/*
* LUKS - Linux Unified Key Setup
*
- * Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2023 Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
*/
#include <stdio.h>
-#include <fcntl.h>
+#include <string.h>
#include <errno.h>
+#include <sys/stat.h>
#include "luks.h"
+#include "af.h"
#include "internal.h"
static void _error_hint(struct crypt_device *ctx, const char *device,
- const char *cipher_spec, const char *mode, size_t keyLength)
+ const char *cipher, const char *mode, size_t keyLength)
{
+ char *c, cipher_spec[MAX_CIPHER_LEN * 3];
+
+ if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, mode) < 0)
+ return;
+
log_err(ctx, _("Failed to setup dm-crypt key mapping for device %s.\n"
- "Check that kernel supports %s cipher (check syslog for more info).\n"),
+ "Check that kernel supports %s cipher (check syslog for more info)."),
device, cipher_spec);
if (!strncmp(mode, "xts", 3) && (keyLength != 256 && keyLength != 512))
- log_err(ctx, _("Key size in XTS mode must be 256 or 512 bits.\n"));
+ log_err(ctx, _("Key size in XTS mode must be 256 or 512 bits."));
+ else if (!(c = strchr(mode, '-')) || strlen(c) < 4)
+ log_err(ctx, _("Cipher specification should be in [cipher]-[mode]-[iv] format."));
}
static int LUKS_endec_template(char *src, size_t srcLength,
const char *cipher, const char *cipher_mode,
struct volume_key *vk,
unsigned int sector,
- ssize_t (*func)(int, int, void *, size_t),
+ ssize_t (*func)(int, size_t, size_t, void *, size_t),
int mode,
struct crypt_device *ctx)
{
char name[PATH_MAX], path[PATH_MAX];
char cipher_spec[MAX_CIPHER_LEN * 3];
struct crypt_dm_active_device dmd = {
- .target = DM_CRYPT,
- .uuid = NULL,
- .flags = CRYPT_ACTIVATE_PRIVATE,
- .data_device = crypt_metadata_device(ctx),
- .u.crypt = {
- .cipher = cipher_spec,
- .vk = vk,
- .offset = sector,
- .iv_offset = 0,
- }
+ .flags = CRYPT_ACTIVATE_PRIVATE,
};
- int r, bsize, devfd = -1;
+ int r, devfd = -1, remove_dev = 0;
+ size_t bsize, keyslot_alignment, alignment;
+
+ log_dbg(ctx, "Using dmcrypt to access keyslot area.");
- bsize = device_block_size(dmd.data_device);
- if (bsize <= 0)
+ bsize = device_block_size(ctx, crypt_metadata_device(ctx));
+ alignment = device_alignment(crypt_metadata_device(ctx));
+ if (!bsize || !alignment)
return -EINVAL;
- dmd.size = size_round_up(srcLength, bsize) / SECTOR_SIZE;
+ if (bsize > LUKS_ALIGN_KEYSLOTS)
+ keyslot_alignment = LUKS_ALIGN_KEYSLOTS;
+ else
+ keyslot_alignment = bsize;
+ dmd.size = size_round_up(srcLength, keyslot_alignment) / SECTOR_SIZE;
if (mode == O_RDONLY)
dmd.flags |= CRYPT_ACTIVATE_READONLY;
if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, cipher_mode) < 0)
return -ENOMEM;
- r = device_block_adjust(ctx, dmd.data_device, DEV_OK,
- dmd.u.crypt.offset, &dmd.size, &dmd.flags);
+ r = device_block_adjust(ctx, crypt_metadata_device(ctx), DEV_OK,
+ sector, &dmd.size, &dmd.flags);
if (r < 0) {
- log_err(ctx, _("Device %s doesn't exist or access denied.\n"),
- device_path(dmd.data_device));
+ log_err(ctx, _("Device %s does not exist or access denied."),
+ device_path(crypt_metadata_device(ctx)));
return -EIO;
}
if (mode != O_RDONLY && dmd.flags & CRYPT_ACTIVATE_READONLY) {
- log_err(ctx, _("Cannot write to device %s, permission denied.\n"),
- device_path(dmd.data_device));
+ log_err(ctx, _("Cannot write to device %s, permission denied."),
+ device_path(crypt_metadata_device(ctx)));
return -EACCES;
}
- r = dm_create_device(ctx, name, "TEMP", &dmd, 0);
+ r = dm_crypt_target_set(&dmd.segment, 0, dmd.size,
+ crypt_metadata_device(ctx), vk, cipher_spec, 0, sector,
+ NULL, 0, SECTOR_SIZE);
+ if (r)
+ goto out;
+
+ r = dm_create_device(ctx, name, "TEMP", &dmd);
if (r < 0) {
if (r != -EACCES && r != -ENOTSUP)
- _error_hint(ctx, device_path(dmd.data_device),
- cipher_spec, cipher_mode, vk->keylength * 8);
- return -EIO;
+ _error_hint(ctx, device_path(crypt_metadata_device(ctx)),
+ cipher, cipher_mode, vk->keylength * 8);
+ r = -EIO;
+ goto out;
}
+ remove_dev = 1;
devfd = open(path, mode | O_DIRECT | O_SYNC);
if (devfd == -1) {
- log_err(ctx, _("Failed to open temporary keystore device.\n"));
+ log_err(ctx, _("Failed to open temporary keystore device."));
r = -EIO;
goto out;
}
- r = func(devfd, bsize, src, srcLength);
+ r = func(devfd, bsize, alignment, src, srcLength);
if (r < 0) {
- log_err(ctx, _("Failed to access temporary keystore device.\n"));
+ log_err(ctx, _("Failed to access temporary keystore device."));
r = -EIO;
} else
r = 0;
out:
- if(devfd != -1)
+ dm_targets_free(ctx, &dmd);
+ if (devfd != -1)
close(devfd);
- dm_remove_device(ctx, name, 1, dmd.size);
+ if (remove_dev)
+ dm_remove_device(ctx, name, CRYPT_DEACTIVATE_FORCE);
return r;
}
unsigned int sector,
struct crypt_device *ctx)
{
- return LUKS_endec_template(src, srcLength, cipher, cipher_mode,
- vk, sector, write_blockwise, O_RDWR, ctx);
+ struct device *device = crypt_metadata_device(ctx);
+ struct crypt_storage *s;
+ int devfd, r = 0;
+
+ /* Only whole sector writes supported */
+ if (MISALIGNED_512(srcLength))
+ return -EINVAL;
+
+ /* Encrypt buffer */
+ r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
+
+ if (r)
+ log_dbg(ctx, "Userspace crypto wrapper cannot use %s-%s (%d).",
+ cipher, cipher_mode, r);
+
+ /* Fallback to old temporary dmcrypt device */
+ if (r == -ENOTSUP || r == -ENOENT)
+ return LUKS_endec_template(src, srcLength, cipher, cipher_mode,
+ vk, sector, write_blockwise, O_RDWR, ctx);
+
+ if (r) {
+ _error_hint(ctx, device_path(device), cipher, cipher_mode,
+ vk->keylength * 8);
+ return r;
+ }
+
+ log_dbg(ctx, "Using userspace crypto wrapper to access keyslot area.");
+
+ r = crypt_storage_encrypt(s, 0, srcLength, src);
+ crypt_storage_destroy(s);
+
+ if (r)
+ return r;
+
+ r = -EIO;
+
+ /* Write buffer to device */
+ if (device_is_locked(device))
+ devfd = device_open_locked(ctx, device, O_RDWR);
+ else
+ devfd = device_open(ctx, device, O_RDWR);
+ if (devfd < 0)
+ goto out;
+
+ if (write_lseek_blockwise(devfd, device_block_size(ctx, device),
+ device_alignment(device), src, srcLength,
+ sector * SECTOR_SIZE) < 0)
+ goto out;
+
+ r = 0;
+out:
+ device_sync(ctx, device);
+ if (r)
+ log_err(ctx, _("IO error while encrypting keyslot."));
+
+ return r;
}
int LUKS_decrypt_from_storage(char *dst, size_t dstLength,
unsigned int sector,
struct crypt_device *ctx)
{
- return LUKS_endec_template(dst, dstLength, cipher, cipher_mode,
- vk, sector, read_blockwise, O_RDONLY, ctx);
+ struct device *device = crypt_metadata_device(ctx);
+ struct crypt_storage *s;
+ struct stat st;
+ int devfd, r = 0;
+
+ /* Only whole sector reads supported */
+ if (MISALIGNED_512(dstLength))
+ return -EINVAL;
+
+ r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
+
+ if (r)
+ log_dbg(ctx, "Userspace crypto wrapper cannot use %s-%s (%d).",
+ cipher, cipher_mode, r);
+
+ /* Fallback to old temporary dmcrypt device */
+ if (r == -ENOTSUP || r == -ENOENT)
+ return LUKS_endec_template(dst, dstLength, cipher, cipher_mode,
+ vk, sector, read_blockwise, O_RDONLY, ctx);
+
+ if (r) {
+ _error_hint(ctx, device_path(device), cipher, cipher_mode,
+ vk->keylength * 8);
+ return r;
+ }
+
+ log_dbg(ctx, "Using userspace crypto wrapper to access keyslot area.");
+
+ /* Read buffer from device */
+ if (device_is_locked(device))
+ devfd = device_open_locked(ctx, device, O_RDONLY);
+ else
+ devfd = device_open(ctx, device, O_RDONLY);
+ if (devfd < 0) {
+ log_err(ctx, _("Cannot open device %s."), device_path(device));
+ crypt_storage_destroy(s);
+ return -EIO;
+ }
+
+ if (read_lseek_blockwise(devfd, device_block_size(ctx, device),
+ device_alignment(device), dst, dstLength,
+ sector * SECTOR_SIZE) < 0) {
+ if (!fstat(devfd, &st) && (st.st_size < (off_t)dstLength))
+ log_err(ctx, _("Device %s is too small."), device_path(device));
+ else
+ log_err(ctx, _("IO error while decrypting keyslot."));
+
+ crypt_storage_destroy(s);
+ return -EIO;
+ }
+
+ /* Decrypt buffer */
+ r = crypt_storage_decrypt(s, 0, dstLength, dst);
+ crypt_storage_destroy(s);
+
+ return r;
}
projects / platform / upstream / cryptsetup.git / blobdiff