lib/setup.c

   1 /*
   2  * libcryptsetup - cryptsetup library
   3  *
   4  * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
   5  * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
   6  * Copyright (C) 2009-2011, Red Hat, Inc. All rights reserved.
   7  *
   8  * This program is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU General Public License
  10  * version 2 as published by the Free Software Foundation.
  11  *
  12  * This program is distributed in the hope that it will be useful,
  13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  * GNU General Public License for more details.
  16  *
  17  * You should have received a copy of the GNU General Public License
  18  * along with this program; if not, write to the Free Software
  19  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  20  */
  21
  22 #include <string.h>
  23 #include <stdio.h>
  24 #include <stdlib.h>
  25 #include <stdarg.h>
  26 #include <fcntl.h>
  27 #include <errno.h>
  28
  29 #include "libcryptsetup.h"
  30 #include "luks.h"
  31 #include "loopaes.h"
  32 #include "internal.h"
  33 #include "crypto_backend.h"
  34
  35 struct crypt_device {
  36         char *type;
  37
  38         char *device;
  39         char *backing_file;
  40         int loop_fd;
  41         struct volume_key *volume_key;
  42         uint64_t timeout;
  43         uint64_t iteration_time;
  44         int tries;
  45         int password_verify;
  46         int rng_type;
  47
  48         /* used in CRYPT_LUKS1 */
  49         struct luks_phdr hdr;
  50         uint64_t PBKDF2_per_sec;
  51
  52         /* used in CRYPT_PLAIN */
  53         struct crypt_params_plain plain_hdr;
  54         char *plain_cipher;
  55         char *plain_cipher_mode;
  56         char *plain_uuid;
  57
  58         /* used in CRYPT_LOOPAES */
  59         struct crypt_params_loopaes loopaes_hdr;
  60         char *loopaes_cipher;
  61         char *loopaes_cipher_mode;
  62         char *loopaes_uuid;
  63         unsigned int loopaes_key_size;
  64
  65         /* callbacks definitions */
  66         void (*log)(int level, const char *msg, void *usrptr);
  67         void *log_usrptr;
  68         int (*confirm)(const char *msg, void *usrptr);
  69         void *confirm_usrptr;
  70         int (*password)(const char *msg, char *buf, size_t length, void *usrptr);
  71         void *password_usrptr;
  72 };
  73
  74 /* Log helper */
  75 static void (*_default_log)(int level, const char *msg, void *usrptr) = NULL;
  76 static int _debug_level = 0;
  77
  78 void crypt_set_debug_level(int level)
  79 {
  80         _debug_level = level;
  81 }
  82
  83 int crypt_get_debug_level(void)
  84 {
  85         return _debug_level;
  86 }
  87
  88 void crypt_log(struct crypt_device *cd, int level, const char *msg)
  89 {
  90         if (cd && cd->log)
  91                 cd->log(level, msg, cd->log_usrptr);
  92         else if (_default_log)
  93                 _default_log(level, msg, NULL);
  94 }
  95
  96 __attribute__((format(printf, 5, 6)))
  97 void logger(struct crypt_device *cd, int level, const char *file,
  98             int line, const char *format, ...)
  99 {
 100         va_list argp;
 101         char *target = NULL;
 102
 103         va_start(argp, format);
 104
 105         if (vasprintf(&target, format, argp) > 0) {
 106                 if (level >= 0) {
 107                         crypt_log(cd, level, target);
 108 #ifdef CRYPT_DEBUG
 109                 } else if (_debug_level)
 110                         printf("# %s:%d %s\n", file ?: "?", line, target);
 111 #else
 112                 } else if (_debug_level)
 113                         printf("# %s\n", target);
 114 #endif
 115         }
 116
 117         va_end(argp);
 118         free(target);
 119 }
 120
 121 static int init_crypto(struct crypt_device *ctx)
 122 {
 123         int r;
 124
 125         r = crypt_random_init(ctx);
 126         if (r < 0) {
 127                 log_err(ctx, _("Cannot initialize crypto RNG backend.\n"));
 128                 return r;
 129         }
 130
 131         r = crypt_backend_init(ctx);
 132         if (r < 0)
 133                 log_err(ctx, _("Cannot initialize crypto backend.\n"));
 134
 135         return r;
 136 }
 137
 138 static int process_key(struct crypt_device *cd, const char *hash_name,
 139                        size_t key_size, const char *pass, size_t passLen,
 140                        struct volume_key **vk)
 141 {
 142         int r;
 143
 144         if (!key_size)
 145                 return -EINVAL;
 146
 147         *vk = crypt_alloc_volume_key(key_size, NULL);
 148         if (!*vk)
 149                 return -ENOMEM;
 150
 151         if (hash_name) {
 152                 r = crypt_plain_hash(cd, hash_name, (*vk)->key, key_size, pass, passLen);
 153                 if (r < 0) {
 154                         if (r == -ENOENT)
 155                                 log_err(cd, _("Hash algorithm %s not supported.\n"),
 156                                         hash_name);
 157                         else
 158                                 log_err(cd, _("Key processing error (using hash %s).\n"),
 159                                         hash_name);
 160                         crypt_free_volume_key(*vk);
 161                         *vk = NULL;
 162                         return -EINVAL;
 163                 }
 164         } else if (passLen > key_size) {
 165                 memcpy((*vk)->key, pass, key_size);
 166         } else {
 167                 memcpy((*vk)->key, pass, passLen);
 168         }
 169
 170         return 0;
 171 }
 172
 173 static int isPLAIN(const char *type)
 174 {
 175         return (type && !strcmp(CRYPT_PLAIN, type));
 176 }
 177
 178 static int isLUKS(const char *type)
 179 {
 180         return (type && !strcmp(CRYPT_LUKS1, type));
 181 }
 182
 183 static int isLOOPAES(const char *type)
 184 {
 185         return (type && !strcmp(CRYPT_LOOPAES, type));
 186 }
 187
 188 /* keyslot helpers */
 189 static int keyslot_verify_or_find_empty(struct crypt_device *cd, int *keyslot)
 190 {
 191         if (*keyslot == CRYPT_ANY_SLOT) {
 192                 *keyslot = LUKS_keyslot_find_empty(&cd->hdr);
 193                 if (*keyslot < 0) {
 194                         log_err(cd, _("All key slots full.\n"));
 195                         return -EINVAL;
 196                 }
 197         }
 198
 199         switch (LUKS_keyslot_info(&cd->hdr, *keyslot)) {
 200                 case CRYPT_SLOT_INVALID:
 201                         log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
 202                                 *keyslot, LUKS_NUMKEYS - 1);
 203                         return -EINVAL;
 204                 case CRYPT_SLOT_INACTIVE:
 205                         break;
 206                 default:
 207                         log_err(cd, _("Key slot %d is full, please select another one.\n"),
 208                                 *keyslot);
 209                         return -EINVAL;
 210         }
 211
 212         return 0;
 213 }
 214
 215 int PLAIN_activate(struct crypt_device *cd,
 216                      const char *name,
 217                      struct volume_key *vk,
 218                      uint64_t size,
 219                      uint32_t flags)
 220 {
 221         int r;
 222         char *dm_cipher = NULL;
 223         struct crypt_dm_active_device dmd = {
 224                 .device = crypt_get_device_name(cd),
 225                 .cipher = NULL,
 226                 .uuid   = crypt_get_uuid(cd),
 227                 .vk    = vk,
 228                 .offset = crypt_get_data_offset(cd),
 229                 .iv_offset = crypt_get_iv_offset(cd),
 230                 .size   = size,
 231                 .flags  = flags
 232         };
 233
 234         r = device_check_and_adjust(cd, dmd.device,
 235                                     (dmd.flags & CRYPT_ACTIVATE_SHARED) ? DEV_SHARED : DEV_EXCL,
 236                                     &dmd.size, &dmd.offset, &flags);
 237         if (r)
 238                 return r;
 239
 240         if (crypt_get_cipher_mode(cd))
 241                 r = asprintf(&dm_cipher, "%s-%s", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
 242         else
 243                 r = asprintf(&dm_cipher, "%s", crypt_get_cipher(cd));
 244         if (r < 0)
 245                 return -ENOMEM;
 246
 247         dmd.cipher = dm_cipher;
 248         log_dbg("Trying to activate PLAIN device %s using cipher %s.", name, dmd.cipher);
 249
 250         r = dm_create_device(name, CRYPT_PLAIN, &dmd, 0);
 251
 252         // FIXME
 253         if (!cd->plain_uuid && dm_query_device(name, DM_ACTIVE_UUID, &dmd) >= 0)
 254                 cd->plain_uuid = (char*)dmd.uuid;
 255
 256         free(dm_cipher);
 257         return r;
 258 }
 259
 260 int crypt_confirm(struct crypt_device *cd, const char *msg)
 261 {
 262         if (!cd || !cd->confirm)
 263                 return 1;
 264         else
 265                 return cd->confirm(msg, cd->confirm_usrptr);
 266 }
 267
 268 static int key_from_terminal(struct crypt_device *cd, char *msg, char **key,
 269                               size_t *key_len, int force_verify)
 270 {
 271         char *prompt = NULL;
 272         int r;
 273
 274         *key = NULL;
 275         if(!msg && asprintf(&prompt, _("Enter passphrase for %s: "),
 276                             cd->backing_file ?: cd->device) < 0)
 277                 return -ENOMEM;
 278
 279         if (!msg)
 280                 msg = prompt;
 281
 282         if (cd->password) {
 283                 *key = crypt_safe_alloc(DEFAULT_PASSPHRASE_SIZE_MAX);
 284                 if (!*key) {
 285                         r = -ENOMEM;
 286                         goto out;
 287                 }
 288                 r = cd->password(msg, *key, DEFAULT_PASSPHRASE_SIZE_MAX,
 289                                  cd->password_usrptr);
 290                 if (r < 0) {
 291                         crypt_safe_free(*key);
 292                         *key = NULL;
 293                 } else
 294                         *key_len = r;
 295         } else
 296                 r = crypt_get_key(msg, key, key_len, 0, NULL, cd->timeout,
 297                                   (force_verify || cd->password_verify), cd);
 298 out:
 299         free(prompt);
 300         return (r < 0) ? r: 0;
 301 }
 302
 303 static int volume_key_by_terminal_passphrase(struct crypt_device *cd, int keyslot,
 304                                              struct volume_key **vk)
 305 {
 306         char *passphrase_read = NULL;
 307         size_t passphrase_size_read;
 308         int r = -EINVAL, eperm = 0, tries = cd->tries;
 309
 310         *vk = NULL;
 311         do {
 312                 crypt_free_volume_key(*vk);
 313                 *vk = NULL;
 314
 315                 r = key_from_terminal(cd, NULL, &passphrase_read,
 316                                       &passphrase_size_read, 0);
 317                 if(r < 0)
 318                         goto out;
 319
 320                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
 321                                            passphrase_size_read, &cd->hdr, vk, cd);
 322                 if (r == -EPERM)
 323                         eperm = 1;
 324                 crypt_safe_free(passphrase_read);
 325                 passphrase_read = NULL;
 326         } while (r == -EPERM && (--tries > 0));
 327 out:
 328         if (r < 0) {
 329                 crypt_free_volume_key(*vk);
 330                 *vk = NULL;
 331
 332                 /* Report wrong passphrase if at least one try failed */
 333                 if (eperm && r == -EPIPE)
 334                         r = -EPERM;
 335         }
 336
 337         crypt_safe_free(passphrase_read);
 338         return r;
 339 }
 340
 341 static int key_from_file(struct crypt_device *cd, char *msg,
 342                           char **key, size_t *key_len,
 343                           const char *key_file, size_t key_size)
 344 {
 345         return crypt_get_key(msg, key, key_len, key_size, key_file,
 346                              cd->timeout, 0, cd);
 347 }
 348
 349 void crypt_set_log_callback(struct crypt_device *cd,
 350         void (*log)(int level, const char *msg, void *usrptr),
 351         void *usrptr)
 352 {
 353         if (!cd)
 354                 _default_log = log;
 355         else {
 356                 cd->log = log;
 357                 cd->log_usrptr = usrptr;
 358         }
 359 }
 360
 361 void crypt_set_confirm_callback(struct crypt_device *cd,
 362         int (*confirm)(const char *msg, void *usrptr),
 363         void *usrptr)
 364 {
 365         cd->confirm = confirm;
 366         cd->confirm_usrptr = usrptr;
 367 }
 368
 369 void crypt_set_password_callback(struct crypt_device *cd,
 370         int (*password)(const char *msg, char *buf, size_t length, void *usrptr),
 371         void *usrptr)
 372 {
 373         cd->password = password;
 374         cd->password_usrptr = usrptr;
 375 }
 376
 377 void crypt_get_error(char *buf, size_t size)
 378 {
 379         const char *error = get_error();
 380
 381         if (!buf || size < 1)
 382                 set_error(NULL);
 383         else if (error) {
 384                 strncpy(buf, error, size - 1);
 385                 buf[size - 1] = '\0';
 386                 set_error(NULL);
 387         } else
 388                 buf[0] = '\0';
 389 }
 390
 391 const char *crypt_get_dir(void)
 392 {
 393         return dm_get_dir();
 394 }
 395
 396 int crypt_init(struct crypt_device **cd, const char *device)
 397 {
 398         struct crypt_device *h = NULL;
 399         int r, readonly = 0;
 400
 401         if (!cd)
 402                 return -EINVAL;
 403
 404         log_dbg("Allocating crypt device %s context.", device);
 405
 406         if (!(h = malloc(sizeof(struct crypt_device))))
 407                 return -ENOMEM;
 408
 409         memset(h, 0, sizeof(*h));
 410         h->loop_fd = -1;
 411
 412         if (device) {
 413                 r = device_ready(NULL, device, O_RDONLY);
 414                 if (r == -ENOTBLK) {
 415                         h->device = crypt_loop_get_device();
 416                         log_dbg("Not a block device, %s%s.",
 417                                 h->device ? "using free loop device " :
 418                                          "no free loop device found",
 419                                 h->device ?: "");
 420                         if (!h->device) {
 421                                 log_err(NULL, _("Cannot find a free loopback device.\n"));
 422                                 r = -ENOSYS;
 423                                 goto bad;
 424                         }
 425
 426                         /* Keep the loop open, dettached on last close. */
 427                         h->loop_fd = crypt_loop_attach(h->device, device, 0, 1, &readonly);
 428                         if (h->loop_fd == -1) {
 429                                 log_err(NULL, _("Attaching loopback device failed "
 430                                         "(loop device with autoclear flag is required).\n"));
 431                                 r = -EINVAL;
 432                                 goto bad;
 433                         }
 434
 435                         h->backing_file = crypt_loop_backing_file(h->device);
 436                         r = device_ready(NULL, h->device, O_RDONLY);
 437                 }
 438                 if (r < 0) {
 439                         r = -ENOTBLK;
 440                         goto bad;
 441                 }
 442         }
 443
 444         if (!h->device && device && !(h->device = strdup(device))) {
 445                 r = -ENOMEM;
 446                 goto bad;
 447         }
 448
 449         if (dm_init(h, 1) < 0) {
 450                 r = -ENOSYS;
 451                 goto bad;
 452         }
 453
 454         h->iteration_time = 1000;
 455         h->password_verify = 0;
 456         h->tries = 3;
 457         h->rng_type = crypt_random_default_key_rng();
 458         *cd = h;
 459         return 0;
 460 bad:
 461
 462         if (h) {
 463                 if (h->loop_fd != -1)
 464                         close(h->loop_fd);
 465                 free(h->device);
 466                 free(h->backing_file);
 467         }
 468         free(h);
 469         return r;
 470 }
 471
 472 int crypt_init_by_name(struct crypt_device **cd, const char *name)
 473 {
 474         crypt_status_info ci;
 475         struct crypt_dm_active_device dmd;
 476         char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
 477         int key_nums, r;
 478
 479
 480         log_dbg("Allocating crypt device context by device %s.", name);
 481
 482         ci = crypt_status(NULL, name);
 483         if (ci == CRYPT_INVALID)
 484                 return -ENODEV;
 485
 486         if (ci < CRYPT_ACTIVE) {
 487                 log_err(NULL, _("Device %s is not active.\n"), name);
 488                 return -ENODEV;
 489         }
 490
 491         r = dm_query_device(name, DM_ACTIVE_DEVICE | DM_ACTIVE_CIPHER |
 492                                   DM_ACTIVE_UUID | DM_ACTIVE_KEYSIZE, &dmd);
 493         if (r < 0)
 494                 goto out;
 495
 496         *cd = NULL;
 497         r = crypt_init(cd, dmd.device);
 498
 499         /* Underlying device disappeared but mapping still active */
 500         if (!dmd.device || r == -ENOTBLK)
 501                 log_verbose(NULL, _("Underlying device for crypt device %s disappeared.\n"),
 502                             name);
 503
 504         /* Underlying device is not readable but crypt mapping exists */
 505         if (r == -ENOTBLK) {
 506                 free((char*)dmd.device);
 507                 dmd.device = NULL;
 508                 r = crypt_init(cd, NULL);
 509         }
 510
 511         if (r < 0)
 512                 goto out;
 513
 514         /* Try to initialise basic parameters from active device */
 515
 516         if (!(*cd)->backing_file && dmd.device && crypt_loop_device(dmd.device) &&
 517             !((*cd)->backing_file = crypt_loop_backing_file(dmd.device))) {
 518                 r = -ENOMEM;
 519                 goto out;
 520         }
 521
 522         if (dmd.uuid) {
 523                 if (!strncmp(CRYPT_PLAIN, dmd.uuid, sizeof(CRYPT_PLAIN)-1)) {
 524                         (*cd)->type = strdup(CRYPT_PLAIN);
 525                         (*cd)->plain_uuid = strdup(dmd.uuid);
 526                         (*cd)->plain_hdr.hash = NULL; /* no way to get this */
 527                         (*cd)->plain_hdr.offset = dmd.offset;
 528                         (*cd)->plain_hdr.skip = dmd.iv_offset;
 529
 530                         r = crypt_parse_name_and_mode(dmd.cipher, cipher, NULL, cipher_mode);
 531                         if (!r) {
 532                                 (*cd)->plain_cipher = strdup(cipher);
 533                                 (*cd)->plain_cipher_mode = strdup(cipher_mode);
 534                         }
 535                 } else if (!strncmp(CRYPT_LOOPAES, dmd.uuid, sizeof(CRYPT_LOOPAES)-1)) {
 536                         (*cd)->type = strdup(CRYPT_LOOPAES);
 537                         (*cd)->loopaes_uuid = strdup(dmd.uuid);
 538                         (*cd)->loopaes_hdr.offset = dmd.offset;
 539
 540                         r = crypt_parse_name_and_mode(dmd.cipher, cipher,
 541                                                       &key_nums, cipher_mode);
 542                         if (!r) {
 543                                 (*cd)->loopaes_cipher = strdup(cipher);
 544                                 (*cd)->loopaes_cipher_mode = strdup(cipher_mode);
 545                                 /* version 3 uses last key for IV */
 546                                 if (dmd.vk->keylength % key_nums)
 547                                         key_nums++;
 548                                 (*cd)->loopaes_key_size = dmd.vk->keylength / key_nums;
 549                         }
 550                 } else if (!strncmp(CRYPT_LUKS1, dmd.uuid, sizeof(CRYPT_LUKS1)-1)) {
 551                         if (dmd.device) {
 552                                 r = crypt_load(*cd, CRYPT_LUKS1, NULL);
 553                                 if (r < 0) {
 554                                         log_dbg("LUKS device header does not match active device.");
 555                                         /* initialise empty context */
 556                                         r = 0;
 557                                 }
 558                         }
 559                 }
 560         } else
 561                 log_dbg("Active device has no UUID set, some parameters are not set.");
 562
 563 out:
 564         if (r < 0) {
 565                 crypt_free(*cd);
 566                 *cd = NULL;
 567         }
 568         crypt_free_volume_key(dmd.vk);
 569         free((char*)dmd.device);
 570         free((char*)dmd.cipher);
 571         free((char*)dmd.uuid);
 572         return r;
 573 }
 574
 575 static int _crypt_format_plain(struct crypt_device *cd,
 576                                const char *cipher,
 577                                const char *cipher_mode,
 578                                const char *uuid,
 579                                size_t volume_key_size,
 580                                struct crypt_params_plain *params)
 581 {
 582         if (!cipher || !cipher_mode) {
 583                 log_err(cd, _("Invalid plain crypt parameters.\n"));
 584                 return -EINVAL;
 585         }
 586
 587         if (volume_key_size > 1024) {
 588                 log_err(cd, _("Invalid key size.\n"));
 589                 return -EINVAL;
 590         }
 591
 592         cd->volume_key = crypt_alloc_volume_key(volume_key_size, NULL);
 593         if (!cd->volume_key)
 594                 return -ENOMEM;
 595
 596         cd->plain_cipher = strdup(cipher);
 597         cd->plain_cipher_mode = strdup(cipher_mode);
 598
 599         if (uuid)
 600                 cd->plain_uuid = strdup(uuid);
 601
 602         if (params && params->hash)
 603                 cd->plain_hdr.hash = strdup(params->hash);
 604
 605         cd->plain_hdr.offset = params ? params->offset : 0;
 606         cd->plain_hdr.skip = params ? params->skip : 0;
 607         cd->plain_hdr.size = params ? params->size : 0;
 608
 609         if (!cd->plain_cipher || !cd->plain_cipher_mode)
 610                 return -ENOMEM;
 611
 612         return 0;
 613 }
 614
 615 static int _crypt_format_luks1(struct crypt_device *cd,
 616                                const char *cipher,
 617                                const char *cipher_mode,
 618                                const char *uuid,
 619                                const char *volume_key,
 620                                size_t volume_key_size,
 621                                struct crypt_params_luks1 *params)
 622 {
 623         int r;
 624         unsigned long required_alignment = DEFAULT_DISK_ALIGNMENT;
 625         unsigned long alignment_offset = 0;
 626
 627         if (!cd->device) {
 628                 log_err(cd, _("Can't format LUKS without device.\n"));
 629                 return -EINVAL;
 630         }
 631
 632         if (volume_key)
 633                 cd->volume_key = crypt_alloc_volume_key(volume_key_size,
 634                                                       volume_key);
 635         else
 636                 cd->volume_key = crypt_generate_volume_key(cd, volume_key_size);
 637
 638         if(!cd->volume_key)
 639                 return -ENOMEM;
 640
 641         if (params && params->data_alignment)
 642                 required_alignment = params->data_alignment * SECTOR_SIZE;
 643         else
 644                 get_topology_alignment(cd->device, &required_alignment,
 645                                        &alignment_offset, DEFAULT_DISK_ALIGNMENT);
 646
 647         r = LUKS_generate_phdr(&cd->hdr, cd->volume_key, cipher, cipher_mode,
 648                                (params && params->hash) ? params->hash : "sha1",
 649                                uuid, LUKS_STRIPES,
 650                                required_alignment / SECTOR_SIZE,
 651                                alignment_offset / SECTOR_SIZE,
 652                                cd->iteration_time, &cd->PBKDF2_per_sec, cd);
 653         if(r < 0)
 654                 return r;
 655
 656         /* Wipe first 8 sectors - fs magic numbers etc. */
 657         r = wipe_device_header(cd->device, 8);
 658         if(r < 0) {
 659                 if (r == -EBUSY)
 660                         log_err(cd, _("Cannot format device %s which is still in use.\n"),
 661                                 cd->device);
 662                 else
 663                         log_err(cd, _("Cannot wipe header on device %s.\n"),
 664                                 cd->device);
 665
 666                 return r;
 667         }
 668
 669         r = LUKS_write_phdr(cd->device, &cd->hdr, cd);
 670
 671         return r;
 672 }
 673
 674 static int _crypt_format_loopaes(struct crypt_device *cd,
 675                                  const char *cipher,
 676                                  const char *uuid,
 677                                  size_t volume_key_size,
 678                                  struct crypt_params_loopaes *params)
 679 {
 680         if (!cd->device) {
 681                 log_err(cd, _("Can't format LOOPAES without device.\n"));
 682                 return -EINVAL;
 683         }
 684
 685         if (volume_key_size > 1024) {
 686                 log_err(cd, _("Invalid key size.\n"));
 687                 return -EINVAL;
 688         }
 689
 690         cd->loopaes_key_size = volume_key_size;
 691
 692         cd->loopaes_cipher = strdup(cipher ?: DEFAULT_LOOPAES_CIPHER);
 693
 694         if (uuid)
 695                 cd->loopaes_uuid = strdup(uuid);
 696
 697         if (params && params->hash)
 698                 cd->loopaes_hdr.hash = strdup(params->hash);
 699
 700         cd->loopaes_hdr.offset = params ? params->offset : 0;
 701         cd->loopaes_hdr.skip = params ? params->skip : 0;
 702
 703         return 0;
 704 }
 705
 706 int crypt_format(struct crypt_device *cd,
 707         const char *type,
 708         const char *cipher,
 709         const char *cipher_mode,
 710         const char *uuid,
 711         const char *volume_key,
 712         size_t volume_key_size,
 713         void *params)
 714 {
 715         int r;
 716
 717         if (!type)
 718                 return -EINVAL;
 719
 720         log_dbg("Formatting device %s as type %s.", cd->device ?: "(none)", type);
 721
 722         r = init_crypto(cd);
 723         if (r < 0)
 724                 return r;
 725
 726         if (isPLAIN(type))
 727                 r = _crypt_format_plain(cd, cipher, cipher_mode,
 728                                         uuid, volume_key_size, params);
 729         else if (isLUKS(type))
 730                 r = _crypt_format_luks1(cd, cipher, cipher_mode,
 731                                         uuid, volume_key, volume_key_size, params);
 732         else if (isLOOPAES(type))
 733                 r = _crypt_format_loopaes(cd, cipher, uuid, volume_key_size, params);
 734         else {
 735                 /* FIXME: allow plugins here? */
 736                 log_err(cd, _("Unknown crypt device type %s requested.\n"), type);
 737                 r = -EINVAL;
 738         }
 739
 740         if (!r && !(cd->type = strdup(type)))
 741                 r = -ENOMEM;
 742
 743         if (r < 0) {
 744                 crypt_free_volume_key(cd->volume_key);
 745                 cd->volume_key = NULL;
 746         }
 747
 748         return r;
 749 }
 750
 751 int crypt_load(struct crypt_device *cd,
 752                const char *requested_type,
 753                void *params __attribute__((unused)))
 754 {
 755         struct luks_phdr hdr;
 756         int r;
 757
 758         log_dbg("Trying to load %s crypt type from device %s.",
 759                 requested_type ?: "any", cd->device ?: "(none)");
 760
 761         if (!cd->device)
 762                 return -EINVAL;
 763
 764         if (requested_type && !isLUKS(requested_type))
 765                 return -EINVAL;
 766
 767         r = init_crypto(cd);
 768         if (r < 0)
 769                 return r;
 770
 771         r = LUKS_read_phdr(cd->device, &hdr, 1, cd);
 772
 773         if (!r) {
 774                 memcpy(&cd->hdr, &hdr, sizeof(hdr));
 775                 cd->type = strdup(CRYPT_LUKS1);
 776                 if (!cd->type)
 777                         r = -ENOMEM;
 778         }
 779
 780         return r;
 781 }
 782
 783 int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
 784 {
 785         struct crypt_dm_active_device dmd;
 786         int r;
 787
 788         /* Device context type must be initialised */
 789         if (!cd->type || !crypt_get_uuid(cd))
 790                 return -EINVAL;
 791
 792         log_dbg("Resizing device %s to %" PRIu64 " sectors.", name, new_size);
 793
 794         r = dm_query_device(name, DM_ACTIVE_DEVICE | DM_ACTIVE_CIPHER |
 795                                   DM_ACTIVE_UUID | DM_ACTIVE_KEYSIZE |
 796                                   DM_ACTIVE_KEY, &dmd);
 797         if (r < 0) {
 798                 log_err(NULL, _("Device %s is not active.\n"), name);
 799                 goto out;
 800         }
 801
 802         if (!dmd.uuid) {
 803                 r = -EINVAL;
 804                 goto out;
 805         }
 806
 807         r = device_check_and_adjust(cd, dmd.device, DEV_OK, &new_size, &dmd.offset, &dmd.flags);
 808         if (r)
 809                 goto out;
 810
 811         if (new_size == dmd.size) {
 812                 log_dbg("Device has already requested size %" PRIu64
 813                         " sectors.", dmd.size);
 814                 r = 0;
 815         } else {
 816                 dmd.size = new_size;
 817                 r = dm_create_device(name, cd->type, &dmd, 1);
 818         }
 819 out:
 820         crypt_free_volume_key(dmd.vk);
 821         free((char*)dmd.cipher);
 822         free((char*)dmd.device);
 823         free((char*)dmd.uuid);
 824
 825         return r;
 826 }
 827
 828 int crypt_set_uuid(struct crypt_device *cd, const char *uuid)
 829 {
 830         if (!isLUKS(cd->type)) {
 831                 log_err(cd, _("This operation is not supported for this device type.\n"));
 832                 return  -EINVAL;
 833         }
 834
 835         if (uuid && !strncmp(uuid, cd->hdr.uuid, sizeof(cd->hdr.uuid))) {
 836                 log_dbg("UUID is the same as requested (%s) for device %s.",
 837                         uuid, cd->device);
 838                 return 0;
 839         }
 840
 841         if (uuid)
 842                 log_dbg("Requested new UUID change to %s for %s.", uuid, cd->device);
 843         else
 844                 log_dbg("Requested new UUID refresh for %s.", cd->device);
 845
 846         if (!crypt_confirm(cd, _("Do you really want to change UUID of device?")))
 847                 return -EPERM;
 848
 849         return LUKS_hdr_uuid_set(cd->device, &cd->hdr, uuid, cd);
 850 }
 851
 852 int crypt_header_backup(struct crypt_device *cd,
 853                         const char *requested_type,
 854                         const char *backup_file)
 855 {
 856         int r;
 857
 858         if ((requested_type && !isLUKS(requested_type)) || !backup_file)
 859                 return -EINVAL;
 860
 861         r = init_crypto(cd);
 862         if (r < 0)
 863                 return r;
 864
 865         log_dbg("Requested header backup of device %s (%s) to "
 866                 "file %s.", cd->device, requested_type, backup_file);
 867
 868         return LUKS_hdr_backup(backup_file, cd->device, &cd->hdr, cd);
 869 }
 870
 871 int crypt_header_restore(struct crypt_device *cd,
 872                          const char *requested_type,
 873                          const char *backup_file)
 874 {
 875         int r;
 876
 877         if (requested_type && !isLUKS(requested_type))
 878                 return -EINVAL;
 879
 880         /* Some hash functions need initialized gcrypt library */
 881         r = init_crypto(cd);
 882         if (r < 0)
 883                 return r;
 884
 885         log_dbg("Requested header restore to device %s (%s) from "
 886                 "file %s.", cd->device, requested_type, backup_file);
 887
 888         return LUKS_hdr_restore(backup_file, cd->device, &cd->hdr, cd);
 889 }
 890
 891 void crypt_free(struct crypt_device *cd)
 892 {
 893         if (cd) {
 894                 log_dbg("Releasing crypt device %s context.", cd->device);
 895
 896                 if (cd->loop_fd != -1)
 897                         close(cd->loop_fd);
 898
 899                 dm_exit();
 900                 crypt_free_volume_key(cd->volume_key);
 901
 902                 free(cd->device);
 903                 free(cd->backing_file);
 904                 free(cd->type);
 905
 906                 /* used in plain device only */
 907                 free((char*)cd->plain_hdr.hash);
 908                 free(cd->plain_cipher);
 909                 free(cd->plain_cipher_mode);
 910                 free(cd->plain_uuid);
 911
 912                 /* used in loop-AES device only */
 913                 free((char*)cd->loopaes_hdr.hash);
 914                 free(cd->loopaes_cipher);
 915                 free(cd->loopaes_uuid);
 916
 917                 free(cd);
 918         }
 919 }
 920
 921 int crypt_suspend(struct crypt_device *cd,
 922                   const char *name)
 923 {
 924         crypt_status_info ci;
 925         int r;
 926
 927         log_dbg("Suspending volume %s.", name);
 928
 929         if (!isLUKS(cd->type)) {
 930                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
 931                 r = -EINVAL;
 932                 goto out;
 933         }
 934
 935         ci = crypt_status(NULL, name);
 936         if (ci < CRYPT_ACTIVE) {
 937                 log_err(cd, _("Volume %s is not active.\n"), name);
 938                 return -EINVAL;
 939         }
 940
 941         if (!cd && dm_init(NULL, 1) < 0)
 942                 return -ENOSYS;
 943
 944         r = dm_status_suspended(name);
 945         if (r < 0)
 946                 goto out;
 947
 948         if (r) {
 949                 log_err(cd, _("Volume %s is already suspended.\n"), name);
 950                 r = -EINVAL;
 951                 goto out;
 952         }
 953
 954         r = dm_suspend_and_wipe_key(name);
 955         if (r == -ENOTSUP)
 956                 log_err(cd, "Suspend is not supported for device %s.\n", name);
 957         else if (r)
 958                 log_err(cd, "Error during suspending device %s.\n", name);
 959 out:
 960         if (!cd)
 961                 dm_exit();
 962         return r;
 963 }
 964
 965 int crypt_resume_by_passphrase(struct crypt_device *cd,
 966                                const char *name,
 967                                int keyslot,
 968                                const char *passphrase,
 969                                size_t passphrase_size)
 970 {
 971         struct volume_key *vk = NULL;
 972         int r;
 973
 974         log_dbg("Resuming volume %s.", name);
 975
 976         if (!isLUKS(cd->type)) {
 977                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
 978                 r = -EINVAL;
 979                 goto out;
 980         }
 981
 982         r = dm_status_suspended(name);
 983         if (r < 0)
 984                 return r;
 985
 986         if (!r) {
 987                 log_err(cd, _("Volume %s is not suspended.\n"), name);
 988                 return -EINVAL;
 989         }
 990
 991         if (passphrase) {
 992                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
 993                                            passphrase_size, &cd->hdr, &vk, cd);
 994         } else
 995                 r = volume_key_by_terminal_passphrase(cd, keyslot, &vk);
 996
 997         if (r >= 0) {
 998                 keyslot = r;
 999                 r = dm_resume_and_reinstate_key(name, vk->keylength, vk->key);
1000                 if (r == -ENOTSUP)
1001                         log_err(cd, "Resume is not supported for device %s.\n", name);
1002                 else if (r)
1003                         log_err(cd, "Error during resuming device %s.\n", name);
1004         } else
1005                 r = keyslot;
1006 out:
1007         crypt_free_volume_key(vk);
1008         return r < 0 ? r : keyslot;
1009 }
1010
1011 int crypt_resume_by_keyfile(struct crypt_device *cd,
1012                             const char *name,
1013                             int keyslot,
1014                             const char *keyfile,
1015                             size_t keyfile_size)
1016 {
1017         struct volume_key *vk = NULL;
1018         char *passphrase_read = NULL;
1019         size_t passphrase_size_read;
1020         int r;
1021
1022         log_dbg("Resuming volume %s.", name);
1023
1024         if (!isLUKS(cd->type)) {
1025                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1026                 r = -EINVAL;
1027                 goto out;
1028         }
1029
1030         r = dm_status_suspended(name);
1031         if (r < 0)
1032                 return r;
1033
1034         if (!r) {
1035                 log_err(cd, _("Volume %s is not suspended.\n"), name);
1036                 return -EINVAL;
1037         }
1038
1039         if (!keyfile)
1040                 return -EINVAL;
1041
1042         r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1043                           &passphrase_size_read, keyfile, keyfile_size);
1044         if (r < 0)
1045                 goto out;
1046
1047         r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1048                                    passphrase_size_read, &cd->hdr, &vk, cd);
1049         if (r < 0)
1050                 goto out;
1051
1052         keyslot = r;
1053         r = dm_resume_and_reinstate_key(name, vk->keylength, vk->key);
1054         if (r)
1055                 log_err(cd, "Error during resuming device %s.\n", name);
1056 out:
1057         crypt_safe_free(passphrase_read);
1058         crypt_free_volume_key(vk);
1059         return r < 0 ? r : keyslot;
1060 }
1061
1062 // slot manipulation
1063 int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
1064         int keyslot, // -1 any
1065         const char *passphrase, // NULL -> terminal
1066         size_t passphrase_size,
1067         const char *new_passphrase, // NULL -> terminal
1068         size_t new_passphrase_size)
1069 {
1070         struct volume_key *vk = NULL;
1071         char *password = NULL, *new_password = NULL;
1072         size_t passwordLen, new_passwordLen;
1073         int r;
1074
1075         log_dbg("Adding new keyslot, existing passphrase %sprovided,"
1076                 "new passphrase %sprovided.",
1077                 passphrase ? "" : "not ", new_passphrase  ? "" : "not ");
1078
1079         if (!isLUKS(cd->type)) {
1080                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1081                 return -EINVAL;
1082         }
1083
1084         r = keyslot_verify_or_find_empty(cd, &keyslot);
1085         if (r)
1086                 return r;
1087
1088         if (!LUKS_keyslot_active_count(&cd->hdr)) {
1089                 /* No slots used, try to use pre-generated key in header */
1090                 if (cd->volume_key) {
1091                         vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1092                         r = vk ? 0 : -ENOMEM;
1093                 } else {
1094                         log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1095                         return -EINVAL;
1096                 }
1097         } else if (passphrase) {
1098                 /* Passphrase provided, use it to unlock existing keyslot */
1099                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, passphrase,
1100                                            passphrase_size, &cd->hdr, &vk, cd);
1101         } else {
1102                 /* Passphrase not provided, ask first and use it to unlock existing keyslot */
1103                 r = key_from_terminal(cd, _("Enter any passphrase: "),
1104                                       &password, &passwordLen, 0);
1105                 if (r < 0)
1106                         goto out;
1107
1108                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
1109                                            passwordLen, &cd->hdr, &vk, cd);
1110                 crypt_safe_free(password);
1111         }
1112
1113         if(r < 0)
1114                 goto out;
1115
1116         if (new_passphrase) {
1117                 new_password = (char *)new_passphrase;
1118                 new_passwordLen = new_passphrase_size;
1119         } else {
1120                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1121                                       &new_password, &new_passwordLen, 1);
1122                 if(r < 0)
1123                         goto out;
1124         }
1125
1126         r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1127                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1128         if(r < 0) goto out;
1129
1130         r = 0;
1131 out:
1132         if (!new_passphrase)
1133                 crypt_safe_free(new_password);
1134         crypt_free_volume_key(vk);
1135         return r ?: keyslot;
1136 }
1137
1138 int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
1139         int keyslot,
1140         const char *keyfile,
1141         size_t keyfile_size,
1142         const char *new_keyfile,
1143         size_t new_keyfile_size)
1144 {
1145         struct volume_key *vk = NULL;
1146         char *password = NULL; size_t passwordLen;
1147         char *new_password = NULL; size_t new_passwordLen;
1148         int r;
1149
1150         log_dbg("Adding new keyslot, existing keyfile %s, new keyfile %s.",
1151                 keyfile ?: "[none]", new_keyfile ?: "[none]");
1152
1153         if (!isLUKS(cd->type)) {
1154                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1155                 return -EINVAL;
1156         }
1157
1158         r = keyslot_verify_or_find_empty(cd, &keyslot);
1159         if (r)
1160                 return r;
1161
1162         if (!LUKS_keyslot_active_count(&cd->hdr)) {
1163                 /* No slots used, try to use pre-generated key in header */
1164                 if (cd->volume_key) {
1165                         vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1166                         r = vk ? 0 : -ENOMEM;
1167                 } else {
1168                         log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1169                         return -EINVAL;
1170                 }
1171         } else {
1172                 /* Read password from file of (if NULL) from terminal */
1173                 if (keyfile)
1174                         r = key_from_file(cd, _("Enter any passphrase: "),
1175                                           &password, &passwordLen,
1176                                           keyfile, keyfile_size);
1177                 else
1178                         r = key_from_terminal(cd, _("Enter any passphrase: "),
1179                                               &password, &passwordLen, 0);
1180                 if (r < 0)
1181                         goto out;
1182
1183                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password, passwordLen,
1184                                            &cd->hdr, &vk, cd);
1185         }
1186
1187         if(r < 0)
1188                 goto out;
1189
1190         if (new_keyfile)
1191                 r = key_from_file(cd, _("Enter new passphrase for key slot: "),
1192                                   &new_password, &new_passwordLen, new_keyfile,
1193                                   new_keyfile_size);
1194         else
1195                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1196                                       &new_password, &new_passwordLen, 1);
1197         if (r < 0)
1198                 goto out;
1199
1200         r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1201                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1202 out:
1203         crypt_safe_free(password);
1204         crypt_safe_free(new_password);
1205         crypt_free_volume_key(vk);
1206         return r < 0 ? r : keyslot;
1207 }
1208
1209 int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
1210         int keyslot,
1211         const char *volume_key,
1212         size_t volume_key_size,
1213         const char *passphrase,
1214         size_t passphrase_size)
1215 {
1216         struct volume_key *vk = NULL;
1217         int r = -EINVAL;
1218         char *new_password = NULL; size_t new_passwordLen;
1219
1220         log_dbg("Adding new keyslot %d using volume key.", keyslot);
1221
1222         if (!isLUKS(cd->type)) {
1223                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1224                 return -EINVAL;
1225         }
1226
1227         if (volume_key)
1228                 vk = crypt_alloc_volume_key(volume_key_size, volume_key);
1229         else if (cd->volume_key)
1230                 vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1231
1232         if (!vk)
1233                 return -ENOMEM;
1234
1235         r = LUKS_verify_volume_key(&cd->hdr, vk);
1236         if (r < 0) {
1237                 log_err(cd, _("Volume key does not match the volume.\n"));
1238                 goto out;
1239         }
1240
1241         r = keyslot_verify_or_find_empty(cd, &keyslot);
1242         if (r)
1243                 goto out;
1244
1245         if (!passphrase) {
1246                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1247                                       &new_password, &new_passwordLen, 1);
1248                 if (r < 0)
1249                         goto out;
1250                 passphrase = new_password;
1251                 passphrase_size = new_passwordLen;
1252         }
1253
1254         r = LUKS_set_key(cd->device, keyslot, passphrase, passphrase_size,
1255                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1256 out:
1257         crypt_safe_free(new_password);
1258         crypt_free_volume_key(vk);
1259         return (r < 0) ? r : keyslot;
1260 }
1261
1262 int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot)
1263 {
1264         crypt_keyslot_info ki;
1265
1266         log_dbg("Destroying keyslot %d.", keyslot);
1267
1268         if (!isLUKS(cd->type)) {
1269                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1270                 return -EINVAL;
1271         }
1272
1273         ki = crypt_keyslot_status(cd, keyslot);
1274         if (ki == CRYPT_SLOT_INVALID) {
1275                 log_err(cd, _("Key slot %d is invalid.\n"), keyslot);
1276                 return -EINVAL;
1277         }
1278
1279         if (ki == CRYPT_SLOT_INACTIVE) {
1280                 log_err(cd, _("Key slot %d is not used.\n"), keyslot);
1281                 return -EINVAL;
1282         }
1283
1284         return LUKS_del_key(cd->device, keyslot, &cd->hdr, cd);
1285 }
1286
1287 // activation/deactivation of device mapping
1288 int crypt_activate_by_passphrase(struct crypt_device *cd,
1289         const char *name,
1290         int keyslot,
1291         const char *passphrase,
1292         size_t passphrase_size,
1293         uint32_t flags)
1294 {
1295         crypt_status_info ci;
1296         struct volume_key *vk = NULL;
1297         char *read_passphrase = NULL;
1298         size_t passphraseLen = 0;
1299         int r;
1300
1301         log_dbg("%s volume %s [keyslot %d] using %spassphrase.",
1302                 name ? "Activating" : "Checking", name ?: "",
1303                 keyslot, passphrase ? "" : "[none] ");
1304
1305         if (name) {
1306                 ci = crypt_status(NULL, name);
1307                 if (ci == CRYPT_INVALID)
1308                         return -EINVAL;
1309                 else if (ci >= CRYPT_ACTIVE) {
1310                         log_err(cd, _("Device %s already exists.\n"), name);
1311                         return -EEXIST;
1312                 }
1313         }
1314
1315         /* plain, use hashed passphrase */
1316         if (isPLAIN(cd->type)) {
1317                 if (!name)
1318                         return -EINVAL;
1319
1320                 if (!passphrase) {
1321                         r = key_from_terminal(cd, NULL, &read_passphrase,
1322                                               &passphraseLen, 0);
1323                         if (r < 0)
1324                                 goto out;
1325                         passphrase = read_passphrase;
1326                         passphrase_size = passphraseLen;
1327                 }
1328
1329                 r = process_key(cd, cd->plain_hdr.hash,
1330                                 cd->volume_key->keylength,
1331                                 passphrase, passphrase_size, &vk);
1332                 if (r < 0)
1333                         goto out;
1334
1335                 r = PLAIN_activate(cd, name, vk, cd->plain_hdr.size, flags);
1336                 keyslot = 0;
1337         } else if (isLUKS(cd->type)) {
1338                 /* provided passphrase, do not retry */
1339                 if (passphrase) {
1340                         r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1341                                                    passphrase_size, &cd->hdr, &vk, cd);
1342                 } else
1343                         r = volume_key_by_terminal_passphrase(cd, keyslot, &vk);
1344
1345                 if (r >= 0) {
1346                         keyslot = r;
1347                         if (name)
1348                                 r = LUKS1_activate(cd, name, vk, flags);
1349                 }
1350         } else
1351                 r = -EINVAL;
1352 out:
1353         crypt_safe_free(read_passphrase);
1354         crypt_free_volume_key(vk);
1355
1356         return r < 0  ? r : keyslot;
1357 }
1358
1359 int crypt_activate_by_keyfile(struct crypt_device *cd,
1360         const char *name,
1361         int keyslot,
1362         const char *keyfile,
1363         size_t keyfile_size,
1364         uint32_t flags)
1365 {
1366         crypt_status_info ci;
1367         struct volume_key *vk = NULL;
1368         char *passphrase_read = NULL;
1369         size_t passphrase_size_read;
1370         unsigned int key_count = 0;
1371         int r;
1372
1373         log_dbg("Activating volume %s [keyslot %d] using keyfile %s.",
1374                 name ?: "", keyslot, keyfile ?: "[none]");
1375
1376         if (name) {
1377                 ci = crypt_status(NULL, name);
1378                 if (ci == CRYPT_INVALID)
1379                         return -EINVAL;
1380                 else if (ci >= CRYPT_ACTIVE) {
1381                         log_err(cd, _("Device %s already exists.\n"), name);
1382                         return -EEXIST;
1383                 }
1384         }
1385
1386         if (!keyfile)
1387                 return -EINVAL;
1388
1389         if (isPLAIN(cd->type)) {
1390                 if (!name)
1391                         return -EINVAL;
1392
1393                 r = key_from_file(cd, _("Enter passphrase: "),
1394                                   &passphrase_read, &passphrase_size_read,
1395                                   keyfile, keyfile_size);
1396                 if (r < 0)
1397                         goto out;
1398
1399                 r = process_key(cd, cd->plain_hdr.hash,
1400                                 cd->volume_key->keylength,
1401                                 passphrase_read, passphrase_size_read, &vk);
1402                 if (r < 0)
1403                         goto out;
1404
1405                 r = PLAIN_activate(cd, name, vk, cd->plain_hdr.size, flags);
1406         } else if (isLUKS(cd->type)) {
1407                 r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1408                           &passphrase_size_read, keyfile, keyfile_size);
1409                 if (r < 0)
1410                         goto out;
1411                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1412                                            passphrase_size_read, &cd->hdr, &vk, cd);
1413                 if (r < 0)
1414                         goto out;
1415                 keyslot = r;
1416
1417                 if (name) {
1418                         r = LUKS1_activate(cd, name, vk, flags);
1419                         if (r < 0)
1420                                 goto out;
1421                 }
1422                 r = keyslot;
1423         } else if (isLOOPAES(cd->type)) {
1424                 r = key_from_file(cd, NULL, &passphrase_read, &passphrase_size_read,
1425                                   keyfile, keyfile_size);
1426                 if (r < 0)
1427                         goto out;
1428                 r = LOOPAES_parse_keyfile(cd, &vk, cd->loopaes_hdr.hash, &key_count,
1429                                           passphrase_read, passphrase_size_read);
1430                 if (r < 0)
1431                         goto out;
1432                 if (name)
1433                         r = LOOPAES_activate(cd, name, cd->loopaes_cipher,
1434                                              key_count, vk, flags);
1435         } else
1436                 r = -EINVAL;
1437
1438 out:
1439         crypt_safe_free(passphrase_read);
1440         crypt_free_volume_key(vk);
1441
1442         return r;
1443 }
1444
1445 int crypt_activate_by_volume_key(struct crypt_device *cd,
1446         const char *name,
1447         const char *volume_key,
1448         size_t volume_key_size,
1449         uint32_t flags)
1450 {
1451         crypt_status_info ci;
1452         struct volume_key *vk = NULL;
1453         int r = -EINVAL;
1454
1455         log_dbg("Activating volume %s by volume key.", name);
1456
1457         if (name) {
1458                 ci = crypt_status(NULL, name);
1459                 if (ci == CRYPT_INVALID)
1460                         return -EINVAL;
1461                 else if (ci >= CRYPT_ACTIVE) {
1462                         log_err(cd, _("Device %s already exists.\n"), name);
1463                         return -EEXIST;
1464                 }
1465         }
1466
1467         /* use key directly, no hash */
1468         if (isPLAIN(cd->type)) {
1469                 if (!name)
1470                         return -EINVAL;
1471
1472                 if (!volume_key || !volume_key_size || !cd->volume_key ||
1473                         volume_key_size != cd->volume_key->keylength) {
1474                         log_err(cd, _("Incorrect volume key specified for plain device.\n"));
1475                         return -EINVAL;
1476                 }
1477
1478                 vk = crypt_alloc_volume_key(volume_key_size, volume_key);
1479                 if (!vk)
1480                         return -ENOMEM;
1481
1482                 r = PLAIN_activate(cd, name, vk, cd->plain_hdr.size, flags);
1483         } else if (isLUKS(cd->type)) {
1484                 /* If key is not provided, try to use internal key */
1485                 if (!volume_key) {
1486                         if (!cd->volume_key) {
1487                                 log_err(cd, _("Volume key does not match the volume.\n"));
1488                                 return -EINVAL;
1489                         }
1490                         volume_key_size = cd->volume_key->keylength;
1491                         volume_key = cd->volume_key->key;
1492                 }
1493
1494                 vk = crypt_alloc_volume_key(volume_key_size, volume_key);
1495                 if (!vk)
1496                         return -ENOMEM;
1497                 r = LUKS_verify_volume_key(&cd->hdr, vk);
1498
1499                 if (r == -EPERM)
1500                         log_err(cd, _("Volume key does not match the volume.\n"));
1501
1502                 if (!r && name)
1503                         r = LUKS1_activate(cd, name, vk, flags);
1504         } else
1505                 log_err(cd, _("Device type is not properly initialised.\n"));
1506
1507         crypt_free_volume_key(vk);
1508
1509         return r;
1510 }
1511
1512 int crypt_deactivate(struct crypt_device *cd, const char *name)
1513 {
1514         int r;
1515
1516         if (!name)
1517                 return -EINVAL;
1518
1519         log_dbg("Deactivating volume %s.", name);
1520
1521         if (!cd && dm_init(NULL, 1) < 0)
1522                 return -ENOSYS;
1523
1524         switch (crypt_status(cd, name)) {
1525                 case CRYPT_ACTIVE:
1526                         r = dm_remove_device(name, 0, 0);
1527                         break;
1528                 case CRYPT_BUSY:
1529                         log_err(cd, _("Device %s is busy.\n"), name);
1530                         r = -EBUSY;
1531                         break;
1532                 case CRYPT_INACTIVE:
1533                         log_err(cd, _("Device %s is not active.\n"), name);
1534                         r = -ENODEV;
1535                         break;
1536                 default:
1537                         log_err(cd, _("Invalid device %s.\n"), name);
1538                         r = -EINVAL;
1539         }
1540
1541         if (!cd)
1542                 dm_exit();
1543
1544         return r;
1545 }
1546
1547 int crypt_volume_key_get(struct crypt_device *cd,
1548         int keyslot,
1549         char *volume_key,
1550         size_t *volume_key_size,
1551         const char *passphrase,
1552         size_t passphrase_size)
1553 {
1554         struct volume_key *vk = NULL;
1555         unsigned key_len;
1556         int r = -EINVAL;
1557
1558         key_len = crypt_get_volume_key_size(cd);
1559         if (key_len > *volume_key_size) {
1560                 log_err(cd, _("Volume key buffer too small.\n"));
1561                 return -ENOMEM;
1562         }
1563
1564         if (isPLAIN(cd->type) && cd->plain_hdr.hash) {
1565                 r = process_key(cd, cd->plain_hdr.hash, key_len,
1566                                 passphrase, passphrase_size, &vk);
1567                 if (r < 0)
1568                         log_err(cd, _("Cannot retrieve volume key for plain device.\n"));
1569         } else if (isLUKS(cd->type)) {
1570                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1571                                         passphrase_size, &cd->hdr, &vk, cd);
1572
1573         } else
1574                 log_err(cd, _("This operation is not supported for %s crypt device.\n"), cd->type ?: "(none)");
1575
1576         if (r >= 0) {
1577                 memcpy(volume_key, vk->key, vk->keylength);
1578                 *volume_key_size = vk->keylength;
1579         }
1580
1581         crypt_free_volume_key(vk);
1582         return r;
1583 }
1584
1585 int crypt_volume_key_verify(struct crypt_device *cd,
1586         const char *volume_key,
1587         size_t volume_key_size)
1588 {
1589         struct volume_key *vk;
1590         int r;
1591
1592         if (!isLUKS(cd->type)) {
1593                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1594                 return -EINVAL;
1595         }
1596
1597         vk = crypt_alloc_volume_key(volume_key_size, volume_key);
1598         if (!vk)
1599                 return -ENOMEM;
1600
1601         r = LUKS_verify_volume_key(&cd->hdr, vk);
1602
1603         if (r == -EPERM)
1604                 log_err(cd, _("Volume key does not match the volume.\n"));
1605
1606         crypt_free_volume_key(vk);
1607
1608         return r;
1609 }
1610
1611 void crypt_set_timeout(struct crypt_device *cd, uint64_t timeout_sec)
1612 {
1613         log_dbg("Timeout set to %" PRIu64 " miliseconds.", timeout_sec);
1614         cd->timeout = timeout_sec;
1615 }
1616
1617 void crypt_set_password_retry(struct crypt_device *cd, int tries)
1618 {
1619         log_dbg("Password retry count set to %d.", tries);
1620         cd->tries = tries;
1621 }
1622
1623 void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms)
1624 {
1625         log_dbg("Iteration time set to %" PRIu64 " miliseconds.", iteration_time_ms);
1626         cd->iteration_time = iteration_time_ms;
1627 }
1628
1629 void crypt_set_password_verify(struct crypt_device *cd, int password_verify)
1630 {
1631         log_dbg("Password verification %s.", password_verify ? "enabled" : "disabled");
1632         cd->password_verify = password_verify ? 1 : 0;
1633 }
1634
1635 void crypt_set_rng_type(struct crypt_device *cd, int rng_type)
1636 {
1637         switch (rng_type) {
1638         case CRYPT_RNG_URANDOM:
1639         case CRYPT_RNG_RANDOM:
1640                 log_dbg("RNG set to %d (%s).", rng_type, rng_type ? "random" : "urandom");
1641                 cd->rng_type = rng_type;
1642         }
1643 }
1644
1645 int crypt_get_rng_type(struct crypt_device *cd)
1646 {
1647         if (!cd)
1648                 return -EINVAL;
1649
1650         return cd->rng_type;
1651 }
1652
1653 int crypt_memory_lock(struct crypt_device *cd, int lock)
1654 {
1655         return lock ? crypt_memlock_inc(cd) : crypt_memlock_dec(cd);
1656 }
1657
1658 // reporting
1659 crypt_status_info crypt_status(struct crypt_device *cd, const char *name)
1660 {
1661         int r;
1662
1663         if (!cd && dm_init(NULL, 1) < 0)
1664                 return CRYPT_INVALID;
1665
1666         r = dm_status_device(name);
1667
1668         if (!cd)
1669                 dm_exit();
1670
1671         if (r < 0 && r != -ENODEV)
1672                 return CRYPT_INVALID;
1673
1674         if (r == 0)
1675                 return CRYPT_ACTIVE;
1676
1677         if (r > 0)
1678                 return CRYPT_BUSY;
1679
1680         return CRYPT_INACTIVE;
1681 }
1682
1683 static void hexprintICB(struct crypt_device *cd, char *d, int n)
1684 {
1685         int i;
1686         for(i = 0; i < n; i++)
1687                 log_std(cd, "%02hhx ", (char)d[i]);
1688 }
1689
1690 int crypt_dump(struct crypt_device *cd)
1691 {
1692         int i;
1693         if (!isLUKS(cd->type)) { //FIXME
1694                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1695                 return -EINVAL;
1696         }
1697
1698         log_std(cd, "LUKS header information for %s\n\n", cd->device);
1699         log_std(cd, "Version:       \t%d\n", cd->hdr.version);
1700         log_std(cd, "Cipher name:   \t%s\n", cd->hdr.cipherName);
1701         log_std(cd, "Cipher mode:   \t%s\n", cd->hdr.cipherMode);
1702         log_std(cd, "Hash spec:     \t%s\n", cd->hdr.hashSpec);
1703         log_std(cd, "Payload offset:\t%d\n", cd->hdr.payloadOffset);
1704         log_std(cd, "MK bits:       \t%d\n", cd->hdr.keyBytes * 8);
1705         log_std(cd, "MK digest:     \t");
1706         hexprintICB(cd, cd->hdr.mkDigest, LUKS_DIGESTSIZE);
1707         log_std(cd, "\n");
1708         log_std(cd, "MK salt:       \t");
1709         hexprintICB(cd, cd->hdr.mkDigestSalt, LUKS_SALTSIZE/2);
1710         log_std(cd, "\n               \t");
1711         hexprintICB(cd, cd->hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
1712         log_std(cd, "\n");
1713         log_std(cd, "MK iterations: \t%d\n", cd->hdr.mkDigestIterations);
1714         log_std(cd, "UUID:          \t%s\n\n", cd->hdr.uuid);
1715         for(i = 0; i < LUKS_NUMKEYS; i++) {
1716                 if(cd->hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
1717                         log_std(cd, "Key Slot %d: ENABLED\n",i);
1718                         log_std(cd, "\tIterations:         \t%d\n",
1719                                 cd->hdr.keyblock[i].passwordIterations);
1720                         log_std(cd, "\tSalt:               \t");
1721                         hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt,
1722                                     LUKS_SALTSIZE/2);
1723                         log_std(cd, "\n\t                      \t");
1724                         hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt +
1725                                     LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
1726                         log_std(cd, "\n");
1727
1728                         log_std(cd, "\tKey material offset:\t%d\n",
1729                                 cd->hdr.keyblock[i].keyMaterialOffset);
1730                         log_std(cd, "\tAF stripes:            \t%d\n",
1731                                 cd->hdr.keyblock[i].stripes);
1732                 }
1733                 else
1734                         log_std(cd, "Key Slot %d: DISABLED\n", i);
1735         }
1736
1737         return 0;
1738 }
1739
1740 const char *crypt_get_cipher(struct crypt_device *cd)
1741 {
1742         if (isPLAIN(cd->type))
1743                 return cd->plain_cipher;
1744
1745         if (isLUKS(cd->type))
1746                 return cd->hdr.cipherName;
1747
1748         if (isLOOPAES(cd->type))
1749                 return cd->loopaes_cipher;
1750
1751         return NULL;
1752 }
1753
1754 const char *crypt_get_cipher_mode(struct crypt_device *cd)
1755 {
1756         if (isPLAIN(cd->type))
1757                 return cd->plain_cipher_mode;
1758
1759         if (isLUKS(cd->type))
1760                 return cd->hdr.cipherMode;
1761
1762         if (isLOOPAES(cd->type))
1763                 return cd->loopaes_cipher_mode;
1764
1765         return NULL;
1766 }
1767
1768 const char *crypt_get_uuid(struct crypt_device *cd)
1769 {
1770         if (isLUKS(cd->type))
1771                 return cd->hdr.uuid;
1772
1773         if (isPLAIN(cd->type))
1774                 return cd->plain_uuid;
1775
1776         if (isLOOPAES(cd->type))
1777                 return cd->loopaes_uuid;
1778
1779         return NULL;
1780 }
1781
1782 const char *crypt_get_device_name(struct crypt_device *cd)
1783 {
1784         return cd->device;
1785 }
1786
1787 int crypt_get_volume_key_size(struct crypt_device *cd)
1788 {
1789         if (isPLAIN(cd->type) && cd->volume_key)
1790                 return cd->volume_key->keylength;
1791
1792         if (isLUKS(cd->type))
1793                 return cd->hdr.keyBytes;
1794
1795         if (isLOOPAES(cd->type))
1796                 return cd->loopaes_key_size;
1797
1798         return 0;
1799 }
1800
1801 uint64_t crypt_get_data_offset(struct crypt_device *cd)
1802 {
1803         if (isPLAIN(cd->type))
1804                 return cd->plain_hdr.offset;
1805
1806         if (isLUKS(cd->type))
1807                 return cd->hdr.payloadOffset;
1808
1809         if (isLOOPAES(cd->type))
1810                 return cd->loopaes_hdr.offset;
1811
1812         return 0;
1813 }
1814
1815 uint64_t crypt_get_iv_offset(struct crypt_device *cd)
1816 {
1817         if (isPLAIN(cd->type))
1818                 return cd->plain_hdr.skip;
1819
1820         if (isLUKS(cd->type))
1821                 return 0;
1822
1823         if (isLOOPAES(cd->type))
1824                 return cd->loopaes_hdr.skip;
1825
1826         return 0;
1827 }
1828
1829 crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot)
1830 {
1831         if (!isLUKS(cd->type)) {
1832                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1833                 return CRYPT_SLOT_INVALID;
1834         }
1835
1836         return LUKS_keyslot_info(&cd->hdr, keyslot);
1837 }
1838
1839 int crypt_keyslot_max(const char *type)
1840 {
1841         if (type && isLUKS(type))
1842                 return LUKS_NUMKEYS;
1843
1844         return -EINVAL;
1845 }
1846
1847 const char *crypt_get_type(struct crypt_device *cd)
1848 {
1849         return cd->type;
1850 }
1851
1852 int crypt_get_active_device(struct crypt_device *cd __attribute__((unused)),
1853                             const char *name,
1854                             struct crypt_active_device *cad)
1855 {
1856         struct crypt_dm_active_device dmd;
1857         int r;
1858
1859         r = dm_query_device(name, 0, &dmd);
1860         if (r < 0)
1861                 return r;
1862
1863         cad->offset     = dmd.offset;
1864         cad->iv_offset  = dmd.iv_offset;
1865         cad->size       = dmd.size;
1866         cad->flags      = dmd.flags;
1867
1868         return 0;
1869 }