8 #include "libcryptsetup.h"
13 /* callbacks definitions */
14 void (*log)(int class, const char *msg, void *usrptr);
19 static void (*_default_log)(int class, char *msg) = NULL;
20 static int _debug_level = 0;
22 void crypt_set_debug_level(int level)
27 void set_default_log(void (*log)(int class, char *msg))
32 void logger(struct crypt_device *cd, int class, const char *file,
33 int line, const char *format, ...)
38 va_start(argp, format);
40 if (vasprintf(&target, format, argp) > 0) {
43 cd->log(class, target, cd->log_usrptr);
44 else if (_default_log)
45 _default_log(class, target);
47 } else if (_debug_level)
48 printf("# %s:%d %s\n", file ?: "?", line, target);
50 } else if (_debug_level)
51 printf("# %s\n", target);
59 static void hexprintICB(struct crypt_device *cd, char *d, int n)
62 for(i = 0; i < n; i++)
63 log_std(cd, "%02hhx ", (char)d[i]);
67 * Password processing behaviour matrix of process_key
69 * from binary file: check if there is sufficently large key material
70 * interactive & from fd: hash if requested, otherwise crop or pad with '0'
72 static char *process_key(struct crypt_device *cd, const char *hash_name,
73 const char *key_file, size_t key_size,
74 const char *pass, size_t passLen)
76 char *key = safe_alloc(key_size);
77 memset(key, 0, key_size);
79 /* key is coming from binary file */
80 if (key_file && strcmp(key_file, "-")) {
81 if(passLen < key_size) {
82 log_err(cd, _("Cannot not read %d bytes from key file %s.\n"),
87 memcpy(key, pass, key_size);
91 /* key is coming from tty, fd or binary stdin */
93 if (hash(NULL, hash_name, key, key_size, pass, passLen) < 0) {
94 log_err(cd, _("Key processing error.\n"));
98 } else if (passLen > key_size) {
99 memcpy(key, pass, key_size);
101 memcpy(key, pass, passLen);
107 int parse_into_name_and_mode(const char *nameAndMode, char *name, char *mode)
109 /* Token content stringification, see info cpp/stringification */
111 #define xstr(s) str(s)
112 #define scanpattern1 "%" xstr(LUKS_CIPHERNAME_L) "[^-]-%" xstr(LUKS_CIPHERMODE_L) "s"
113 #define scanpattern2 "%" xstr(LUKS_CIPHERNAME_L) "[^-]"
117 if(sscanf(nameAndMode,scanpattern1, name, mode) != 2) {
118 if((r = sscanf(nameAndMode,scanpattern2,name)) == 1)
119 strncpy(mode,"cbc-plain",10);
132 /* keyslot helpers */
133 static int keyslot_is_valid(struct crypt_device *cd, int keySlotIndex)
135 if(keySlotIndex >= LUKS_NUMKEYS || keySlotIndex < 0) {
136 log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
137 keySlotIndex, LUKS_NUMKEYS - 1);
144 /* Select free keyslot or verifies that the one specified is empty */
145 static int keyslot_from_option(struct crypt_device *cd, int keySlotOption, struct luks_phdr *hdr) {
146 if(keySlotOption >= 0) {
147 if(!keyslot_is_valid(cd, keySlotOption))
149 else if(hdr->keyblock[keySlotOption].active != LUKS_KEY_DISABLED) {
150 log_err(cd, _("Key slot %d is full, please select another one.\n"),
154 return keySlotOption;
158 /* Find empty key slot */
159 for(i=0; i<LUKS_NUMKEYS; i++) {
160 if(hdr->keyblock[i].active == LUKS_KEY_DISABLED) break;
162 if(i==LUKS_NUMKEYS) {
163 log_err(cd, _("All key slots full.\n"));
170 static int device_check_and_adjust(struct crypt_device *cd,
172 uint64_t *size, uint64_t *offset,
175 struct device_infos infos;
177 if (get_device_infos(device, &infos, cd) < 0) {
178 log_err(cd, _("Cannot get info about device %s.\n"), device);
185 log_err(cd, _("Device %s has zero size.\n"), device);
188 if (*size <= *offset) {
189 log_err(cd, _("Device %s is too small.\n"), device);
201 static int create_device_helper(int reload, struct crypt_options *options)
203 struct crypt_device *cd = NULL;
206 char *processed_key = NULL;
210 r = dm_status_device(options->name);
216 log_err(cd, _("Device %s already exists.\n"), options->name);
223 if (options->key_size < 0 || options->key_size > 1024) {
224 log_err(cd, _("Invalid key size %d.\n"), options->key_size);
228 read_only = (options->flags & CRYPT_FLAG_READONLY);
229 r = device_check_and_adjust(cd, options->device, &options->size, &options->offset, &read_only);
233 get_key("Enter passphrase: ", &key, &keyLen, options->key_size,
234 options->key_file, options->timeout, options->flags, NULL);
236 log_err(cd, "Key reading error");
240 processed_key = process_key(cd, options->hash, options->key_file, options->key_size, key, keyLen);
246 r = dm_create_device(options->name, options->device, options->cipher,
247 NULL, options->size, options->skip, options->offset,
248 options->key_size, processed_key,
251 safe_free(processed_key);
256 static int luks_remove_helper(struct crypt_device *cd,
257 struct crypt_options *options, int supply_it)
259 struct luks_masterkey *mk;
260 struct luks_phdr hdr;
262 unsigned int passwordLen;
263 const char *device = options->device;
268 r = LUKS_read_phdr(options->device, &hdr, 1, cd);
273 get_key("Enter LUKS passphrase to be deleted: ",&password,&passwordLen, 0, options->new_key_file,
274 options->timeout, options->flags, cd);
276 r = -EINVAL; goto out;
279 keyIndex = LUKS_open_key_with_hdr(device, CRYPT_ANY_SLOT, password, passwordLen, &hdr, &mk, cd);
281 log_err(cd, "No remaining key available with this passphrase.\n");
282 r = -EPERM; goto out;
284 log_std(cd ,"key slot %d selected for deletion.\n", keyIndex);
289 keyIndex = options->key_slot;
290 if (!keyslot_is_valid(cd, keyIndex)) {
291 r = -EINVAL; goto out;
295 if (LUKS_keyslot_info(&hdr, keyIndex) == SLOT_INACTIVE) {
296 log_err(cd, _("Key %d not active. Can't wipe.\n"), keyIndex);
301 last_slot = (LUKS_keyslot_info(&hdr, keyIndex) == SLOT_ACTIVE_LAST);
302 if(last_slot && !(options->icb->yesDialog(_("This is the last keyslot. Device will become unusable after purging this key.")))) {
303 r = -EINVAL; goto out;
306 if(options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY) {
307 options->flags &= ~CRYPT_FLAG_VERIFY_ON_DELKEY;
308 get_key("Enter any remaining LUKS passphrase: ",&password,&passwordLen, 0, options->key_file,
309 options->timeout, options->flags, cd);
311 r = -EINVAL; goto out;
314 r = LUKS_read_phdr(device, &hdr, 1, cd);
316 options->icb->log(CRYPT_LOG_ERROR,"Failed to access device.\n");
321 hdr.keyblock[keyIndex].active = LUKS_KEY_DISABLED;
323 openedIndex = LUKS_open_key_with_hdr(device, CRYPT_ANY_SLOT, password, passwordLen, &hdr, &mk, cd);
325 if (openedIndex >= 0) {
326 LUKS_dealloc_masterkey(mk);
329 if(openedIndex < 0) {
330 log_err(cd, "No remaining key available with this passphrase.\n");
331 r = -EPERM; goto out;
333 log_std(cd, "key slot %d verified.\n", openedIndex);
335 r = LUKS_del_key(device, keyIndex, cd);
344 /* OPTIONS: name, cipher, device, hash, key_file, key_size, key_slot,
345 * offset, size, skip, timeout, tries, passphrase_fd (ignored),
347 int crypt_create_device(struct crypt_options *options)
349 return create_device_helper(0, options);
352 /* OPTIONS: same as create above */
353 int crypt_update_device(struct crypt_options *options)
355 return create_device_helper(1, options);
358 /* OPTIONS: name, size, icb */
359 int crypt_resize_device(struct crypt_options *options)
361 struct crypt_device *cd = NULL;
362 char *device, *cipher, *key = NULL;
363 uint64_t size, skip, offset;
364 int key_size, read_only, r;
366 r = dm_query_device(options->name, &device, &size, &skip, &offset,
367 &cipher, &key_size, &key, &read_only);
371 size = options->size;
372 r = device_check_and_adjust(cd, device, &size, &offset, &read_only);
376 r = dm_create_device(options->name, device, cipher, NULL, size, skip, offset,
377 key_size, key, read_only, 1);
386 /* OPTIONS: name, icb */
387 int crypt_query_device(struct crypt_options *options)
391 r = dm_status_device(options->name);
395 r = dm_query_device(options->name, (char **)&options->device, &options->size,
396 &options->skip, &options->offset, (char **)&options->cipher,
397 &options->key_size, NULL, &read_only);
403 options->flags |= CRYPT_FLAG_READONLY;
405 options->flags |= CRYPT_FLAG_FREE_DEVICE;
406 options->flags |= CRYPT_FLAG_FREE_CIPHER;
411 /* OPTIONS: name, icb */
412 int crypt_remove_device(struct crypt_options *options)
416 r = dm_status_device(options->name);
420 log_err(NULL, "Device busy");
424 return dm_remove_device(options->name, 0, 0);
427 /* OPTIONS: device, cipher, hash, align_payload, key_size (master key), key_slot
428 * new_key_file, iteration_time, timeout, flags, icb */
429 int crypt_luksFormat(struct crypt_options *options)
431 struct crypt_device *cd = NULL;
432 struct luks_phdr header;
433 struct luks_masterkey *mk=NULL;
435 char cipherName[LUKS_CIPHERNAME_L];
436 char cipherMode[LUKS_CIPHERMODE_L];
437 unsigned int passwordLen;
438 uint64_t PBKDF2perSecond = 0;
441 if (!device_ready(cd, options->device, O_RDWR | O_EXCL))
444 mk = LUKS_generate_masterkey(options->key_size);
445 if(NULL == mk) return -ENOMEM; // FIXME This may be misleading, since we don't know what went wrong
448 #define printoffset(entry) \
449 logger(options, CRYPT_LOG_ERROR, \
450 "offset of " #entry " = %d\n", (char *)(&header.entry)-(char *)(&header))
452 log_err("sizeof phdr %d, sizeof key slot %d\n",
453 sizeof(struct luks_phdr),
454 sizeof(header.keyblock[0]));
457 printoffset(version);
458 printoffset(cipherName);
459 printoffset(cipherMode);
460 printoffset(hashSpec);
461 printoffset(payloadOffset);
462 printoffset(keyBytes);
463 printoffset(mkDigest);
464 printoffset(mkDigestSalt);
465 printoffset(mkDigestIterations);
469 r = parse_into_name_and_mode(options->cipher, cipherName, cipherMode);
471 log_err(cd, _("No known cipher specification pattern detected.\n"));
475 r = LUKS_generate_phdr(&header, mk, cipherName, cipherMode, options->hash, NULL, LUKS_STRIPES, options->align_payload, NULL);
478 keyIndex = keyslot_from_option(NULL, options->key_slot, &header);
479 if(keyIndex == -EINVAL) {
480 r = -EINVAL; goto out;
483 get_key("Enter LUKS passphrase: ",&password,&passwordLen, 0, options->new_key_file,
484 options->timeout, options->flags, NULL);
486 r = -EINVAL; goto out;
489 /* Wipe first 8 sectors - fs magic numbers etc. */
490 r = wipe_device_header(options->device, 8);
493 /* Set key, also writes phdr */
494 r = LUKS_set_key(options->device, keyIndex, password, passwordLen, &header, mk,
495 options->iteration_time, &PBKDF2perSecond, NULL);
500 LUKS_dealloc_masterkey(mk);
505 /* OPTIONS: name, device, key_size, key_file, timeout, tries, flags, icb */
506 int crypt_luksOpen(struct crypt_options *options)
508 struct crypt_device *cd = NULL;
509 struct luks_masterkey *mk=NULL;
510 struct luks_phdr hdr;
513 unsigned int passwordLen;
514 char *dmCipherSpec = NULL;
516 int r, tries = options->tries;
517 int excl = (options->flags & CRYPT_FLAG_NON_EXCLUSIVE_ACCESS) ? 0 : O_EXCL ;
519 r = dm_status_device(options->name);
521 log_err(cd, "Device %s already exists.", options->name);
525 if (!device_ready(cd, options->device, O_RDONLY | excl))
528 if(asprintf(&prompt, "Enter LUKS passphrase for %s: ", options->device) < 0)
534 if(options->passphrase) {
535 passwordLen = strlen(options->passphrase);
536 password = safe_alloc(passwordLen + 1);
537 strncpy(password, options->passphrase, passwordLen + 1);
540 get_key(prompt, &password, &passwordLen, options->key_size, options->key_file,
541 options->timeout, options->flags, cd);
549 r = -EINVAL; goto out;
552 r = LUKS_read_phdr(options->device, &hdr, 1, cd);
556 r = LUKS_open_key_with_hdr(options->device, CRYPT_ANY_SLOT, password, passwordLen, &hdr, &mk, cd);
558 log_err(cd, "No key available with this passphrase.\n");
562 log_err(NULL, "key slot %d unlocked.\n", r);
565 options->offset = hdr.payloadOffset;
566 if (asprintf(&dmCipherSpec, "%s-%s", hdr.cipherName, hdr.cipherMode) < 0) {
570 options->cipher = dmCipherSpec;
571 options->key_size = mk->keyLength;
575 read_only = (options->flags & CRYPT_FLAG_READONLY);
576 r = device_check_and_adjust(cd, options->device, &options->size, &options->offset, &read_only);
580 /* FIXME: code allows multiple crypt mapping, cannot use uuid then.
581 * anyway, it is dangerous and can corrupt data. Remove it in next version! */
582 r = dm_create_device(options->name, options->device, options->cipher,
583 excl ? hdr.uuid : NULL, options->size,
584 0, options->offset, mk->keyLength, mk->key,
585 options->flags & CRYPT_FLAG_READONLY, 0);
593 LUKS_dealloc_masterkey(mk);
594 if (r == -EPERM && tries > 0)
602 /* OPTIONS: device, keys_slot, key_file, timeout, flags, icb */
603 int crypt_luksKillSlot(struct crypt_options *options)
605 return luks_remove_helper(NULL, options, 0);
608 /* OPTIONS: device, new_key_file, key_file, timeout, flags, icb */
609 int crypt_luksRemoveKey(struct crypt_options *options)
611 return luks_remove_helper(NULL, options, 1);
614 /* OPTIONS: device, new_key_file, key_file, key_slot, flags,
615 iteration_time, timeout, icb */
616 int crypt_luksAddKey(struct crypt_options *options)
618 struct crypt_device *cd = NULL;
619 struct luks_masterkey *mk=NULL;
620 struct luks_phdr hdr;
621 char *password=NULL; unsigned int passwordLen;
622 unsigned int keyIndex;
623 uint64_t PBKDF2perSecond = 0;
624 const char *device = options->device;
627 if (!device_ready(cd, options->device, O_RDWR))
630 r = LUKS_read_phdr(device, &hdr, 1, cd);
634 keyIndex = keyslot_from_option(cd, options->key_slot, &hdr);
635 if(keyIndex == -EINVAL) {
636 r = -EINVAL; goto out;
639 get_key("Enter any LUKS passphrase: ",
645 options->flags & ~(CRYPT_FLAG_VERIFY | CRYPT_FLAG_VERIFY_IF_POSSIBLE), cd);
648 r = -EINVAL; goto out;
650 r = LUKS_open_key_with_hdr(device, CRYPT_ANY_SLOT, password, passwordLen, &hdr, &mk, cd);
652 options->icb->log(CRYPT_LOG_ERROR,"No key available with this passphrase.\n");
653 r = -EPERM; goto out;
657 get_key("Enter new passphrase for key slot: ",
661 options->new_key_file,
665 r = -EINVAL; goto out;
668 r = LUKS_set_key(device, keyIndex, password, passwordLen, &hdr, mk, options->iteration_time, &PBKDF2perSecond, cd);
674 LUKS_dealloc_masterkey(mk);
678 /* OPTIONS: device, icb */
679 int crypt_luksUUID(struct crypt_options *options)
681 struct crypt_device *cd = NULL;
682 struct luks_phdr hdr;
685 r = LUKS_read_phdr(options->device, &hdr, 1, cd);
688 options->icb->log(CRYPT_LOG_NORMAL,hdr.uuid);
689 options->icb->log(CRYPT_LOG_NORMAL,"\n");
693 /* OPTIONS: device, icb */
694 int crypt_isLuks(struct crypt_options *options)
696 struct crypt_device *cd = NULL;
697 struct luks_phdr hdr;
698 return LUKS_read_phdr(options->device, &hdr, 0, cd);
701 /* OPTIONS: device, icb */
702 int crypt_luksDump(struct crypt_options *options)
704 struct crypt_device *cd = NULL;
705 struct luks_phdr hdr;
708 r = LUKS_read_phdr(options->device, &hdr, 1, cd);
711 log_std(cd, "LUKS header information for %s\n\n", options->device);
712 log_std(cd, "Version: \t%d\n", hdr.version);
713 log_std(cd, "Cipher name: \t%s\n", hdr.cipherName);
714 log_std(cd, "Cipher mode: \t%s\n", hdr.cipherMode);
715 log_std(cd, "Hash spec: \t%s\n", hdr.hashSpec);
716 log_std(cd, "Payload offset:\t%d\n", hdr.payloadOffset);
717 log_std(cd, "MK bits: \t%d\n", hdr.keyBytes * 8);
718 log_std(cd, "MK digest: \t");
719 hexprintICB(cd, hdr.mkDigest, LUKS_DIGESTSIZE);
721 log_std(cd, "MK salt: \t");
722 hexprintICB(cd, hdr.mkDigestSalt, LUKS_SALTSIZE/2);
723 log_std(cd, "\n \t");
724 hexprintICB(cd, hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
726 log_std(cd, "MK iterations: \t%d\n", hdr.mkDigestIterations);
727 log_std(cd, "UUID: \t%s\n\n", hdr.uuid);
728 for(i = 0; i < LUKS_NUMKEYS; i++) {
729 if(hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
730 log_std(cd, "Key Slot %d: ENABLED\n",i);
731 log_std(cd, "\tIterations: \t%d\n",
732 hdr.keyblock[i].passwordIterations);
733 log_std(cd, "\tSalt: \t");
734 hexprintICB(cd, hdr.keyblock[i].passwordSalt,
736 log_std(cd, "\n\t \t");
737 hexprintICB(cd, hdr.keyblock[i].passwordSalt +
738 LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
741 log_std(cd, "\tKey material offset:\t%d\n",
742 hdr.keyblock[i].keyMaterialOffset);
743 log_std(cd, "\tAF stripes: \t%d\n",
744 hdr.keyblock[i].stripes);
747 log_std(cd, "Key Slot %d: DISABLED\n", i);
752 void crypt_get_error(char *buf, size_t size)
754 const char *error = get_error();
756 if (!buf || size < 1)
759 strncpy(buf, error, size - 1);
760 buf[size - 1] = '\0';
766 void crypt_put_options(struct crypt_options *options)
768 if (options->flags & CRYPT_FLAG_FREE_DEVICE) {
769 free((char *)options->device);
770 options->device = NULL;
771 options->flags &= ~CRYPT_FLAG_FREE_DEVICE;
773 if (options->flags & CRYPT_FLAG_FREE_CIPHER) {
774 free((char *)options->cipher);
775 options->cipher = NULL;
776 options->flags &= ~CRYPT_FLAG_FREE_CIPHER;
780 const char *crypt_get_dir(void)