projects / platform / upstream / cryptsetup.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
* Allow to activate by internally cached volume key
[platform/upstream/cryptsetup.git] / lib / setup.c
1 #include <string.h>
2 #include <stdio.h>
3 #include <stdlib.h>
4 #include <stdarg.h>
5 #include <fcntl.h>
6 #include <errno.h>
7
8 #include "libcryptsetup.h"
9 #include "luks.h"
10 #include "internal.h"
11
12 struct crypt_device {
13         char *type;
14
15         char *device;
16         struct volume_key *volume_key;
17         uint64_t timeout;
18         uint64_t iteration_time;
19         int tries;
20         int password_verify;
21         int rng_type;
22
23         /* used in CRYPT_LUKS1 */
24         struct luks_phdr hdr;
25         uint64_t PBKDF2_per_sec;
26
27         /* used in CRYPT_PLAIN */
28         struct crypt_params_plain plain_hdr;
29         char *plain_cipher;
30         char *plain_cipher_mode;
31         char *plain_uuid;
32
33         /* callbacks definitions */
34         void (*log)(int level, const char *msg, void *usrptr);
35         void *log_usrptr;
36         int (*confirm)(const char *msg, void *usrptr);
37         void *confirm_usrptr;
38         int (*password)(const char *msg, char *buf, size_t length, void *usrptr);
39         void *password_usrptr;
40 };
41
42 /* Log helper */
43 static void (*_default_log)(int level, const char *msg, void *usrptr) = NULL;
44 static int _debug_level = 0;
45
46 void crypt_set_debug_level(int level)
47 {
48         _debug_level = level;
49 }
50
51 int crypt_get_debug_level()
52 {
53         return _debug_level;
54 }
55
56 void crypt_log(struct crypt_device *cd, int level, const char *msg)
57 {
58         if (cd && cd->log)
59                 cd->log(level, msg, cd->log_usrptr);
60         else if (_default_log)
61                 _default_log(level, msg, NULL);
62 }
63
64 void logger(struct crypt_device *cd, int level, const char *file,
65             int line, const char *format, ...)
66 {
67         va_list argp;
68         char *target = NULL;
69
70         va_start(argp, format);
71
72         if (vasprintf(&target, format, argp) > 0) {
73                 if (level >= 0) {
74                         crypt_log(cd, level, target);
75 #ifdef CRYPT_DEBUG
76                 } else if (_debug_level)
77                         printf("# %s:%d %s\n", file ?: "?", line, target);
78 #else
79                 } else if (_debug_level)
80                         printf("# %s\n", target);
81 #endif
82         }
83
84         va_end(argp);
85         free(target);
86 }
87
88 /*
89  * Password processing behaviour matrix of process_key
90  *
91  * from binary file: check if there is sufficently large key material
92  * interactive & from fd: hash if requested, otherwise crop or pad with '0'
93  */
94 static char *process_key(struct crypt_device *cd, const char *hash_name,
95                          const char *key_file, size_t key_size,
96                          const char *pass, size_t passLen)
97 {
98         char *key;
99
100         if (!key_size)
101                 return NULL;
102
103         key = crypt_safe_alloc(key_size);
104         memset(key, 0, key_size);
105
106         /* key is coming from binary file */
107         if (key_file && strcmp(key_file, "-")) {
108                 if(passLen < key_size) {
109                         log_err(cd, _("Cannot not read %d bytes from key file %s.\n"),
110                                 key_size, key_file);
111                         crypt_safe_free(key);
112                         return NULL;
113                 }
114                 memcpy(key, pass, key_size);
115                 return key;
116         }
117
118         /* key is coming from tty, fd or binary stdin */
119         if (hash_name) {
120                 if (hash(NULL, hash_name, key, key_size, pass, passLen) < 0) {
121                         log_err(cd, _("Key processing error (using hash algorithm %s).\n"),
122                                 hash_name);
123                         crypt_safe_free(key);
124                         return NULL;
125                 }
126         } else if (passLen > key_size) {
127                 memcpy(key, pass, key_size);
128         } else {
129                 memcpy(key, pass, passLen);
130         }
131
132         return key;
133 }
134
135 static int isPLAIN(const char *type)
136 {
137         return (type && !strcmp(CRYPT_PLAIN, type));
138 }
139
140 static int isLUKS(const char *type)
141 {
142         return (type && !strcmp(CRYPT_LUKS1, type));
143 }
144
145 /* keyslot helpers */
146 static int keyslot_verify_or_find_empty(struct crypt_device *cd, int *keyslot)
147 {
148         if (*keyslot == CRYPT_ANY_SLOT) {
149                 *keyslot = LUKS_keyslot_find_empty(&cd->hdr);
150                 if (*keyslot < 0) {
151                         log_err(cd, _("All key slots full.\n"));
152                         return -EINVAL;
153                 }
154         }
155
156         switch (LUKS_keyslot_info(&cd->hdr, *keyslot)) {
157                 case CRYPT_SLOT_INVALID:
158                         log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
159                                 *keyslot, LUKS_NUMKEYS - 1);
160                         return -EINVAL;
161                 case CRYPT_SLOT_INACTIVE:
162                         break;
163                 default:
164                         log_err(cd, _("Key slot %d is full, please select another one.\n"),
165                                 *keyslot);
166                         return -EINVAL;
167         }
168
169         return 0;
170 }
171
172 static int verify_other_keyslot(struct crypt_device *cd,
173                                 const char *key_file,
174                                 int keyIndex)
175 {
176         struct volume_key *vk = NULL;
177         crypt_keyslot_info ki;
178         int openedIndex, r;
179         char *password = NULL;
180         unsigned int passwordLen;
181
182         r = crypt_get_key(_("Enter any remaining LUKS passphrase: "),
183                           &password, &passwordLen, 0, key_file, cd->timeout,
184                           cd->password_verify, cd);
185         if(r < 0)
186                 goto out;
187
188         ki = crypt_keyslot_status(cd, keyIndex);
189         if (ki == CRYPT_SLOT_ACTIVE) /* Not last slot */
190                 LUKS_keyslot_set(&cd->hdr, keyIndex, 0);
191
192         openedIndex = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT,
193                                              password, passwordLen,
194                                              &cd->hdr, &vk, cd);
195
196         if (ki == CRYPT_SLOT_ACTIVE)
197                 LUKS_keyslot_set(&cd->hdr, keyIndex, 1);
198
199         if (openedIndex < 0)
200                 r = -EPERM;
201         else
202                 log_verbose(cd, _("Key slot %d verified.\n"), openedIndex);
203 out:
204         crypt_free_volume_key(vk);
205         crypt_safe_free(password);
206         return r;
207 }
208
209 static int find_keyslot_by_passphrase(struct crypt_device *cd,
210                                       const char *key_file,
211                                       char *message)
212 {
213         struct volume_key *vk = NULL;
214         char *password = NULL;
215         unsigned int passwordLen;
216         int r;
217
218         r = crypt_get_key(message,&password,&passwordLen, 0, key_file,
219                           cd->timeout, cd->password_verify, cd);
220         if (r < 0)
221                 goto out;
222
223         r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
224                                    passwordLen, &cd->hdr, &vk, cd);
225 out:
226         crypt_free_volume_key(vk);
227         crypt_safe_free(password);
228         return r;
229 }
230
231 static int device_check_and_adjust(struct crypt_device *cd,
232                                    const char *device,
233                                    int open_exclusive,
234                                    uint64_t *size,
235                                    uint64_t *offset,
236                                    int *read_only)
237 {
238         int r, real_readonly;
239         uint64_t real_size;
240
241         if (!device)
242                 return -ENOTBLK;
243
244         r = get_device_infos(device, open_exclusive, &real_readonly, &real_size);
245         if (r < 0) {
246                 if (r == -EBUSY)
247                         log_err(cd, _("Cannot use device %s which is in use "
248                                       "(already mapped or mounted).\n"),
249                                       device);
250                 else
251                         log_err(cd, _("Cannot get info about device %s.\n"),
252                                 device);
253                 return r;
254         }
255
256         if (!*size) {
257                 *size = real_size;
258                 if (!*size) {
259                         log_err(cd, _("Device %s has zero size.\n"), device);
260                         return -ENOTBLK;
261                 }
262                 if (*size < *offset) {
263                         log_err(cd, _("Device %s is too small.\n"), device);
264                         return -EINVAL;
265                 }
266                 *size -= *offset;
267         }
268
269         if (real_readonly)
270                 *read_only = 1;
271
272         log_dbg("Calculated device size is %" PRIu64 " sectors (%s), offset %" PRIu64 ".",
273                 *size, *read_only ? "RO" : "RW", *offset);
274         return 0;
275 }
276
277 static int luks_remove_helper(struct crypt_device *cd,
278                               int key_slot,
279                               const char *other_key_file,
280                               const char *key_file,
281                               int verify)
282 {
283         crypt_keyslot_info ki;
284         int r = -EINVAL;
285
286         if (key_slot == CRYPT_ANY_SLOT) {
287                 key_slot = find_keyslot_by_passphrase(cd, key_file,
288                                 _("Enter LUKS passphrase to be deleted: "));
289                 if(key_slot < 0) {
290                         r = -EPERM;
291                         goto out;
292                 }
293
294                 log_std(cd, _("Key slot %d selected for deletion.\n"), key_slot);
295         }
296
297         ki = crypt_keyslot_status(cd, key_slot);
298         if (ki == CRYPT_SLOT_INVALID) {
299                 log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
300                         key_slot, LUKS_NUMKEYS - 1);
301                 r = -EINVAL;
302                 goto out;
303         }
304         if (ki <= CRYPT_SLOT_INACTIVE) {
305                 log_err(cd, _("Key %d not active. Can't wipe.\n"), key_slot);
306                 r = -EINVAL;
307                 goto out;
308         }
309
310         if (ki == CRYPT_SLOT_ACTIVE_LAST && cd->confirm &&
311             !(cd->confirm(_("This is the last keyslot."
312                             " Device will become unusable after purging this key."),
313                          cd->confirm_usrptr))) {
314                 r = -EINVAL;
315                 goto out;
316         }
317
318         if(verify)
319                 r = verify_other_keyslot(cd, other_key_file, key_slot);
320         else
321                 r = 0;
322
323         if (!r)
324                 r = crypt_keyslot_destroy(cd, key_slot);
325 out:
326         return (r < 0) ? r : 0;
327 }
328
329 static int create_device_helper(struct crypt_device *cd,
330                                 const char *name,
331                                 const char *hash,
332                                 const char *cipher,
333                                 const char *cipher_mode,
334                                 const char *key_file,
335                                 const char *key,
336                                 unsigned int keyLen,
337                                 int key_size,
338                                 uint64_t size,
339                                 uint64_t skip,
340                                 uint64_t offset,
341                                 const char *uuid,
342                                 int read_only,
343                                 unsigned int flags,
344                                 int reload)
345 {
346         crypt_status_info ci;
347         char *dm_cipher = NULL;
348         char *processed_key = NULL;
349         int r;
350
351         if (!name)
352                 return -EINVAL;
353
354         ci = crypt_status(cd, name);
355         if (ci == CRYPT_INVALID)
356                 return -EINVAL;
357
358         if (reload && ci < CRYPT_ACTIVE)
359                 return -EINVAL;
360
361         if (!reload && ci >= CRYPT_ACTIVE) {
362                 log_err(cd, _("Device %s already exists.\n"), name);
363                 return -EEXIST;
364         }
365
366         if (key_size < 0 || key_size > 1024) {
367                 log_err(cd, _("Invalid key size %d.\n"), key_size);
368                 return -EINVAL;
369         }
370
371         r = device_check_and_adjust(cd, cd->device, !reload, &size, &offset, &read_only);
372         if (r)
373                 return r;
374
375         if (cipher_mode && asprintf(&dm_cipher, "%s-%s", cipher, cipher_mode) < 0)
376                 return -ENOMEM;
377
378         processed_key = process_key(cd, hash, key_file, key_size, key, keyLen);
379         if (!processed_key) {
380                 r = -ENOENT;
381                 goto out;
382         }
383
384         r = dm_create_device(name, cd->device, dm_cipher ?: cipher, cd->type, uuid, size, skip, offset,
385                              key_size, processed_key, read_only, reload);
386 out:
387         free(dm_cipher);
388         crypt_safe_free(processed_key);
389         return r;
390 }
391
392 static int open_from_hdr_and_vk(struct crypt_device *cd,
393                                 struct volume_key *vk,
394                                 const char *name,
395                                 uint32_t flags)
396 {
397         uint64_t size, offset;
398         char *cipher;
399         int read_only, no_uuid, r;
400
401         size = 0;
402         offset = crypt_get_data_offset(cd);
403         read_only = flags & CRYPT_ACTIVATE_READONLY;
404         no_uuid = flags & CRYPT_ACTIVATE_NO_UUID;
405
406         r = device_check_and_adjust(cd, cd->device, 1, &size, &offset, &read_only);
407         if (r)
408                 return r;
409
410         if (asprintf(&cipher, "%s-%s", crypt_get_cipher(cd),
411                      crypt_get_cipher_mode(cd)) < 0)
412                 r = -ENOMEM;
413         else
414                 r = dm_create_device(name, cd->device, cipher, cd->type,
415                                      no_uuid ? NULL : crypt_get_uuid(cd),
416                                      size, 0, offset, vk->keylength, vk->key,
417                                      read_only, 0);
418         free(cipher);
419         return r;
420 }
421
422 static void log_wrapper(int level, const char *msg, void *usrptr)
423 {
424         void (*xlog)(int level, char *msg) = usrptr;
425         xlog(level, (char *)msg);
426 }
427
428 static int yesDialog_wrapper(const char *msg, void *usrptr)
429 {
430         int (*xyesDialog)(char *msg) = usrptr;
431         return xyesDialog((char*)msg);
432 }
433
434 int crypt_confirm(struct crypt_device *cd, const char *msg)
435 {
436         if (!cd || !cd->confirm)
437                 return 1;
438         else
439                 return cd->confirm(msg, cd->confirm_usrptr);
440 }
441
442 static int key_from_terminal(struct crypt_device *cd, char *msg, char **key,
443                               unsigned int *key_len, int force_verify)
444 {
445         char *prompt = NULL;
446         int r;
447
448         *key = NULL;
449         if(!msg && asprintf(&prompt, _("Enter passphrase for %s: "),
450                             cd->device) < 0)
451                 return -ENOMEM;
452
453         if (!msg)
454                 msg = prompt;
455
456         if (cd->password) {
457                 *key = crypt_safe_alloc(MAX_TTY_PASSWORD_LEN);
458                 if (!*key) {
459                         r = -ENOMEM;
460                         goto out;
461                 }
462                 r = cd->password(msg, *key, MAX_TTY_PASSWORD_LEN, cd->password_usrptr);
463                 if (r < 0) {
464                         crypt_safe_free(*key);
465                         *key = NULL;
466                 } else
467                         *key_len = r;
468         } else
469                 r = crypt_get_key(msg, key, key_len, 0, NULL, cd->timeout,
470                                   (force_verify || cd->password_verify), cd);
471 out:
472         free(prompt);
473         return (r < 0) ? r: 0;
474 }
475
476 static int volume_key_by_terminal_passphrase(struct crypt_device *cd, int keyslot,
477                                              struct volume_key **vk)
478 {
479         char *passphrase_read = NULL;
480         unsigned int passphrase_size_read;
481         int r = -EINVAL, tries = cd->tries;
482
483         *vk = NULL;
484         do {
485                 crypt_free_volume_key(*vk);
486                 *vk = NULL;
487
488                 r = key_from_terminal(cd, NULL, &passphrase_read,
489                                       &passphrase_size_read, 0);
490                 if(r < 0)
491                         goto out;
492
493                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
494                                            passphrase_size_read, &cd->hdr, vk, cd);
495                 crypt_safe_free(passphrase_read);
496                 passphrase_read = NULL;
497         } while (r == -EPERM && (--tries > 0));
498 out:
499         if (r < 0) {
500                 crypt_free_volume_key(*vk);
501                 *vk = NULL;
502         }
503
504         crypt_safe_free(passphrase_read);
505         return r;
506 }
507
508 static int key_from_file(struct crypt_device *cd, char *msg,
509                           char **key, unsigned int *key_len,
510                           const char *key_file, size_t key_size)
511 {
512         return crypt_get_key(msg, key, key_len, key_size, key_file,
513                              cd->timeout, 0, cd);
514 }
515
516 static int _crypt_init(struct crypt_device **cd,
517                        const char *type,
518                        struct crypt_options *options,
519                        int load, int need_dm)
520 {
521         int init_by_name, r;
522
523         /* if it is plain device and mapping table is being reloaded
524         initialize it by name*/
525         init_by_name = (type && !strcmp(type, CRYPT_PLAIN) && load);
526
527         /* Some of old API calls do not require DM in kernel,
528            fake initialisation by initialise it with kernel_check disabled */
529         if (!need_dm)
530                 (void)dm_init(NULL, 0);
531         if (init_by_name)
532                 r = crypt_init_by_name(cd, options->name);
533         else
534                 r = crypt_init(cd, options->device);
535         if (!need_dm)
536                 dm_exit();
537
538         if (r)
539                 return -EINVAL;
540
541         crypt_set_log_callback(*cd, log_wrapper, options->icb->log);
542         crypt_set_confirm_callback(*cd, yesDialog_wrapper, options->icb->yesDialog);
543
544         crypt_set_timeout(*cd, options->timeout);
545         crypt_set_password_retry(*cd, options->tries);
546         crypt_set_iterarion_time(*cd, options->iteration_time ?: 1000);
547         crypt_set_password_verify(*cd, options->flags & CRYPT_FLAG_VERIFY);
548
549         if (load && !init_by_name)
550                 r = crypt_load(*cd, type, NULL);
551
552         if (!r && type && !(*cd)->type) {
553                 (*cd)->type = strdup(type);
554                 if (!(*cd)->type)
555                         r = -ENOMEM;
556         }
557
558         if (r)
559                 crypt_free(*cd);
560
561         return r;
562 }
563
564 void crypt_set_log_callback(struct crypt_device *cd,
565         void (*log)(int level, const char *msg, void *usrptr),
566         void *usrptr)
567 {
568         if (!cd)
569                 _default_log = log;
570         else {
571                 cd->log = log;
572                 cd->log_usrptr = usrptr;
573         }
574 }
575
576 void crypt_set_confirm_callback(struct crypt_device *cd,
577         int (*confirm)(const char *msg, void *usrptr),
578         void *usrptr)
579 {
580         cd->confirm = confirm;
581         cd->confirm_usrptr = usrptr;
582 }
583
584 void crypt_set_password_callback(struct crypt_device *cd,
585         int (*password)(const char *msg, char *buf, size_t length, void *usrptr),
586         void *usrptr)
587 {
588         cd->password = password;
589         cd->password_usrptr = usrptr;
590 }
591
592 /* OPTIONS: name, cipher, device, hash, key_file, key_size, key_slot,
593  *          offset, size, skip, timeout, tries, passphrase_fd (ignored),
594  *          flags, icb */
595 static int crypt_create_and_update_device(struct crypt_options *options, int update)
596 {
597         struct crypt_device *cd = NULL;
598         char *key = NULL;
599         unsigned int keyLen;
600         int r;
601
602         r = _crypt_init(&cd, CRYPT_PLAIN, options, 0, 1);
603         if (r)
604                 return r;
605
606         r = crypt_get_key(_("Enter passphrase: "), &key, &keyLen, options->key_size,
607                           options->key_file, cd->timeout, cd->password_verify, cd);
608         if (!r)
609                 r = create_device_helper(cd, options->name, options->hash,
610                         options->cipher, NULL, options->key_file, key, keyLen,
611                         options->key_size, options->size, options->skip,
612                         options->offset, NULL, options->flags & CRYPT_FLAG_READONLY,
613                         options->flags, update);
614
615         crypt_safe_free(key);
616         crypt_free(cd);
617         return r;
618 }
619
620 int crypt_create_device(struct crypt_options *options)
621 {
622         return crypt_create_and_update_device(options, 0);
623 }
624
625 int crypt_update_device(struct crypt_options *options)
626 {
627         return crypt_create_and_update_device(options, 1);
628 }
629
630 /* OPTIONS: name, size, icb */
631 int crypt_resize_device(struct crypt_options *options)
632 {
633         struct crypt_device *cd = NULL;
634         char *device = NULL, *cipher = NULL, *uuid = NULL, *key = NULL;
635         char *type = NULL;
636         uint64_t size, skip, offset;
637         int key_size, read_only, r;
638
639         log_dbg("Resizing device %s to %" PRIu64 " sectors.", options->name, options->size);
640
641         if (dm_init(NULL, 1) < 0)
642                 return -ENOSYS;
643
644         r = dm_query_device(options->name, &device, &size, &skip, &offset,
645                             &cipher, &key_size, &key, &read_only, NULL, &uuid);
646         if (r < 0) {
647                 log_err(NULL, _("Device %s is not active.\n"), options->name);
648                 goto out;
649         }
650
651         /* Try to determine type of device from UUID */
652         type = CRYPT_PLAIN;
653         if (uuid) {
654                 if (!strncmp(uuid, CRYPT_PLAIN, strlen(CRYPT_PLAIN))) {
655                         type = CRYPT_PLAIN;
656                         free (uuid);
657                         uuid = NULL;
658                 } else if (!strncmp(uuid, CRYPT_LUKS1, strlen(CRYPT_LUKS1)))
659                         type = CRYPT_LUKS1;
660         }
661
662         if (!options->device)
663                 options->device = device;
664
665         r = _crypt_init(&cd, type, options, 1, 1);
666         if (r)
667                 goto out;
668
669         size = options->size;
670         r = device_check_and_adjust(cd, device, 0, &size, &offset, &read_only);
671         if (r)
672                 goto out;
673
674         r = dm_create_device(options->name, device, cipher, type,
675                              crypt_get_uuid(cd), size, skip, offset,
676                              key_size, key, read_only, 1);
677 out:
678         crypt_safe_free(key);
679         free(cipher);
680         if (options->device == device)
681                 options->device = NULL;
682         free(device);
683         free(uuid);
684         crypt_free(cd);
685         dm_exit();
686         return r;
687 }
688
689 /* OPTIONS: name, icb */
690 int crypt_query_device(struct crypt_options *options)
691 {
692         int read_only, r;
693
694         log_dbg("Query device %s.", options->name);
695
696         if (dm_init(NULL, 1) < 0)
697                 return -ENOSYS;
698
699         r = dm_status_device(options->name);
700         if (r < 0)
701                 goto out;
702
703         r = dm_query_device(options->name, (char **)&options->device, &options->size,
704                             &options->skip, &options->offset, (char **)&options->cipher,
705                             &options->key_size, NULL, &read_only, NULL, NULL);
706         if (r >= 0) {
707                 if (read_only)
708                         options->flags |= CRYPT_FLAG_READONLY;
709
710                 options->flags |= CRYPT_FLAG_FREE_DEVICE;
711                 options->flags |= CRYPT_FLAG_FREE_CIPHER;
712
713                 r = 1;
714         }
715 out:
716         if (r == -ENODEV)
717                 r = 0;
718
719         dm_exit();
720         return r;
721 }
722
723 /* OPTIONS: name, icb */
724 int crypt_remove_device(struct crypt_options *options)
725 {
726         struct crypt_device *cd = NULL;
727         int r;
728
729         r = crypt_init_by_name(&cd, options->name);
730         if (r == 0)
731                 r = crypt_deactivate(cd, options->name);
732
733         crypt_free(cd);
734         return r;
735
736 }
737
738 /* OPTIONS: device, cipher, hash, align_payload, key_size (master key), key_slot
739  *          new_key_file, iteration_time, timeout, flags, icb */
740 int crypt_luksFormat(struct crypt_options *options)
741 {
742         char cipherName[LUKS_CIPHERNAME_L];
743         char cipherMode[LUKS_CIPHERMODE_L];
744         char *password=NULL;
745         unsigned int passwordLen;
746         struct crypt_device *cd = NULL;
747         struct crypt_params_luks1 cp = {
748                 .hash = options->hash,
749                 .data_alignment = options->align_payload
750         };
751         int r;
752
753         r = crypt_parse_name_and_mode(options->cipher, cipherName, cipherMode);
754         if(r < 0) {
755                 log_err(cd, _("No known cipher specification pattern detected.\n"));
756                 return r;
757         }
758
759         if ((r = _crypt_init(&cd, CRYPT_LUKS1, options, 0, 1)))
760                 return r;
761
762         if (options->key_slot >= LUKS_NUMKEYS && options->key_slot != CRYPT_ANY_SLOT) {
763                 log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
764                         options->key_slot, LUKS_NUMKEYS - 1);
765                 r = -EINVAL;
766                 goto out;
767         }
768
769         r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen, 0,
770                           options->new_key_file, cd->timeout, cd->password_verify, cd);
771
772         if(r < 0)
773                 goto out;
774
775         r = crypt_format(cd, CRYPT_LUKS1, cipherName, cipherMode,
776                          NULL, NULL, options->key_size, &cp);
777         if (r < 0)
778                 goto out;
779
780         /* Add keyslot using internally stored volume key generated during format */
781         r = crypt_keyslot_add_by_volume_key(cd, options->key_slot, NULL, 0,
782                                             password, passwordLen);
783 out:
784         crypt_free(cd);
785         crypt_safe_free(password);
786         return (r < 0) ? r : 0;
787 }
788
789 /* OPTIONS: name, device, key_size, key_file, timeout, tries, flags, icb */
790 int crypt_luksOpen(struct crypt_options *options)
791 {
792         struct crypt_device *cd = NULL;
793         uint32_t flags = 0;
794         int r;
795
796         if (!options->name)
797                 return -EINVAL;
798
799         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
800         if (r)
801                 return r;
802
803         if (options->flags & CRYPT_FLAG_READONLY)
804                 flags |= CRYPT_ACTIVATE_READONLY;
805
806         if (options->flags & CRYPT_FLAG_NON_EXCLUSIVE_ACCESS)
807                 flags |= CRYPT_ACTIVATE_NO_UUID;
808
809         if (options->key_file)
810                 r = crypt_activate_by_keyfile(cd, options->name,
811                         CRYPT_ANY_SLOT, options->key_file, options->key_size,
812                         flags);
813         else
814                 r = crypt_activate_by_passphrase(cd, options->name,
815                         CRYPT_ANY_SLOT, options->passphrase,
816                         options->passphrase ? strlen(options->passphrase) : 0,
817                         flags);
818
819         crypt_free(cd);
820         return (r < 0) ? r : 0;
821 }
822
823 /* OPTIONS: device, keys_slot, key_file, timeout, flags, icb */
824 int crypt_luksKillSlot(struct crypt_options *options)
825 {
826         struct crypt_device *cd = NULL;
827         int r;
828
829         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
830         if (r)
831                 return r;
832
833         r = luks_remove_helper(cd, options->key_slot, options->key_file, NULL,
834                                options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);
835
836         crypt_free(cd);
837         return (r < 0) ? r : 0;
838 }
839
840 /* OPTIONS: device, new_key_file, key_file, timeout, flags, icb */
841 int crypt_luksRemoveKey(struct crypt_options *options)
842 {
843         struct crypt_device *cd = NULL;
844         int r;
845
846         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
847         if (r)
848                 return r;
849
850         r = luks_remove_helper(cd, CRYPT_ANY_SLOT, options->key_file, options->new_key_file,
851                                options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);
852
853         crypt_free(cd);
854         return (r < 0) ? r : 0;
855 }
856
857
858 /* OPTIONS: device, new_key_file, key_file, key_slot, flags,
859             iteration_time, timeout, icb */
860 int crypt_luksAddKey(struct crypt_options *options)
861 {
862         struct crypt_device *cd = NULL;
863         int r = -EINVAL;
864
865         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
866         if (r)
867                 return r;
868
869         if (options->key_file || options->new_key_file)
870                 r = crypt_keyslot_add_by_keyfile(cd, options->key_slot,
871                                                  options->key_file, 0,
872                                                  options->new_key_file, 0);
873         else
874                 r = crypt_keyslot_add_by_passphrase(cd, options->key_slot,
875                                                     NULL, 0, NULL, 0);
876
877         crypt_free(cd);
878         return (r < 0) ? r : 0;
879 }
880
881 /* OPTIONS: device, icb */
882 int crypt_luksUUID(struct crypt_options *options)
883 {
884         struct crypt_device *cd = NULL;
885         char *uuid;
886         int r;
887
888         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
889         if (r)
890                 return r;
891
892         uuid = (char *)crypt_get_uuid(cd);
893         log_std(cd, uuid ?: "");
894         log_std(cd, "\n");
895         crypt_free(cd);
896         return 0;
897 }
898
899 /* OPTIONS: device, icb */
900 int crypt_isLuks(struct crypt_options *options)
901 {
902         struct crypt_device *cd = NULL;
903         int r;
904
905         log_dbg("Check device %s for LUKS header.", options->device);
906
907         r = init_crypto(cd);
908         if (r < 0)
909                 return r;
910
911         r = crypt_init(&cd, options->device);
912         if (r < 0)
913                 return -EINVAL;
914
915         /* Do print fail here, no need to crypt_load() */
916         r = LUKS_read_phdr(cd->device, &cd->hdr, 0, cd) ? -EINVAL : 0;
917
918         crypt_free(cd);
919         return r;
920 }
921
922 /* OPTIONS: device, icb */
923 int crypt_luksDump(struct crypt_options *options)
924 {
925         struct crypt_device *cd = NULL;
926         int r;
927
928         r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
929         if(r < 0)
930                 return r;
931
932         r = crypt_dump(cd);
933
934         crypt_free(cd);
935         return 0;
936 }
937
938 void crypt_get_error(char *buf, size_t size)
939 {
940         const char *error = get_error();
941
942         if (!buf || size < 1)
943                 set_error(NULL);
944         else if (error) {
945                 strncpy(buf, error, size - 1);
946                 buf[size - 1] = '\0';
947                 set_error(NULL);
948         } else
949                 buf[0] = '\0';
950 }
951
952 void crypt_put_options(struct crypt_options *options)
953 {
954         if (options->flags & CRYPT_FLAG_FREE_DEVICE) {
955                 free((char *)options->device);
956                 options->device = NULL;
957                 options->flags &= ~CRYPT_FLAG_FREE_DEVICE;
958         }
959         if (options->flags & CRYPT_FLAG_FREE_CIPHER) {
960                 free((char *)options->cipher);
961                 options->cipher = NULL;
962                 options->flags &= ~CRYPT_FLAG_FREE_CIPHER;
963         }
964 }
965
966 const char *crypt_get_dir(void)
967 {
968         return dm_get_dir();
969 }
970
971 /////////////////////////////////
972 //
973 // New API
974 //
975
976 int crypt_init(struct crypt_device **cd, const char *device)
977 {
978         struct crypt_device *h = NULL;
979
980         if (!cd)
981                 return -EINVAL;
982
983         log_dbg("Allocating crypt device %s context.", device);
984
985         if (device && !device_ready(NULL, device, O_RDONLY))
986                 return -ENOTBLK;
987
988         if (!(h = malloc(sizeof(struct crypt_device))))
989                 return -ENOMEM;
990
991         memset(h, 0, sizeof(*h));
992
993         if (device) {
994                 h->device = strdup(device);
995                 if (!h->device) {
996                         free(h);
997                         return -ENOMEM;
998                 }
999         } else
1000                 h->device = NULL;
1001
1002         if (dm_init(h, 1) < 0) {
1003                 free(h);
1004                 return -ENOSYS;
1005         }
1006
1007         h->iteration_time = 1000;
1008         h->password_verify = 0;
1009         h->tries = 3;
1010         h->rng_type = crypt_random_default_key_rng();
1011         *cd = h;
1012         return 0;
1013 }
1014
1015 int crypt_init_by_name(struct crypt_device **cd, const char *name)
1016 {
1017         crypt_status_info ci;
1018         struct crypt_active_device cad;
1019         char *device = NULL, *cipher_full = NULL, *device_uuid = NULL;
1020         char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
1021         char *key = NULL;
1022         int key_size = 0, r;
1023
1024
1025         log_dbg("Allocating crypt device context by device %s.", name);
1026
1027         ci = crypt_status(NULL, name);
1028         if (ci == CRYPT_INVALID)
1029                 return -ENODEV;
1030
1031         if (ci < CRYPT_ACTIVE) {
1032                 log_err(NULL, _("Device %s is not active.\n"), name);
1033                 return -ENODEV;
1034         }
1035
1036         r = dm_query_device(name, &device, &cad.size, &cad.iv_offset, &cad.offset,
1037                             &cipher_full, &key_size, &key, NULL, NULL,
1038                             &device_uuid);
1039         if (r < 0)
1040                 goto out;
1041
1042         /* Underlying device disappeared but mapping still active */
1043         if (!device)
1044                 log_verbose(NULL, _("Underlying device for crypt device %s disappeared.\n"),
1045                             name);
1046
1047         *cd = NULL;
1048         r = crypt_init(cd, device);
1049         if (r < 0)
1050                 goto out;
1051
1052         /* Try to initialise basic parameters from active device */
1053         if (device_uuid) {
1054                 if (!strncmp(CRYPT_PLAIN, device_uuid, sizeof(CRYPT_PLAIN)-1)) {
1055                         (*cd)->type = strdup(CRYPT_PLAIN);
1056                         (*cd)->plain_uuid = strdup(device_uuid);
1057                         (*cd)->plain_hdr.hash = NULL; /* no way to get this */
1058                         (*cd)->plain_hdr.offset = cad.offset;
1059                         (*cd)->plain_hdr.skip = cad.iv_offset;
1060                         (*cd)->volume_key = crypt_alloc_volume_key(key_size, key);
1061                         if (!(*cd)->volume_key) {
1062                                 r = -ENOMEM;
1063                                 goto out;
1064                         }
1065
1066                         r = crypt_parse_name_and_mode(cipher_full, cipher, cipher_mode);
1067                         if (!r) {
1068                                 (*cd)->plain_cipher = strdup(cipher);
1069                                 (*cd)->plain_cipher_mode = strdup(cipher_mode);
1070                         }
1071                 } else if (!strncmp(CRYPT_LUKS1, device_uuid, sizeof(CRYPT_LUKS1)-1)) {
1072                         if (device) {
1073                                 if (crypt_load(*cd, CRYPT_LUKS1, NULL) < 0 ||
1074                                     crypt_volume_key_verify(*cd, key, key_size) < 0) {
1075                                         log_dbg("LUKS device header does not match active device.");
1076                                         goto out;
1077                                 }
1078
1079                                 (*cd)->volume_key = crypt_alloc_volume_key(key_size, key);
1080                                 if (!(*cd)->volume_key) {
1081                                         r = -ENOMEM;
1082                                         goto out;
1083                                 }
1084                         }
1085                 }
1086         } else
1087                 log_dbg("Active device has no UUID set, some parameters are not set.");
1088
1089 out:
1090         if (r < 0) {
1091                 crypt_free(*cd);
1092                 *cd = NULL;
1093         }
1094         crypt_safe_free(key);
1095         free(device);
1096         free(cipher_full);
1097         free(device_uuid);
1098         return r;
1099 }
1100
1101 static int _crypt_format_plain(struct crypt_device *cd,
1102                                const char *cipher,
1103                                const char *cipher_mode,
1104                                const char *uuid,
1105                                size_t volume_key_size,
1106                                struct crypt_params_plain *params)
1107 {
1108         if (!cipher || !cipher_mode) {
1109                 log_err(cd, _("Invalid plain crypt parameters.\n"));
1110                 return -EINVAL;
1111         }
1112
1113         if (volume_key_size > 1024) {
1114                 log_err(cd, _("Invalid key size.\n"));
1115                 return -EINVAL;
1116         }
1117
1118         cd->volume_key = crypt_alloc_volume_key(volume_key_size, NULL);
1119         if (!cd->volume_key)
1120                 return -ENOMEM;
1121
1122         cd->plain_cipher = strdup(cipher);
1123         cd->plain_cipher_mode = strdup(cipher_mode);
1124
1125         if (uuid)
1126                 cd->plain_uuid = strdup(uuid);
1127
1128         if (params && params->hash)
1129                 cd->plain_hdr.hash = strdup(params->hash);
1130
1131         cd->plain_hdr.offset = params ? params->offset : 0;
1132         cd->plain_hdr.skip = params ? params->skip : 0;
1133
1134         if (!cd->plain_cipher || !cd->plain_cipher_mode)
1135                 return -ENOMEM;
1136
1137         return 0;
1138 }
1139
1140 static int _crypt_format_luks1(struct crypt_device *cd,
1141                                const char *cipher,
1142                                const char *cipher_mode,
1143                                const char *uuid,
1144                                const char *volume_key,
1145                                size_t volume_key_size,
1146                                struct crypt_params_luks1 *params)
1147 {
1148         int r;
1149         unsigned long required_alignment = DEFAULT_DISK_ALIGNMENT;
1150         unsigned long alignment_offset = 0;
1151
1152         if (!cd->device) {
1153                 log_err(cd, _("Can't format LUKS without device.\n"));
1154                 return -EINVAL;
1155         }
1156
1157         if (volume_key)
1158                 cd->volume_key = crypt_alloc_volume_key(volume_key_size,
1159                                                       volume_key);
1160         else
1161                 cd->volume_key = crypt_generate_volume_key(cd, volume_key_size);
1162
1163         if(!cd->volume_key)
1164                 return -ENOMEM;
1165
1166         if (params && params->data_alignment)
1167                 required_alignment = params->data_alignment * SECTOR_SIZE;
1168         else
1169                 get_topology_alignment(cd->device, &required_alignment,
1170                                        &alignment_offset, DEFAULT_DISK_ALIGNMENT);
1171
1172         r = LUKS_generate_phdr(&cd->hdr, cd->volume_key, cipher, cipher_mode,
1173                                (params && params->hash) ? params->hash : "sha1",
1174                                uuid, LUKS_STRIPES,
1175                                required_alignment / SECTOR_SIZE,
1176                                alignment_offset / SECTOR_SIZE,
1177                                cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1178         if(r < 0)
1179                 return r;
1180
1181         /* Wipe first 8 sectors - fs magic numbers etc. */
1182         r = wipe_device_header(cd->device, 8);
1183         if(r < 0) {
1184                 if (r == -EBUSY)
1185                         log_err(cd, _("Cannot format device %s which is still in use.\n"),
1186                                 cd->device);
1187                 else
1188                         log_err(cd, _("Cannot wipe header on device %s.\n"),
1189                                 cd->device);
1190
1191                 return r;
1192         }
1193
1194         r = LUKS_write_phdr(cd->device, &cd->hdr, cd);
1195
1196         return r;
1197 }
1198
1199 int crypt_format(struct crypt_device *cd,
1200         const char *type,
1201         const char *cipher,
1202         const char *cipher_mode,
1203         const char *uuid,
1204         const char *volume_key,
1205         size_t volume_key_size,
1206         void *params)
1207 {
1208         int r;
1209
1210         log_dbg("Formatting device %s as type %s.", cd->device ?: "(none)", cd->type ?: "(none)");
1211
1212         if (!type)
1213                 return -EINVAL;
1214
1215         r = init_crypto(cd);
1216         if (r < 0)
1217                 return r;
1218
1219         if (isPLAIN(type))
1220                 r = _crypt_format_plain(cd, cipher, cipher_mode,
1221                                         uuid, volume_key_size, params);
1222         else if (isLUKS(type))
1223                 r = _crypt_format_luks1(cd, cipher, cipher_mode,
1224                                         uuid, volume_key, volume_key_size, params);
1225         else {
1226                 /* FIXME: allow plugins here? */
1227                 log_err(cd, _("Unknown crypt device type %s requested.\n"), type);
1228                 r = -EINVAL;
1229         }
1230
1231         if (!r && !(cd->type = strdup(type)))
1232                 r = -ENOMEM;
1233
1234         if (r < 0) {
1235                 crypt_free_volume_key(cd->volume_key);
1236                 cd->volume_key = NULL;
1237         }
1238
1239         return r;
1240 }
1241
1242 int crypt_load(struct crypt_device *cd,
1243                const char *requested_type,
1244                void *params)
1245 {
1246         struct luks_phdr hdr;
1247         int r;
1248
1249         log_dbg("Trying to load %s crypt type from device %s.",
1250                 requested_type ?: "any", cd->device ?: "(none)");
1251
1252         if (!cd->device)
1253                 return -EINVAL;
1254
1255         if (requested_type && !isLUKS(requested_type))
1256                 return -EINVAL;
1257
1258         r = init_crypto(cd);
1259         if (r < 0)
1260                 return r;
1261
1262         r = LUKS_read_phdr(cd->device, &hdr, 1, cd);
1263
1264         if (!r) {
1265                 memcpy(&cd->hdr, &hdr, sizeof(hdr));
1266                 cd->type = strdup(requested_type);
1267                 if (!cd->type)
1268                         r = -ENOMEM;
1269         }
1270
1271         return r;
1272 }
1273
1274 int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
1275 {
1276         char *device = NULL, *cipher = NULL, *uuid = NULL, *key = NULL;
1277         uint64_t size, skip, offset;
1278         int key_size, read_only, r;
1279
1280         /* Device context type must be initialised */
1281         if (!cd->type || !crypt_get_uuid(cd))
1282                 return -EINVAL;
1283
1284         r = dm_query_device(name, &device, &size, &skip, &offset,
1285                             &cipher, &key_size, &key, &read_only, NULL, &uuid);
1286         if (r < 0) {
1287                 log_err(NULL, _("Device %s is not active.\n"), name);
1288                 goto out;
1289         }
1290
1291         if (!uuid) {
1292                 r = -EINVAL;
1293                 goto out;
1294         }
1295
1296         r = device_check_and_adjust(cd, device, 0, &new_size, &offset, &read_only);
1297         if (r)
1298                 goto out;
1299
1300         if (new_size == size) {
1301                 log_dbg("Device has already requested size %" PRIu64
1302                         " sectors.", size);
1303                 r = 0;
1304                 goto out;
1305         }
1306
1307         log_dbg("Resizing device %s to %" PRIu64 " sectors.", name, new_size);
1308
1309         r = dm_create_device(name, device, cipher, cd->type,
1310                              crypt_get_uuid(cd), new_size, skip, offset,
1311                              key_size, key, read_only, 1);
1312 out:
1313         crypt_safe_free(key);
1314         free(cipher);
1315         free(device);
1316         free(uuid);
1317
1318         return r;
1319 }
1320
1321 int crypt_set_uuid(struct crypt_device *cd, const char *uuid)
1322 {
1323         if (!isLUKS(cd->type)) {
1324                 log_err(cd, _("This operation is not supported for this device type.\n"));
1325                 return  -EINVAL;
1326         }
1327
1328         if (uuid && !strncmp(uuid, cd->hdr.uuid, sizeof(cd->hdr.uuid))) {
1329                 log_dbg("UUID is the same as requested (%s) for device %s.",
1330                         uuid, cd->device);
1331                 return 0;
1332         }
1333
1334         if (uuid)
1335                 log_dbg("Requested new UUID change to %s for %s.", uuid, cd->device);
1336         else
1337                 log_dbg("Requested new UUID refresh for %s.", cd->device);
1338
1339         if (!crypt_confirm(cd, _("Do you really want to change UUID of device?")))
1340                 return -EPERM;
1341
1342         return LUKS_hdr_uuid_set(cd->device, &cd->hdr, uuid, cd);
1343 }
1344
1345 int crypt_header_backup(struct crypt_device *cd,
1346                         const char *requested_type,
1347                         const char *backup_file)
1348 {
1349         int r;
1350
1351         if ((requested_type && !isLUKS(requested_type)) || !backup_file)
1352                 return -EINVAL;
1353
1354         r = init_crypto(cd);
1355         if (r < 0)
1356                 return r;
1357
1358         log_dbg("Requested header backup of device %s (%s) to "
1359                 "file %s.", cd->device, requested_type, backup_file);
1360
1361         return LUKS_hdr_backup(backup_file, cd->device, &cd->hdr, cd);
1362 }
1363
1364 int crypt_header_restore(struct crypt_device *cd,
1365                          const char *requested_type,
1366                          const char *backup_file)
1367 {
1368         int r;
1369
1370         if (requested_type && !isLUKS(requested_type))
1371                 return -EINVAL;
1372
1373         /* Some hash functions need initialized gcrypt library */
1374         r = init_crypto(cd);
1375         if (r < 0)
1376                 return r;
1377
1378         log_dbg("Requested header restore to device %s (%s) from "
1379                 "file %s.", cd->device, requested_type, backup_file);
1380
1381         return LUKS_hdr_restore(backup_file, cd->device, &cd->hdr, cd);
1382 }
1383
1384 void crypt_free(struct crypt_device *cd)
1385 {
1386         if (cd) {
1387                 log_dbg("Releasing crypt device %s context.", cd->device);
1388
1389                 dm_exit();
1390                 crypt_free_volume_key(cd->volume_key);
1391
1392                 free(cd->device);
1393                 free(cd->type);
1394
1395                 /* used in plain device only */
1396                 free((char*)cd->plain_hdr.hash);
1397                 free(cd->plain_cipher);
1398                 free(cd->plain_cipher_mode);
1399                 free(cd->plain_uuid);
1400
1401                 free(cd);
1402         }
1403 }
1404
1405 int crypt_suspend(struct crypt_device *cd,
1406                   const char *name)
1407 {
1408         crypt_status_info ci;
1409         int r, suspended = 0;
1410
1411         log_dbg("Suspending volume %s.", name);
1412
1413         ci = crypt_status(NULL, name);
1414         if (ci < CRYPT_ACTIVE) {
1415                 log_err(cd, _("Volume %s is not active.\n"), name);
1416                 return -EINVAL;
1417         }
1418
1419         if (!cd && dm_init(NULL, 1) < 0)
1420                 return -ENOSYS;
1421
1422         r = dm_query_device(name, NULL, NULL, NULL, NULL,
1423                             NULL, NULL, NULL, NULL, &suspended, NULL);
1424         if (r < 0)
1425                 goto out;
1426
1427         if (suspended) {
1428                 log_err(cd, _("Volume %s is already suspended.\n"), name);
1429                 r = -EINVAL;
1430                 goto out;
1431         }
1432
1433         r = dm_suspend_and_wipe_key(name);
1434         if (r == -ENOTSUP)
1435                 log_err(cd, "Suspend is not supported for device %s.\n", name);
1436         else if (r)
1437                 log_err(cd, "Error during suspending device %s.\n", name);
1438 out:
1439         if (!cd)
1440                 dm_exit();
1441         return r;
1442 }
1443
1444 int crypt_resume_by_passphrase(struct crypt_device *cd,
1445                                const char *name,
1446                                int keyslot,
1447                                const char *passphrase,
1448                                size_t passphrase_size)
1449 {
1450         struct volume_key *vk = NULL;
1451         int r, suspended = 0;
1452
1453         log_dbg("Resuming volume %s.", name);
1454
1455         if (!isLUKS(cd->type)) {
1456                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1457                 r = -EINVAL;
1458                 goto out;
1459         }
1460
1461         r = dm_query_device(name, NULL, NULL, NULL, NULL,
1462                             NULL, NULL, NULL, NULL, &suspended, NULL);
1463         if (r < 0)
1464                 return r;
1465
1466         if (!suspended) {
1467                 log_err(cd, _("Volume %s is not suspended.\n"), name);
1468                 return -EINVAL;
1469         }
1470
1471         if (passphrase) {
1472                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1473                                            passphrase_size, &cd->hdr, &vk, cd);
1474         } else
1475                 r = volume_key_by_terminal_passphrase(cd, keyslot, &vk);
1476
1477         if (r >= 0) {
1478                 keyslot = r;
1479                 r = dm_resume_and_reinstate_key(name, vk->keylength, vk->key);
1480                 if (r == -ENOTSUP)
1481                         log_err(cd, "Resume is not supported for device %s.\n", name);
1482                 else if (r)
1483                         log_err(cd, "Error during resuming device %s.\n", name);
1484         } else
1485                 r = keyslot;
1486 out:
1487         crypt_free_volume_key(vk);
1488         return r < 0 ? r : keyslot;
1489 }
1490
1491 int crypt_resume_by_keyfile(struct crypt_device *cd,
1492                             const char *name,
1493                             int keyslot,
1494                             const char *keyfile,
1495                             size_t keyfile_size)
1496 {
1497         struct volume_key *vk = NULL;
1498         char *passphrase_read = NULL;
1499         unsigned int passphrase_size_read;
1500         int r, suspended = 0;
1501
1502         log_dbg("Resuming volume %s.", name);
1503
1504         if (!isLUKS(cd->type)) {
1505                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1506                 r = -EINVAL;
1507                 goto out;
1508         }
1509
1510         r = dm_query_device(name, NULL, NULL, NULL, NULL,
1511                             NULL, NULL, NULL, NULL, &suspended, NULL);
1512         if (r < 0)
1513                 return r;
1514
1515         if (!suspended) {
1516                 log_err(cd, _("Volume %s is not suspended.\n"), name);
1517                 return -EINVAL;
1518         }
1519
1520         if (!keyfile)
1521                 return -EINVAL;
1522
1523         r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1524                           &passphrase_size_read, keyfile, keyfile_size);
1525         if (r < 0)
1526                 goto out;
1527
1528         r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1529                                    passphrase_size_read, &cd->hdr, &vk, cd);
1530         if (r < 0)
1531                 goto out;
1532
1533         keyslot = r;
1534         r = dm_resume_and_reinstate_key(name, vk->keylength, vk->key);
1535         if (r)
1536                 log_err(cd, "Error during resuming device %s.\n", name);
1537 out:
1538         crypt_safe_free(passphrase_read);
1539         crypt_free_volume_key(vk);
1540         return r < 0 ? r : keyslot;
1541 }
1542
1543 // slot manipulation
1544 int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
1545         int keyslot, // -1 any
1546         const char *passphrase, // NULL -> terminal
1547         size_t passphrase_size,
1548         const char *new_passphrase, // NULL -> terminal
1549         size_t new_passphrase_size)
1550 {
1551         struct volume_key *vk = NULL;
1552         char *password = NULL, *new_password = NULL;
1553         unsigned int passwordLen, new_passwordLen;
1554         int r;
1555
1556         log_dbg("Adding new keyslot, existing passphrase %sprovided,"
1557                 "new passphrase %sprovided.",
1558                 passphrase ? "" : "not ", new_passphrase  ? "" : "not ");
1559
1560         if (!isLUKS(cd->type)) {
1561                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1562                 return -EINVAL;
1563         }
1564
1565         r = keyslot_verify_or_find_empty(cd, &keyslot);
1566         if (r)
1567                 return r;
1568
1569         if (!LUKS_keyslot_active_count(&cd->hdr)) {
1570                 /* No slots used, try to use pre-generated key in header */
1571                 if (cd->volume_key) {
1572                         vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1573                         r = vk ? 0 : -ENOMEM;
1574                 } else {
1575                         log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1576                         return -EINVAL;
1577                 }
1578         } else if (passphrase) {
1579                 /* Passphrase provided, use it to unlock existing keyslot */
1580                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, passphrase,
1581                                            passphrase_size, &cd->hdr, &vk, cd);
1582         } else {
1583                 /* Passphrase not provided, ask first and use it to unlock existing keyslot */
1584                 r = key_from_terminal(cd, _("Enter any passphrase: "),
1585                                       &password, &passwordLen, 0);
1586                 if (r < 0)
1587                         goto out;
1588
1589                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
1590                                            passwordLen, &cd->hdr, &vk, cd);
1591                 crypt_safe_free(password);
1592         }
1593
1594         if(r < 0)
1595                 goto out;
1596
1597         if (new_passphrase) {
1598                 new_password = (char *)new_passphrase;
1599                 new_passwordLen = new_passphrase_size;
1600         } else {
1601                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1602                                       &new_password, &new_passwordLen, 1);
1603                 if(r < 0)
1604                         goto out;
1605         }
1606
1607         r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1608                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1609         if(r < 0) goto out;
1610
1611         r = 0;
1612 out:
1613         if (!new_passphrase)
1614                 crypt_safe_free(new_password);
1615         crypt_free_volume_key(vk);
1616         return r ?: keyslot;
1617 }
1618
1619 int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
1620         int keyslot,
1621         const char *keyfile,
1622         size_t keyfile_size,
1623         const char *new_keyfile,
1624         size_t new_keyfile_size)
1625 {
1626         struct volume_key *vk = NULL;
1627         char *password = NULL; unsigned int passwordLen;
1628         char *new_password = NULL; unsigned int new_passwordLen;
1629         int r;
1630
1631         log_dbg("Adding new keyslot, existing keyfile %s, new keyfile %s.",
1632                 keyfile ?: "[none]", new_keyfile ?: "[none]");
1633
1634         if (!isLUKS(cd->type)) {
1635                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1636                 return -EINVAL;
1637         }
1638
1639         r = keyslot_verify_or_find_empty(cd, &keyslot);
1640         if (r)
1641                 return r;
1642
1643         if (!LUKS_keyslot_active_count(&cd->hdr)) {
1644                 /* No slots used, try to use pre-generated key in header */
1645                 if (cd->volume_key) {
1646                         vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1647                         r = vk ? 0 : -ENOMEM;
1648                 } else {
1649                         log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
1650                         return -EINVAL;
1651                 }
1652         } else {
1653                 /* Read password from file of (if NULL) from terminal */
1654                 if (keyfile)
1655                         r = key_from_file(cd, _("Enter any passphrase: "),
1656                                           &password, &passwordLen,
1657                                           keyfile, keyfile_size);
1658                 else
1659                         r = key_from_terminal(cd, _("Enter any passphrase: "),
1660                                               &password, &passwordLen, 0);
1661                 if (r < 0)
1662                         goto out;
1663
1664                 r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password, passwordLen,
1665                                            &cd->hdr, &vk, cd);
1666         }
1667
1668         if(r < 0)
1669                 goto out;
1670
1671         if (new_keyfile)
1672                 r = key_from_file(cd, _("Enter new passphrase for key slot: "),
1673                                   &new_password, &new_passwordLen, new_keyfile,
1674                                   new_keyfile_size);
1675         else
1676                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1677                                       &new_password, &new_passwordLen, 1);
1678         if (r < 0)
1679                 goto out;
1680
1681         r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
1682                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1683 out:
1684         crypt_safe_free(password);
1685         crypt_safe_free(new_password);
1686         crypt_free_volume_key(vk);
1687         return r < 0 ? r : keyslot;
1688 }
1689
1690 int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
1691         int keyslot,
1692         const char *volume_key,
1693         size_t volume_key_size,
1694         const char *passphrase,
1695         size_t passphrase_size)
1696 {
1697         struct volume_key *vk = NULL;
1698         int r = -EINVAL;
1699         char *new_password = NULL; unsigned int new_passwordLen;
1700
1701         log_dbg("Adding new keyslot %d using volume key.", keyslot);
1702
1703         if (!isLUKS(cd->type)) {
1704                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1705                 return -EINVAL;
1706         }
1707
1708         if (volume_key)
1709                 vk = crypt_alloc_volume_key(volume_key_size, volume_key);
1710         else if (cd->volume_key)
1711                 vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
1712
1713         if (!vk)
1714                 return -ENOMEM;
1715
1716         r = LUKS_verify_volume_key(&cd->hdr, vk);
1717         if (r < 0) {
1718                 log_err(cd, _("Volume key does not match the volume.\n"));
1719                 goto out;
1720         }
1721
1722         r = keyslot_verify_or_find_empty(cd, &keyslot);
1723         if (r)
1724                 goto out;
1725
1726         if (!passphrase) {
1727                 r = key_from_terminal(cd, _("Enter new passphrase for key slot: "),
1728                                       &new_password, &new_passwordLen, 1);
1729                 if (r < 0)
1730                         goto out;
1731                 passphrase = new_password;
1732                 passphrase_size = new_passwordLen;
1733         }
1734
1735         r = LUKS_set_key(cd->device, keyslot, passphrase, passphrase_size,
1736                          &cd->hdr, vk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
1737 out:
1738         crypt_safe_free(new_password);
1739         crypt_free_volume_key(vk);
1740         return (r < 0) ? r : keyslot;
1741 }
1742
1743 int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot)
1744 {
1745         crypt_keyslot_info ki;
1746
1747         log_dbg("Destroying keyslot %d.", keyslot);
1748
1749         if (!isLUKS(cd->type)) {
1750                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1751                 return -EINVAL;
1752         }
1753
1754         ki = crypt_keyslot_status(cd, keyslot);
1755         if (ki == CRYPT_SLOT_INVALID) {
1756                 log_err(cd, _("Key slot %d is invalid.\n"), keyslot);
1757                 return -EINVAL;
1758         }
1759
1760         if (ki == CRYPT_SLOT_INACTIVE) {
1761                 log_err(cd, _("Key slot %d is not used.\n"), keyslot);
1762                 return -EINVAL;
1763         }
1764
1765         return LUKS_del_key(cd->device, keyslot, &cd->hdr, cd);
1766 }
1767
1768 // activation/deactivation of device mapping
1769 int crypt_activate_by_passphrase(struct crypt_device *cd,
1770         const char *name,
1771         int keyslot,
1772         const char *passphrase,
1773         size_t passphrase_size,
1774         uint32_t flags)
1775 {
1776         crypt_status_info ci;
1777         struct volume_key *vk = NULL;
1778         char *read_passphrase = NULL;
1779         int r;
1780
1781         log_dbg("%s volume %s [keyslot %d] using %spassphrase.",
1782                 name ? "Activating" : "Checking", name ?: "",
1783                 keyslot, passphrase ? "" : "[none] ");
1784
1785         if (name) {
1786                 ci = crypt_status(NULL, name);
1787                 if (ci == CRYPT_INVALID)
1788                         return -EINVAL;
1789                 else if (ci >= CRYPT_ACTIVE) {
1790                         log_err(cd, _("Device %s already exists.\n"), name);
1791                         return -EEXIST;
1792                 }
1793         }
1794
1795         /* plain, use hashed passphrase */
1796         if (isPLAIN(cd->type)) {
1797                 if (!passphrase) {
1798                         r = key_from_terminal(cd, NULL, &read_passphrase,
1799                                               &passphrase_size, 0);
1800                         if (r < 0)
1801                                 goto out;
1802                         passphrase = read_passphrase;
1803                 }
1804                 r = create_device_helper(cd, name, cd->plain_hdr.hash,
1805                                          cd->plain_cipher, cd->plain_cipher_mode,
1806                                          NULL, passphrase, passphrase_size,
1807                                          cd->volume_key->keylength, 0,
1808                                          cd->plain_hdr.skip, cd->plain_hdr.offset,
1809                                          cd->plain_uuid,
1810                                          flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1811                 keyslot = 0;
1812         } else if (isLUKS(cd->type)) {
1813                 /* provided passphrase, do not retry */
1814                 if (passphrase) {
1815                         r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
1816                                                    passphrase_size, &cd->hdr, &vk, cd);
1817                 } else
1818                         r = volume_key_by_terminal_passphrase(cd, keyslot, &vk);
1819
1820                 if (r >= 0) {
1821                         keyslot = r;
1822                         if (name)
1823                                 r = open_from_hdr_and_vk(cd, vk, name, flags);
1824                 }
1825         } else
1826                 r = -EINVAL;
1827 out:
1828         crypt_safe_free(read_passphrase);
1829         crypt_free_volume_key(vk);
1830
1831         return r < 0  ? r : keyslot;
1832 }
1833
1834 int crypt_activate_by_keyfile(struct crypt_device *cd,
1835         const char *name,
1836         int keyslot,
1837         const char *keyfile,
1838         size_t keyfile_size,
1839         uint32_t flags)
1840 {
1841         crypt_status_info ci;
1842         struct volume_key *vk = NULL;
1843         char *passphrase_read = NULL;
1844         unsigned int passphrase_size_read;
1845         int r;
1846
1847         log_dbg("Activating volume %s [keyslot %d] using keyfile %s.",
1848                 name ?: "", keyslot, keyfile ?: "[none]");
1849
1850         if (!isLUKS(cd->type)) {
1851                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
1852                 return -EINVAL;
1853         }
1854
1855         if (name) {
1856                 ci = crypt_status(NULL, name);
1857                 if (ci == CRYPT_INVALID)
1858                         return -EINVAL;
1859                 else if (ci >= CRYPT_ACTIVE) {
1860                         log_err(cd, _("Device %s already exists.\n"), name);
1861                         return -EEXIST;
1862                 }
1863         }
1864
1865         if (!keyfile)
1866                 return -EINVAL;
1867
1868         r = key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
1869                           &passphrase_size_read, keyfile, keyfile_size);
1870         if (r < 0)
1871                 goto out;
1872
1873         r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
1874                                    passphrase_size_read, &cd->hdr, &vk, cd);
1875         if (r < 0)
1876                 goto out;
1877
1878         keyslot = r;
1879         if (name)
1880                 r = open_from_hdr_and_vk(cd, vk, name, flags);
1881 out:
1882         crypt_safe_free(passphrase_read);
1883         crypt_free_volume_key(vk);
1884
1885         return r < 0 ? r : keyslot;
1886 }
1887
1888 int crypt_activate_by_volume_key(struct crypt_device *cd,
1889         const char *name,
1890         const char *volume_key,
1891         size_t volume_key_size,
1892         uint32_t flags)
1893 {
1894         crypt_status_info ci;
1895         struct volume_key *vk;
1896         int r;
1897
1898         log_dbg("Activating volume %s by volume key.", name);
1899
1900         /* use key directly, no hash */
1901         if (isPLAIN(cd->type)) {
1902                 if (!volume_key || !volume_key_size || !cd->volume_key ||
1903                         volume_key_size != cd->volume_key->keylength) {
1904                         log_err(cd, _("Incorrect volume key specified for plain device.\n"));
1905                         return -EINVAL;
1906                 }
1907
1908                 return create_device_helper(cd, name, NULL,
1909                         cd->plain_cipher, cd->plain_cipher_mode, NULL, volume_key, volume_key_size,
1910                         cd->volume_key->keylength, 0, cd->plain_hdr.skip,
1911                         cd->plain_hdr.offset, cd->plain_uuid, flags & CRYPT_ACTIVATE_READONLY, 0, 0);
1912         }
1913
1914         if (!isLUKS(cd->type)) {
1915                 log_err(cd, _("Device type is not properly initialised.\n"));
1916                 return -EINVAL;
1917         }
1918
1919         if (name) {
1920                 ci = crypt_status(NULL, name);
1921                 if (ci == CRYPT_INVALID)
1922                         return -EINVAL;
1923                 else if (ci >= CRYPT_ACTIVE) {
1924                         log_err(cd, _("Device %s already exists.\n"), name);
1925                         return -EEXIST;
1926                 }
1927         }
1928
1929         /* If key is not provided, try to use internal key */
1930         if (!volume_key) {
1931                 if (!cd->volume_key) {
1932                         log_err(cd, _("Volume key does not match the volume.\n"));
1933                         return -EINVAL;
1934                 }
1935                 volume_key_size = cd->volume_key->keylength;
1936                 volume_key = cd->volume_key->key;
1937         }
1938
1939         vk = crypt_alloc_volume_key(volume_key_size, volume_key);
1940         if (!vk)
1941                 return -ENOMEM;
1942         r = LUKS_verify_volume_key(&cd->hdr, vk);
1943
1944         if (r == -EPERM)
1945                 log_err(cd, _("Volume key does not match the volume.\n"));
1946
1947         if (!r && name)
1948                 r = open_from_hdr_and_vk(cd, vk, name, flags);
1949
1950         crypt_free_volume_key(vk);
1951
1952         return r;
1953 }
1954
1955 int crypt_deactivate(struct crypt_device *cd, const char *name)
1956 {
1957         int r;
1958
1959         if (!name)
1960                 return -EINVAL;
1961
1962         log_dbg("Deactivating volume %s.", name);
1963
1964         if (!cd && dm_init(NULL, 1) < 0)
1965                 return -ENOSYS;
1966
1967         switch (crypt_status(cd, name)) {
1968                 case CRYPT_ACTIVE:
1969                         r = dm_remove_device(name, 0, 0);
1970                         break;
1971                 case CRYPT_BUSY:
1972                         log_err(cd, _("Device %s is busy.\n"), name);
1973                         r = -EBUSY;
1974                         break;
1975                 case CRYPT_INACTIVE:
1976                         log_err(cd, _("Device %s is not active.\n"), name);
1977                         r = -ENODEV;
1978                         break;
1979                 default:
1980                         log_err(cd, _("Invalid device %s.\n"), name);
1981                         r = -EINVAL;
1982         }
1983
1984         if (!cd)
1985                 dm_exit();
1986
1987         return r;
1988 }
1989
1990 int crypt_volume_key_get(struct crypt_device *cd,
1991         int keyslot,
1992         char *volume_key,
1993         size_t *volume_key_size,
1994         const char *passphrase,
1995         size_t passphrase_size)
1996 {
1997         struct volume_key *vk;
1998         char *processed_key = NULL;
1999         int r, key_len;
2000
2001         key_len = crypt_get_volume_key_size(cd);
2002         if (key_len > *volume_key_size) {
2003                 log_err(cd, _("Volume key buffer too small.\n"));
2004                 return -ENOMEM;
2005         }
2006
2007         if (isPLAIN(cd->type) && cd->plain_hdr.hash) {
2008                 processed_key = process_key(cd, cd->plain_hdr.hash, NULL, key_len,
2009                                             passphrase, passphrase_size);
2010                 if (!processed_key) {
2011                         log_err(cd, _("Cannot retrieve volume key for plain device.\n"));
2012                         return -EINVAL;
2013                 }
2014                 memcpy(volume_key, processed_key, key_len);
2015                 *volume_key_size = key_len;
2016                 crypt_safe_free(processed_key);
2017                 return 0;
2018         }
2019
2020         if (isLUKS(cd->type)) {
2021                 r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
2022                                         passphrase_size, &cd->hdr, &vk, cd);
2023
2024                 if (r >= 0) {
2025                         memcpy(volume_key, vk->key, vk->keylength);
2026                         *volume_key_size = vk->keylength;
2027                 }
2028
2029                 crypt_free_volume_key(vk);
2030                 return r;
2031         }
2032
2033         log_err(cd, _("This operation is not supported for %s crypt device.\n"), cd->type ?: "(none)");
2034         return -EINVAL;
2035 }
2036
2037 int crypt_volume_key_verify(struct crypt_device *cd,
2038         const char *volume_key,
2039         size_t volume_key_size)
2040 {
2041         struct volume_key *vk;
2042         int r;
2043
2044         if (!isLUKS(cd->type)) {
2045                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
2046                 return -EINVAL;
2047         }
2048
2049         vk = crypt_alloc_volume_key(volume_key_size, volume_key);
2050         if (!vk)
2051                 return -ENOMEM;
2052
2053         r = LUKS_verify_volume_key(&cd->hdr, vk);
2054
2055         if (r == -EPERM)
2056                 log_err(cd, _("Volume key does not match the volume.\n"));
2057
2058         crypt_free_volume_key(vk);
2059
2060         return r;
2061 }
2062
2063 void crypt_set_timeout(struct crypt_device *cd, uint64_t timeout_sec)
2064 {
2065         log_dbg("Timeout set to %" PRIu64 " miliseconds.", timeout_sec);
2066         cd->timeout = timeout_sec;
2067 }
2068
2069 void crypt_set_password_retry(struct crypt_device *cd, int tries)
2070 {
2071         log_dbg("Password retry count set to %d.", tries);
2072         cd->tries = tries;
2073 }
2074
2075 void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms)
2076 {
2077         log_dbg("Iteration time set to %" PRIu64 " miliseconds.", iteration_time_ms);
2078         cd->iteration_time = iteration_time_ms;
2079 }
2080
2081 void crypt_set_password_verify(struct crypt_device *cd, int password_verify)
2082 {
2083         log_dbg("Password verification %s.", password_verify ? "enabled" : "disabled");
2084         cd->password_verify = password_verify ? 1 : 0;
2085 }
2086
2087 void crypt_set_rng_type(struct crypt_device *cd, int rng_type)
2088 {
2089         switch (rng_type) {
2090         case CRYPT_RNG_URANDOM:
2091         case CRYPT_RNG_RANDOM:
2092                 log_dbg("RNG set to %d (%s).", rng_type, rng_type ? "random" : "urandom");
2093                 cd->rng_type = rng_type;
2094         }
2095 }
2096
2097 int crypt_get_rng_type(struct crypt_device *cd)
2098 {
2099         if (!cd)
2100                 return -EINVAL;
2101
2102         return cd->rng_type;
2103 }
2104
2105 int crypt_memory_lock(struct crypt_device *cd, int lock)
2106 {
2107         return lock ? crypt_memlock_inc(cd) : crypt_memlock_dec(cd);
2108 }
2109
2110 // reporting
2111 crypt_status_info crypt_status(struct crypt_device *cd, const char *name)
2112 {
2113         int r;
2114
2115         if (!cd && dm_init(NULL, 1) < 0)
2116                 return CRYPT_INVALID;
2117
2118         r = dm_status_device(name);
2119
2120         if (!cd)
2121                 dm_exit();
2122
2123         if (r < 0 && r != -ENODEV)
2124                 return CRYPT_INVALID;
2125
2126         if (r == 0)
2127                 return CRYPT_ACTIVE;
2128
2129         if (r > 0)
2130                 return CRYPT_BUSY;
2131
2132         return CRYPT_INACTIVE;
2133 }
2134
2135 static void hexprintICB(struct crypt_device *cd, char *d, int n)
2136 {
2137         int i;
2138         for(i = 0; i < n; i++)
2139                 log_std(cd, "%02hhx ", (char)d[i]);
2140 }
2141
2142 int crypt_dump(struct crypt_device *cd)
2143 {
2144         int i;
2145         if (!isLUKS(cd->type)) { //FIXME
2146                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
2147                 return -EINVAL;
2148         }
2149
2150         log_std(cd, "LUKS header information for %s\n\n", cd->device);
2151         log_std(cd, "Version:       \t%d\n", cd->hdr.version);
2152         log_std(cd, "Cipher name:   \t%s\n", cd->hdr.cipherName);
2153         log_std(cd, "Cipher mode:   \t%s\n", cd->hdr.cipherMode);
2154         log_std(cd, "Hash spec:     \t%s\n", cd->hdr.hashSpec);
2155         log_std(cd, "Payload offset:\t%d\n", cd->hdr.payloadOffset);
2156         log_std(cd, "MK bits:       \t%d\n", cd->hdr.keyBytes * 8);
2157         log_std(cd, "MK digest:     \t");
2158         hexprintICB(cd, cd->hdr.mkDigest, LUKS_DIGESTSIZE);
2159         log_std(cd, "\n");
2160         log_std(cd, "MK salt:       \t");
2161         hexprintICB(cd, cd->hdr.mkDigestSalt, LUKS_SALTSIZE/2);
2162         log_std(cd, "\n               \t");
2163         hexprintICB(cd, cd->hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
2164         log_std(cd, "\n");
2165         log_std(cd, "MK iterations: \t%d\n", cd->hdr.mkDigestIterations);
2166         log_std(cd, "UUID:          \t%s\n\n", cd->hdr.uuid);
2167         for(i = 0; i < LUKS_NUMKEYS; i++) {
2168                 if(cd->hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
2169                         log_std(cd, "Key Slot %d: ENABLED\n",i);
2170                         log_std(cd, "\tIterations:         \t%d\n",
2171                                 cd->hdr.keyblock[i].passwordIterations);
2172                         log_std(cd, "\tSalt:               \t");
2173                         hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt,
2174                                     LUKS_SALTSIZE/2);
2175                         log_std(cd, "\n\t                      \t");
2176                         hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt +
2177                                     LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
2178                         log_std(cd, "\n");
2179
2180                         log_std(cd, "\tKey material offset:\t%d\n",
2181                                 cd->hdr.keyblock[i].keyMaterialOffset);
2182                         log_std(cd, "\tAF stripes:            \t%d\n",
2183                                 cd->hdr.keyblock[i].stripes);
2184                 }
2185                 else 
2186                         log_std(cd, "Key Slot %d: DISABLED\n", i);
2187         }
2188
2189         return 0;
2190 }
2191
2192 const char *crypt_get_cipher(struct crypt_device *cd)
2193 {
2194         if (isPLAIN(cd->type))
2195                 return cd->plain_cipher;
2196
2197         if (isLUKS(cd->type))
2198                 return cd->hdr.cipherName;
2199
2200         return NULL;
2201 }
2202
2203 const char *crypt_get_cipher_mode(struct crypt_device *cd)
2204 {
2205         if (isPLAIN(cd->type))
2206                 return cd->plain_cipher_mode;
2207
2208         if (isLUKS(cd->type))
2209                 return cd->hdr.cipherMode;
2210
2211         return NULL;
2212 }
2213
2214 const char *crypt_get_uuid(struct crypt_device *cd)
2215 {
2216         if (isLUKS(cd->type))
2217                 return cd->hdr.uuid;
2218
2219         if (isPLAIN(cd->type))
2220                 return cd->plain_uuid;
2221
2222         return NULL;
2223 }
2224
2225 const char *crypt_get_device_name(struct crypt_device *cd)
2226 {
2227         return cd->device;
2228 }
2229
2230 int crypt_get_volume_key_size(struct crypt_device *cd)
2231 {
2232         if (isPLAIN(cd->type) && cd->volume_key)
2233                 return cd->volume_key->keylength;
2234
2235         if (isLUKS(cd->type))
2236                 return cd->hdr.keyBytes;
2237
2238         return 0;
2239 }
2240
2241 uint64_t crypt_get_data_offset(struct crypt_device *cd)
2242 {
2243         if (isPLAIN(cd->type))
2244                 return cd->plain_hdr.offset;
2245
2246         if (isLUKS(cd->type))
2247                 return cd->hdr.payloadOffset;
2248
2249         return 0;
2250 }
2251
2252 crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot)
2253 {
2254         if (!isLUKS(cd->type)) {
2255                 log_err(cd, _("This operation is supported only for LUKS device.\n"));
2256                 return CRYPT_SLOT_INVALID;
2257         }
2258
2259         return LUKS_keyslot_info(&cd->hdr, keyslot);
2260 }
2261
2262 int crypt_keyslot_max(const char *type)
2263 {
2264         if (type && isLUKS(type))
2265                 return LUKS_NUMKEYS;
2266
2267         return -EINVAL;
2268 }
2269
2270 const char *crypt_get_type(struct crypt_device *cd)
2271 {
2272         return cd->type;
2273 }
2274
2275 int crypt_get_active_device(struct crypt_device *cd,
2276                             const char *name,
2277                             struct crypt_active_device *cad)
2278 {
2279         int r, readonly;
2280
2281         r = dm_query_device(name, NULL, &cad->size, &cad->iv_offset, &cad->offset,
2282                             NULL, NULL, NULL, &readonly, NULL, NULL);
2283         if (r < 0)
2284                 return r;
2285
2286         cad->flags = readonly ? CRYPT_ACTIVATE_READONLY : 0;
2287
2288         return 0;
2289 }
Domain: System / System Framework;