2 * TCRYPT (TrueCrypt-compatible) and VeraCrypt volume handling
4 * Copyright (C) 2012, Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2012-2015, Milan Broz
7 * This file is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This file is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this file; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 #include "libcryptsetup.h"
33 /* TCRYPT PBKDF variants */
35 unsigned int legacy:1;
36 unsigned int veracrypt:1;
39 unsigned int iterations;
41 { 0, 0, "pbkdf2", "ripemd160", 2000 },
42 { 0, 0, "pbkdf2", "ripemd160", 1000 },
43 { 0, 0, "pbkdf2", "sha512", 1000 },
44 { 0, 0, "pbkdf2", "whirlpool", 1000 },
45 { 1, 0, "pbkdf2", "sha1", 2000 },
46 { 0, 1, "pbkdf2", "sha512", 500000 },
47 { 0, 1, "pbkdf2", "ripemd160", 655331 },
48 { 0, 1, "pbkdf2", "ripemd160", 327661 }, // boot only
49 { 0, 1, "pbkdf2", "whirlpool", 500000 },
50 { 0, 1, "pbkdf2", "sha256", 500000 }, // VeraCrypt 1.0f
51 { 0, 1, "pbkdf2", "sha256", 200000 }, // boot only
52 { 0, 0, NULL, NULL, 0 }
57 unsigned int key_size;
59 unsigned int key_offset;
60 unsigned int iv_offset; /* or tweak key offset */
61 unsigned int key_extra_size;
65 unsigned int legacy:1;
66 unsigned int chain_count;
67 unsigned int chain_key_size;
68 const char *long_name;
70 struct tcrypt_alg cipher[3];
73 /* TCRYPT cipher variants */
74 static struct tcrypt_algs tcrypt_cipher[] = {
76 {0,1,64,"aes","xts-plain64",
77 {{"aes", 64,16,0,32,0}}},
78 {0,1,64,"serpent","xts-plain64",
79 {{"serpent",64,16,0,32,0}}},
80 {0,1,64,"twofish","xts-plain64",
81 {{"twofish",64,16,0,32,0}}},
82 {0,2,128,"twofish-aes","xts-plain64",
83 {{"twofish",64,16, 0,64,0},
84 {"aes", 64,16,32,96,0}}},
85 {0,3,192,"serpent-twofish-aes","xts-plain64",
86 {{"serpent",64,16, 0, 96,0},
87 {"twofish",64,16,32,128,0},
88 {"aes", 64,16,64,160,0}}},
89 {0,2,128,"aes-serpent","xts-plain64",
90 {{"aes", 64,16, 0,64,0},
91 {"serpent",64,16,32,96,0}}},
92 {0,3,192,"aes-twofish-serpent","xts-plain64",
93 {{"aes", 64,16, 0, 96,0},
94 {"twofish",64,16,32,128,0},
95 {"serpent",64,16,64,160,0}}},
96 {0,2,128,"serpent-twofish","xts-plain64",
97 {{"serpent",64,16, 0,64,0},
98 {"twofish",64,16,32,96,0}}},
101 {0,1,48,"aes","lrw-benbi",
102 {{"aes", 48,16,32,0,0}}},
103 {0,1,48,"serpent","lrw-benbi",
104 {{"serpent",48,16,32,0,0}}},
105 {0,1,48,"twofish","lrw-benbi",
106 {{"twofish",48,16,32,0,0}}},
107 {0,2,96,"twofish-aes","lrw-benbi",
108 {{"twofish",48,16,32,0,0},
109 {"aes", 48,16,64,0,0}}},
110 {0,3,144,"serpent-twofish-aes","lrw-benbi",
111 {{"serpent",48,16,32,0,0},
112 {"twofish",48,16,64,0,0},
113 {"aes", 48,16,96,0,0}}},
114 {0,2,96,"aes-serpent","lrw-benbi",
115 {{"aes", 48,16,32,0,0},
116 {"serpent",48,16,64,0,0}}},
117 {0,3,144,"aes-twofish-serpent","lrw-benbi",
118 {{"aes", 48,16,32,0,0},
119 {"twofish",48,16,64,0,0},
120 {"serpent",48,16,96,0,0}}},
121 {0,2,96,"serpent-twofish", "lrw-benbi",
122 {{"serpent",48,16,32,0,0},
123 {"twofish",48,16,64,0,0}}},
125 /* Kernel LRW block size is fixed to 16 bytes for GF(2^128)
126 * thus cannot be used with blowfish where block is 8 bytes.
127 * There also no GF(2^64) support.
128 {1,1,64,"blowfish_le","lrw-benbi",
129 {{"blowfish_le",64,8,32,0,0}}},
130 {1,2,112,"blowfish_le-aes","lrw-benbi",
131 {{"blowfish_le",64, 8,32,0,0},
132 {"aes", 48,16,88,0,0}}},
133 {1,3,160,"serpent-blowfish_le-aes","lrw-benbi",
134 {{"serpent", 48,16, 32,0,0},
135 {"blowfish_le",64, 8, 64,0,0},
136 {"aes", 48,16,120,0,0}}},*/
139 * CBC + "outer" CBC (both with whitening)
140 * chain_key_size: alg_keys_bytes + IV_seed_bytes + whitening_bytes
142 {1,1,32+16+16,"aes","cbc-tcw",
143 {{"aes", 32,16,32,0,32}}},
144 {1,1,32+16+16,"serpent","cbc-tcw",
145 {{"serpent",32,16,32,0,32}}},
146 {1,1,32+16+16,"twofish","cbc-tcw",
147 {{"twofish",32,16,32,0,32}}},
148 {1,2,64+16+16,"twofish-aes","cbci-tcrypt",
149 {{"twofish",32,16,32,0,0},
150 {"aes", 32,16,64,0,32}}},
151 {1,3,96+16+16,"serpent-twofish-aes","cbci-tcrypt",
152 {{"serpent",32,16,32,0,0},
153 {"twofish",32,16,64,0,0},
154 {"aes", 32,16,96,0,32}}},
155 {1,2,64+16+16,"aes-serpent","cbci-tcrypt",
156 {{"aes", 32,16,32,0,0},
157 {"serpent",32,16,64,0,32}}},
158 {1,3,96+16+16,"aes-twofish-serpent", "cbci-tcrypt",
159 {{"aes", 32,16,32,0,0},
160 {"twofish",32,16,64,0,0},
161 {"serpent",32,16,96,0,32}}},
162 {1,2,64+16+16,"serpent-twofish", "cbci-tcrypt",
163 {{"serpent",32,16,32,0,0},
164 {"twofish",32,16,64,0,32}}},
165 {1,1,16+8+16,"cast5","cbc-tcw",
166 {{"cast5", 16,8,32,0,24}}},
167 {1,1,24+8+16,"des3_ede","cbc-tcw",
168 {{"des3_ede",24,8,32,0,24}}},
169 {1,1,56+8+16,"blowfish_le","cbc-tcrypt",
170 {{"blowfish_le",56,8,32,0,24}}},
171 {1,2,88+16+16,"blowfish_le-aes","cbc-tcrypt",
172 {{"blowfish_le",56, 8,32,0,0},
173 {"aes", 32,16,88,0,32}}},
174 {1,3,120+16+16,"serpent-blowfish_le-aes","cbc-tcrypt",
175 {{"serpent", 32,16, 32,0,0},
176 {"blowfish_le",56, 8, 64,0,0},
177 {"aes", 32,16,120,0,32}}},
181 static int TCRYPT_hdr_from_disk(struct tcrypt_phdr *hdr,
182 struct crypt_params_tcrypt *params,
183 int kdf_index, int cipher_index)
188 /* Check CRC32 of header */
189 size = TCRYPT_HDR_LEN - sizeof(hdr->d.keys) - sizeof(hdr->d.header_crc32);
190 crc32 = crypt_crc32(~0, (unsigned char*)&hdr->d, size) ^ ~0;
191 if (be16_to_cpu(hdr->d.version) > 3 &&
192 crc32 != be32_to_cpu(hdr->d.header_crc32)) {
193 log_dbg("TCRYPT header CRC32 mismatch.");
197 /* Check CRC32 of keys */
198 crc32 = crypt_crc32(~0, (unsigned char*)hdr->d.keys, sizeof(hdr->d.keys)) ^ ~0;
199 if (crc32 != be32_to_cpu(hdr->d.keys_crc32)) {
200 log_dbg("TCRYPT keys CRC32 mismatch.");
204 /* Convert header to cpu format */
205 hdr->d.version = be16_to_cpu(hdr->d.version);
206 hdr->d.version_tc = be16_to_cpu(hdr->d.version_tc);
208 hdr->d.keys_crc32 = be32_to_cpu(hdr->d.keys_crc32);
210 hdr->d.hidden_volume_size = be64_to_cpu(hdr->d.hidden_volume_size);
211 hdr->d.volume_size = be64_to_cpu(hdr->d.volume_size);
213 hdr->d.mk_offset = be64_to_cpu(hdr->d.mk_offset);
214 if (!hdr->d.mk_offset)
215 hdr->d.mk_offset = 512;
217 hdr->d.mk_size = be64_to_cpu(hdr->d.mk_size);
219 hdr->d.flags = be32_to_cpu(hdr->d.flags);
221 hdr->d.sector_size = be32_to_cpu(hdr->d.sector_size);
222 if (!hdr->d.sector_size)
223 hdr->d.sector_size = 512;
225 hdr->d.header_crc32 = be32_to_cpu(hdr->d.header_crc32);
228 params->passphrase = NULL;
229 params->passphrase_size = 0;
230 params->hash_name = tcrypt_kdf[kdf_index].hash;
231 params->key_size = tcrypt_cipher[cipher_index].chain_key_size;
232 params->cipher = tcrypt_cipher[cipher_index].long_name;
233 params->mode = tcrypt_cipher[cipher_index].mode;
239 * Kernel implements just big-endian version of blowfish, hack it here
241 static void TCRYPT_swab_le(char *buf)
243 uint32_t *l = (uint32_t*)&buf[0];
244 uint32_t *r = (uint32_t*)&buf[4];
249 static int decrypt_blowfish_le_cbc(struct tcrypt_alg *alg,
250 const char *key, char *buf)
252 int bs = alg->iv_size;
253 char iv[bs], iv_old[bs];
254 struct crypt_cipher *cipher = NULL;
257 assert(bs == 2*sizeof(uint32_t));
259 r = crypt_cipher_init(&cipher, "blowfish", "ecb",
260 &key[alg->key_offset], alg->key_size);
264 memcpy(iv, &key[alg->iv_offset], alg->iv_size);
265 for (i = 0; i < TCRYPT_HDR_LEN; i += bs) {
266 memcpy(iv_old, &buf[i], bs);
267 TCRYPT_swab_le(&buf[i]);
268 r = crypt_cipher_decrypt(cipher, &buf[i], &buf[i],
270 TCRYPT_swab_le(&buf[i]);
273 for (j = 0; j < bs; j++)
275 memcpy(iv, iv_old, bs);
278 crypt_cipher_destroy(cipher);
279 crypt_memzero(iv, bs);
280 crypt_memzero(iv_old, bs);
284 static void TCRYPT_remove_whitening(char *buf, const char *key)
288 for (j = 0; j < TCRYPT_HDR_LEN; j++)
289 buf[j] ^= key[j % 8];
292 static void TCRYPT_copy_key(struct tcrypt_alg *alg, const char *mode,
293 char *out_key, const char *key)
296 if (!strncmp(mode, "xts", 3)) {
297 ks2 = alg->key_size / 2;
298 memcpy(out_key, &key[alg->key_offset], ks2);
299 memcpy(&out_key[ks2], &key[alg->iv_offset], ks2);
300 } else if (!strncmp(mode, "lrw", 3)) {
301 ks2 = alg->key_size - TCRYPT_LRW_IKEY_LEN;
302 memcpy(out_key, &key[alg->key_offset], ks2);
303 memcpy(&out_key[ks2], key, TCRYPT_LRW_IKEY_LEN);
304 } else if (!strncmp(mode, "cbc", 3)) {
305 memcpy(out_key, &key[alg->key_offset], alg->key_size);
307 memcpy(&out_key[alg->key_size], &key[alg->iv_offset],
308 alg->key_extra_size);
312 static int TCRYPT_decrypt_hdr_one(struct tcrypt_alg *alg, const char *mode,
313 const char *key,struct tcrypt_phdr *hdr)
315 char backend_key[TCRYPT_HDR_KEY_LEN];
316 char iv[TCRYPT_HDR_IV_LEN] = {};
317 char mode_name[MAX_CIPHER_LEN];
318 struct crypt_cipher *cipher;
319 char *c, *buf = (char*)&hdr->e;
322 /* Remove IV if present */
323 strncpy(mode_name, mode, MAX_CIPHER_LEN);
324 c = strchr(mode_name, '-');
328 if (!strncmp(mode, "lrw", 3))
329 iv[alg->iv_size - 1] = 1;
330 else if (!strncmp(mode, "cbc", 3)) {
331 TCRYPT_remove_whitening(buf, &key[8]);
332 if (!strcmp(alg->name, "blowfish_le"))
333 return decrypt_blowfish_le_cbc(alg, key, buf);
334 memcpy(iv, &key[alg->iv_offset], alg->iv_size);
337 TCRYPT_copy_key(alg, mode, backend_key, key);
338 r = crypt_cipher_init(&cipher, alg->name, mode_name,
339 backend_key, alg->key_size);
341 r = crypt_cipher_decrypt(cipher, buf, buf, TCRYPT_HDR_LEN,
343 crypt_cipher_destroy(cipher);
346 crypt_memzero(backend_key, sizeof(backend_key));
347 crypt_memzero(iv, TCRYPT_HDR_IV_LEN);
352 * For chanined ciphers and CBC mode we need "outer" decryption.
353 * Backend doesn't provide this, so implement it here directly using ECB.
355 static int TCRYPT_decrypt_cbci(struct tcrypt_algs *ciphers,
356 const char *key, struct tcrypt_phdr *hdr)
358 struct crypt_cipher *cipher[ciphers->chain_count];
359 unsigned int bs = ciphers->cipher[0].iv_size;
360 char *buf = (char*)&hdr->e, iv[bs], iv_old[bs];
364 TCRYPT_remove_whitening(buf, &key[8]);
366 memcpy(iv, &key[ciphers->cipher[0].iv_offset], bs);
368 /* Initialize all ciphers in chain in ECB mode */
369 for (j = 0; j < ciphers->chain_count; j++)
371 for (j = 0; j < ciphers->chain_count; j++) {
372 r = crypt_cipher_init(&cipher[j], ciphers->cipher[j].name, "ecb",
373 &key[ciphers->cipher[j].key_offset],
374 ciphers->cipher[j].key_size);
379 /* Implements CBC with chained ciphers in loop inside */
380 for (i = 0; i < TCRYPT_HDR_LEN; i += bs) {
381 memcpy(iv_old, &buf[i], bs);
382 for (j = ciphers->chain_count; j > 0; j--) {
383 r = crypt_cipher_decrypt(cipher[j - 1], &buf[i], &buf[i],
388 for (j = 0; j < bs; j++)
390 memcpy(iv, iv_old, bs);
393 for (j = 0; j < ciphers->chain_count; j++)
395 crypt_cipher_destroy(cipher[j]);
397 crypt_memzero(iv, bs);
398 crypt_memzero(iv_old, bs);
402 static int TCRYPT_decrypt_hdr(struct crypt_device *cd, struct tcrypt_phdr *hdr,
403 const char *key, uint32_t flags)
405 struct tcrypt_phdr hdr2;
406 int i, j, r = -EINVAL;
408 for (i = 0; tcrypt_cipher[i].chain_count; i++) {
409 if (!(flags & CRYPT_TCRYPT_LEGACY_MODES) && tcrypt_cipher[i].legacy)
411 log_dbg("TCRYPT: trying cipher %s-%s",
412 tcrypt_cipher[i].long_name, tcrypt_cipher[i].mode);
414 memcpy(&hdr2.e, &hdr->e, TCRYPT_HDR_LEN);
416 if (!strncmp(tcrypt_cipher[i].mode, "cbci", 4))
417 r = TCRYPT_decrypt_cbci(&tcrypt_cipher[i], key, &hdr2);
418 else for (j = tcrypt_cipher[i].chain_count - 1; j >= 0 ; j--) {
419 if (!tcrypt_cipher[i].cipher[j].name)
421 r = TCRYPT_decrypt_hdr_one(&tcrypt_cipher[i].cipher[j],
422 tcrypt_cipher[i].mode, key, &hdr2);
428 log_dbg("TCRYPT: returned error %d, skipped.", r);
435 if (!strncmp(hdr2.d.magic, TCRYPT_HDR_MAGIC, TCRYPT_HDR_MAGIC_LEN)) {
436 log_dbg("TCRYPT: Signature magic detected.");
437 memcpy(&hdr->e, &hdr2.e, TCRYPT_HDR_LEN);
441 if ((flags & CRYPT_TCRYPT_VERA_MODES) &&
442 !strncmp(hdr2.d.magic, VCRYPT_HDR_MAGIC, TCRYPT_HDR_MAGIC_LEN)) {
443 log_dbg("TCRYPT: Signature magic detected (Veracrypt).");
444 memcpy(&hdr->e, &hdr2.e, TCRYPT_HDR_LEN);
451 crypt_memzero(&hdr2, sizeof(hdr2));
455 static int TCRYPT_pool_keyfile(struct crypt_device *cd,
456 unsigned char pool[TCRYPT_KEY_POOL_LEN],
459 unsigned char data[TCRYPT_KEYFILE_LEN];
460 int i, j, fd, data_size;
463 log_dbg("TCRYPT: using keyfile %s.", keyfile);
465 fd = open(keyfile, O_RDONLY);
467 log_err(cd, _("Failed to open key file.\n"));
471 /* FIXME: add while */
472 data_size = read(fd, data, TCRYPT_KEYFILE_LEN);
475 log_err(cd, _("Error reading keyfile %s.\n"), keyfile);
479 for (i = 0, j = 0, crc = ~0U; i < data_size; i++) {
480 crc = crypt_crc32(crc, &data[i], 1);
481 pool[j++] += (unsigned char)(crc >> 24);
482 pool[j++] += (unsigned char)(crc >> 16);
483 pool[j++] += (unsigned char)(crc >> 8);
484 pool[j++] += (unsigned char)(crc);
485 j %= TCRYPT_KEY_POOL_LEN;
488 crypt_memzero(&crc, sizeof(crc));
489 crypt_memzero(data, TCRYPT_KEYFILE_LEN);
494 static int TCRYPT_init_hdr(struct crypt_device *cd,
495 struct tcrypt_phdr *hdr,
496 struct crypt_params_tcrypt *params)
498 unsigned char pwd[TCRYPT_KEY_POOL_LEN] = {};
499 size_t passphrase_size;
501 unsigned int i, skipped = 0;
504 if (posix_memalign((void*)&key, crypt_getpagesize(), TCRYPT_HDR_KEY_LEN))
507 if (params->keyfiles_count)
508 passphrase_size = TCRYPT_KEY_POOL_LEN;
510 passphrase_size = params->passphrase_size;
512 if (params->passphrase_size > TCRYPT_KEY_POOL_LEN) {
513 log_err(cd, _("Maximum TCRYPT passphrase length (%d) exceeded.\n"),
514 TCRYPT_KEY_POOL_LEN);
518 /* Calculate pool content from keyfiles */
519 for (i = 0; i < params->keyfiles_count; i++) {
520 r = TCRYPT_pool_keyfile(cd, pwd, params->keyfiles[i]);
525 /* If provided password, combine it with pool */
526 for (i = 0; i < params->passphrase_size; i++)
527 pwd[i] += params->passphrase[i];
529 for (i = 0; tcrypt_kdf[i].name; i++) {
530 if (!(params->flags & CRYPT_TCRYPT_LEGACY_MODES) && tcrypt_kdf[i].legacy)
532 if (!(params->flags & CRYPT_TCRYPT_VERA_MODES) && tcrypt_kdf[i].veracrypt)
534 /* Derive header key */
535 log_dbg("TCRYPT: trying KDF: %s-%s-%d.",
536 tcrypt_kdf[i].name, tcrypt_kdf[i].hash, tcrypt_kdf[i].iterations);
537 r = crypt_pbkdf(tcrypt_kdf[i].name, tcrypt_kdf[i].hash,
538 (char*)pwd, passphrase_size,
539 hdr->salt, TCRYPT_HDR_SALT_LEN,
540 key, TCRYPT_HDR_KEY_LEN,
541 tcrypt_kdf[i].iterations);
542 if (r < 0 && crypt_hash_size(tcrypt_kdf[i].hash) < 0) {
543 log_verbose(cd, _("PBKDF2 hash algorithm %s not available, skipping.\n"),
551 r = TCRYPT_decrypt_hdr(cd, hdr, key, params->flags);
560 if ((r < 0 && r != -EPERM && skipped && skipped == i) || r == -ENOTSUP) {
561 log_err(cd, _("Required kernel crypto interface not available.\n"));
563 log_err(cd, _("Ensure you have algif_skcipher kernel module loaded.\n"));
569 r = TCRYPT_hdr_from_disk(hdr, params, i, r);
571 log_dbg("TCRYPT: Magic: %s, Header version: %d, req. %d, sector %d"
572 ", mk_offset %" PRIu64 ", hidden_size %" PRIu64
573 ", volume size %" PRIu64, tcrypt_kdf[i].veracrypt ?
574 VCRYPT_HDR_MAGIC : TCRYPT_HDR_MAGIC,
575 (int)hdr->d.version, (int)hdr->d.version_tc, (int)hdr->d.sector_size,
576 hdr->d.mk_offset, hdr->d.hidden_volume_size, hdr->d.volume_size);
577 log_dbg("TCRYPT: Header cipher %s-%s, key size %zu",
578 params->cipher, params->mode, params->key_size);
581 crypt_memzero(pwd, TCRYPT_KEY_POOL_LEN);
583 crypt_memzero(key, TCRYPT_HDR_KEY_LEN);
588 int TCRYPT_read_phdr(struct crypt_device *cd,
589 struct tcrypt_phdr *hdr,
590 struct crypt_params_tcrypt *params)
592 struct device *base_device, *device = crypt_metadata_device(cd);
593 ssize_t hdr_size = sizeof(struct tcrypt_phdr);
594 char *base_device_path;
595 int devfd = 0, r, bs;
597 assert(sizeof(struct tcrypt_phdr) == 512);
599 log_dbg("Reading TCRYPT header of size %zu bytes from device %s.",
600 hdr_size, device_path(device));
602 bs = device_block_size(device);
606 if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER &&
607 crypt_dev_is_partition(device_path(device))) {
608 base_device_path = crypt_get_base_device(device_path(device));
610 log_dbg("Reading TCRYPT system header from device %s.", base_device_path ?: "?");
611 if (!base_device_path)
614 r = device_alloc(&base_device, base_device_path);
617 devfd = device_open(base_device, O_RDONLY);
618 free(base_device_path);
619 device_free(base_device);
621 devfd = device_open(device, O_RDONLY);
624 log_err(cd, _("Cannot open device %s.\n"), device_path(device));
629 if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
630 if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
631 read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) {
632 r = TCRYPT_init_hdr(cd, hdr, params);
634 } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
635 if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
636 if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
637 read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
638 r = TCRYPT_init_hdr(cd, hdr, params);
640 if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET, SEEK_SET) >= 0 &&
641 read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
642 r = TCRYPT_init_hdr(cd, hdr, params);
644 lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_OLD, SEEK_END) >= 0 &&
645 read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
646 r = TCRYPT_init_hdr(cd, hdr, params);
648 } else if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
649 if (lseek(devfd, TCRYPT_HDR_OFFSET_BCK, SEEK_END) >= 0 &&
650 read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
651 r = TCRYPT_init_hdr(cd, hdr, params);
652 } else if (read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
653 r = TCRYPT_init_hdr(cd, hdr, params);
657 memset(hdr, 0, sizeof (*hdr));
661 static struct tcrypt_algs *TCRYPT_get_algs(const char *cipher, const char *mode)
665 if (!cipher || !mode)
668 for (i = 0; tcrypt_cipher[i].chain_count; i++)
669 if (!strcmp(tcrypt_cipher[i].long_name, cipher) &&
670 !strcmp(tcrypt_cipher[i].mode, mode))
671 return &tcrypt_cipher[i];
676 int TCRYPT_activate(struct crypt_device *cd,
678 struct tcrypt_phdr *hdr,
679 struct crypt_params_tcrypt *params,
682 char cipher[MAX_CIPHER_LEN], dm_name[PATH_MAX], dm_dev_name[PATH_MAX];
684 struct device *device = NULL, *part_device = NULL;
688 struct tcrypt_algs *algs;
689 enum devcheck device_check;
690 struct crypt_dm_active_device dmd = {
693 .data_device = crypt_data_device(cd),
696 .offset = crypt_get_data_offset(cd),
697 .iv_offset = crypt_get_iv_offset(cd),
701 if (!hdr->d.version) {
702 log_dbg("TCRYPT: this function is not supported without encrypted header load.");
706 if (hdr->d.sector_size && hdr->d.sector_size != SECTOR_SIZE) {
707 log_err(cd, _("Activation is not supported for %d sector size.\n"),
712 if (strstr(params->mode, "-tcrypt")) {
713 log_err(cd, _("Kernel doesn't support activation for this TCRYPT legacy mode.\n"));
717 if (strstr(params->mode, "-tcw"))
718 req_flags = DM_TCW_SUPPORTED;
720 req_flags = DM_PLAIN64_SUPPORTED;
722 algs = TCRYPT_get_algs(params->cipher, params->mode);
726 if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
728 else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER)
729 dmd.size = hdr->d.hidden_volume_size / hdr->d.sector_size;
731 dmd.size = hdr->d.volume_size / hdr->d.sector_size;
733 if (dmd.flags & CRYPT_ACTIVATE_SHARED)
734 device_check = DEV_SHARED;
736 device_check = DEV_EXCL;
738 if ((params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) &&
739 !crypt_dev_is_partition(device_path(dmd.data_device))) {
740 part_path = crypt_get_partition_device(device_path(dmd.data_device),
741 dmd.u.crypt.offset, dmd.size);
743 if (!device_alloc(&part_device, part_path)) {
744 log_verbose(cd, _("Activating TCRYPT system encryption for partition %s.\n"),
746 dmd.data_device = part_device;
747 dmd.u.crypt.offset = 0;
752 * System encryption use the whole device mapping, there can
753 * be active partitions.
755 device_check = DEV_SHARED;
758 r = device_block_adjust(cd, dmd.data_device, device_check,
759 dmd.u.crypt.offset, &dmd.size, &dmd.flags);
763 /* Frome here, key size for every cipher must be the same */
764 dmd.u.crypt.vk = crypt_alloc_volume_key(algs->cipher[0].key_size +
765 algs->cipher[0].key_extra_size, NULL);
769 for (i = algs->chain_count; i > 0; i--) {
771 strncpy(dm_name, name, sizeof(dm_name));
774 snprintf(dm_name, sizeof(dm_name), "%s_%d", name, i-1);
775 dmd.flags = flags | CRYPT_ACTIVATE_PRIVATE;
778 snprintf(cipher, sizeof(cipher), "%s-%s",
779 algs->cipher[i-1].name, algs->mode);
781 TCRYPT_copy_key(&algs->cipher[i-1], algs->mode,
782 dmd.u.crypt.vk->key, hdr->d.keys);
784 if (algs->chain_count != i) {
785 snprintf(dm_dev_name, sizeof(dm_dev_name), "%s/%s_%d",
786 dm_get_dir(), name, i);
787 r = device_alloc(&device, dm_dev_name);
790 dmd.data_device = device;
791 dmd.u.crypt.offset = 0;
794 log_dbg("Trying to activate TCRYPT device %s using cipher %s.",
795 dm_name, dmd.u.crypt.cipher);
796 r = dm_create_device(cd, dm_name, CRYPT_TCRYPT, &dmd, 0);
805 if (r < 0 && !(dm_flags() & req_flags)) {
806 log_err(cd, _("Kernel doesn't support TCRYPT compatible mapping.\n"));
810 device_free(part_device);
811 crypt_free_volume_key(dmd.u.crypt.vk);
815 static int TCRYPT_remove_one(struct crypt_device *cd, const char *name,
816 const char *base_uuid, int index)
818 struct crypt_dm_active_device dmd = {};
819 char dm_name[PATH_MAX];
822 if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
825 r = dm_status_device(cd, dm_name);
829 r = dm_query_device(cd, dm_name, DM_ACTIVE_UUID, &dmd);
830 if (!r && !strncmp(dmd.uuid, base_uuid, strlen(base_uuid)))
831 r = dm_remove_device(cd, dm_name, 0, 0);
833 free(CONST_CAST(void*)dmd.uuid);
837 int TCRYPT_deactivate(struct crypt_device *cd, const char *name)
839 struct crypt_dm_active_device dmd = {};
842 r = dm_query_device(cd, name, DM_ACTIVE_UUID, &dmd);
848 r = dm_remove_device(cd, name, 0, 0);
852 r = TCRYPT_remove_one(cd, name, dmd.uuid, 1);
856 r = TCRYPT_remove_one(cd, name, dmd.uuid, 2);
860 free(CONST_CAST(void*)dmd.uuid);
861 return (r == -ENODEV) ? 0 : r;
864 static int TCRYPT_status_one(struct crypt_device *cd, const char *name,
865 const char *base_uuid, int index,
866 size_t *key_size, char *cipher,
867 uint64_t *data_offset, struct device **device)
869 struct crypt_dm_active_device dmd = {};
870 char dm_name[PATH_MAX], *c;
873 if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
876 r = dm_status_device(cd, dm_name);
880 r = dm_query_device(cd, dm_name, DM_ACTIVE_DEVICE |
882 DM_ACTIVE_CRYPT_CIPHER |
883 DM_ACTIVE_CRYPT_KEYSIZE, &dmd);
886 if (!r && !strncmp(dmd.uuid, base_uuid, strlen(base_uuid))) {
887 if ((c = strchr(dmd.u.crypt.cipher, '-')))
890 strncat(cipher, dmd.u.crypt.cipher, MAX_CIPHER_LEN);
891 *key_size += dmd.u.crypt.vk->keylength;
892 *data_offset = dmd.u.crypt.offset * SECTOR_SIZE;
893 device_free(*device);
894 *device = dmd.data_device;
896 device_free(dmd.data_device);
900 free(CONST_CAST(void*)dmd.uuid);
901 free(CONST_CAST(void*)dmd.u.crypt.cipher);
902 crypt_free_volume_key(dmd.u.crypt.vk);
906 int TCRYPT_init_by_name(struct crypt_device *cd, const char *name,
907 const struct crypt_dm_active_device *dmd,
908 struct device **device,
909 struct crypt_params_tcrypt *tcrypt_params,
910 struct tcrypt_phdr *tcrypt_hdr)
912 struct tcrypt_algs *algs;
913 char cipher[MAX_CIPHER_LEN * 4], mode[MAX_CIPHER_LEN], *tmp;
917 memset(tcrypt_params, 0, sizeof(*tcrypt_params));
918 memset(tcrypt_hdr, 0, sizeof(*tcrypt_hdr));
919 tcrypt_hdr->d.sector_size = SECTOR_SIZE;
920 tcrypt_hdr->d.mk_offset = dmd->u.crypt.offset * SECTOR_SIZE;
922 strncpy(cipher, dmd->u.crypt.cipher, MAX_CIPHER_LEN);
923 tmp = strchr(cipher, '-');
927 strncpy(mode, ++tmp, MAX_CIPHER_LEN);
929 key_size = dmd->u.crypt.vk->keylength;
930 r = TCRYPT_status_one(cd, name, dmd->uuid, 1, &key_size,
931 cipher, &tcrypt_hdr->d.mk_offset, device);
933 r = TCRYPT_status_one(cd, name, dmd->uuid, 2, &key_size,
934 cipher, &tcrypt_hdr->d.mk_offset, device);
936 if (r < 0 && r != -ENODEV)
939 algs = TCRYPT_get_algs(cipher, mode);
940 if (!algs || key_size != algs->chain_key_size)
943 tcrypt_params->key_size = algs->chain_key_size;
944 tcrypt_params->cipher = algs->long_name;
945 tcrypt_params->mode = algs->mode;
949 uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
950 struct tcrypt_phdr *hdr,
951 struct crypt_params_tcrypt *params)
955 /* No real header loaded, initialized by active device */
959 /* Mapping through whole device, not partition! */
960 if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
961 if (crypt_dev_is_partition(device_path(crypt_metadata_device(cd))))
966 if (params->mode && !strncmp(params->mode, "xts", 3)) {
967 if (hdr->d.version < 3)
970 if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
971 if (hdr->d.version > 3)
972 return (hdr->d.mk_offset / hdr->d.sector_size);
973 if (device_size(crypt_metadata_device(cd), &size) < 0)
975 return (size - hdr->d.hidden_volume_size +
976 (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
981 if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
982 if (device_size(crypt_metadata_device(cd), &size) < 0)
984 return (size - hdr->d.hidden_volume_size +
985 (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
989 return hdr->d.mk_offset / hdr->d.sector_size;
992 uint64_t TCRYPT_get_iv_offset(struct crypt_device *cd,
993 struct tcrypt_phdr *hdr,
994 struct crypt_params_tcrypt *params)
998 if (params->mode && !strncmp(params->mode, "xts", 3))
999 iv_offset = TCRYPT_get_data_offset(cd, hdr, params);
1000 else if (params->mode && !strncmp(params->mode, "lrw", 3))
1003 iv_offset = hdr->d.mk_offset / hdr->d.sector_size;
1005 if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
1006 iv_offset += crypt_dev_partition_offset(device_path(crypt_metadata_device(cd)));
1011 int TCRYPT_get_volume_key(struct crypt_device *cd,
1012 struct tcrypt_phdr *hdr,
1013 struct crypt_params_tcrypt *params,
1014 struct volume_key **vk)
1016 struct tcrypt_algs *algs;
1017 unsigned int i, key_index;
1019 if (!hdr->d.version) {
1020 log_err(cd, _("This function is not supported without TCRYPT header load."));
1024 algs = TCRYPT_get_algs(params->cipher, params->mode);
1028 *vk = crypt_alloc_volume_key(params->key_size, NULL);
1032 for (i = 0, key_index = 0; i < algs->chain_count; i++) {
1033 TCRYPT_copy_key(&algs->cipher[i], algs->mode,
1034 &(*vk)->key[key_index], hdr->d.keys);
1035 key_index += algs->cipher[i].key_size;
1041 int TCRYPT_dump(struct crypt_device *cd,
1042 struct tcrypt_phdr *hdr,
1043 struct crypt_params_tcrypt *params)
1045 log_std(cd, "%s header information for %s\n",
1046 hdr->d.magic[0] == 'T' ? "TCRYPT" : "VERACRYPT",
1047 device_path(crypt_metadata_device(cd)));
1048 if (hdr->d.version) {
1049 log_std(cd, "Version: \t%d\n", hdr->d.version);
1050 log_std(cd, "Driver req.:\t%x.%x\n", hdr->d.version_tc >> 8,
1051 hdr->d.version_tc & 0xFF);
1053 log_std(cd, "Sector size:\t%" PRIu32 "\n", hdr->d.sector_size);
1054 log_std(cd, "MK offset:\t%" PRIu64 "\n", hdr->d.mk_offset);
1055 log_std(cd, "PBKDF2 hash:\t%s\n", params->hash_name);
1057 log_std(cd, "Cipher chain:\t%s\n", params->cipher);
1058 log_std(cd, "Cipher mode:\t%s\n", params->mode);
1059 log_std(cd, "MK bits: \t%zu\n", params->key_size * 8);