* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
-/* The code works as follows:
- * - create backup (detached) headers fo old and new device
- * - mark original device unusable
- * - maps two devices, one with old header one with new onto
- * the _same_ underlying device
- * - with direct-io reads old device and copy to new device in defined steps
- * - keps simple off in file (allows restart)
- * - there is several windows when corruption can happen
- *
- * null target
- * dmsetup create x --table "0 $(blockdev --getsz DEV) crypt cipher_null-ecb-null - 0 DEV 0"
- */
+#define _LARGEFILE64_SOURCE
+#define _FILE_OFFSET_BITS 64
+
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
static const char *opt_cipher = NULL;
static const char *opt_hash = NULL;
static const char *opt_key_file = NULL;
+static long opt_keyfile_size = 0;
+static long opt_keyfile_offset = 0;
static int opt_iteration_time = 1000;
static int opt_batch_mode = 0;
static int opt_version_mode = 0;
static int opt_random = 0;
static int opt_urandom = 0;
static int opt_bsize = 4;
-static int opt_new = 0;
static int opt_directio = 0;
static int opt_write_log = 0;
-static const char *opt_new_file = NULL;
+static int opt_tries = 3;
+static int opt_key_slot = CRYPT_ANY_SLOT;
static const char **action_argv;
-sigset_t signals_open;
+static volatile int quit = 0;
+
+#define MAX_SLOT 8
struct {
char *device;
char *device_uuid;
char crypt_path_new[PATH_MAX];
int log_fd;
- char *password;
- size_t passwordLen;
+ struct {
+ char *password;
+ size_t passwordLen;
+ } p[MAX_SLOT];
int keyslot;
+
+ struct timeval start_time, end_time;
+ uint64_t restart_bytest;
} rnc;
char MAGIC[] = {'L','U','K','S', 0xba, 0xbe};
_log(level, msg, usrptr);
}
+static void int_handler(int sig __attribute__((__unused__)))
+{
+ quit++;
+}
+
+static void set_int_block(int block)
+{
+ sigset_t signals_open;
+
+ sigemptyset(&signals_open);
+ sigaddset(&signals_open, SIGINT);
+ sigaddset(&signals_open, SIGTERM);
+ sigprocmask(block ? SIG_SETMASK : SIG_UNBLOCK, &signals_open, NULL);
+}
+
+static void set_int_handler(void)
+{
+ struct sigaction sigaction_open;
+
+ memset(&sigaction_open, 0, sizeof(struct sigaction));
+ sigaction_open.sa_handler = int_handler;
+ sigaction(SIGINT, &sigaction_open, 0);
+ sigaction(SIGTERM, &sigaction_open, 0);
+ set_int_block(0);
+}
+
/* The difference in seconds between two times in "timeval" format. */
double time_diff(struct timeval start, struct timeval end)
{
return r;
}
-static int create_empty_header(const char *new_file, uint64_t size)
+static int create_empty_header(const char *new_file, const char *old_file)
{
+ struct stat st;
+ size_t size;
int fd, r = 0;
char *buf;
+ if (stat(old_file, &st) == -1 || (st.st_mode & S_IFMT) != S_IFREG)
+ return -EINVAL;
+ size = st.st_size;
+
log_dbg("Creating empty file %s of size %lu.", new_file, (unsigned long)size);
if (!(buf = malloc(size)))
} else {
log_dbg("Log file %s exists, restarting.", rnc.log_file);
flags = opt_directio ? O_RDWR|O_DIRECT : O_RDWR;
- rnc.log_fd = open(rnc.log_file, O_RDWR|O_DIRECT);
+ rnc.log_fd = open(rnc.log_file, flags);
if (rnc.log_fd == -1)
return -EINVAL;
rnc.in_progress = 1;
goto out;
if ((r = crypt_activate_by_passphrase(cd, rnc.header_file_org,
- CRYPT_ANY_SLOT, rnc.password, rnc.passwordLen,
+ opt_key_slot, rnc.p[rnc.keyslot].password, rnc.p[rnc.keyslot].passwordLen,
CRYPT_ACTIVATE_READONLY|CRYPT_ACTIVATE_PRIVATE)) < 0)
goto out;
goto out;
if ((r = crypt_activate_by_passphrase(cd_new, rnc.header_file_new,
- CRYPT_ANY_SLOT, rnc.password, rnc.passwordLen,
+ opt_key_slot, rnc.p[rnc.keyslot].password, rnc.p[rnc.keyslot].passwordLen,
CRYPT_ACTIVATE_SHARED|CRYPT_ACTIVATE_PRIVATE)) < 0)
goto out;
+ r = 0;
out:
crypt_free(cd);
crypt_free(cd_new);
+ if (r < 0)
+ log_err("Activation of devices failed.\n");
return r;
}
struct crypt_device *cd = NULL, *cd_new = NULL;
struct crypt_params_luks1 params = {0};
char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
- int r;
+ int i, r;
log_dbg("Creating LUKS header backup for device %s.", rnc.device);
if ((r = crypt_init(&cd, rnc.device)) ||
if ((r = crypt_header_backup(cd, CRYPT_LUKS1, rnc.header_file_org)))
goto out;
- if ((r = create_empty_header(rnc.header_file_new,
- crypt_get_data_offset(cd) * 512)))
+ if ((r = create_empty_header(rnc.header_file_new, rnc.header_file_org)))
goto out;
params.hash = opt_hash ?: DEFAULT_LUKS1_HASH;
NULL, crypt_get_volume_key_size(cd), ¶ms)))
goto out;
- if ((r = crypt_keyslot_add_by_volume_key(cd_new, rnc.keyslot,
- NULL, 0, rnc.password, rnc.passwordLen)) < 0)
- goto out;
+ for (i = 0; i < MAX_SLOT; i++) {
+ if (!rnc.p[i].password)
+ continue;
+ if ((r = crypt_keyslot_add_by_volume_key(cd_new, i,
+ NULL, 0, rnc.p[i].password, rnc.p[i].passwordLen)) < 0)
+ goto out;
+ r = 0;
+ }
out:
crypt_free(cd);
{
struct crypt_device *cd = NULL;
+ log_dbg("Removing headers.");
+
if (crypt_init(&cd, NULL))
return;
crypt_set_log_callback(cd, _quiet_log, NULL);
struct crypt_device *cd = NULL;
int r;
+ log_dbg("Restoring header for %s.", backup);
+
r = crypt_init(&cd, rnc.device);
if (r == 0) {
return r;
}
+void print_progress(uint64_t bytes, int final)
+{
+ uint64_t mbytes = (bytes - rnc.restart_bytest) / 1024 / 1024;
+ struct timeval now_time;
+ double tdiff;
+
+ gettimeofday(&now_time, NULL);
+ if (!final && time_diff(rnc.end_time, now_time) < 0.5)
+ return;
+
+ rnc.end_time = now_time;
+
+ if (opt_batch_mode)
+ return;
+
+ tdiff = time_diff(rnc.start_time, rnc.end_time);
+ if (!tdiff)
+ return;
+
+ log_err("\33[2K\rProgress: %5.1f%%, time elapsed %3.1f seconds, %4"
+ PRIu64 " MB written, speed %5.1f MB/s%s",
+ (double)bytes / rnc.device_size * 100,
+ time_diff(rnc.start_time, rnc.end_time),
+ mbytes, (double)(mbytes) / tdiff,
+ final ? "\n" :"");
+}
+
static int copy_data_forward(int fd_old, int fd_new, size_t block_size, void *buf, uint64_t *bytes)
{
ssize_t s1, s2;
- int j;
- *bytes = 0;
- log_err("Reencrypting [");
- j = 0;
- while (rnc.device_offset < rnc.device_size) {
+ log_dbg("Reencrypting forward.");
+
+ rnc.restart_bytest = *bytes = rnc.device_offset;
+ while (!quit && rnc.device_offset < rnc.device_size) {
s1 = read(fd_old, buf, block_size);
if (s1 < 0 || (s1 != block_size && (rnc.device_offset + s1) != rnc.device_size)) {
log_err("Read error, expecting %d, got %d.\n", (int)block_size, (int)s1);
}
*bytes += (uint64_t)s2;
- if (rnc.device_offset > (j * (rnc.device_size / 10))) {
- log_err("-");
- j++;
- }
+ print_progress(*bytes, 0);
}
- log_err("] Done.\n");
- return 0;
+ return quit ? -EAGAIN : 0;
}
static int copy_data_backward(int fd_old, int fd_new, size_t block_size, void *buf, uint64_t *bytes)
{
- ssize_t s1, s2, working_offset, working_block;
- int j;
+ ssize_t s1, s2, working_block;
+ off64_t working_offset;
- *bytes = 0;
- log_err("Reencrypting [");
- j = 10;
+ log_dbg("Reencrypting backward.");
- while (rnc.device_offset) {
+ rnc.restart_bytest = *bytes = rnc.device_size - rnc.device_offset;
+ while (!quit && rnc.device_offset) {
if (rnc.device_offset < block_size) {
working_offset = 0;
working_block = rnc.device_offset;
working_block = block_size;
}
- if (lseek(fd_old, working_offset, SEEK_SET) < 0 ||
- lseek(fd_new, working_offset, SEEK_SET) < 0)
+ if (lseek64(fd_old, working_offset, SEEK_SET) < 0 ||
+ lseek64(fd_new, working_offset, SEEK_SET) < 0) {
+ log_err("Cannot seek to device offset.\n");
return -EIO;
-//log_err("off: %06d, size %06d\n", working_offset, block_size);
+ }
s1 = read(fd_old, buf, working_block);
if (s1 < 0 || (s1 != working_block)) {
}
*bytes += (uint64_t)s2;
- if (rnc.device_offset < (j * (rnc.device_size / 10))) {
- log_err("-");
- j--;
- }
+ print_progress(*bytes, 0);
}
- log_err("] Done.\n");
- return 0;
+ return quit ? -EAGAIN : 0;
}
static int copy_data(void)
int fd_old = -1, fd_new = -1;
int r = -EINVAL;
void *buf = NULL;
- struct timeval start_time, end_time;
- double tdiff;
uint64_t bytes = 0;
+ log_dbg("Data copy preparation.");
+
fd_old = open(rnc.crypt_path_org, O_RDONLY | (opt_directio ? O_DIRECT : 0));
if (fd_old == -1)
goto out;
if (fd_new == -1)
goto out;
- if (lseek(fd_old, rnc.device_offset, SEEK_SET) == -1)
+ if (lseek64(fd_old, rnc.device_offset, SEEK_SET) == -1)
goto out;
- if (lseek(fd_new, rnc.device_offset, SEEK_SET) == -1)
+ if (lseek64(fd_new, rnc.device_offset, SEEK_SET) == -1)
goto out;
/* Check size */
goto out;
}
+ set_int_handler();
// FIXME: all this should be in init
if (!rnc.in_progress && rnc.reencrypt_direction == BACKWARD)
rnc.device_offset = rnc.device_size;
- gettimeofday(&start_time, NULL);
+ gettimeofday(&rnc.start_time, NULL);
if (rnc.reencrypt_direction == FORWARD)
r = copy_data_forward(fd_old, fd_new, block_size, buf, &bytes);
else
r = copy_data_backward(fd_old, fd_new, block_size, buf, &bytes);
- gettimeofday(&end_time, NULL);
+ set_int_block(1);
+ print_progress(bytes, 1);
if (r < 0)
log_err("ERROR during reencryption.\n");
if (write_log() < 0)
log_err("Log write error, ignored.\n");
- tdiff = time_diff(start_time, end_time);
- log_err("Time elapsed %.2f seconds, %" PRIu64 " MB written, speed %.2f MB/s\n",
- tdiff, bytes / 1024 / 1024, (double)(bytes / 1024 / 1024) / tdiff);
out:
if (fd_old != -1)
close(fd_old);
struct crypt_device *cd = NULL;
int r;
+ log_dbg("Initialising UUID.");
+
/* Try to load LUKS from device */
if ((r = crypt_init(&cd, rnc.device)))
return r;
return r;
}
+static int init_passphrase1(struct crypt_device *cd, const char *msg, int slot_check)
+{
+ int r = -EINVAL, slot, retry_count;
+
+ slot = (slot_check == CRYPT_ANY_SLOT) ? 0 : slot_check;
+
+ retry_count = opt_tries ?: 1;
+ while (retry_count--) {
+ r = crypt_get_key(msg, &rnc.p[slot].password,
+ &rnc.p[slot].passwordLen,
+ 0, 0, NULL /*opt_key_file*/,
+ 0, 0, cd);
+ if (r < 0)
+ return r;
+
+ r = crypt_activate_by_passphrase(cd, NULL, slot_check,
+ rnc.p[slot].password, rnc.p[slot].passwordLen, 0);
+
+ if (r < 0) {
+ crypt_safe_free(rnc.p[slot].password);
+ rnc.p[slot].password = NULL;
+ rnc.p[slot].passwordLen = 0;
+ }
+ if (r < 0 && r != -EPERM)
+ return r;
+ if (r >= 0) {
+ rnc.keyslot = slot;
+ break;
+ }
+ log_err(_("No key available with this passphrase.\n"));
+ }
+ return r;
+}
+
+static int init_keyfile(struct crypt_device *cd, int slot_check)
+{
+ int r, slot;
+
+ slot = (slot_check == CRYPT_ANY_SLOT) ? 0 : slot_check;
+ r = crypt_get_key(NULL, &rnc.p[slot].password, &rnc.p[slot].passwordLen,
+ opt_keyfile_offset, opt_keyfile_size, opt_key_file, 0, 0, cd);
+ if (r < 0)
+ return r;
+
+ r = crypt_activate_by_passphrase(cd, NULL, slot_check,
+ rnc.p[slot].password, rnc.p[slot].passwordLen, 0);
+
+ /*
+ * Allow keyslot only if it is last slot or if user explicitly
+ * specify whch slot to use (IOW others will be disabled).
+ */
+ if (r >= 0 && opt_key_slot == CRYPT_ANY_SLOT &&
+ crypt_keyslot_status(cd, r) != CRYPT_SLOT_ACTIVE_LAST) {
+ log_err(_("Key file can be used only with --key-slot or with "
+ "exactly one key slot active.\n"));
+ r = -EINVAL;
+ }
+
+ if (r < 0) {
+ crypt_safe_free(rnc.p[slot].password);
+ rnc.p[slot].password = NULL;
+ rnc.p[slot].passwordLen = 0;
+ if (r == -EPERM)
+ log_err(_("No key available with this passphrase.\n"));
+ return r;
+ } else
+ rnc.keyslot = slot;
+
+ return r;
+}
+
static int initialize_passphrase(const char *device)
{
struct crypt_device *cd = NULL;
- int r;
+ crypt_keyslot_info ki;
+ char msg[256];
+ int i, r;
+
+ log_dbg("Passhrases initialization.");
if ((r = crypt_init(&cd, device)) ||
(r = crypt_load(cd, CRYPT_LUKS1, NULL)) ||
- (r = crypt_set_data_device(cd, rnc.device)))
- goto out;
-
- if ((r = crypt_get_key(_("Enter LUKS passphrase: "),
- &rnc.password, &rnc.passwordLen,
- 0, 0, opt_key_file,
- 0, 0, cd)) <0)
- goto out;
-
- if ((r = crypt_activate_by_passphrase(cd, NULL,
- CRYPT_ANY_SLOT, rnc.password, rnc.passwordLen, 0) < 0))
- goto out;
+ (r = crypt_set_data_device(cd, rnc.device))) {
+ crypt_free(cd);
+ return r;
+ }
- if (r >= 0) {
- rnc.keyslot = r;
- r = 0;
+ if (opt_key_file) {
+ r = init_keyfile(cd, opt_key_slot);
+ } else if (rnc.in_progress) {
+ r = init_passphrase1(cd, _("Enter any LUKS passphrase: "), CRYPT_ANY_SLOT);
+ } else for (i = 0; i < MAX_SLOT; i++) {
+ ki = crypt_keyslot_status(cd, i);
+ if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
+ continue;
+
+ snprintf(msg, sizeof(msg), _("Enter LUKS passphrase for key slot %u): "), i);
+ r = init_passphrase1(cd, msg, i);
+ if (r < 0)
+ break;
}
-out:
+
crypt_free(cd);
- return r;
+ return r > 0 ? 0 : r;
}
static int initialize_context(const char *device)
if (!(rnc.device = strndup(device, PATH_MAX)))
return -ENOMEM;
-/*
- if (opt_new_file && !create_uuid()) {
- log_err("Cannot create fake header.\n");
- return -EINVAL;
- }
-*/
+
if (initialize_uuid()) {
log_err("No header found on device.\n");
return -EINVAL;
remove_headers();
- /* Block ctrl+c */
- // FIXME: add some routine to handle it
- sigemptyset(&signals_open);
- sigaddset(&signals_open, SIGINT);
- sigprocmask(SIG_SETMASK, &signals_open, NULL);
-
return open_log();
}
static void destroy_context(void)
{
+ int i;
+
log_dbg("Destroying reencryption context.");
close_log();
unlink(rnc.header_file_new);
}
- crypt_safe_free(rnc.password);
+ for (i = 0; i < MAX_SLOT; i++)
+ crypt_safe_free(rnc.p[i].password);
free(rnc.device);
free(rnc.device_uuid);
-
- sigprocmask(SIG_UNBLOCK, &signals_open, NULL);
}
int run_reencrypt(const char *device)
{
int r = -EINVAL;
-
if (initialize_context(device))
goto out;
(r = device_magic(MAKE_UNUSABLE)))
goto out;
} else {
- if ((r = initialize_passphrase(rnc.header_file_org)))
+ if ((r = initialize_passphrase(rnc.header_file_new)))
goto out;
}
{ "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
{ "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
{ "block-size", 'B', POPT_ARG_INT, &opt_bsize, 0, N_("Reencryption block size"), N_("MB") },
- { "new-header", 'N', POPT_ARG_INT, &opt_new, 0, N_("Create new header, need size on the end of device"), N_("MB") },
- { "new-crypt", 'f', POPT_ARG_STRING, &opt_new_file, 0, N_("Log suffix for new reencryption file."), NULL },
{ "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
{ "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
{ "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
{ "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
{ "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
+ { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
{ "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
{ "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
{ "use-directio", '\0', POPT_ARG_NONE, &opt_directio, 0, N_("Use direct-io when accesing devices."), NULL },
{ "write-log", '\0', POPT_ARG_NONE, &opt_write_log, 0, N_("Update log file after every block."), NULL },
+ { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Use only this slot (others will be disabled)."), NULL },
+ { "keyfile-offset", '\0', POPT_ARG_LONG, &opt_keyfile_offset, 0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
+ { "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
POPT_TABLEEND
};
poptContext popt_context;
crypt_set_log_callback(NULL, _log, NULL);
log_err("WARNING: this is experimental code, it can completely break your data.\n");
+ set_int_block(1);
+
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
poptGetInvocationName(popt_context));
- if (opt_new && !opt_new_file)
- usage(popt_context, EXIT_FAILURE, _("You have to use -f with -N."),
- poptGetInvocationName(popt_context));
-
if (opt_debug) {
opt_verbose = 1;
crypt_set_debug_level(-1);
case -ENODEV: r = 4; break;
case -ENOMEM: r = 3; break;
case -EPERM: r = 2; break;
+ case -EAGAIN: log_err(_("Interrupted by a signal.\n"));
case -EINVAL:
case -ENOENT:
case -ENOSYS: