2 * Helper utilities for LUKS2 features
4 * Copyright (C) 2018-2023 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2018-2023 Milan Broz
6 * Copyright (C) 2018-2023 Ondrej Kozina
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "cryptsetup.h"
24 #include "cryptsetup_args.h"
25 #include "utils_luks.h"
27 extern const char *set_pbkdf;
29 const char *luksType(const char *type)
31 if (type && !strcmp(type, "luks2"))
34 if (type && !strcmp(type, "luks1"))
37 if (type && !strcmp(type, "luks"))
38 return CRYPT_LUKS; /* NULL */
43 return CRYPT_LUKS; /* NULL */
46 bool isLUKS1(const char *type)
48 return type && !strcmp(type, CRYPT_LUKS1);
51 bool isLUKS2(const char *type)
53 return type && !strcmp(type, CRYPT_LUKS2);
56 int verify_passphrase(int def)
58 /* Batch mode switch off verify - if not overridden by -y */
59 if (ARG_SET(OPT_VERIFY_PASSPHRASE_ID))
61 else if (ARG_SET(OPT_BATCH_MODE_ID))
64 /* Non-tty input doesn't allow verify */
65 if (def && !isatty(STDIN_FILENO)) {
66 if (ARG_SET(OPT_VERIFY_PASSPHRASE_ID))
67 log_err(_("Can't do passphrase verification on non-tty inputs."));
74 void set_activation_flags(uint32_t *flags)
76 if (ARG_SET(OPT_READONLY_ID))
77 *flags |= CRYPT_ACTIVATE_READONLY;
79 if (ARG_SET(OPT_ALLOW_DISCARDS_ID))
80 *flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
82 if (ARG_SET(OPT_PERF_SAME_CPU_CRYPT_ID))
83 *flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT;
85 if (ARG_SET(OPT_PERF_SUBMIT_FROM_CRYPT_CPUS_ID))
86 *flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS;
88 if (ARG_SET(OPT_PERF_NO_READ_WORKQUEUE_ID))
89 *flags |= CRYPT_ACTIVATE_NO_READ_WORKQUEUE;
91 if (ARG_SET(OPT_PERF_NO_WRITE_WORKQUEUE_ID))
92 *flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE;
94 if (ARG_SET(OPT_INTEGRITY_NO_JOURNAL_ID))
95 *flags |= CRYPT_ACTIVATE_NO_JOURNAL;
97 /* In persistent mode, we use what is set on command line */
98 if (ARG_SET(OPT_PERSISTENT_ID))
99 *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
101 /* Only for LUKS2 but ignored elsewhere */
102 if (ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
103 (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
104 *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
106 if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
107 *flags |= CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF;
110 if (ARG_SET(OPT_IV_LARGE_SECTORS_ID))
111 *flags |= CRYPT_ACTIVATE_IV_LARGE_SECTORS;
114 int set_pbkdf_params(struct crypt_device *cd, const char *dev_type)
116 const struct crypt_pbkdf_type *pbkdf_default;
117 struct crypt_pbkdf_type pbkdf = {};
119 pbkdf_default = crypt_get_pbkdf_default(dev_type);
123 pbkdf.type = set_pbkdf ?: pbkdf_default->type;
124 pbkdf.hash = ARG_STR(OPT_HASH_ID) ?: pbkdf_default->hash;
125 pbkdf.time_ms = ARG_UINT32(OPT_ITER_TIME_ID) ?: pbkdf_default->time_ms;
126 if (strcmp(pbkdf.type, CRYPT_KDF_PBKDF2)) {
127 pbkdf.max_memory_kb = ARG_UINT32(OPT_PBKDF_MEMORY_ID) ?: pbkdf_default->max_memory_kb;
128 pbkdf.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID) ?: pbkdf_default->parallel_threads;
131 if (ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID)) {
132 pbkdf.iterations = ARG_UINT32(OPT_PBKDF_FORCE_ITERATIONS_ID);
134 pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK;
137 return crypt_set_pbkdf_type(cd, &pbkdf);
140 int set_tries_tty(void)
142 return (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1;
145 int get_adjusted_key_size(const char *cipher_mode, uint32_t default_size_bits, int integrity_keysize)
147 uint32_t keysize_bits = ARG_UINT32(OPT_KEY_SIZE_ID);
149 #ifdef ENABLE_LUKS_ADJUST_XTS_KEYSIZE
150 if (!ARG_SET(OPT_KEY_SIZE_ID) && !strncmp(cipher_mode, "xts-", 4)) {
151 if (default_size_bits == 128)
153 else if (default_size_bits == 256)
157 return (keysize_bits ?: default_size_bits) / 8 + integrity_keysize;
161 * FIXME: 4MiBs is max LUKS2 mda length (including binary header).
162 * In future, read max allowed JSON size from config section.
164 #define LUKS2_MAX_MDA_SIZE 0x400000
165 int tools_read_json_file(const char *file, char **json, size_t *json_size, bool batch_mode)
171 block = tools_signals_blocked();
175 if (tools_is_stdin(file)) {
177 log_dbg("STDIN descriptor JSON read requested.");
179 log_dbg("File descriptor JSON read requested.");
180 fd = open(file, O_RDONLY);
182 log_err(_("Failed to open file %s in read-only mode."), file);
188 buf = malloc(LUKS2_MAX_MDA_SIZE);
194 if (isatty(fd) && !batch_mode)
195 log_std(_("Provide valid LUKS2 token JSON:\n"));
197 /* we expect JSON (string) */
199 ret = read_buffer_intr(fd, buf, LUKS2_MAX_MDA_SIZE - 1, &quit);
202 log_err(_("Failed to read JSON file."));
207 log_err(_("\nRead interrupted."));
211 *json_size = (size_t)ret;
213 *(*json + ret) = '\0';
217 if (fd >= 0 && fd != STDIN_FILENO)
220 memset(buf, 0, LUKS2_MAX_MDA_SIZE);
226 int tools_write_json_file(const char *file, const char *json)
232 if (!json || !(json_len = strlen(json)) || json_len >= LUKS2_MAX_MDA_SIZE)
235 block = tools_signals_blocked();
239 if (tools_is_stdin(file)) {
241 log_dbg("STDOUT descriptor JSON write requested.");
243 log_dbg("File descriptor JSON write requested.");
244 fd = open(file, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
248 log_err(_("Failed to open file %s in write mode."), file ?: "");
254 ret = write_buffer_intr(fd, json, json_len, &quit);
257 log_err(_("\nWrite interrupted."));
260 if (ret < 0 || (size_t)ret != json_len) {
261 log_err(_("Failed to write JSON file."));
267 (void) write_buffer_intr(fd, "\n", 1, &quit);
271 if (fd >=0 && fd != STDOUT_FILENO)