lib/tcrypt/tcrypt.c

   1 /*
   2  * TCRYPT (TrueCrypt-compatible) and VeraCrypt volume handling
   3  *
   4  * Copyright (C) 2012, Red Hat, Inc. All rights reserved.
   5  * Copyright (C) 2012-2015, Milan Broz
   6  *
   7  * This file is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU Lesser General Public
   9  * License as published by the Free Software Foundation; either
  10  * version 2.1 of the License, or (at your option) any later version.
  11  *
  12  * This file is distributed in the hope that it will be useful,
  13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  15  * Lesser General Public License for more details.
  16  *
  17  * You should have received a copy of the GNU Lesser General Public
  18  * License along with this file; if not, write to the Free Software
  19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  20  */
  21
  22 #include <errno.h>
  23 #include <stdio.h>
  24 #include <stdlib.h>
  25 #include <string.h>
  26 #include <fcntl.h>
  27 #include <assert.h>
  28
  29 #include "libcryptsetup.h"
  30 #include "tcrypt.h"
  31 #include "internal.h"
  32
  33 /* TCRYPT PBKDF variants */
  34 static struct {
  35         unsigned int legacy:1;
  36         unsigned int veracrypt:1;
  37         const char *name;
  38         const char *hash;
  39         unsigned int iterations;
  40 } tcrypt_kdf[] = {
  41         { 0, 0, "pbkdf2", "ripemd160", 2000 },
  42         { 0, 0, "pbkdf2", "ripemd160", 1000 },
  43         { 0, 0, "pbkdf2", "sha512",    1000 },
  44         { 0, 0, "pbkdf2", "whirlpool", 1000 },
  45         { 1, 0, "pbkdf2", "sha1",      2000 },
  46         { 0, 1, "pbkdf2", "sha512",    500000 },
  47         { 0, 1, "pbkdf2", "ripemd160", 655331 },
  48         { 0, 1, "pbkdf2", "ripemd160", 327661 }, // boot only
  49         { 0, 1, "pbkdf2", "whirlpool", 500000 },
  50         { 0, 1, "pbkdf2", "sha256",    500000 }, // VeraCrypt 1.0f
  51         { 0, 1, "pbkdf2", "sha256",    200000 }, // boot only
  52         { 0, 0, NULL,     NULL,        0 }
  53 };
  54
  55 struct tcrypt_alg {
  56                 const char *name;
  57                 unsigned int key_size;
  58                 unsigned int iv_size;
  59                 unsigned int key_offset;
  60                 unsigned int iv_offset; /* or tweak key offset */
  61                 unsigned int key_extra_size;
  62 };
  63
  64 struct tcrypt_algs {
  65         unsigned int legacy:1;
  66         unsigned int chain_count;
  67         unsigned int chain_key_size;
  68         const char *long_name;
  69         const char *mode;
  70         struct tcrypt_alg cipher[3];
  71 };
  72
  73 /* TCRYPT cipher variants */
  74 static struct tcrypt_algs tcrypt_cipher[] = {
  75 /* XTS mode */
  76 {0,1,64,"aes","xts-plain64",
  77         {{"aes",    64,16,0,32,0}}},
  78 {0,1,64,"serpent","xts-plain64",
  79         {{"serpent",64,16,0,32,0}}},
  80 {0,1,64,"twofish","xts-plain64",
  81         {{"twofish",64,16,0,32,0}}},
  82 {0,2,128,"twofish-aes","xts-plain64",
  83         {{"twofish",64,16, 0,64,0},
  84          {"aes",    64,16,32,96,0}}},
  85 {0,3,192,"serpent-twofish-aes","xts-plain64",
  86         {{"serpent",64,16, 0, 96,0},
  87          {"twofish",64,16,32,128,0},
  88          {"aes",    64,16,64,160,0}}},
  89 {0,2,128,"aes-serpent","xts-plain64",
  90         {{"aes",    64,16, 0,64,0},
  91          {"serpent",64,16,32,96,0}}},
  92 {0,3,192,"aes-twofish-serpent","xts-plain64",
  93         {{"aes",    64,16, 0, 96,0},
  94          {"twofish",64,16,32,128,0},
  95          {"serpent",64,16,64,160,0}}},
  96 {0,2,128,"serpent-twofish","xts-plain64",
  97         {{"serpent",64,16, 0,64,0},
  98          {"twofish",64,16,32,96,0}}},
  99
 100 /* LRW mode */
 101 {0,1,48,"aes","lrw-benbi",
 102         {{"aes",    48,16,32,0,0}}},
 103 {0,1,48,"serpent","lrw-benbi",
 104         {{"serpent",48,16,32,0,0}}},
 105 {0,1,48,"twofish","lrw-benbi",
 106         {{"twofish",48,16,32,0,0}}},
 107 {0,2,96,"twofish-aes","lrw-benbi",
 108         {{"twofish",48,16,32,0,0},
 109          {"aes",    48,16,64,0,0}}},
 110 {0,3,144,"serpent-twofish-aes","lrw-benbi",
 111         {{"serpent",48,16,32,0,0},
 112          {"twofish",48,16,64,0,0},
 113          {"aes",    48,16,96,0,0}}},
 114 {0,2,96,"aes-serpent","lrw-benbi",
 115         {{"aes",    48,16,32,0,0},
 116          {"serpent",48,16,64,0,0}}},
 117 {0,3,144,"aes-twofish-serpent","lrw-benbi",
 118         {{"aes",    48,16,32,0,0},
 119          {"twofish",48,16,64,0,0},
 120          {"serpent",48,16,96,0,0}}},
 121 {0,2,96,"serpent-twofish", "lrw-benbi",
 122         {{"serpent",48,16,32,0,0},
 123          {"twofish",48,16,64,0,0}}},
 124
 125 /* Kernel LRW block size is fixed to 16 bytes for GF(2^128)
 126  * thus cannot be used with blowfish where block is 8 bytes.
 127  * There also no GF(2^64) support.
 128 {1,1,64,"blowfish_le","lrw-benbi",
 129          {{"blowfish_le",64,8,32,0,0}}},
 130 {1,2,112,"blowfish_le-aes","lrw-benbi",
 131          {{"blowfish_le",64, 8,32,0,0},
 132           {"aes",        48,16,88,0,0}}},
 133 {1,3,160,"serpent-blowfish_le-aes","lrw-benbi",
 134           {{"serpent",    48,16, 32,0,0},
 135            {"blowfish_le",64, 8, 64,0,0},
 136            {"aes",        48,16,120,0,0}}},*/
 137
 138 /*
 139  * CBC + "outer" CBC (both with whitening)
 140  * chain_key_size: alg_keys_bytes + IV_seed_bytes + whitening_bytes
 141  */
 142 {1,1,32+16+16,"aes","cbc-tcw",
 143         {{"aes",    32,16,32,0,32}}},
 144 {1,1,32+16+16,"serpent","cbc-tcw",
 145         {{"serpent",32,16,32,0,32}}},
 146 {1,1,32+16+16,"twofish","cbc-tcw",
 147         {{"twofish",32,16,32,0,32}}},
 148 {1,2,64+16+16,"twofish-aes","cbci-tcrypt",
 149         {{"twofish",32,16,32,0,0},
 150          {"aes",    32,16,64,0,32}}},
 151 {1,3,96+16+16,"serpent-twofish-aes","cbci-tcrypt",
 152         {{"serpent",32,16,32,0,0},
 153          {"twofish",32,16,64,0,0},
 154          {"aes",    32,16,96,0,32}}},
 155 {1,2,64+16+16,"aes-serpent","cbci-tcrypt",
 156         {{"aes",    32,16,32,0,0},
 157          {"serpent",32,16,64,0,32}}},
 158 {1,3,96+16+16,"aes-twofish-serpent", "cbci-tcrypt",
 159         {{"aes",    32,16,32,0,0},
 160          {"twofish",32,16,64,0,0},
 161          {"serpent",32,16,96,0,32}}},
 162 {1,2,64+16+16,"serpent-twofish", "cbci-tcrypt",
 163         {{"serpent",32,16,32,0,0},
 164          {"twofish",32,16,64,0,32}}},
 165 {1,1,16+8+16,"cast5","cbc-tcw",
 166         {{"cast5",   16,8,32,0,24}}},
 167 {1,1,24+8+16,"des3_ede","cbc-tcw",
 168         {{"des3_ede",24,8,32,0,24}}},
 169 {1,1,56+8+16,"blowfish_le","cbc-tcrypt",
 170         {{"blowfish_le",56,8,32,0,24}}},
 171 {1,2,88+16+16,"blowfish_le-aes","cbc-tcrypt",
 172         {{"blowfish_le",56, 8,32,0,0},
 173          {"aes",        32,16,88,0,32}}},
 174 {1,3,120+16+16,"serpent-blowfish_le-aes","cbc-tcrypt",
 175         {{"serpent",    32,16, 32,0,0},
 176          {"blowfish_le",56, 8, 64,0,0},
 177          {"aes",        32,16,120,0,32}}},
 178 {}
 179 };
 180
 181 static int TCRYPT_hdr_from_disk(struct tcrypt_phdr *hdr,
 182                                 struct crypt_params_tcrypt *params,
 183                                 int kdf_index, int cipher_index)
 184 {
 185         uint32_t crc32;
 186         size_t size;
 187
 188         /* Check CRC32 of header */
 189         size = TCRYPT_HDR_LEN - sizeof(hdr->d.keys) - sizeof(hdr->d.header_crc32);
 190         crc32 = crypt_crc32(~0, (unsigned char*)&hdr->d, size) ^ ~0;
 191         if (be16_to_cpu(hdr->d.version) > 3 &&
 192             crc32 != be32_to_cpu(hdr->d.header_crc32)) {
 193                 log_dbg("TCRYPT header CRC32 mismatch.");
 194                 return -EINVAL;
 195         }
 196
 197         /* Check CRC32 of keys */
 198         crc32 = crypt_crc32(~0, (unsigned char*)hdr->d.keys, sizeof(hdr->d.keys)) ^ ~0;
 199         if (crc32 != be32_to_cpu(hdr->d.keys_crc32)) {
 200                 log_dbg("TCRYPT keys CRC32 mismatch.");
 201                 return -EINVAL;
 202         }
 203
 204         /* Convert header to cpu format */
 205         hdr->d.version  =  be16_to_cpu(hdr->d.version);
 206         hdr->d.version_tc = be16_to_cpu(hdr->d.version_tc);
 207
 208         hdr->d.keys_crc32 = be32_to_cpu(hdr->d.keys_crc32);
 209
 210         hdr->d.hidden_volume_size = be64_to_cpu(hdr->d.hidden_volume_size);
 211         hdr->d.volume_size        = be64_to_cpu(hdr->d.volume_size);
 212
 213         hdr->d.mk_offset = be64_to_cpu(hdr->d.mk_offset);
 214         if (!hdr->d.mk_offset)
 215                 hdr->d.mk_offset = 512;
 216
 217         hdr->d.mk_size = be64_to_cpu(hdr->d.mk_size);
 218
 219         hdr->d.flags = be32_to_cpu(hdr->d.flags);
 220
 221         hdr->d.sector_size = be32_to_cpu(hdr->d.sector_size);
 222         if (!hdr->d.sector_size)
 223                 hdr->d.sector_size = 512;
 224
 225         hdr->d.header_crc32 = be32_to_cpu(hdr->d.header_crc32);
 226
 227         /* Set params */
 228         params->passphrase = NULL;
 229         params->passphrase_size = 0;
 230         params->hash_name  = tcrypt_kdf[kdf_index].hash;
 231         params->key_size = tcrypt_cipher[cipher_index].chain_key_size;
 232         params->cipher = tcrypt_cipher[cipher_index].long_name;
 233         params->mode = tcrypt_cipher[cipher_index].mode;
 234
 235         return 0;
 236 }
 237
 238 /*
 239  * Kernel implements just big-endian version of blowfish, hack it here
 240  */
 241 static void TCRYPT_swab_le(char *buf)
 242 {
 243         uint32_t *l = (uint32_t*)&buf[0];
 244         uint32_t *r = (uint32_t*)&buf[4];
 245         *l = swab32(*l);
 246         *r = swab32(*r);
 247 }
 248
 249 static int decrypt_blowfish_le_cbc(struct tcrypt_alg *alg,
 250                                    const char *key, char *buf)
 251 {
 252         int bs = alg->iv_size;
 253         char iv[bs], iv_old[bs];
 254         struct crypt_cipher *cipher = NULL;
 255         int i, j, r;
 256
 257         assert(bs == 2*sizeof(uint32_t));
 258
 259         r = crypt_cipher_init(&cipher, "blowfish", "ecb",
 260                               &key[alg->key_offset], alg->key_size);
 261         if (r < 0)
 262                 return r;
 263
 264         memcpy(iv, &key[alg->iv_offset], alg->iv_size);
 265         for (i = 0; i < TCRYPT_HDR_LEN; i += bs) {
 266                 memcpy(iv_old, &buf[i], bs);
 267                 TCRYPT_swab_le(&buf[i]);
 268                 r = crypt_cipher_decrypt(cipher, &buf[i], &buf[i],
 269                                           bs, NULL, 0);
 270                 TCRYPT_swab_le(&buf[i]);
 271                 if (r < 0)
 272                         break;
 273                 for (j = 0; j < bs; j++)
 274                         buf[i + j] ^= iv[j];
 275                 memcpy(iv, iv_old, bs);
 276         }
 277
 278         crypt_cipher_destroy(cipher);
 279         crypt_memzero(iv, bs);
 280         crypt_memzero(iv_old, bs);
 281         return r;
 282 }
 283
 284 static void TCRYPT_remove_whitening(char *buf, const char *key)
 285 {
 286         int j;
 287
 288         for (j = 0; j < TCRYPT_HDR_LEN; j++)
 289                 buf[j] ^= key[j % 8];
 290 }
 291
 292 static void TCRYPT_copy_key(struct tcrypt_alg *alg, const char *mode,
 293                              char *out_key, const char *key)
 294 {
 295         int ks2;
 296         if (!strncmp(mode, "xts", 3)) {
 297                 ks2 = alg->key_size / 2;
 298                 memcpy(out_key, &key[alg->key_offset], ks2);
 299                 memcpy(&out_key[ks2], &key[alg->iv_offset], ks2);
 300         } else if (!strncmp(mode, "lrw", 3)) {
 301                 ks2 = alg->key_size - TCRYPT_LRW_IKEY_LEN;
 302                 memcpy(out_key, &key[alg->key_offset], ks2);
 303                 memcpy(&out_key[ks2], key, TCRYPT_LRW_IKEY_LEN);
 304         } else if (!strncmp(mode, "cbc", 3)) {
 305                 memcpy(out_key, &key[alg->key_offset], alg->key_size);
 306                 /* IV + whitening */
 307                 memcpy(&out_key[alg->key_size], &key[alg->iv_offset],
 308                        alg->key_extra_size);
 309         }
 310 }
 311
 312 static int TCRYPT_decrypt_hdr_one(struct tcrypt_alg *alg, const char *mode,
 313                                    const char *key,struct tcrypt_phdr *hdr)
 314 {
 315         char backend_key[TCRYPT_HDR_KEY_LEN];
 316         char iv[TCRYPT_HDR_IV_LEN] = {};
 317         char mode_name[MAX_CIPHER_LEN];
 318         struct crypt_cipher *cipher;
 319         char *c, *buf = (char*)&hdr->e;
 320         int r;
 321
 322         /* Remove IV if present */
 323         strncpy(mode_name, mode, MAX_CIPHER_LEN);
 324         c = strchr(mode_name, '-');
 325         if (c)
 326                 *c = '\0';
 327
 328         if (!strncmp(mode, "lrw", 3))
 329                 iv[alg->iv_size - 1] = 1;
 330         else if (!strncmp(mode, "cbc", 3)) {
 331                 TCRYPT_remove_whitening(buf, &key[8]);
 332                 if (!strcmp(alg->name, "blowfish_le"))
 333                         return decrypt_blowfish_le_cbc(alg, key, buf);
 334                 memcpy(iv, &key[alg->iv_offset], alg->iv_size);
 335         }
 336
 337         TCRYPT_copy_key(alg, mode, backend_key, key);
 338         r = crypt_cipher_init(&cipher, alg->name, mode_name,
 339                               backend_key, alg->key_size);
 340         if (!r) {
 341                 r = crypt_cipher_decrypt(cipher, buf, buf, TCRYPT_HDR_LEN,
 342                                          iv, alg->iv_size);
 343                 crypt_cipher_destroy(cipher);
 344         }
 345
 346         crypt_memzero(backend_key, sizeof(backend_key));
 347         crypt_memzero(iv, TCRYPT_HDR_IV_LEN);
 348         return r;
 349 }
 350
 351 /*
 352  * For chanined ciphers and CBC mode we need "outer" decryption.
 353  * Backend doesn't provide this, so implement it here directly using ECB.
 354  */
 355 static int TCRYPT_decrypt_cbci(struct tcrypt_algs *ciphers,
 356                                 const char *key, struct tcrypt_phdr *hdr)
 357 {
 358         struct crypt_cipher *cipher[ciphers->chain_count];
 359         unsigned int bs = ciphers->cipher[0].iv_size;
 360         char *buf = (char*)&hdr->e, iv[bs], iv_old[bs];
 361         unsigned int i, j;
 362         int r = -EINVAL;
 363
 364         TCRYPT_remove_whitening(buf, &key[8]);
 365
 366         memcpy(iv, &key[ciphers->cipher[0].iv_offset], bs);
 367
 368         /* Initialize all ciphers in chain in ECB mode */
 369         for (j = 0; j < ciphers->chain_count; j++)
 370                 cipher[j] = NULL;
 371         for (j = 0; j < ciphers->chain_count; j++) {
 372                 r = crypt_cipher_init(&cipher[j], ciphers->cipher[j].name, "ecb",
 373                                       &key[ciphers->cipher[j].key_offset],
 374                                       ciphers->cipher[j].key_size);
 375                 if (r < 0)
 376                         goto out;
 377         }
 378
 379         /* Implements CBC with chained ciphers in loop inside */
 380         for (i = 0; i < TCRYPT_HDR_LEN; i += bs) {
 381                 memcpy(iv_old, &buf[i], bs);
 382                 for (j = ciphers->chain_count; j > 0; j--) {
 383                         r = crypt_cipher_decrypt(cipher[j - 1], &buf[i], &buf[i],
 384                                                   bs, NULL, 0);
 385                         if (r < 0)
 386                                 goto out;
 387                 }
 388                 for (j = 0; j < bs; j++)
 389                         buf[i + j] ^= iv[j];
 390                 memcpy(iv, iv_old, bs);
 391         }
 392 out:
 393         for (j = 0; j < ciphers->chain_count; j++)
 394                 if (cipher[j])
 395                         crypt_cipher_destroy(cipher[j]);
 396
 397         crypt_memzero(iv, bs);
 398         crypt_memzero(iv_old, bs);
 399         return r;
 400 }
 401
 402 static int TCRYPT_decrypt_hdr(struct crypt_device *cd, struct tcrypt_phdr *hdr,
 403                                const char *key, uint32_t flags)
 404 {
 405         struct tcrypt_phdr hdr2;
 406         int i, j, r = -EINVAL;
 407
 408         for (i = 0; tcrypt_cipher[i].chain_count; i++) {
 409                 if (!(flags & CRYPT_TCRYPT_LEGACY_MODES) && tcrypt_cipher[i].legacy)
 410                         continue;
 411                 log_dbg("TCRYPT:  trying cipher %s-%s",
 412                         tcrypt_cipher[i].long_name, tcrypt_cipher[i].mode);
 413
 414                 memcpy(&hdr2.e, &hdr->e, TCRYPT_HDR_LEN);
 415
 416                 if (!strncmp(tcrypt_cipher[i].mode, "cbci", 4))
 417                         r = TCRYPT_decrypt_cbci(&tcrypt_cipher[i], key, &hdr2);
 418                 else for (j = tcrypt_cipher[i].chain_count - 1; j >= 0 ; j--) {
 419                         if (!tcrypt_cipher[i].cipher[j].name)
 420                                 continue;
 421                         r = TCRYPT_decrypt_hdr_one(&tcrypt_cipher[i].cipher[j],
 422                                             tcrypt_cipher[i].mode, key, &hdr2);
 423                         if (r < 0)
 424                                 break;
 425                 }
 426
 427                 if (r < 0) {
 428                         log_dbg("TCRYPT:   returned error %d, skipped.", r);
 429                         if (r == -ENOTSUP)
 430                                 break;
 431                         r = -ENOENT;
 432                         continue;
 433                 }
 434
 435                 if (!strncmp(hdr2.d.magic, TCRYPT_HDR_MAGIC, TCRYPT_HDR_MAGIC_LEN)) {
 436                         log_dbg("TCRYPT: Signature magic detected.");
 437                         memcpy(&hdr->e, &hdr2.e, TCRYPT_HDR_LEN);
 438                         r = i;
 439                         break;
 440                 }
 441                 if ((flags & CRYPT_TCRYPT_VERA_MODES) &&
 442                      !strncmp(hdr2.d.magic, VCRYPT_HDR_MAGIC, TCRYPT_HDR_MAGIC_LEN)) {
 443                         log_dbg("TCRYPT: Signature magic detected (Veracrypt).");
 444                         memcpy(&hdr->e, &hdr2.e, TCRYPT_HDR_LEN);
 445                         r = i;
 446                         break;
 447                 }
 448                 r = -EPERM;
 449         }
 450
 451         crypt_memzero(&hdr2, sizeof(hdr2));
 452         return r;
 453 }
 454
 455 static int TCRYPT_pool_keyfile(struct crypt_device *cd,
 456                                 unsigned char pool[TCRYPT_KEY_POOL_LEN],
 457                                 const char *keyfile)
 458 {
 459         unsigned char data[TCRYPT_KEYFILE_LEN];
 460         int i, j, fd, data_size;
 461         uint32_t crc;
 462
 463         log_dbg("TCRYPT: using keyfile %s.", keyfile);
 464
 465         fd = open(keyfile, O_RDONLY);
 466         if (fd < 0) {
 467                 log_err(cd, _("Failed to open key file.\n"));
 468                 return -EIO;
 469         }
 470
 471         /* FIXME: add while */
 472         data_size = read(fd, data, TCRYPT_KEYFILE_LEN);
 473         close(fd);
 474         if (data_size < 0) {
 475                 log_err(cd, _("Error reading keyfile %s.\n"), keyfile);
 476                 return -EIO;
 477         }
 478
 479         for (i = 0, j = 0, crc = ~0U; i < data_size; i++) {
 480                 crc = crypt_crc32(crc, &data[i], 1);
 481                 pool[j++] += (unsigned char)(crc >> 24);
 482                 pool[j++] += (unsigned char)(crc >> 16);
 483                 pool[j++] += (unsigned char)(crc >>  8);
 484                 pool[j++] += (unsigned char)(crc);
 485                 j %= TCRYPT_KEY_POOL_LEN;
 486         }
 487
 488         crypt_memzero(&crc, sizeof(crc));
 489         crypt_memzero(data, TCRYPT_KEYFILE_LEN);
 490
 491         return 0;
 492 }
 493
 494 static int TCRYPT_init_hdr(struct crypt_device *cd,
 495                            struct tcrypt_phdr *hdr,
 496                            struct crypt_params_tcrypt *params)
 497 {
 498         unsigned char pwd[TCRYPT_KEY_POOL_LEN] = {};
 499         size_t passphrase_size;
 500         char *key;
 501         unsigned int i, skipped = 0;
 502         int r = -EPERM;
 503
 504         if (posix_memalign((void*)&key, crypt_getpagesize(), TCRYPT_HDR_KEY_LEN))
 505                 return -ENOMEM;
 506
 507         if (params->keyfiles_count)
 508                 passphrase_size = TCRYPT_KEY_POOL_LEN;
 509         else
 510                 passphrase_size = params->passphrase_size;
 511
 512         if (params->passphrase_size > TCRYPT_KEY_POOL_LEN) {
 513                 log_err(cd, _("Maximum TCRYPT passphrase length (%d) exceeded.\n"),
 514                               TCRYPT_KEY_POOL_LEN);
 515                 goto out;
 516         }
 517
 518         /* Calculate pool content from keyfiles */
 519         for (i = 0; i < params->keyfiles_count; i++) {
 520                 r = TCRYPT_pool_keyfile(cd, pwd, params->keyfiles[i]);
 521                 if (r < 0)
 522                         goto out;
 523         }
 524
 525         /* If provided password, combine it with pool */
 526         for (i = 0; i < params->passphrase_size; i++)
 527                 pwd[i] += params->passphrase[i];
 528
 529         for (i = 0; tcrypt_kdf[i].name; i++) {
 530                 if (!(params->flags & CRYPT_TCRYPT_LEGACY_MODES) && tcrypt_kdf[i].legacy)
 531                         continue;
 532                 if (!(params->flags & CRYPT_TCRYPT_VERA_MODES) && tcrypt_kdf[i].veracrypt)
 533                         continue;
 534                 /* Derive header key */
 535                 log_dbg("TCRYPT: trying KDF: %s-%s-%d.",
 536                         tcrypt_kdf[i].name, tcrypt_kdf[i].hash, tcrypt_kdf[i].iterations);
 537                 r = crypt_pbkdf(tcrypt_kdf[i].name, tcrypt_kdf[i].hash,
 538                                 (char*)pwd, passphrase_size,
 539                                 hdr->salt, TCRYPT_HDR_SALT_LEN,
 540                                 key, TCRYPT_HDR_KEY_LEN,
 541                                 tcrypt_kdf[i].iterations);
 542                 if (r < 0 && crypt_hash_size(tcrypt_kdf[i].hash) < 0) {
 543                         log_verbose(cd, _("PBKDF2 hash algorithm %s not available, skipping.\n"),
 544                                       tcrypt_kdf[i].hash);
 545                         continue;
 546                 }
 547                 if (r < 0)
 548                         break;
 549
 550                 /* Decrypt header */
 551                 r = TCRYPT_decrypt_hdr(cd, hdr, key, params->flags);
 552                 if (r == -ENOENT) {
 553                         skipped++;
 554                         r = -EPERM;
 555                 }
 556                 if (r != -EPERM)
 557                         break;
 558         }
 559
 560         if ((r < 0 && r != -EPERM && skipped && skipped == i) || r == -ENOTSUP) {
 561                 log_err(cd, _("Required kernel crypto interface not available.\n"));
 562 #ifdef ENABLE_AF_ALG
 563                 log_err(cd, _("Ensure you have algif_skcipher kernel module loaded.\n"));
 564 #endif
 565         }
 566         if (r < 0)
 567                 goto out;
 568
 569         r = TCRYPT_hdr_from_disk(hdr, params, i, r);
 570         if (!r) {
 571                 log_dbg("TCRYPT: Magic: %s, Header version: %d, req. %d, sector %d"
 572                         ", mk_offset %" PRIu64 ", hidden_size %" PRIu64
 573                         ", volume size %" PRIu64, tcrypt_kdf[i].veracrypt ?
 574                         VCRYPT_HDR_MAGIC : TCRYPT_HDR_MAGIC,
 575                         (int)hdr->d.version, (int)hdr->d.version_tc, (int)hdr->d.sector_size,
 576                         hdr->d.mk_offset, hdr->d.hidden_volume_size, hdr->d.volume_size);
 577                 log_dbg("TCRYPT: Header cipher %s-%s, key size %zu",
 578                         params->cipher, params->mode, params->key_size);
 579         }
 580 out:
 581         crypt_memzero(pwd, TCRYPT_KEY_POOL_LEN);
 582         if (key)
 583                 crypt_memzero(key, TCRYPT_HDR_KEY_LEN);
 584         free(key);
 585         return r;
 586 }
 587
 588 int TCRYPT_read_phdr(struct crypt_device *cd,
 589                      struct tcrypt_phdr *hdr,
 590                      struct crypt_params_tcrypt *params)
 591 {
 592         struct device *base_device, *device = crypt_metadata_device(cd);
 593         ssize_t hdr_size = sizeof(struct tcrypt_phdr);
 594         char *base_device_path;
 595         int devfd = 0, r, bs;
 596
 597         assert(sizeof(struct tcrypt_phdr) == 512);
 598
 599         log_dbg("Reading TCRYPT header of size %zu bytes from device %s.",
 600                 hdr_size, device_path(device));
 601
 602         bs = device_block_size(device);
 603         if (bs < 0)
 604                 return bs;
 605
 606         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER &&
 607             crypt_dev_is_partition(device_path(device))) {
 608                 base_device_path = crypt_get_base_device(device_path(device));
 609
 610                 log_dbg("Reading TCRYPT system header from device %s.", base_device_path ?: "?");
 611                 if (!base_device_path)
 612                         return -EINVAL;
 613
 614                 r = device_alloc(&base_device, base_device_path);
 615                 if (r < 0)
 616                         return r;
 617                 devfd = device_open(base_device, O_RDONLY);
 618                 free(base_device_path);
 619                 device_free(base_device);
 620         } else
 621                 devfd = device_open(device, O_RDONLY);
 622
 623         if (devfd == -1) {
 624                 log_err(cd, _("Cannot open device %s.\n"), device_path(device));
 625                 return -EINVAL;
 626         }
 627
 628         r = -EIO;
 629         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
 630                 if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
 631                     read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) {
 632                         r = TCRYPT_init_hdr(cd, hdr, params);
 633                 }
 634         } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
 635                 if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
 636                         if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
 637                             read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 638                                 r = TCRYPT_init_hdr(cd, hdr, params);
 639                 } else {
 640                         if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET, SEEK_SET) >= 0 &&
 641                             read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 642                                 r = TCRYPT_init_hdr(cd, hdr, params);
 643                         if (r &&
 644                             lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_OLD, SEEK_END) >= 0 &&
 645                             read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 646                                 r = TCRYPT_init_hdr(cd, hdr, params);
 647                 }
 648         } else if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
 649                 if (lseek(devfd, TCRYPT_HDR_OFFSET_BCK, SEEK_END) >= 0 &&
 650                             read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 651                         r = TCRYPT_init_hdr(cd, hdr, params);
 652         } else if (read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 653                 r = TCRYPT_init_hdr(cd, hdr, params);
 654
 655         close(devfd);
 656         if (r < 0)
 657                 memset(hdr, 0, sizeof (*hdr));
 658         return r;
 659 }
 660
 661 static struct tcrypt_algs *TCRYPT_get_algs(const char *cipher, const char *mode)
 662 {
 663         int i;
 664
 665         if (!cipher || !mode)
 666                 return NULL;
 667
 668         for (i = 0; tcrypt_cipher[i].chain_count; i++)
 669                 if (!strcmp(tcrypt_cipher[i].long_name, cipher) &&
 670                     !strcmp(tcrypt_cipher[i].mode, mode))
 671                     return &tcrypt_cipher[i];
 672
 673         return NULL;
 674 }
 675
 676 int TCRYPT_activate(struct crypt_device *cd,
 677                      const char *name,
 678                      struct tcrypt_phdr *hdr,
 679                      struct crypt_params_tcrypt *params,
 680                      uint32_t flags)
 681 {
 682         char cipher[MAX_CIPHER_LEN], dm_name[PATH_MAX], dm_dev_name[PATH_MAX];
 683         char *part_path;
 684         struct device *device = NULL, *part_device = NULL;
 685         unsigned int i;
 686         int r;
 687         uint32_t req_flags;
 688         struct tcrypt_algs *algs;
 689         enum devcheck device_check;
 690         struct crypt_dm_active_device dmd = {
 691                 .target = DM_CRYPT,
 692                 .size   = 0,
 693                 .data_device = crypt_data_device(cd),
 694                 .u.crypt  = {
 695                         .cipher = cipher,
 696                         .offset = crypt_get_data_offset(cd),
 697                         .iv_offset = crypt_get_iv_offset(cd),
 698                 }
 699         };
 700
 701         if (!hdr->d.version) {
 702                 log_dbg("TCRYPT: this function is not supported without encrypted header load.");
 703                 return -ENOTSUP;
 704         }
 705
 706         if (hdr->d.sector_size && hdr->d.sector_size != SECTOR_SIZE) {
 707                 log_err(cd, _("Activation is not supported for %d sector size.\n"),
 708                         hdr->d.sector_size);
 709                 return -ENOTSUP;
 710         }
 711
 712         if (strstr(params->mode, "-tcrypt")) {
 713                 log_err(cd, _("Kernel doesn't support activation for this TCRYPT legacy mode.\n"));
 714                 return -ENOTSUP;
 715         }
 716
 717         if (strstr(params->mode, "-tcw"))
 718                 req_flags = DM_TCW_SUPPORTED;
 719         else
 720                 req_flags = DM_PLAIN64_SUPPORTED;
 721
 722         algs = TCRYPT_get_algs(params->cipher, params->mode);
 723         if (!algs)
 724                 return -EINVAL;
 725
 726         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
 727                 dmd.size = 0;
 728         else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER)
 729                 dmd.size = hdr->d.hidden_volume_size / hdr->d.sector_size;
 730         else
 731                 dmd.size = hdr->d.volume_size / hdr->d.sector_size;
 732
 733         if (dmd.flags & CRYPT_ACTIVATE_SHARED)
 734                 device_check = DEV_SHARED;
 735         else
 736                 device_check = DEV_EXCL;
 737
 738         if ((params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) &&
 739              !crypt_dev_is_partition(device_path(dmd.data_device))) {
 740                 part_path = crypt_get_partition_device(device_path(dmd.data_device),
 741                                                        dmd.u.crypt.offset, dmd.size);
 742                 if (part_path) {
 743                         if (!device_alloc(&part_device, part_path)) {
 744                                 log_verbose(cd, _("Activating TCRYPT system encryption for partition %s.\n"),
 745                                             part_path);
 746                                 dmd.data_device = part_device;
 747                                 dmd.u.crypt.offset = 0;
 748                         }
 749                         free(part_path);
 750                 } else
 751                         /*
 752                          * System encryption use the whole device mapping, there can
 753                          * be active partitions.
 754                          */
 755                         device_check = DEV_SHARED;
 756         }
 757
 758         r = device_block_adjust(cd, dmd.data_device, device_check,
 759                                 dmd.u.crypt.offset, &dmd.size, &dmd.flags);
 760         if (r)
 761                 return r;
 762
 763         /* Frome here, key size for every cipher must be the same */
 764         dmd.u.crypt.vk = crypt_alloc_volume_key(algs->cipher[0].key_size +
 765                                                 algs->cipher[0].key_extra_size, NULL);
 766         if (!dmd.u.crypt.vk)
 767                 return -ENOMEM;
 768
 769         for (i = algs->chain_count; i > 0; i--) {
 770                 if (i == 1) {
 771                         strncpy(dm_name, name, sizeof(dm_name));
 772                         dmd.flags = flags;
 773                 } else {
 774                         snprintf(dm_name, sizeof(dm_name), "%s_%d", name, i-1);
 775                         dmd.flags = flags | CRYPT_ACTIVATE_PRIVATE;
 776                 }
 777
 778                 snprintf(cipher, sizeof(cipher), "%s-%s",
 779                          algs->cipher[i-1].name, algs->mode);
 780
 781                 TCRYPT_copy_key(&algs->cipher[i-1], algs->mode,
 782                                 dmd.u.crypt.vk->key, hdr->d.keys);
 783
 784                 if (algs->chain_count != i) {
 785                         snprintf(dm_dev_name, sizeof(dm_dev_name), "%s/%s_%d",
 786                                  dm_get_dir(), name, i);
 787                         r = device_alloc(&device, dm_dev_name);
 788                         if (r)
 789                                 break;
 790                         dmd.data_device = device;
 791                         dmd.u.crypt.offset = 0;
 792                 }
 793
 794                 log_dbg("Trying to activate TCRYPT device %s using cipher %s.",
 795                         dm_name, dmd.u.crypt.cipher);
 796                 r = dm_create_device(cd, dm_name, CRYPT_TCRYPT, &dmd, 0);
 797
 798                 device_free(device);
 799                 device = NULL;
 800
 801                 if (r)
 802                         break;
 803         }
 804
 805         if (r < 0 && !(dm_flags() & req_flags)) {
 806                 log_err(cd, _("Kernel doesn't support TCRYPT compatible mapping.\n"));
 807                 r = -ENOTSUP;
 808         }
 809
 810         device_free(part_device);
 811         crypt_free_volume_key(dmd.u.crypt.vk);
 812         return r;
 813 }
 814
 815 static int TCRYPT_remove_one(struct crypt_device *cd, const char *name,
 816                       const char *base_uuid, int index)
 817 {
 818         struct crypt_dm_active_device dmd = {};
 819         char dm_name[PATH_MAX];
 820         int r;
 821
 822         if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
 823                 return -ENOMEM;
 824
 825         r = dm_status_device(cd, dm_name);
 826         if (r < 0)
 827                 return r;
 828
 829         r = dm_query_device(cd, dm_name, DM_ACTIVE_UUID, &dmd);
 830         if (!r && !strncmp(dmd.uuid, base_uuid, strlen(base_uuid)))
 831                 r = dm_remove_device(cd, dm_name, 0, 0);
 832
 833         free(CONST_CAST(void*)dmd.uuid);
 834         return r;
 835 }
 836
 837 int TCRYPT_deactivate(struct crypt_device *cd, const char *name)
 838 {
 839         struct crypt_dm_active_device dmd = {};
 840         int r;
 841
 842         r = dm_query_device(cd, name, DM_ACTIVE_UUID, &dmd);
 843         if (r < 0)
 844                 return r;
 845         if (!dmd.uuid)
 846                 return -EINVAL;
 847
 848         r = dm_remove_device(cd, name, 0, 0);
 849         if (r < 0)
 850                 goto out;
 851
 852         r = TCRYPT_remove_one(cd, name, dmd.uuid, 1);
 853         if (r < 0)
 854                 goto out;
 855
 856         r = TCRYPT_remove_one(cd, name, dmd.uuid, 2);
 857         if (r < 0)
 858                 goto out;
 859 out:
 860         free(CONST_CAST(void*)dmd.uuid);
 861         return (r == -ENODEV) ? 0 : r;
 862 }
 863
 864 static int TCRYPT_status_one(struct crypt_device *cd, const char *name,
 865                               const char *base_uuid, int index,
 866                               size_t *key_size, char *cipher,
 867                               uint64_t *data_offset, struct device **device)
 868 {
 869         struct crypt_dm_active_device dmd = {};
 870         char dm_name[PATH_MAX], *c;
 871         int r;
 872
 873         if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
 874                 return -ENOMEM;
 875
 876         r = dm_status_device(cd, dm_name);
 877         if (r < 0)
 878                 return r;
 879
 880         r = dm_query_device(cd, dm_name, DM_ACTIVE_DEVICE |
 881                                           DM_ACTIVE_UUID |
 882                                           DM_ACTIVE_CRYPT_CIPHER |
 883                                           DM_ACTIVE_CRYPT_KEYSIZE, &dmd);
 884         if (r > 0)
 885                 r = 0;
 886         if (!r && !strncmp(dmd.uuid, base_uuid, strlen(base_uuid))) {
 887                 if ((c = strchr(dmd.u.crypt.cipher, '-')))
 888                         *c = '\0';
 889                 strcat(cipher, "-");
 890                 strncat(cipher, dmd.u.crypt.cipher, MAX_CIPHER_LEN);
 891                 *key_size += dmd.u.crypt.vk->keylength;
 892                 *data_offset = dmd.u.crypt.offset * SECTOR_SIZE;
 893                 device_free(*device);
 894                 *device = dmd.data_device;
 895         } else {
 896                 device_free(dmd.data_device);
 897                 r = -ENODEV;
 898         }
 899
 900         free(CONST_CAST(void*)dmd.uuid);
 901         free(CONST_CAST(void*)dmd.u.crypt.cipher);
 902         crypt_free_volume_key(dmd.u.crypt.vk);
 903         return r;
 904 }
 905
 906 int TCRYPT_init_by_name(struct crypt_device *cd, const char *name,
 907                         const struct crypt_dm_active_device *dmd,
 908                         struct device **device,
 909                         struct crypt_params_tcrypt *tcrypt_params,
 910                         struct tcrypt_phdr *tcrypt_hdr)
 911 {
 912         struct tcrypt_algs *algs;
 913         char cipher[MAX_CIPHER_LEN * 4], mode[MAX_CIPHER_LEN], *tmp;
 914         size_t key_size;
 915         int r;
 916
 917         memset(tcrypt_params, 0, sizeof(*tcrypt_params));
 918         memset(tcrypt_hdr, 0, sizeof(*tcrypt_hdr));
 919         tcrypt_hdr->d.sector_size = SECTOR_SIZE;
 920         tcrypt_hdr->d.mk_offset = dmd->u.crypt.offset * SECTOR_SIZE;
 921
 922         strncpy(cipher, dmd->u.crypt.cipher, MAX_CIPHER_LEN);
 923         tmp = strchr(cipher, '-');
 924         if (!tmp)
 925                 return -EINVAL;
 926         *tmp = '\0';
 927         strncpy(mode, ++tmp, MAX_CIPHER_LEN);
 928
 929         key_size = dmd->u.crypt.vk->keylength;
 930         r = TCRYPT_status_one(cd, name, dmd->uuid, 1, &key_size,
 931                               cipher, &tcrypt_hdr->d.mk_offset, device);
 932         if (!r)
 933                 r = TCRYPT_status_one(cd, name, dmd->uuid, 2, &key_size,
 934                                       cipher, &tcrypt_hdr->d.mk_offset, device);
 935
 936         if (r < 0 && r != -ENODEV)
 937                 return r;
 938
 939         algs = TCRYPT_get_algs(cipher, mode);
 940         if (!algs || key_size != algs->chain_key_size)
 941                 return -EINVAL;
 942
 943         tcrypt_params->key_size = algs->chain_key_size;
 944         tcrypt_params->cipher = algs->long_name;
 945         tcrypt_params->mode = algs->mode;
 946         return 0;
 947 }
 948
 949 uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
 950                                  struct tcrypt_phdr *hdr,
 951                                  struct crypt_params_tcrypt *params)
 952 {
 953         uint64_t size;
 954
 955         /* No real header loaded, initialized by active device */
 956         if (!hdr->d.version)
 957                 goto hdr_offset;
 958
 959         /* Mapping through whole device, not partition! */
 960         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
 961                 if (crypt_dev_is_partition(device_path(crypt_metadata_device(cd))))
 962                         return 0;
 963                 goto hdr_offset;
 964         }
 965
 966         if (params->mode && !strncmp(params->mode, "xts", 3)) {
 967                 if (hdr->d.version < 3)
 968                         return 1;
 969
 970                 if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
 971                         if (hdr->d.version > 3)
 972                                 return (hdr->d.mk_offset / hdr->d.sector_size);
 973                         if (device_size(crypt_metadata_device(cd), &size) < 0)
 974                                 return 0;
 975                         return (size - hdr->d.hidden_volume_size +
 976                                 (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
 977                 }
 978                 goto hdr_offset;
 979         }
 980
 981         if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
 982                 if (device_size(crypt_metadata_device(cd), &size) < 0)
 983                         return 0;
 984                 return (size - hdr->d.hidden_volume_size +
 985                         (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
 986         }
 987
 988 hdr_offset:
 989         return hdr->d.mk_offset / hdr->d.sector_size;
 990 }
 991
 992 uint64_t TCRYPT_get_iv_offset(struct crypt_device *cd,
 993                               struct tcrypt_phdr *hdr,
 994                               struct crypt_params_tcrypt *params)
 995 {
 996         uint64_t iv_offset;
 997
 998         if (params->mode && !strncmp(params->mode, "xts", 3))
 999                 iv_offset = TCRYPT_get_data_offset(cd, hdr, params);
1000         else if (params->mode && !strncmp(params->mode, "lrw", 3))
1001                 iv_offset = 0;
1002         else
1003                 iv_offset = hdr->d.mk_offset / hdr->d.sector_size;
1004
1005         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
1006                 iv_offset += crypt_dev_partition_offset(device_path(crypt_metadata_device(cd)));
1007
1008         return iv_offset;
1009 }
1010
1011 int TCRYPT_get_volume_key(struct crypt_device *cd,
1012                           struct tcrypt_phdr *hdr,
1013                           struct crypt_params_tcrypt *params,
1014                           struct volume_key **vk)
1015 {
1016         struct tcrypt_algs *algs;
1017         unsigned int i, key_index;
1018
1019         if (!hdr->d.version) {
1020                 log_err(cd, _("This function is not supported without TCRYPT header load."));
1021                 return -ENOTSUP;
1022         }
1023
1024         algs = TCRYPT_get_algs(params->cipher, params->mode);
1025         if (!algs)
1026                 return -EINVAL;
1027
1028         *vk = crypt_alloc_volume_key(params->key_size, NULL);
1029         if (!*vk)
1030                 return -ENOMEM;
1031
1032         for (i = 0, key_index = 0; i < algs->chain_count; i++) {
1033                 TCRYPT_copy_key(&algs->cipher[i], algs->mode,
1034                                 &(*vk)->key[key_index], hdr->d.keys);
1035                 key_index += algs->cipher[i].key_size;
1036         }
1037
1038         return 0;
1039 }
1040
1041 int TCRYPT_dump(struct crypt_device *cd,
1042                 struct tcrypt_phdr *hdr,
1043                 struct crypt_params_tcrypt *params)
1044 {
1045         log_std(cd, "%s header information for %s\n",
1046                 hdr->d.magic[0] == 'T' ? "TCRYPT" : "VERACRYPT",
1047                 device_path(crypt_metadata_device(cd)));
1048         if (hdr->d.version) {
1049                 log_std(cd, "Version:       \t%d\n", hdr->d.version);
1050                 log_std(cd, "Driver req.:\t%x.%x\n", hdr->d.version_tc >> 8,
1051                                                     hdr->d.version_tc & 0xFF);
1052
1053                 log_std(cd, "Sector size:\t%" PRIu32 "\n", hdr->d.sector_size);
1054                 log_std(cd, "MK offset:\t%" PRIu64 "\n", hdr->d.mk_offset);
1055                 log_std(cd, "PBKDF2 hash:\t%s\n", params->hash_name);
1056         }
1057         log_std(cd, "Cipher chain:\t%s\n", params->cipher);
1058         log_std(cd, "Cipher mode:\t%s\n", params->mode);
1059         log_std(cd, "MK bits:       \t%zu\n", params->key_size * 8);
1060         return 0;
1061 }