X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=lib%2Fluks1%2Fkeyencryption.c;h=c1c82012df29b0aa8a457e0f9e323e6764678118;hb=refs%2Ftags%2Fupstream%2F2.6.1;hp=3b3cef84c5918e4ed619a87ef3de8d21a0090712;hpb=b016e65daa093a07d43890faee901e582b1219fa;p=platform%2Fupstream%2Fcryptsetup.git diff --git a/lib/luks1/keyencryption.c b/lib/luks1/keyencryption.c index 3b3cef8..c1c8201 100644 --- a/lib/luks1/keyencryption.c +++ b/lib/luks1/keyencryption.c @@ -1,12 +1,14 @@ /* * LUKS - Linux Unified Key Setup * - * Copyright (C) 2004-2006, Clemens Fruhwirth - * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved. + * Copyright (C) 2004-2006 Clemens Fruhwirth + * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved. + * Copyright (C) 2012-2023 Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License - * version 2 as published by the Free Software Foundation. + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -18,189 +20,249 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include #include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include +#include #include -#include - +#include #include "luks.h" +#include "af.h" #include "internal.h" -#define div_round_up(a,b) ({ \ - typeof(a) __a = (a); \ - typeof(b) __b = (b); \ - (__a - 1) / __b + 1; \ -}) +static void _error_hint(struct crypt_device *ctx, const char *device, + const char *cipher, const char *mode, size_t keyLength) +{ + char *c, cipher_spec[MAX_CIPHER_LEN * 3]; -static inline int round_up_modulo(int x, int m) { - return div_round_up(x, m) * m; -} + if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, mode) < 0) + return; -static const char *cleaner_name=NULL; -static uint64_t cleaner_size = 0; -static int devfd=-1; + log_err(ctx, _("Failed to setup dm-crypt key mapping for device %s.\n" + "Check that kernel supports %s cipher (check syslog for more info)."), + device, cipher_spec); -static int setup_mapping(const char *cipher, const char *name, - const char *device, - struct volume_key *vk, - unsigned int sector, size_t srcLength, - int mode, struct crypt_device *ctx) + if (!strncmp(mode, "xts", 3) && (keyLength != 256 && keyLength != 512)) + log_err(ctx, _("Key size in XTS mode must be 256 or 512 bits.")); + else if (!(c = strchr(mode, '-')) || strlen(c) < 4) + log_err(ctx, _("Cipher specification should be in [cipher]-[mode]-[iv] format.")); +} + +static int LUKS_endec_template(char *src, size_t srcLength, + const char *cipher, const char *cipher_mode, + struct volume_key *vk, + unsigned int sector, + ssize_t (*func)(int, size_t, size_t, void *, size_t), + int mode, + struct crypt_device *ctx) { - int device_sector_size = sector_size_for_device(device); + char name[PATH_MAX], path[PATH_MAX]; + char cipher_spec[MAX_CIPHER_LEN * 3]; struct crypt_dm_active_device dmd = { - .target = DM_CRYPT, - .uuid = NULL, - .size = 0, - .flags = 0, - .u.crypt = { - .device = device, - .cipher = cipher, - .vk = vk, - .offset = sector, - .iv_offset = 0, - } + .flags = CRYPT_ACTIVATE_PRIVATE, }; + int r, devfd = -1, remove_dev = 0; + size_t bsize, keyslot_alignment, alignment; - dmd.flags = CRYPT_ACTIVATE_PRIVATE; - if (mode == O_RDONLY) - dmd.flags |= CRYPT_ACTIVATE_READONLY; - /* - * we need to round this to nearest multiple of the underlying - * device's sector size, otherwise the mapping will be refused. - */ - if(device_sector_size < 0) { - log_err(ctx, _("Unable to obtain sector size for %s"), device); + log_dbg(ctx, "Using dmcrypt to access keyslot area."); + + bsize = device_block_size(ctx, crypt_metadata_device(ctx)); + alignment = device_alignment(crypt_metadata_device(ctx)); + if (!bsize || !alignment) return -EINVAL; - } - dmd.size = round_up_modulo(srcLength,device_sector_size)/SECTOR_SIZE; - cleaner_size = dmd.size; + if (bsize > LUKS_ALIGN_KEYSLOTS) + keyslot_alignment = LUKS_ALIGN_KEYSLOTS; + else + keyslot_alignment = bsize; + dmd.size = size_round_up(srcLength, keyslot_alignment) / SECTOR_SIZE; - return dm_create_device(name, "TEMP", &dmd, 0); -} + if (mode == O_RDONLY) + dmd.flags |= CRYPT_ACTIVATE_READONLY; -static void sigint_handler(int sig __attribute__((unused))) -{ - if(devfd >= 0) - close(devfd); - devfd = -1; - if(cleaner_name) - dm_remove_device(cleaner_name, 1, cleaner_size); + if (snprintf(name, sizeof(name), "temporary-cryptsetup-%d", getpid()) < 0) + return -ENOMEM; + if (snprintf(path, sizeof(path), "%s/%s", dm_get_dir(), name) < 0) + return -ENOMEM; + if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, cipher_mode) < 0) + return -ENOMEM; - signal(SIGINT, SIG_DFL); - kill(getpid(), SIGINT); -} - -static const char *_error_hint(char *cipherMode, size_t keyLength) -{ - const char *hint= ""; + r = device_block_adjust(ctx, crypt_metadata_device(ctx), DEV_OK, + sector, &dmd.size, &dmd.flags); + if (r < 0) { + log_err(ctx, _("Device %s does not exist or access denied."), + device_path(crypt_metadata_device(ctx))); + return -EIO; + } - if (!strncmp(cipherMode, "xts", 3) && (keyLength != 256 && keyLength != 512)) - hint = _("Key size in XTS mode must be 256 or 512 bits.\n"); + if (mode != O_RDONLY && dmd.flags & CRYPT_ACTIVATE_READONLY) { + log_err(ctx, _("Cannot write to device %s, permission denied."), + device_path(crypt_metadata_device(ctx))); + return -EACCES; + } - return hint; -} + r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, + crypt_metadata_device(ctx), vk, cipher_spec, 0, sector, + NULL, 0, SECTOR_SIZE); + if (r) + goto out; -/* This function is not reentrant safe, as it installs a signal - handler and global vars for cleaning */ -static int LUKS_endec_template(char *src, size_t srcLength, - struct luks_phdr *hdr, - struct volume_key *vk, - const char *device, - unsigned int sector, - ssize_t (*func)(int, void *, size_t), - int mode, - struct crypt_device *ctx) -{ - char *name = NULL; - char *fullpath = NULL; - char *dmCipherSpec = NULL; - const char *dmDir = dm_get_dir(); - int r = -1; - - if(dmDir == NULL) { - log_err(ctx, _("Failed to obtain device mapper directory.")); - return -1; - } - if(asprintf(&name,"temporary-cryptsetup-%d",getpid()) == -1 || - asprintf(&fullpath,"%s/%s",dmDir,name) == -1 || - asprintf(&dmCipherSpec,"%s-%s",hdr->cipherName, hdr->cipherMode) == -1) { - r = -ENOMEM; - goto out1; - } - - signal(SIGINT, sigint_handler); - cleaner_name = name; - - r = setup_mapping(dmCipherSpec, name, device, - vk, sector, srcLength, mode, ctx); - if(r < 0) { - log_err(ctx, _("Failed to setup dm-crypt key mapping for device %s.\n" - "Check that kernel supports %s cipher (check syslog for more info).\n%s"), - device, dmCipherSpec, - _error_hint(hdr->cipherMode, vk->keylength * 8)); + r = dm_create_device(ctx, name, "TEMP", &dmd); + if (r < 0) { + if (r != -EACCES && r != -ENOTSUP) + _error_hint(ctx, device_path(crypt_metadata_device(ctx)), + cipher, cipher_mode, vk->keylength * 8); r = -EIO; - goto out1; + goto out; } + remove_dev = 1; - devfd = open(fullpath, mode | O_DIRECT | O_SYNC); /* devfd is a global var */ - if(devfd == -1) { - log_err(ctx, _("Failed to open temporary keystore device.\n")); + devfd = open(path, mode | O_DIRECT | O_SYNC); + if (devfd == -1) { + log_err(ctx, _("Failed to open temporary keystore device.")); r = -EIO; - goto out2; + goto out; } - r = func(devfd,src,srcLength); - if(r < 0) { - log_err(ctx, _("Failed to access temporary keystore device.\n")); + r = func(devfd, bsize, alignment, src, srcLength); + if (r < 0) { + log_err(ctx, _("Failed to access temporary keystore device.")); r = -EIO; - goto out3; - } - - r = 0; - out3: - close(devfd); - devfd = -1; - out2: - dm_remove_device(cleaner_name, 1, cleaner_size); - out1: - signal(SIGINT, SIG_DFL); - cleaner_name = NULL; - cleaner_size = 0; - free(dmCipherSpec); - free(fullpath); - free(name); + } else + r = 0; + out: + dm_targets_free(ctx, &dmd); + if (devfd != -1) + close(devfd); + if (remove_dev) + dm_remove_device(ctx, name, CRYPT_DEACTIVATE_FORCE); return r; } int LUKS_encrypt_to_storage(char *src, size_t srcLength, - struct luks_phdr *hdr, + const char *cipher, + const char *cipher_mode, struct volume_key *vk, - const char *device, unsigned int sector, struct crypt_device *ctx) { - return LUKS_endec_template(src,srcLength,hdr,vk, device, - sector, write_blockwise, O_RDWR, ctx); + struct device *device = crypt_metadata_device(ctx); + struct crypt_storage *s; + int devfd, r = 0; + + /* Only whole sector writes supported */ + if (MISALIGNED_512(srcLength)) + return -EINVAL; + + /* Encrypt buffer */ + r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false); + + if (r) + log_dbg(ctx, "Userspace crypto wrapper cannot use %s-%s (%d).", + cipher, cipher_mode, r); + + /* Fallback to old temporary dmcrypt device */ + if (r == -ENOTSUP || r == -ENOENT) + return LUKS_endec_template(src, srcLength, cipher, cipher_mode, + vk, sector, write_blockwise, O_RDWR, ctx); + + if (r) { + _error_hint(ctx, device_path(device), cipher, cipher_mode, + vk->keylength * 8); + return r; + } + + log_dbg(ctx, "Using userspace crypto wrapper to access keyslot area."); + + r = crypt_storage_encrypt(s, 0, srcLength, src); + crypt_storage_destroy(s); + + if (r) + return r; + + r = -EIO; + + /* Write buffer to device */ + if (device_is_locked(device)) + devfd = device_open_locked(ctx, device, O_RDWR); + else + devfd = device_open(ctx, device, O_RDWR); + if (devfd < 0) + goto out; + + if (write_lseek_blockwise(devfd, device_block_size(ctx, device), + device_alignment(device), src, srcLength, + sector * SECTOR_SIZE) < 0) + goto out; + + r = 0; +out: + device_sync(ctx, device); + if (r) + log_err(ctx, _("IO error while encrypting keyslot.")); + + return r; } int LUKS_decrypt_from_storage(char *dst, size_t dstLength, - struct luks_phdr *hdr, + const char *cipher, + const char *cipher_mode, struct volume_key *vk, - const char *device, unsigned int sector, struct crypt_device *ctx) { - return LUKS_endec_template(dst,dstLength,hdr,vk, device, - sector, read_blockwise, O_RDONLY, ctx); + struct device *device = crypt_metadata_device(ctx); + struct crypt_storage *s; + struct stat st; + int devfd, r = 0; + + /* Only whole sector reads supported */ + if (MISALIGNED_512(dstLength)) + return -EINVAL; + + r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false); + + if (r) + log_dbg(ctx, "Userspace crypto wrapper cannot use %s-%s (%d).", + cipher, cipher_mode, r); + + /* Fallback to old temporary dmcrypt device */ + if (r == -ENOTSUP || r == -ENOENT) + return LUKS_endec_template(dst, dstLength, cipher, cipher_mode, + vk, sector, read_blockwise, O_RDONLY, ctx); + + if (r) { + _error_hint(ctx, device_path(device), cipher, cipher_mode, + vk->keylength * 8); + return r; + } + + log_dbg(ctx, "Using userspace crypto wrapper to access keyslot area."); + + /* Read buffer from device */ + if (device_is_locked(device)) + devfd = device_open_locked(ctx, device, O_RDONLY); + else + devfd = device_open(ctx, device, O_RDONLY); + if (devfd < 0) { + log_err(ctx, _("Cannot open device %s."), device_path(device)); + crypt_storage_destroy(s); + return -EIO; + } + + if (read_lseek_blockwise(devfd, device_block_size(ctx, device), + device_alignment(device), dst, dstLength, + sector * SECTOR_SIZE) < 0) { + if (!fstat(devfd, &st) && (st.st_size < (off_t)dstLength)) + log_err(ctx, _("Device %s is too small."), device_path(device)); + else + log_err(ctx, _("IO error while decrypting keyslot.")); + + crypt_storage_destroy(s); + return -EIO; + } + + /* Decrypt buffer */ + r = crypt_storage_decrypt(s, 0, dstLength, dst); + crypt_storage_destroy(s); + + return r; }