->hash,
 734                 .data_alignment = options->align_payload
 735         };
 736         int r;
 737
 738         r = crypt_parse_name_and_mode(options->cipher, cipherName, NULL, cipherMode);
 739         if(r < 0) {
 740                 log_err(cd, _("No known cipher specification pattern detected.\n"));
 741                 return r;
 742         }
 743
 744         if ((r = _crypt_init(&cd, CRYPT_LUKS1, options, 0, 1)))
 745                 return r;
 746
 747         if (options->key_slot >= LUKS_NUMKEYS && options->key_slot != CRYPT_ANY_SLOT) {
 748                 log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
 749                         options->key_slot, LUKS_NUMKEYS - 1);
 750                 r = -EINVAL;
 751                 goto out;
 752         }
 753
 754         r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen, 0,
 755                           options->new_key_file, cd->timeout, cd->password_verify, cd);
 756
 757         if(r < 0)
 758                 goto out;
 759
 760         r = crypt_format(cd, CRYPT_LUKS1, cipherName, cipherMode,
 761                          NULL, NULL, options->key_size, &cp);
 762         if (r < 0)
 763                 goto out;
 764
 765         /* Add keyslot using internally stored volume key generated during format */
 766         r = crypt_keyslot_add_by_volume_key(cd, options->key_slot, NULL, 0,
 767                                             password, passwordLen);
 768 out:
 769         crypt_free(cd);
 770         crypt_safe_free(password);
 771         return (r < 0) ? r : 0;
 772 }
 773
 774 /* OPTIONS: name, device, key_size, key_file, timeout, tries, flags, icb */
 775 int crypt_luksOpen(struct crypt_options *options)
 776 {
 777         struct crypt_device *cd = NULL;
 778         uint32_t flags = 0;
 779         int r;
 780
 781         if (!options->name)
 782                 return -EINVAL;
 783
 784         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
 785         if (r)
 786                 return r;
 787
 788         if (options->flags & CRYPT_FLAG_READONLY)
 789                 flags |= CRYPT_ACTIVATE_READONLY;
 790
 791         if (options->flags & CRYPT_FLAG_NON_EXCLUSIVE_ACCESS)
 792                 flags |= CRYPT_ACTIVATE_NO_UUID;
 793
 794         if (options->key_file)
 795                 r = crypt_activate_by_keyfile(cd, options->name,
 796                         CRYPT_ANY_SLOT, options->key_file, options->key_size,
 797                         flags);
 798         else
 799                 r = crypt_activate_by_passphrase(cd, options->name,
 800                         CRYPT_ANY_SLOT, options->passphrase,
 801                         options->passphrase ? strlen(options->passphrase) : 0,
 802                         flags);
 803
 804         crypt_free(cd);
 805         return (r < 0) ? r : 0;
 806 }
 807
 808 /* OPTIONS: device, keys_slot, key_file, timeout, flags, icb */
 809 int crypt_luksKillSlot(struct crypt_options *options)
 810 {
 811         struct crypt_device *cd = NULL;
 812         int r;
 813
 814         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
 815         if (r)
 816                 return r;
 817
 818         r = luks_remove_helper(cd, options->key_slot, options->key_file, NULL,
 819                                options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);
 820
 821         crypt_free(cd);
 822         return (r < 0) ? r : 0;
 823 }
 824
 825 /* OPTIONS: device, new_key_file, key_file, timeout, flags, icb */
 826 int crypt_luksRemoveKey(struct crypt_options *options)
 827 {
 828         struct crypt_device *cd = NULL;
 829         int r;
 830
 831         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
 832         if (r)
 833                 return r;
 834
 835         r = luks_remove_helper(cd, CRYPT_ANY_SLOT, options->key_file, options->new_key_file,
 836                                options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);
 837
 838         crypt_free(cd);
 839         return (r < 0) ? r : 0;
 840 }
 841
 842
 843 /* OPTIONS: device, new_key_file, key_file, key_slot, flags,
 844             iteration_time, timeout, icb */
 845 int crypt_luksAddKey(struct crypt_options *options)
 846 {
 847         struct crypt_device *cd = NULL;
 848         int r = -EINVAL;
 849
 850         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
 851         if (r)
 852                 return r;
 853
 854         if (options->key_file || options->new_key_file)
 855                 r = crypt_keyslot_add_by_keyfile(cd, options->key_slot,
 856                                                  options->key_file, 0,
 857                                                  options->new_key_file, 0);
 858         else
 859                 r = crypt_keyslot_add_by_passphrase(cd, options->key_slot,
 860                                                     NULL, 0, NULL, 0);
 861
 862         crypt_free(cd);
 863         return (r < 0) ? r : 0;
 864 }
 865
 866 /* OPTIONS: device, icb */
 867 int crypt_luksUUID(struct crypt_options *options)
 868 {
 869         struct crypt_device *cd = NULL;
 870         char *uuid;
 871         int r;
 872
 873         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
 874         if (r)
 875                 return r;
 876
 877         uuid = (char *)crypt_get_uuid(cd);
 878         log_std(cd, uuid ?: "");
 879         log_std(cd, "\n");
 880         crypt_free(cd);
 881         return 0;
 882 }
 883
 884 /* OPTIONS: device, icb */
 885 int crypt_isLuks(struct crypt_options *options)
 886 {
 887         struct crypt_device *cd = NULL;
 888         int r;
 889
 890         log_dbg("Check device %s for LUKS header.", options->device);
 891
 892         r = init_crypto(cd);
 893         if (r < 0)
 894                 return r;
 895
 896         r = crypt_init(&cd, options->device);
 897         if (r < 0)
 898                 return -EINVAL;
 899
 900         /* Do print fail here, no need to crypt_load() */
 901         r = LUKS_read_phdr(cd->device, &cd->hdr, 0, cd) ? -EINVAL : 0;
 902
 903         crypt_free(cd);
 904         return r;
 905 }
 906
 907 /* OPTIONS: device, icb */
 908 int crypt_luksDump(struct crypt_options *options)
 909 {
 910         struct crypt_device *cd = NULL;
 911         int r;
 912
 913         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
 914         if(r < 0)
 915                 return r;
 916
 917         r = crypt_dump(cd);
 918
 919         crypt_free(cd);
 920         return r;
 921 }
 922
 923 void crypt_get_error(char *buf, size_t size)
 924 {
 925         const char *error = get_error();
 926
 927         if (!buf || size < 1)
 928                 set_error(NULL);
 929         else if (error) {
 930                 strncpy(buf, error, size - 1);
 931                 buf[size - 1] = '\0';
 932                 set_error(NULL);
 933         } else
 934                 buf[0] = '\0';
 935 }
 936
 937 void crypt_put_options(struct crypt_options *options)
 938 {
 939         if (options->flags & CRYPT_FLAG_FREE_DEVICE) {
 940                 free((char *)options->device);
 941                 options->device = NULL;
 942                 options->flags &= ~CRYPT_FLAG_FREE_DEVICE;
 943         }
 944         if (options->flags & CRYPT_FLAG_FREE_CIPHER) {
 945                 free((char *)options->cipher);
 946                 options->cipher = NULL;
 947                 options->flags &= ~CRYPT_FLAG_FREE_CIPHER;
 948         }
 949 }
 950
 951 const char *crypt_get_dir(void)
 952 {
 953         return dm_get_dir();
 954 }
 955
 956 /////////////////////////////////
 957 //
 958 // New API
 959 //
 960
 961 int crypt_init(struct crypt_device **cd, const char *device)
 962 {
 963         struct crypt_device *h = NULL;
 964
 965         if (!cd)
 966                 return -EINVAL;
 967
 968         log_dbg("Allocating crypt device %s context.", device);
 969
 970         if (device && !device_ready(NULL, device, O_RDONLY))
 971                 return -ENOTBLK;
 972
 973         if (!(h = malloc(sizeof(struct crypt_device))))
 974                 return -ENOMEM;
 975
 976         memset(h, 0, sizeof(*h));
 977
 978         if (device) {
 979                 h->device = strdup(device);
 980                 if (!h->device) {
 981                         free(h);
 982                         return -ENOMEM;
 983                 }
 984         } else
 985                 h->device = NULL;
 986
 987         if (dm_init(h, 1) < 0) {
 988                 free(h);
 989                 return -ENOSYS;
 990         }
 991
 992         h->iteration_time = 1000;
 993         h->password_verify = 0;
 994         h->tries = 3;
 995         h->rng_type = crypt_random_default_key_rng();
 996         *cd = h;
 997         return 0;
 998 }
 999
1000 int crypt_init_by_name(struct crypt_device **cd, const char *name)
1001 {
1002         crypt_status_info ci;
1003         struct crypt_active_device cad;
1004         char *device = NULL, *cipher_full = NULL, *device_uuid = NULL;
1005         char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
1006         char *key = NULL;
1007         int key_size = 0, key_nums, r;
1008
1009
1010         log_dbg("Allocating crypt device context by device %s.", name);
1011
1012         ci = crypt_status(NULL, name);
1013         if (ci == CRYPT_INVALID)
1014                 return -ENODEV;
1015
1016         if (ci < CRYPT_ACTIVE) {
1017                 log_err(NULL, _("Device %s is not active.\n"), name);
1018                 return -ENODEV;
1019         }
1020
1021         r = dm_query_device(name, &device, &cad.size, &cad.iv_offset, &cad.offset,
1022                             &cipher_full, &key_size, &key, NULL, NULL,
1023                             &device_uuid);
1024         if (r < 0)
1025                 goto out;
1026
1027         *cd = NULL;
1028         r = crypt_init(cd, device);
1029
1030         /* Underlying device disappeared but mapping still active */
1031         if (!device || r == -ENOTBLK)
1032                 log_verbose(NULL, _("Underlying device for crypt device %s disappeared.\n"),
1033                             name);
1034
1035         /* Underlying device is not readable but crypt mapping exists */
1036         if (r == -ENOTBLK) {
1037                 free(device);
1038                 device = NULL;
1039                 r = crypt_init(cd, NULL);
1040         }
1041
1042         if (r < 0)
1043                 goto out;
1044
1045         /* Try to initialise basic parameters from active device */
1046         if (device_uuid) {
1047                 if (!strncmp(CRYPT_PLAIN, device_uuid, sizeof(CRYPT_PLAIN)-1)) {
1048                         (*cd)->type = strdup(CRYPT_PLAIN);
1049                         (*cd)->plain_uuid = strdup(device_uuid);
1050                         (*cd)->plain_hdr.hash = NULL; /* no way to get this */
1051                         (*cd)->plain_hdr.offset = cad.offset;
1052                         (*cd)->plain_hdr.skip = cad.iv_offset;
1053                         (*cd)->volume_key = crypt_alloc_volume_key(key_size, key);
1054                         if (!(*cd)->volume_key) {
1055                                 r = -ENOMEM;
1056                                 goto out;
1057                         }
1058
1059                         r = crypt_parse_name_and_mode(cipher_full, cipher, NULL, cipher_mode);
1060                         if (!r) {
1061                                 (*cd)->plain_cipher = strdup(cipher);
1062                                 (*cd)->plain_cipher_mode = strdup(cipher_mode);
1063                         }
1064                 } else if (!strncmp(CRYPT_LOOPAES, device_uuid, sizeof(CRYPT_LOOPAES)-1)) {
1065                         (*cd)->type = strdup(CRYPT_LOOPAES);
1066                         (*cd)->loopaes_uuid = strdup(device_uuid);
1067                         (*cd)->loopaes_hdr.offset = cad.offset;
1068
1069                         r = crypt_parse_name_and_mode(cipher_full, cipher,
1070                                                       &key_nums, cipher_mode);
1071                         if (!r) {
1072                                 (*cd)->loopaes_cipher = strdup(cipher);
1073                                 (*cd)->loopaes_cipher_mode = strdup(cipher_mode);
1074                                 /* version 3 uses last key for IV */
1075                                 if (key_size % key_nums)
1076                                         key_nums++;
1077                                 (*cd)->loopaes_key_size = key_size / key_nums;
1078                         }
1079                 } else if (!strncmp(CRYPT_LUKS1, device_uuid, sizeof(CRYPT_LUKS1)-1)) {
1080                         if (device) {
1081                                 if (crypt_load(*cd, CRYPT_LUKS1, NULL) < 0 ||
1082                                     crypt_volume_key_verify(*cd, key, key_size) < 0) {
1083                                         log_dbg("LUKS device header does not match active device.");
1084                                         goto out;
1085                                 }
1086
1087                                 (*cd)->volume_key = crypt_alloc_volume_key(key_size, key);
1088                                 if (!(*cd)->volume_key) {
1089                                         r = -ENOMEM;
1090                                         goto out;
1091                                 }
1092                         }
1093                 }
1094         } else
1095                 log_dbg("Active device has no UUID set, some parameters are not set.");
1096
1097 out:
1098         if (r < 0) {
1099                 crypt_free(*cd);
1100                 *cd = NULL;
1101         }
1102         crypt_safe_free(key);
1103         free(device);
1104         free(cipher_full);
1105         free(device_uuid);
1106         return r;
1107 }
1108
1109 static int _crypt_format_plain(struct crypt_device *cd,
1110                                const char *cipher,
1111                                const char *cipher_mode,
1112                                const char *uuid,
1113                                size_t volume_key_size,
1114                                struct crypt_params_plain *params)
1115 {
1116         if (!cipher || !cipher_mode) {
1117                 log_err(cd, _("Invalid plain crypt parameters.\n"));
1118                 return -EINVAL;
1119         }
1120
1121         if (volume_key_size > 1024) {
1122                 log_err(cd, _("Invalid key size.\n"));
1123                 return -EINVAL;
1124         }
1125
1126         cd->volume_key = crypt_alloc_volume_key(volume_key_size, NULL);
1127         if (!cd->volume_key)
1128                 return -ENOMEM;
1129
1130         cd->plain_cipher = strdup(cipher);
1131         cd->plain_cipher_mode = strdup(cipher_mode);
1132
1133         if (uuid)
1134                 cd->plain_uuid = strdup(uuid);
1135
1136         if (params && params->hash)
1137                 cd->plain_hdr.hash = strdup(params->hash);
1138
1139         cd->plain_hdr.offset = params ? params->offset : 0;
1140         cd->plain_hdr.skip = params ? params->skip : 0;
1141
1142         if (!cd->plain_cipher || !cd->plain_cipher_mode)
1143                 return -ENOMEM;
1144
1145         return 0;
1146 }
1147
1148 static int _crypt_format_luks1(struct crypt_device *cd,
1149                                const char *cipher,
1150                                const char *cipher_mode,
1151                                const char *uuid,
1152                                const char *volume_key,
1153                                size_t volume_key_size,
1154                                struct crypt_params_luks1 *params)
1155 {
1156         int r;
1157         unsigned long required_alignment = DEFAULT_DISK_ALIGNMENT;
1158         unsigned long alignment_offset = 0;
1159
1160         if (!cd->device) {
1161                 log_err(cd, _("Can't format LUKS without device.\n"));
1162                 return -EINVAL;
1163         }
1164
1165         if (volume_key)
1166                 cd->volume_key = crypt_alloc_volume_key(volume_key_size,
1167                                                       volume_key);
1168         else
1169                 cd->volume_key = crypt_generate_volume_key(cd, volume_key_size);
1170
1171         if(!cd->volume_key)
1172                 return -ENOMEM;
1173
1174         if (params && params->data_alignment)
1175                 required_alignment = params->data_alignment * SECTOR_SIZE;
1176         else
1177                 get_topology_alignment(cd->device, &required_alignment,
1178                                        &alignment_offset, DEFAULT_DISK_ALIGNMENT);
1179
1180         r = LUKS_generate_phdr(&cd->hdr, cd->volume_key, cipher, cipher_mode,
1181                                (params && params->hash) ? params->hash : "sha1",
1182                                uuid, LUKS_STRIPES,
1183                                required_alignment / SECTOR_SIZE,
1184                                alignment_offset / SECTOR_SIZE,
1185                                cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1186         if(r < 0)
1187                 return r;
1188
1189         /* Wipe first 8 sectors - fs magic numbers etc. */
1190         r = wipe_device_header(cd->device, 8);
1191         if(r < 0) {
1192                 if (r == -EBUSY)
1193                         log_err(cd, _("Cannot format device %s which is still in use.\n"),
1194                                 cd->device);
1195                 else
1196                         log_err(cd, _("Cannot wipe header on device %s.\n"),
1197                                 cd->device);
1198
1199                 return r;
1200         }
1201
1202         r = LUKS_write_phdr(cd->device, &cd->hdr, cd);
1203
1204         return r;
1205 }
1206
1207 static int _crypt_format_loopaes(struct crypt_device *cd,
1208                                  const char *cipher,
1209                                  const char *uuid,
1210                                  size_t volume_key_size,
1211                                  struct crypt_params_loopaes *params)
1212 {
1213         if (!cd->device) {
1214                 log_err(cd, _("Can't format LOOPAES without device.\n"));
1215                 return -EINVAL;
1216         }
1217
1218         if (volume_key_size > 1024) {
1219                 log_err(cd, _("Invalid key size.\n"));
1220                 return -EINVAL;
1221         }
1222
1223         cd->loopaes_key_size = volume_key_size;
1224
1225         cd->loopaes_cipher = strdup(cipher ?: DEFAULT_LOOPAES_CIPHER);
1226
1227         if (uuid)
1228                 cd->loopaes_uuid = strdup(uuid);
1229
1230         if (params && params->hash)
1231                 cd->loopaes_hdr.hash = strdup(params->hash);
1232
1233         cd->loopaes_hdr.offset = params ? params->offset : 0;
1234
1235         return 0;
1236 }
1237
1238 int crypt_format(struct crypt_device *cd,
1239         const char *type,
1240         const char *cipher,
1241         const char *cipher_mode,
1242         const char *uuid,
1243         const char *volume_key,
1244         size_t volume_key_size,
1245         void *params)
1246 {
1247         int r;
1248
1249         if (!type)
1250                 return -EINVAL;
1251
1252         log_dbg("Formatting device %s as type %s.", cd->device ?: "(none)", type);
1253
1254         r = init_crypto(cd);
1255         if (r < 0)
1256                 return r;
1257
1258         if (isPLAIN(type))
1259                 r = _crypt_format_plain(cd, cipher, cipher_mode,
1260                                         uuid, volume_key_size, params);
1261         else if (isLUKS(type))
1262                 r = _crypt_format_luks1(cd, cipher, cipher_mode,
1263                                         uuid, volume_key, volume_key_size, params);
1264         else if (isLOOPAES(type))
1265                 r = _crypt_format_loopaes(cd, cipher, uuid, volume_key_size, params);
1266         else {
1267                 /* FIXME: allow plugins here? */
1268                 log_err(cd, _("Unknown crypt device type %s requested.\n"), type);
1269                 r = -EINVAL;
1270         }
1271
1272         if (!r && !(cd->type = strdup(type)))
1273                 r = -ENOMEM;
1274
1275         if (r < 0) {
1276                 crypt_free_volume_key(cd->volume_key);
1277                 cd->volume_key = NULL;
1278         }
1279
1280         return r;
1281 }
1282
1283 int crypt_load(struct crypt_device *cd,
1284                const char *requested_type,
1285                void *params)
1286 {
1287         struct luks_phdr hdr;
1288         int r;
1289
1290         log_dbg("Trying to load %s crypt type from device %s.",
1291                 requested_type ?: "any", cd->device ?: "(none)");
1292
1293         if (!cd->device)
1294                 return -EINVAL;
1295
1296         if (requested_type && !isLUKS(requested_type))
1297                 return -EINVAL;
1298
1299         r = init_crypto(cd);
1300         if (r < 0)
1301                 return r;
1302
1303         r = LUKS_read_phdr(cd->device, &hdr, 1, cd);
1304
1305         if (!r) {
1306                 memcpy(&cd->hdr, &hdr, sizeof(hdr));
1307                 cd->type = strdup(CRYPT_LUKS1);
1308                 if (!cd->type)
1309                         r = -ENOMEM;
1310         }
1311
1312         return r;
1313 }
1314
1315 int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
1316 {
1317         char *device = NULL, *cipher = NULL, *uuid = NULL, *key = NULL;
1318         uint64_t size, skip, offset;
1319         int key_size, read_only, r;
1320
1321         /* Device context type must be initialised */
1322         if (!cd->type || !crypt_get_uuid(cd))
1323                 return -EINVAL;
1324
1325         r = dm_query_device(name, &device, &size, &skip, &offset,
1326                             &cipher, &key_size, &key, &read_only, NULL, &uuid);
1327         if (r < 0) {
1328                 log_err(NULL, _("Device %s is not active.\n"), name);
1329                 goto out;
1330         }
1331
1332         if (!uuid) {
1333                 r = -EINVAL;
1334                 goto out;
1335         }
1336
1337         r = device_check_and_adjust(cd, device, 0, &new_size, &offset, &read_only);
1338         if (r)
1339                 goto out;
1340
1341         if (new_size == size) {
1342                 log_dbg("Device has already requested size %" PRIu64
1343                         " sectors.", size);
1344                 r = 0;
1345                 goto out;
1346         }
1347
1348         log_dbg("Resizing device %s to %" PRIu64 " sectors.", name, new_size);
1349
1350         r = dm_create_device(name, device, cipher, cd->type,
1351                              crypt_get_uuid(cd), new_size, skip, offset,
1352                              key_size, key, read_only, 1);
1353 out:
1354         crypt_safe_free(key);
1355         free(cipher);
1356         free(device);
1357         free(uuid);
1358
1359         return r;
1360 }
1361
1362 int crypt_set_uuid(struct crypt_device *cd, const char *uuid)
1363 {
1364         if (!isLUKS(cd->type)) {
1365                 log_err(cd, _("This operation is not supported for this device type.\n"));
1366                 return  -EINVAL;
1367         }
1368
1369         if (uuid && !strncmp(uuid, cd->hdr.uuid, sizeof(cd->hdr.uuid))) {
1370                 log_dbg("UUID is the same as requested (%s) for device %s.",
1371                         uuid, cd->device);
1372                 return 0;
1373         }
1374
1375         if (uuid)
1376                 log_dbg("Requested new UUID change to %s for %s.", uuid, cd->device);
1377         else
1378                 log_dbg("Requested new UUID refresh for %s.", cd->device);
1379
1380         if (!crypt_confirm(cd, _("Do you really want to change UUID of device?")))
1381                 return -EPERM;
1382
1383         return LUKS_hdr_uuid_set(cd->device, &cd->hdr, uuid, cd);
1384 }
1385
1386 int crypt_header_backup(struct crypt_device *cd,
1387                         const char *requested_type,
1388                         const char *backup_file)
1389 {
1390         int r;
1391
1392         if ((requested_type && !isLUKS(requested_type)) || !backup_file)
1393                 return -EINVAL;
1394
1395         r = init_crypto(cd);
1396         if (r < 0)
1397                 return r;
1398
1399         log_dbg("Requested header backup of device %s (%s) to "
1400                 "file %s.", cd->device, requested_type, backup_file);
1401
1402         return LUKS_hdr_backup(backup_file, cd->device, &cd->hdr, cd);
1403 }
1404
1405 int crypt_header_restore(struct crypt_device *cd,
1406                          const char *requested_type,
1407                          const char *backup_file)
1408 {
1409         int r;
1410
1411         if (requested_type && !isLUKS(requested_type))
1412                 return -EINVAL;
1413
1414         /* Some hash functions need initialized gcrypt library */
1415         r = init_crypto(cd);
1416         if (r < 0)
1417                 return r;
1418
1419         log_dbg("Requested header restore to device %s (%s) from "
1420                 "file %s.", cd->device, requested_type, backup_file);
1421
1422         return LUKS_hdr_restore(backup_file, cd->device, &cd->hdr, cd);
1423 }
1424
1425 void crypt_free(struct crypt_device *cd)
1426 {
1427         if (cd) {
1428                 log_dbg("Releasing crypt device %s context.", cd->device);
1429
1430                 dm_exit();
1431                 crypt_free_volume_key(cd->volume_key);
1432
1433                 free(cd->device);
1434                 free(cd->type);
1435
1436                 /* used in plain device only */
1437                 free((char*)cd->plain_hdr.hash);
1438                 free(cd->plain_cipher);
1439                 free(cd->plain_cipher_mode);
1440                 free(cd->plain_uuid);
1441
1442                 free(cd);
1443         }
1444 }
1445
1446 int crypt_suspend(struct crypt_device *cd,
1447                   const char *name)
1448 {
1449         crypt_status_info ci;
1450         int r, suspended = 0;
1451
1452         log_dbg("Suspending volume %s.", name);
1453
1454         ci = crypt_status(NULL, name);
1455         if (ci < CRYPT_ACTIVE) {
1456                 log_err(cd, _("Volume %s is not active.\n"), name);
1457                 return -EINVAL;
1458         }
1459
1460         if (!cd && dm_init(NULL, 1) < 0)
1461                 return -ENOSYS;
1462
1463         r = dm_query_device(name, NULL, NULL, NULL, NULL,
1464                             NULL, NULL, NULL, NULL, &suspended, NULL);
1465         if (r < 0)
1466                 goto out;
1467
1468         if (suspended) {
1469                 log_err(cd, _("Volume %s is already suspended.\n"), name);
1470                 r = -EINVAL;
1471                 goto out;
1472         }
1473
1474         r = dm_suspend_and_wipe_key(name);
1475         if (r == -ENOTSUP)
1476                 log_err(cd, "Suspend is not supported for device %s.\n", name);
1477         else if (r)
1478                 log_err(cd, "Error during suspending device %s.\n", name);
1479 out:
1480         if (!cd)
1481                 dm_exit();
1482         return r;
1483 }
1484
1485 int crypt_resume_by_passphrase(struct crypt_device *cd,
1486                                const char *name,
1487                                int keyslot,
1488                                const char *passphrase,
1489                                size_t passphrase_size)
1490 {
1491         struct volume_key *vk = NULL;
1492         int r, suspended = 0;
1493
1494         log_dbg("Resuming volume %s.", name);
1495
1496         if (!isLUKS(cd->type)) {
1497                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1498                 r = -EINVAL;
1499                 goto out;
1500         }
1501
1502         r = dm_query_device(name, NULL, NULL, NULL, NULL,
1503                             NULL, NULL, NULL, NULL, &suspended, NULL);
1504         if (r < 0)
1505                 return r;
1506
1507         if (!suspended) {
1508                 log_err(cd, _("Volume %s is not suspended.\n"), name);
1509                 return -EINVAL;
1510         }
1511
1512         if (passphrase) {
1513                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1514                                            passphrase_size, &cd->hdr, &vk, cd);
1515         } else
1516                 r = volume_key_by_terminal_passphrase(cd, keyslot, &vk);
1517
1518         if (r >= 0) {
1519                 keyslot = r;
1520                 r = dm_resume_and_reinstate_key(name, vk->keylength, vk->key);
1521                 if (r == -ENOTSUP)
1522                         log_err(cd, "Resume is not supported for device %s.\n", name);
1523                 else if (r)
1524                         log_err(cd, "Error during resuming device %s.\n", name);
1525         } else
1526                 r = keyslot;
1527 out:
1528         crypt_free_volume_key(vk);
1529         return r < 0 ? r : keyslot;
1530 }
1531
1532 int crypt_resume_by_keyfile(struct crypt_device *cd,
1533                             const char *name,
1534                             int keyslot,
1535                             const char *keyfile,
1536                             size_t keyfile_size)
1537 {
1538         struct volume_key *vk = NULL;
1539         char *passphrase_read = NULL;
1540         unsigned int passphrase_size_read;
1541         int r, suspended = 0;
1542
1543         log_dbg("Resuming volume %s.", name);
1544
1545         if (!isLUKS(cd->type)) {
1546                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1547                 r = -EINVAL;
1548                 goto out;
1549         }
1550
1551         r = dm_query_device(name, NULL, NULL, NULL, NULL,
1552                             NULL, NULL, NULL, NULL, &suspended, NULL);
1553         if (r < 0)
1554                 return r;
1555
1556         if (!suspended) {
1557                 log_err(cd, _("Volume %s is not suspended.\n"), name);
1558                 return -EINVAL;
1559         }
1560
1561         if (!keyfile)
1562                 return -EINVAL;
1563
1564         r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1565                           &passphrase_size_read, keyfile, keyfile_size);
1566         if (r < 0)
1567                 goto out;
1568
1569         r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1570                                    passphrase_size_read, &cd->hdr, &vk, cd);
1571         if (r < 0)
1572                 goto out;
1573
1574         keyslot = r;
1575         r = dm_resume_and_reinstate_key(name, vk->keylength, vk->key);
1576         if (r)
1577                 log_err(cd, "Error during resuming device %s.\n", name);
1578 out:
1579         crypt_safe_free(passphrase_read);
1580         crypt_free_volume_key(vk);
1581         return r < 0 ? r : keyslot;
1582 }
1583
1584 // slot manipulation
1585 int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
1586         int keyslot, // -1 any
1587         const char *passphrase, // NULL -> terminal
1588         size_t passphrase_size,
1589         const char *new_passphrase, // NULL -> terminal
1590         size_t new_passphrase_size)
1591 {
1592         struct volume_key *vk = NULL;
1593         char *password = NULL, *new_password = NULL;
1594         unsigned int passwordLen, new_passwordLen;
1595         int r;
1596
1597         log_dbg("Adding new keyslot, existing passphrase %sprovided,"
1598                 "new passphrase %sprovided.",
1599                 passphrase ? "" : "not ", new_passphrase  ? "" : "not ");
1600
1601         if (!isLUKS(cd->type)) {
1602                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1603                 return -EINVAL;
1604         }
1605
1606         r = keyslot_verify_or_find_empty(cd, &keyslot);
1607         if (r)
1608                 return r;
1609
1610         if (!LUKS_keyslot_active_count(&cd->hdr)) {
1611                 /* No slots used, try to use pre-generated key in header */
1612                 if (cd->volume_key) {
1613                         vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1614                         r = vk ? 0 : -ENOMEM;
1615                 } else {
1616                         log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1617                         return -EINVAL;
1618                 }
1619         } else if (passphrase) {
1620                 /* Passphrase provided, use it to unlock existing keyslot */
1621                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, passphrase,
1622                                            passphrase_size, &cd->hdr, &vk, cd);
1623         } else {
1624                 /* Passphrase not provided, ask first and use it to unlock existing keyslot */
1625                 r = key_from_terminal(cd, _("Enter any passphrase: "),
1626                                       &password, &passwordLen, 0);
1627                 if (r < 0)
1628                         goto out;
1629
1630                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
1631                                            passwordLen, &cd->hdr, &vk, cd);
1632                 crypt_safe_free(password);
1633         }
1634
1635         if(r < 0)
1636                 goto out;
1637
1638         if (new_passphrase) {
1639                 new_password = (char *)new_passphrase;
1640                 new_passwordLen = new_passphrase_size;
1641         } else {
1642                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1643                                       &new_password, &new_passwordLen, 1);
1644                 if(r < 0)
1645                         goto out;
1646         }
1647
1648         r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1649                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1650         if(r < 0) goto out;
1651
1652         r = 0;
1653 out:
1654         if (!new_passphrase)
1655                 crypt_safe_free(new_password);
1656         crypt_free_volume_key(vk);
1657         return r ?: keyslot;
1658 }
1659
1660 int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
1661         int keyslot,
1662         const char *keyfile,
1663         size_t keyfile_size,
1664         const char *new_keyfile,
1665         size_t new_keyfile_size)
1666 {
1667         struct volume_key *vk = NULL;
1668         char *password = NULL; unsigned int passwordLen;
1669         char *new_password = NULL; unsigned int new_passwordLen;
1670         int r;
1671
1672         log_dbg("Adding new keyslot, existing keyfile %s, new keyfile %s.",
1673                 keyfile ?: "[none]", new_keyfile ?: "[none]");
1674
1675         if (!isLUKS(cd->type)) {
1676                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1677                 return -EINVAL;
1678         }
1679
1680         r = keyslot_verify_or_find_empty(cd, &keyslot);
1681         if (r)
1682                 return r;
1683
1684         if (!LUKS_keyslot_active_count(&cd->hdr)) {
1685                 /* No slots used, try to use pre-generated key in header */
1686                 if (cd->volume_key) {
1687                         vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1688                         r = vk ? 0 : -ENOMEM;
1689                 } else {
1690                         log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1691                         return -EINVAL;
1692                 }
1693         } else {
1694                 /* Read password from file of (if NULL) from terminal */
1695                 if (keyfile)
1696                         r = key_from_file(cd, _("Enter any passphrase: "),
1697                                           &password, &passwordLen,
1698                                           keyfile, keyfile_size);
1699                 else
1700                         r = key_from_terminal(cd, _("Enter any passphrase: "),
1701                                               &password, &passwordLen, 0);
1702                 if (r < 0)
1703                         goto out;
1704
1705                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password, passwordLen,
1706                                            &cd->hdr, &vk, cd);
1707         }
1708
1709         if(r < 0)
1710                 goto out;
1711
1712         if (new_keyfile)
1713                 r = key_from_file(cd, _("Enter new passphrase for key slot: "),
1714                                   &new_password, &new_passwordLen, new_keyfile,
1715                                   new_keyfile_size);
1716         else
1717                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1718                                       &new_password, &new_passwordLen, 1);
1719         if (r < 0)
1720                 goto out;
1721
1722         r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1723                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1724 out:
1725         crypt_safe_free(password);
1726         crypt_safe_free(new_password);
1727         crypt_free_volume_key(vk);
1728         return r < 0 ? r : keyslot;
1729 }
1730
1731 int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
1732         int keyslot,
1733         const char *volume_key,
1734         size_t volume_key_size,
1735         const char *passphrase,
1736         size_t passphrase_size)
1737 {
1738         struct volume_key *vk = NULL;
1739         int r = -EINVAL;
1740         char *new_password = NULL; unsigned int new_passwordLen;
1741
1742         log_dbg("Adding new keyslot %d using volume key.", keyslot);
1743
1744         if (!isLUKS(cd->type)) {
1745                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1746                 return -EINVAL;
1747         }
1748
1749         if (volume_key)
1750                 vk = crypt_alloc_volume_key(volume_key_size, volume_key);
1751         else if (cd->volume_key)
1752                 vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1753
1754         if (!vk)
1755                 return -ENOMEM;
1756
1757         r = LUKS_verify_volume_key(&cd->hdr, vk);
1758         if (r < 0) {
1759                 log_err(cd, _("Volume key does not match the volume.\n"));
1760                 goto out;
1761         }
1762
1763         r = keyslot_verify_or_find_empty(cd, &keyslot);
1764         if (r)
1765                 goto out;
1766
1767         if (!passphrase) {
1768                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1769                                       &new_password, &new_passwordLen, 1);
1770                 if (r < 0)
1771                         goto out;
1772                 passphrase = new_password;
1773                 passphrase_size = new_passwordLen;
1774         }
1775
1776         r = LUKS_set_key(cd->device, keyslot, passphrase, passphrase_size,
1777                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1778 out:
1779         crypt_safe_free(new_password);
1780         crypt_free_volume_key(vk);
1781         return (r < 0) ? r : keyslot;
1782 }
1783
1784 int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot)
1785 {
1786         crypt_keyslot_info ki;
1787
1788         log_dbg("Destroying keyslot %d.", keyslot);
1789
1790         if (!isLUKS(cd->type)) {
1791                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1792                 return -EINVAL;
1793         }
1794
1795         ki = crypt_keyslot_status(cd, keyslot);
1796         if (ki == CRYPT_SLOT_INVALID) {
1797                 log_err(cd, _("Key slot %d is invalid.\n"), keyslot);
1798                 return -EINVAL;
1799         }
1800
1801         if (ki == CRYPT_SLOT_INACTIVE) {
1802                 log_err(cd, _("Key slot %d is not used.\n"), keyslot);
1803                 return -EINVAL;
1804         }
1805
1806         return LUKS_del_key(cd->device, keyslot, &cd->hdr, cd);
1807 }
1808
1809 // activation/deactivation of device mapping
1810 int crypt_activate_by_passphrase(struct crypt_device *cd,
1811         const char *name,
1812         int keyslot,
1813         const char *passphrase,
1814         size_t passphrase_size,
1815         uint32_t flags)
1816 {
1817         crypt_status_info ci;
1818         struct volume_key *vk = NULL;
1819         char *read_passphrase = NULL;
1820         unsigned int passphraseLen = 0;
1821         int r;
1822
1823         log_dbg("%s volume %s [keyslot %d] using %spassphrase.",
1824                 name ? "Activating" : "Checking", name ?: "",
1825                 keyslot, passphrase ? "" : "[none] ");
1826
1827         if (name) {
1828                 ci = crypt_status(NULL, name);
1829                 if (ci == CRYPT_INVALID)
1830                         return -EINVAL;
1831                 else if (ci >= CRYPT_ACTIVE) {
1832                         log_err(cd, _("Device %s already exists.\n"), name);
1833                         return -EEXIST;
1834                 }
1835         }
1836
1837         /* plain, use hashed passphrase */
1838         if (isPLAIN(cd->type)) {
1839                 if (!passphrase) {
1840                         r = key_from_terminal(cd, NULL, &read_passphrase,
1841                                               &passphraseLen, 0);
1842                         if (r < 0)
1843                                 goto out;
1844                         passphrase = read_passphrase;
1845                         passphrase_size = passphraseLen;
1846                 }
1847                 r = create_device_helper(cd, name, cd->plain_hdr.hash,
1848                                          cd->plain_cipher, cd->plain_cipher_mode,
1849                                          NULL, passphrase, passphrase_size,
1850                                          cd->volume_key->keylength, 0,
1851                                          cd->plain_hdr.skip, cd->plain_hdr.offset,
1852                                          cd->plain_uuid,
1853                                          flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1854                 keyslot = 0;
1855         } else if (isLUKS(cd->type)) {
1856                 /* provided passphrase, do not retry */
1857                 if (passphrase) {
1858                         r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1859                                                    passphrase_size, &cd->hdr, &vk, cd);
1860                 } else
1861                         r = volume_key_by_terminal_passphrase(cd, keyslot, &vk);
1862
1863                 if (r >= 0) {
1864                         keyslot = r;
1865                         if (name)
1866                                 r = open_from_hdr_and_vk(cd, vk, name, flags);
1867                 }
1868         } else
1869                 r = -EINVAL;
1870 out:
1871         crypt_safe_free(read_passphrase);
1872         crypt_free_volume_key(vk);
1873
1874         return r < 0  ? r : keyslot;
1875 }
1876
1877 int crypt_activate_by_keyfile(struct crypt_device *cd,
1878         const char *name,
1879         int keyslot,
1880         const char *keyfile,
1881         size_t keyfile_size,
1882         uint32_t flags)
1883 {
1884         crypt_status_info ci;
1885         struct volume_key *vk = NULL;
1886         char *passphrase_read = NULL;
1887         unsigned int passphrase_size_read, key_count = 0;
1888         int r;
1889
1890         log_dbg("Activating volume %s [keyslot %d] using keyfile %s.",
1891                 name ?: "", keyslot, keyfile ?: "[none]");
1892
1893         if (name) {
1894                 ci = crypt_status(NULL, name);
1895                 if (ci == CRYPT_INVALID)
1896                         return -EINVAL;
1897                 else if (ci >= CRYPT_ACTIVE) {
1898                         log_err(cd, _("Device %s already exists.\n"), name);
1899                         return -EEXIST;
1900                 }
1901         }
1902
1903         if (!keyfile)
1904                 return -EINVAL;
1905
1906         if (isPLAIN(cd->type)) {
1907                 r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1908                                   &passphrase_size_read, keyfile, keyfile_size);
1909                 if (r < 0)
1910                         goto out;
1911                 r = create_device_helper(cd, name, cd->plain_hdr.hash,
1912                                          cd->plain_cipher, cd->plain_cipher_mode,
1913                                          NULL, passphrase_read, passphrase_size_read,
1914                                          cd->volume_key->keylength, 0,
1915                                          cd->plain_hdr.skip, cd->plain_hdr.offset,
1916                                          cd->plain_uuid,
1917                                          flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1918         } else if (isLUKS(cd->type)) {
1919                 r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1920                           &passphrase_size_read, keyfile, keyfile_size);
1921                 if (r < 0)
1922                         goto out;
1923                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1924                                            passphrase_size_read, &cd->hdr, &vk, cd);
1925                 if (r < 0)
1926                         goto out;
1927                 keyslot = r;
1928
1929                 if (name) {
1930                         r = open_from_hdr_and_vk(cd, vk, name, flags);
1931                         if (r < 0)
1932                                 goto out;
1933                 }
1934                 r = keyslot;
1935         } else if (isLOOPAES(cd->type)) {
1936                 r = key_from_file(cd, NULL, &passphrase_read, &passphrase_size_read,
1937                                   keyfile, LOOPAES_KEYFILE_MAXSIZE);
1938                 if (r < 0)
1939                         goto out;
1940                 r = LOOPAES_parse_keyfile(cd, &vk, &key_count,
1941                                           passphrase_read, passphrase_size_read);
1942                 if (r < 0)
1943                         goto out;
1944                 if (name)
1945                         r = LOOPAES_activate(cd, name, cd->loopaes_cipher,
1946                                              key_count, vk, flags);
1947         } else
1948                 r = -EINVAL;
1949
1950 out:
1951         crypt_safe_free(passphrase_read);
1952         crypt_free_volume_key(vk);
1953
1954         return r;
1955 }
1956
1957 int crypt_activate_by_volume_key(struct crypt_device *cd,
1958         const char *name,
1959         const char *volume_key,
1960         size_t volume_key_size,
1961         uint32_t flags)
1962 {
1963         crypt_status_info ci;
1964         struct volume_key *vk;
1965         int r;
1966
1967         log_dbg("Activating volume %s by volume key.", name);
1968
1969         /* use key directly, no hash */
1970         if (isPLAIN(cd->type)) {
1971                 if (!volume_key || !volume_key_size || !cd->volume_key ||
1972                         volume_key_size != cd->volume_key->keylength) {
1973                         log_err(cd, _("Incorrect volume key specified for plain device.\n"));
1974                         return -EINVAL;
1975                 }
1976
1977                 return create_device_helper(cd, name, NULL,
1978                         cd->plain_cipher, cd->plain_cipher_mode, NULL, volume_key, volume_key_size,
1979                         cd->volume_key->keylength, 0, cd->plain_hdr.skip,
1980                         cd->plain_hdr.offset, cd->plain_uuid, flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1981         }
1982
1983         if (!isLUKS(cd->type)) {
1984                 log_err(cd, _("Device type is not properly initialised.\n"));
1985                 return -EINVAL;
1986         }
1987
1988         if (name) {
1989                 ci = crypt_status(NULL, name);
1990                 if (ci == CRYPT_INVALID)
1991                         return -EINVAL;
1992                 else if (ci >= CRYPT_ACTIVE) {
1993                         log_err(cd, _("Device %s already exists.\n"), name);
1994                         return -EEXIST;
1995                 }
1996         }
1997
1998         /* If key is not provided, try to use internal key */
1999         if (!volume_key) {
2000                 if (!cd->volume_key) {
2001                         log_err(cd, _("Volume key does not match the volume.\n"));
2002                         return -EINVAL;
2003                 }
2004                 volume_key_size = cd->volume_key->keylength;
2005                 volume_key = cd->volume_key->key;
2006         }
2007
2008         vk = crypt_alloc_volume_key(volume_key_size, volume_key);
2009         if (!vk)
2010                 return -ENOMEM;
2011         r = LUKS_verify_volume_key(&cd->hdr, vk);
2012
2013         if (r == -EPERM)
2014                 log_err(cd, _("Volume key does not match the volume.\n"));
2015
2016         if (!r && name)
2017                 r = open_from_hdr_and_vk(cd, vk, name, flags);
2018
2019         crypt_free_volume_key(vk);
2020
2021         return r;
2022 }
2023
2024 int crypt_deactivate(struct crypt_device *cd, const char *name)
2025 {
2026         int r;
2027
2028         if (!name)
2029                 return -EINVAL;
2030
2031         log_dbg("Deactivating volume %s.", name);
2032
2033         if (!cd && dm_init(NULL, 1) < 0)
2034                 return -ENOSYS;
2035
2036         switch (crypt_status(cd, name)) {
2037                 case CRYPT_ACTIVE:
2038                         r = dm_remove_device(name, 0, 0);
2039                         break;
2040                 case CRYPT_BUSY:
2041                         log_err(cd, _("Device %s is busy.\n"), name);
2042                         r = -EBUSY;
2043                         break;
2044                 case CRYPT_INACTIVE:
2045                         log_err(cd, _("Device %s is not active.\n"), name);
2046                         r = -ENODEV;
2047                         break;
2048                 default:
2049                         log_err(cd, _("Invalid device %s.\n"), name);
2050                         r = -EINVAL;
2051         }
2052
2053         if (!cd)
2054                 dm_exit();
2055
2056         return r;
2057 }
2058
2059 int crypt_volume_key_get(struct crypt_device *cd,
2060         int keyslot,
2061         char *volume_key,
2062         size_t *volume_key_size,
2063         const char *passphrase,
2064         size_t passphrase_size)
2065 {
2066         struct volume_key *vk;
2067         char *processed_key = NULL;
2068         int r, key_len;
2069
2070         key_len = crypt_get_volume_key_size(cd);
2071         if (key_len > *volume_key_size) {
2072                 log_err(cd, _("Volume key buffer too small.\n"));
2073                 return -ENOMEM;
2074         }
2075
2076         if (isPLAIN(cd->type) && cd->plain_hdr.hash) {
2077                 processed_key = process_key(cd, cd->plain_hdr.hash, NULL, key_len,
2078                                             passphrase, passphrase_size);
2079                 if (!processed_key) {
2080                         log_err(cd, _("Cannot retrieve volume key for plain device.\n"));
2081                         return -EINVAL;
2082                 }
2083                 memcpy(volume_key, processed_key, key_len);
2084                 *volume_key_size = key_len;
2085                 crypt_safe_free(processed_key);
2086                 return 0;
2087         }
2088
2089         if (isLUKS(cd->type)) {
2090                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
2091                                         passphrase_size, &cd->hdr, &vk, cd);
2092
2093                 if (r >= 0) {
2094                         memcpy(volume_key, vk->key, vk->keylength);
2095                         *volume_key_size = vk->keylength;
2096                 }
2097
2098                 crypt_free_volume_key(vk);
2099                 return r;
2100         }
2101
2102         log_err(cd, _("This operation is not supported for %s crypt device.\n"), cd->type ?: "(none)");
2103         return -EINVAL;
2104 }
2105
2106 int crypt_volume_key_verify(struct crypt_device *cd,
2107         const char *volume_key,
2108         size_t volume_key_size)
2109 {
2110         struct volume_key *vk;
2111         int r;
2112
2113         if (!isLUKS(cd->type)) {
2114                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
2115                 return -EINVAL;
2116         }
2117
2118         vk = crypt_alloc_volume_key(volume_key_size, volume_key);
2119         if (!vk)
2120                 return -ENOMEM;
2121
2122         r = LUKS_verify_volume_key(&cd->hdr, vk);
2123
2124         if (r == -EPERM)
2125                 log_err(cd, _("Volume key does not match the volume.\n"));
2126
2127         crypt_free_volume_key(vk);
2128
2129         return r;
2130 }
2131
2132 void crypt_set_timeout(struct crypt_device *cd, uint64_t timeout_sec)
2133 {
2134         log_dbg("Timeout set to %" PRIu64 " miliseconds.", timeout_sec);
2135         cd->timeout = timeout_sec;
2136 }
2137
2138 void crypt_set_password_retry(struct crypt_device *cd, int tries)
2139 {
2140         log_dbg("Password retry count set to %d.", tries);
2141         cd->tries = tries;
2142 }
2143
2144 void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms)
2145 {
2146         log_dbg("Iteration time set to %" PRIu64 " miliseconds.", iteration_time_ms);
2147         cd->iteration_time = iteration_time_ms;
2148 }
2149
2150 void crypt_set_password_verify(struct crypt_device *cd, int password_verify)
2151 {
2152         log_dbg("Password verification %s.", password_verify ? "enabled" : "disabled");
2153         cd->password_verify = password_verify ? 1 : 0;
2154 }
2155
2156 void crypt_set_rng_type(struct crypt_device *cd, int rng_type)
2157 {
2158         switch (rng_type) {
2159         case CRYPT_RNG_URANDOM:
2160         case CRYPT_RNG_RANDOM:
2161                 log_dbg("RNG set to %d (%s).", rng_type, rng_type ? "random" : "urandom");
2162                 cd->rng_type = rng_type;
2163         }
2164 }
2165
2166 int crypt_get_rng_type(struct crypt_device *cd)
2167 {
2168         if (!cd)
2169                 return -EINVAL;
2170
2171         return cd->rng_type;
2172 }
2173
2174 int crypt_memory_lock(struct crypt_device *cd, int lock)
2175 {
2176         return lock ? crypt_memlock_inc(cd) : crypt_memlock_dec(cd);
2177 }
2178
2179 // reporting
2180 crypt_status_info crypt_status(struct crypt_device *cd, const char *name)
2181 {
2182         int r;
2183
2184         if (!cd && dm_init(NULL, 1) < 0)
2185                 return CRYPT_INVALID;
2186
2187         r = dm_status_device(name);
2188
2189         if (!cd)
2190                 dm_exit();
2191
2192         if (r < 0 && r != -ENODEV)
2193                 return CRYPT_INVALID;
2194
2195         if (r == 0)
2196                 return CRYPT_ACTIVE;
2197
2198         if (r > 0)
2199                 return CRYPT_BUSY;
2200
2201         return CRYPT_INACTIVE;
2202 }
2203
2204 static void hexprintICB(struct crypt_device *cd, char *d, int n)
2205 {
2206         int i;
2207         for(i = 0; i < n; i++)
2208                 log_std(cd, "%02hhx ", (char)d[i]);
2209 }
2210
2211 int crypt_dump(struct crypt_device *cd)
2212 {
2213         int i;
2214         if (!isLUKS(cd->type)) { //FIXME
2215                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
2216                 return -EINVAL;
2217         }
2218
2219         log_std(cd, "LUKS header information for %s\n\n", cd->device);
2220         log_std(cd, "Version:       \t%d\n", cd->hdr.version);
2221         log_std(cd, "Cipher name:   \t%s\n", cd->hdr.cipherName);
2222         log_std(cd, "Cipher mode:   \t%s\n", cd->hdr.cipherMode);
2223         log_std(cd, "Hash spec:     \t%s\n", cd->hdr.hashSpec);
2224         log_std(cd, "Payload offset:\t%d\n", cd->hdr.payloadOffset);
2225         log_std(cd, "MK bits:       \t%d\n", cd->hdr.keyBytes * 8);
2226         log_std(cd, "MK digest:     \t");
2227         hexprintICB(cd, cd->hdr.mkDigest, LUKS_DIGESTSIZE);
2228         log_std(cd, "\n");
2229         log_std(cd, "MK salt:       \t");
2230         hexprintICB(cd, cd->hdr.mkDigestSalt, LUKS_SALTSIZE/2);
2231         log_std(cd, "\n               \t");
2232         hexprintICB(cd, cd->hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
2233         log_std(cd, "\n");
2234         log_std(cd, "MK iterations: \t%d\n", cd->hdr.mkDigestIterations);
2235         log_std(cd, "UUID:          \t%s\n\n", cd->hdr.uuid);
2236         for(i = 0; i < LUKS_NUMKEYS; i++) {
2237                 if(cd->hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
2238                         log_std(cd, "Key Slot %d: ENABLED\n",i);
2239                         log_std(cd, "\tIterations:         \t%d\n",
2240                                 cd->hdr.keyblock[i].passwordIterations);
2241                         log_std(cd, "\tSalt:               \t");
2242                         hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt,
2243                                     LUKS_SALTSIZE/2);
2244                         log_std(cd, "\n\t                      \t");
2245                         hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt +
2246                                     LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
2247                         log_std(cd, "\n");
2248
2249                         log_std(cd, "\tKey material offset:\t%d\n",
2250                                 cd->hdr.keyblock[i].keyMaterialOffset);
2251                         log_std(cd, "\tAF stripes:            \t%d\n",
2252                                 cd->hdr.keyblock[i].stripes);
2253                 }
2254                 else
2255                         log_std(cd, "Key Slot %d: DISABLED\n", i);
2256         }
2257
2258         return 0;
2259 }
2260
2261 const char *crypt_get_cipher(struct crypt_device *cd)
2262 {
2263         if (isPLAIN(cd->type))
2264                 return cd->plain_cipher;
2265
2266         if (isLUKS(cd->type))
2267                 return cd->hdr.cipherName;
2268
2269         if (isLOOPAES(cd->type))
2270                 return cd->loopaes_cipher;
2271
2272         return NULL;
2273 }
2274
2275 const char *crypt_get_cipher_mode(struct crypt_device *cd)
2276 {
2277         if (isPLAIN(cd->type))
2278                 return cd->plain_cipher_mode;
2279
2280         if (isLUKS(cd->type))
2281                 return cd->hdr.cipherMode;
2282
2283         if (isLOOPAES(cd->type))
2284                 return cd->loopaes_cipher_mode;
2285
2286         return NULL;
2287 }
2288
2289 const char *crypt_get_uuid(struct crypt_device *cd)
2290 {
2291         if (isLUKS(cd->type))
2292                 return cd->hdr.uuid;
2293
2294         if (isPLAIN(cd->type))
2295                 return cd->plain_uuid;
2296
2297         if (isLOOPAES(cd->type))
2298                 return cd->loopaes_uuid;
2299
2300         return NULL;
2301 }
2302
2303 const char *crypt_get_device_name(struct crypt_device *cd)
2304 {
2305         return cd->device;
2306 }
2307
2308 int crypt_get_volume_key_size(struct crypt_device *cd)
2309 {
2310         if (isPLAIN(cd->type) && cd->volume_key)
2311                 return cd->volume_key->keylength;
2312
2313         if (isLUKS(cd->type))
2314                 return cd->hdr.keyBytes;
2315
2316         if (isLOOPAES(cd->type))
2317                 return cd->loopaes_key_size;
2318
2319         return 0;
2320 }
2321
2322 uint64_t crypt_get_data_offset(struct crypt_device *cd)
2323 {
2324         if (isPLAIN(cd->type))
2325                 return cd->plain_hdr.offset;
2326
2327         if (isLUKS(cd->type))
2328                 return cd->hdr.payloadOffset;
2329
2330         if (isLOOPAES(cd->type))
2331                 return cd->loopaes_hdr.offset;
2332
2333         return 0;
2334 }
2335
2336 crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot)
2337 {
2338         if (!isLUKS(cd->type)) {
2339                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
2340                 return CRYPT_SLOT_INVALID;
2341         }
2342
2343         return LUKS_keyslot_info(&cd->hdr, keyslot);
2344 }
2345
2346 int crypt_keyslot_max(const char *type)
2347 {
2348         if (type && isLUKS(type))
2349                 return LUKS_NUMKEYS;
2350
2351         return -EINVAL;
2352 }
2353
2354 const char *crypt_get_type(struct crypt_device *cd)
2355 {
2356         return cd->type;
2357 }
2358
2359 int crypt_get_active_device(struct crypt_device *cd,
2360                             const char *name,
2361                             struct crypt_active_device *cad)
2362 {
2363         int r, readonly;
2364
2365         r = dm_query_device(name, NULL, &cad->size, &cad->iv_offset, &cad->offset,
2366                             NULL, NULL, NULL, &readonly, NULL, NULL);
2367         if (r < 0)
2368                 return r;
2369
2370         cad->flags = readonly ? CRYPT_ACTIVATE_READONLY : 0;
2371
2372         return 0;
2373 }