projects / platform / upstream / cryptsetup.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Sanity check for some options.
[platform/upstream/cryptsetup.git] / lib / setup.c
diff --git a/lib/setup.c b/lib/setup.c
index 9637ace..024e2ba 100644 (file)
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -38,8 +38,10 @@ struct crypt_device {
        char *device;
        char *metadata_device;
 
-       char *backing_file;
-       int loop_fd;
+       /* loopback automatic detach helpers */
+       int loop_device_fd;
+       int loop_metadata_device_fd;
+
        struct volume_key *volume_key;
        uint64_t timeout;
        uint64_t iteration_time;
@@ -68,7 +70,8 @@ struct crypt_device {
        /* used in CRYPT_VERITY */
        struct crypt_params_verity verity_hdr;
        char *verity_root_hash;
-       uint64_t verity_root_hash_size;
+       unsigned int verity_root_hash_size;
+       char *verity_uuid;
 
        /* callbacks definitions */
        void (*log)(int level, const char *msg, void *usrptr);
@@ -355,16 +358,23 @@ int crypt_confirm(struct crypt_device *cd, const char *msg)
 static int key_from_terminal(struct crypt_device *cd, char *msg, char **key,
                              size_t *key_len, int force_verify)
 {
-       char *prompt = NULL;
+       char *prompt = NULL, *device_name;
        int r;
 
        *key = NULL;
-       if(!msg && asprintf(&prompt, _("Enter passphrase for %s: "),
-                           cd->backing_file ?: crypt_get_device_name(cd)) < 0)
-               return -ENOMEM;
-
-       if (!msg)
+       if(!msg) {
+               if (crypt_loop_device(crypt_get_device_name(cd)))
+                       device_name = crypt_loop_backing_file(crypt_get_device_name(cd));
+               else
+                       device_name = strdup(crypt_get_device_name(cd));
+               if (!device_name)
+                       return -ENOMEM;
+               r = asprintf(&prompt, _("Enter passphrase for %s: "), device_name);
+               free(device_name);
+               if (r < 0)
+                       return -ENOMEM;
                msg = prompt;
+       }
 
        if (cd->password) {
                *key = crypt_safe_alloc(DEFAULT_PASSPHRASE_SIZE_MAX);
@@ -494,10 +504,48 @@ const char *crypt_get_dir(void)
        return dm_get_dir();
 }
 
+static int set_device_or_loop(const char *device_org, char **device, int *loop_fd)
+{
+       int r, readonly = 0;
+
+       if (!device_org)
+               return 0;
+
+       r = device_ready(NULL, device_org, O_RDONLY);
+       if (r == -ENOTBLK) {
+               *device = crypt_loop_get_device();
+               log_dbg("Not a block device, %s%s.", *device ?
+                       "using free loop device " : "no free loop device found",
+                       *device ?: "");
+               if (!*device) {
+                       log_err(NULL, _("Cannot find a free loopback device.\n"));
+                       return -ENOSYS;
+               }
+
+               /* Keep the loop open, dettached on last close. */
+               *loop_fd = crypt_loop_attach(*device, device_org, 0, 1, &readonly);
+               if (*loop_fd == -1) {
+                       log_err(NULL, _("Attaching loopback device failed "
+                               "(loop device with autoclear flag is required).\n"));
+                       return -EINVAL;
+               }
+
+               r = device_ready(NULL, *device, O_RDONLY);
+       }
+
+       if (r < 0)
+               return -ENOTBLK;
+
+       if (!*device && device_org && !(*device = strdup(device_org)))
+               return -ENOMEM;
+
+       return 0;
+}
+
 int crypt_init(struct crypt_device **cd, const char *device)
 {
        struct crypt_device *h = NULL;
-       int r, readonly = 0;
+       int r;
 
        if (!cd)
                return -EINVAL;
@@ -508,44 +556,12 @@ int crypt_init(struct crypt_device **cd, const char *device)
                return -ENOMEM;
 
        memset(h, 0, sizeof(*h));
-       h->loop_fd = -1;
-
-       if (device) {
-               r = device_ready(NULL, device, O_RDONLY);
-               if (r == -ENOTBLK) {
-                       h->device = crypt_loop_get_device();
-                       log_dbg("Not a block device, %s%s.",
-                               h->device ? "using free loop device " :
-                                        "no free loop device found",
-                               h->device ?: "");
-                       if (!h->device) {
-                               log_err(NULL, _("Cannot find a free loopback device.\n"));
-                               r = -ENOSYS;
-                               goto bad;
-                       }
-
-                       /* Keep the loop open, dettached on last close. */
-                       h->loop_fd = crypt_loop_attach(h->device, device, 0, 1, &readonly);
-                       if (h->loop_fd == -1) {
-                               log_err(NULL, _("Attaching loopback device failed "
-                                       "(loop device with autoclear flag is required).\n"));
-                               r = -EINVAL;
-                               goto bad;
-                       }
+       h->loop_device_fd = -1;
+       h->loop_metadata_device_fd = -1;
 
-                       h->backing_file = crypt_loop_backing_file(h->device);
-                       r = device_ready(NULL, h->device, O_RDONLY);
-               }
-               if (r < 0) {
-                       r = -ENOTBLK;
-                       goto bad;
-               }
-       }
-
-       if (!h->device && device && !(h->device = strdup(device))) {
-               r = -ENOMEM;
+       r = set_device_or_loop(device, &h->device, &h->loop_device_fd);
+       if (r < 0)
                goto bad;
-       }
 
        if (dm_init(h, 1) < 0) {
                r = -ENOSYS;
@@ -561,10 +577,9 @@ int crypt_init(struct crypt_device **cd, const char *device)
 bad:
 
        if (h) {
-               if (h->loop_fd != -1)
-                       close(h->loop_fd);
+               if (h->loop_device_fd != -1)
+                       close(h->loop_device_fd);
                free(h->device);
-               free(h->backing_file);
        }
        free(h);
        return r;
@@ -583,7 +598,7 @@ static int crypt_check_data_device_size(struct crypt_device *cd)
                return r;
 
        if (size < size_min) {
-               log_err(cd, _("LUKS header detected but device %s is too small.\n"),
+               log_err(cd, _("Header detected but device %s is too small.\n"),
                        crypt_get_device_name(cd));
                return -EINVAL;
        }
@@ -593,8 +608,8 @@ static int crypt_check_data_device_size(struct crypt_device *cd)
 
 int crypt_set_data_device(struct crypt_device *cd, const char *device)
 {
-       char *data_device;
-       int r;
+       char *data_device = NULL;
+       int r, loop_fd = -1;
 
        log_dbg("Setting ciphertext data device to %s.", device ?: "(none)");
 
@@ -607,19 +622,21 @@ int crypt_set_data_device(struct crypt_device *cd, const char *device)
        if (!cd->device || !device)
                return -EINVAL;
 
-       r = device_ready(NULL, device, O_RDONLY);
+       r = set_device_or_loop(device, &data_device, &loop_fd);
        if (r < 0)
                return r;
 
-       if (!(data_device = strdup(device)))
-               return -ENOMEM;
-
-       if (!cd->metadata_device)
+       if (!cd->metadata_device) {
                cd->metadata_device = cd->device;
-       else
+               cd->loop_metadata_device_fd = cd->loop_device_fd;
+       } else {
                free(cd->device);
+               if (cd->loop_device_fd != -1)
+                       close(cd->loop_device_fd);
+       }
 
        cd->device = data_device;
+       cd->loop_device_fd = loop_fd;
 
        return crypt_check_data_device_size(cd);
 }
@@ -660,7 +677,8 @@ static int _crypt_load_verity(struct crypt_device *cd, struct crypt_params_verit
        if (params)
                sb_offset = params->hash_area_offset;
 
-       r = VERITY_read_sb(cd, mdata_device(cd), sb_offset, &cd->verity_hdr);
+       r = VERITY_read_sb(cd, mdata_device(cd), sb_offset,
+                          &cd->verity_uuid, &cd->verity_hdr);
        if (r < 0)
                return r;
 
@@ -671,7 +689,10 @@ static int _crypt_load_verity(struct crypt_device *cd, struct crypt_params_verit
            (r = crypt_set_data_device(cd, params->data_device)) < 0)
                return r;
 
+       /* Hash availability checked in sb load */
        cd->verity_root_hash_size = crypt_hash_size(cd->verity_hdr.hash_name);
+       if (cd->verity_root_hash_size > 4096)
+               return -EINVAL;
 
        if (!cd->type && !(cd->type = strdup(CRYPT_VERITY)))
                return -ENOMEM;
@@ -765,8 +786,8 @@ static int _init_by_name_verity(struct crypt_device *cd, const char *name)
                goto out;
 
        if (isVERITY(cd->type)) {
+               cd->verity_uuid = dmd.uuid ? strdup(dmd.uuid) : NULL;
                cd->verity_hdr.flags = CRYPT_VERITY_NO_HEADER; //FIXME
-               //cd->verity_uuid = dmd.uuid ? strdup(dmd.uuid) : NULL;
                cd->verity_hdr.data_size = params.data_size;
                cd->verity_root_hash_size = dmd.u.verity.root_hash_size;
                cd->verity_root_hash = NULL;
@@ -776,7 +797,7 @@ static int _init_by_name_verity(struct crypt_device *cd, const char *name)
                cd->verity_hdr.data_block_size = params.data_block_size;
                cd->verity_hdr.hash_block_size = params.hash_block_size;
                cd->verity_hdr.hash_area_offset = dmd.u.verity.hash_offset;
-               cd->verity_hdr.version = params.version;
+               cd->verity_hdr.hash_type = params.hash_type;
                cd->verity_hdr.flags = params.flags;
                cd->verity_hdr.salt_size = params.salt_size;
                cd->verity_hdr.salt = params.salt;
@@ -858,13 +879,6 @@ int crypt_init_by_name_and_header(struct crypt_device **cd,
 
        /* Try to initialise basic parameters from active device */
 
-       if (!(*cd)->backing_file && dmd.data_device &&
-           crypt_loop_device(dmd.data_device) &&
-           !((*cd)->backing_file = crypt_loop_backing_file(dmd.data_device))) {
-               r = -ENOMEM;
-               goto out;
-       }
-
        if (dmd.target == DM_CRYPT)
                r = _init_by_name_crypt(*cd, name);
        else if (dmd.target == DM_VERITY)
@@ -901,6 +915,9 @@ static int _crypt_format_plain(struct crypt_device *cd,
                return -EINVAL;
        }
 
+       if (!(cd->type = strdup(CRYPT_PLAIN)))
+               return -ENOMEM;
+
        cd->plain_key_size = volume_key_size;
        cd->volume_key = crypt_alloc_volume_key(volume_key_size, NULL);
        if (!cd->volume_key)
@@ -942,6 +959,9 @@ static int _crypt_format_luks1(struct crypt_device *cd,
                return -EINVAL;
        }
 
+       if (!(cd->type = strdup(CRYPT_LUKS1)))
+               return -ENOMEM;
+
        if (volume_key)
                cd->volume_key = crypt_alloc_volume_key(volume_key_size,
                                                      volume_key);
@@ -1006,6 +1026,9 @@ static int _crypt_format_loopaes(struct crypt_device *cd,
                return -EINVAL;
        }
 
+       if (!(cd->type = strdup(CRYPT_LOOPAES)))
+               return -ENOMEM;
+
        cd->loopaes_key_size = volume_key_size;
 
        cd->loopaes_cipher = strdup(cipher ?: DEFAULT_LOOPAES_CIPHER);
@@ -1023,9 +1046,10 @@ static int _crypt_format_loopaes(struct crypt_device *cd,
 }
 
 static int _crypt_format_verity(struct crypt_device *cd,
+                                const char *uuid,
                                 struct crypt_params_verity *params)
 {
-       int r = 0;
+       int r = 0, hash_size;
        uint64_t data_device_size;
 
        if (!mdata_device(cd)) {
@@ -1036,17 +1060,30 @@ static int _crypt_format_verity(struct crypt_device *cd,
        if (!params || !params->data_device)
                return -EINVAL;
 
-       if (params->version > 1)
+       if (params->hash_type > VERITY_MAX_HASH_TYPE) {
+               log_err(cd, _("Unsupported VERITY hash type %d.\n"), params->hash_type);
+               return -EINVAL;
+       }
+
+       if (VERITY_BLOCK_SIZE_OK(params->data_block_size) ||
+           VERITY_BLOCK_SIZE_OK(params->hash_block_size)) {
+               log_err(cd, _("Unsupported VERITY block size.\n"));
+               return -EINVAL;
+       }
+
+       if (params->hash_area_offset % 512) {
+               log_err(cd, _("Unsupported VERITY hash offset.\n"));
                return -EINVAL;
+       }
+
+       if (!(cd->type = strdup(CRYPT_VERITY)))
+               return -ENOMEM;
 
-       /* set data device */
-       cd->type = CRYPT_VERITY;
        r = crypt_set_data_device(cd, params->data_device);
-       cd->type = NULL;
        if (r)
                return r;
        if (!params->data_size) {
-               r = device_size(params->data_device, &data_device_size);
+               r = device_size(cd->device, &data_device_size);
                if (r < 0)
                        return r;
 
@@ -1054,10 +1091,13 @@ static int _crypt_format_verity(struct crypt_device *cd,
        } else
                cd->verity_hdr.data_size = params->data_size;
 
-
-       cd->verity_root_hash_size = crypt_hash_size(params->hash_name);
-       if (!cd->verity_root_hash_size)
+       hash_size = crypt_hash_size(params->hash_name);
+       if (hash_size <= 0) {
+               log_err(cd, _("Hash algorithm %s not supported.\n"),
+                       params->hash_name);
                return -EINVAL;
+       }
+       cd->verity_root_hash_size = hash_size;
 
        cd->verity_root_hash = malloc(cd->verity_root_hash_size);
        if (!cd->verity_root_hash)
@@ -1069,7 +1109,7 @@ static int _crypt_format_verity(struct crypt_device *cd,
        cd->verity_hdr.data_block_size = params->data_block_size;
        cd->verity_hdr.hash_block_size = params->hash_block_size;
        cd->verity_hdr.hash_area_offset = params->hash_area_offset;
-       cd->verity_hdr.version = params->version;
+       cd->verity_hdr.hash_type = params->hash_type;
        cd->verity_hdr.flags = params->flags;
        cd->verity_hdr.salt_size = params->salt_size;
        cd->verity_hdr.salt = malloc(params->salt_size);
@@ -1080,26 +1120,29 @@ static int _crypt_format_verity(struct crypt_device *cd,
                r = crypt_random_get(cd, CONST_CAST(char*)cd->verity_hdr.salt,
                                     params->salt_size, CRYPT_RND_SALT);
        if (r)
-               goto out;
+               return r;
 
        if (params->flags & CRYPT_VERITY_CREATE_HASH) {
                r = VERITY_create(cd, &cd->verity_hdr, cd->device, mdata_device(cd),
                                  cd->verity_root_hash, cd->verity_root_hash_size);
                if (r)
-                       goto out;
+                       return r;
        }
 
-       if (!(params->flags & CRYPT_VERITY_NO_HEADER))
+       if (!(params->flags & CRYPT_VERITY_NO_HEADER)) {
+               if (uuid)
+                       cd->verity_uuid = strdup(uuid);
+               else {
+                       r = VERITY_UUID_generate(cd, &cd->verity_uuid);
+                       if (r)
+                               return r;
+               }
+
                r = VERITY_write_sb(cd, mdata_device(cd),
                                    cd->verity_hdr.hash_area_offset,
+                                   cd->verity_uuid,
                                    &cd->verity_hdr);
-out:
-       if (r) {
-               free(cd->verity_root_hash);
-               free(CONST_CAST(char*)cd->verity_hdr.hash_name);
-               free(CONST_CAST(char*)cd->verity_hdr.salt);
        }
-
        return r;
 }
 
@@ -1137,17 +1180,15 @@ int crypt_format(struct crypt_device *cd,
        else if (isLOOPAES(type))
                r = _crypt_format_loopaes(cd, cipher, uuid, volume_key_size, params);
        else if (isVERITY(type))
-               r = _crypt_format_verity(cd, params);
+               r = _crypt_format_verity(cd, uuid, params);
        else {
-               /* FIXME: allow plugins here? */
                log_err(cd, _("Unknown crypt device type %s requested.\n"), type);
                r = -EINVAL;
        }
 
-       if (!r && !(cd->type = strdup(type)))
-               r = -ENOMEM;
-
        if (r < 0) {
+               free(cd->type);
+               cd->type = NULL;
                crypt_free_volume_key(cd->volume_key);
                cd->volume_key = NULL;
        }
@@ -1183,16 +1224,6 @@ int crypt_load(struct crypt_device *cd,
        } else
                return -EINVAL;
 
-       if (r < 0)
-               return r;
-
-       /* cd->type and header must be set in context */
-       r = crypt_check_data_device_size(cd);
-       if (r < 0) {
-               free(cd->type);
-               cd->type = NULL;
-       }
-
        return r;
 }
 
@@ -1327,7 +1358,6 @@ int crypt_header_restore(struct crypt_device *cd,
        if (requested_type && !isLUKS(requested_type))
                return -EINVAL;
 
-       /* Some hash functions need initialized gcrypt library */
        r = init_crypto(cd);
        if (r < 0)
                return r;
@@ -1343,15 +1373,16 @@ void crypt_free(struct crypt_device *cd)
        if (cd) {
                log_dbg("Releasing crypt device %s context.", mdata_device(cd));
 
-               if (cd->loop_fd != -1)
-                       close(cd->loop_fd);
+               if (cd->loop_device_fd != -1)
+                       close(cd->loop_device_fd);
+               if (cd->loop_metadata_device_fd != -1)
+                       close(cd->loop_metadata_device_fd);
 
                dm_exit();
                crypt_free_volume_key(cd->volume_key);
 
                free(cd->device);
                free(cd->metadata_device);
-               free(cd->backing_file);
                free(cd->type);
 
                /* used in plain device only */
@@ -1369,6 +1400,7 @@ void crypt_free(struct crypt_device *cd)
                free(CONST_CAST(void*)cd->verity_hdr.hash_name);
                free(CONST_CAST(void*)cd->verity_hdr.salt);
                free(cd->verity_root_hash);
+               free(cd->verity_uuid);
 
                free(cd);
        }
@@ -1946,7 +1978,7 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
        struct volume_key *vk = NULL;
        int r = -EINVAL;
 
-       log_dbg("Activating volume %s by volume key.", name);
+       log_dbg("Activating volume %s by volume key.", name ?: "[none]");
 
        if (name) {
                ci = crypt_status(NULL, name);
@@ -2255,7 +2287,8 @@ static int _luks_dump(struct crypt_device *cd)
 static int _verity_dump(struct crypt_device *cd)
 {
        log_std(cd, "VERITY header information for %s\n", mdata_device(cd));
-       log_std(cd, "Version:         \t%u\n", cd->verity_hdr.version);
+       log_std(cd, "UUID:            \t%s\n", cd->verity_uuid ?: "");
+       log_std(cd, "Hash type:       \t%u\n", cd->verity_hdr.hash_type);
        log_std(cd, "Data blocks:     \t%" PRIu64 "\n", cd->verity_hdr.data_size);
        log_std(cd, "Data block size: \t%u\n", cd->verity_hdr.data_block_size);
        log_std(cd, "Hash block size: \t%u\n", cd->verity_hdr.hash_block_size);
@@ -2324,6 +2357,9 @@ const char *crypt_get_uuid(struct crypt_device *cd)
        if (isLOOPAES(cd->type))
                return cd->loopaes_uuid;
 
+       if (isVERITY(cd->type))
+               return cd->verity_uuid;
+
        return NULL;
 }
 
@@ -2415,7 +2451,7 @@ int crypt_get_verity_info(struct crypt_device *cd,
        vp->hash_block_size = cd->verity_hdr.hash_block_size;
        vp->data_size = cd->verity_hdr.data_size;
        vp->hash_area_offset = cd->verity_hdr.hash_area_offset;
-       vp->version = cd->verity_hdr.version;
+       vp->hash_type = cd->verity_hdr.hash_type;
        vp->flags = cd->verity_hdr.flags & CRYPT_VERITY_NO_HEADER;
        return 0;
 }
Domain: System / System Framework;