X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=src%2Fcryptsetup.c;h=8fc4d6c12e80bd65c7e97a08877c65804264e807;hb=ad21d48762fa70838d4ab4fbe8fe2a2e8a4dcef1;hp=252f03100ceebd3d947a51f2e9205b15bf8f81f3;hpb=46de69d0e671617705f8dcffac6bff15ce805c7a;p=platform%2Fupstream%2Fcryptsetup.git diff --git a/src/cryptsetup.c b/src/cryptsetup.c index 252f031..8fc4d6c 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -1,10 +1,10 @@ /* * cryptsetup - setup cryptographic volumes for dm-crypt * - * Copyright (C) 2004, Christophe Saout + * Copyright (C) 2004, Jana Saout * Copyright (C) 2004-2007, Clemens Fruhwirth - * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved. - * Copyright (C) 2009-2012, Milan Broz + * Copyright (C) 2009-2015, Red Hat, Inc. All rights reserved. + * Copyright (C) 2009-2015, Milan Broz * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -57,14 +57,26 @@ static int opt_urandom = 0; static int opt_dump_master_key = 0; static int opt_shared = 0; static int opt_allow_discards = 0; +static int opt_perf_same_cpu_crypt = 0; +static int opt_perf_submit_from_crypt_cpus = 0; static int opt_test_passphrase = 0; static int opt_tcrypt_hidden = 0; static int opt_tcrypt_system = 0; +static int opt_tcrypt_backup = 0; +static int opt_veracrypt = 0; static const char **action_argv; static int action_argc; static const char *null_action_argv[] = {NULL, NULL}; +static const char *uuid_or_device_header(const char **data_device) +{ + if (data_device) + *data_device = opt_header_device ? action_argv[0] : NULL; + + return uuid_or_device(opt_header_device ?: action_argv[0]); +} + static int _verify_passphrase(int def) { /* Batch mode switch off verify - if not overrided by -y */ @@ -83,6 +95,21 @@ static int _verify_passphrase(int def) return def; } +static void _set_activation_flags(uint32_t *flags) +{ + if (opt_readonly) + *flags |= CRYPT_ACTIVATE_READONLY; + + if (opt_allow_discards) + *flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS; + + if (opt_perf_same_cpu_crypt) + *flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT; + + if (opt_perf_submit_from_crypt_cpus) + *flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS; +} + static int action_open_plain(void) { struct crypt_device *cd = NULL; @@ -97,19 +124,9 @@ static int action_open_plain(void) size_t passwordLen; size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8; uint32_t activate_flags = 0; + int keyfile_limited = 0; int r; - if (params.hash && !strcmp(params.hash, "plain")) - params.hash = NULL; - - /* FIXME: temporary hack */ - if (opt_key_file && strcmp(opt_key_file, "-")) - params.hash = NULL; - - if ((opt_keyfile_offset || opt_keyfile_size) && opt_key_file) - log_std(_("Ignoring keyfile offset and size options, keyfile read " - "size is always the same as encryption key size.\n")); - r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN), cipher, NULL, cipher_mode); if (r < 0) { @@ -117,6 +134,24 @@ static int action_open_plain(void) goto out; } + if (opt_key_file && strcmp(opt_key_file, "-") != 0) + keyfile_limited = 1; + + /* FIXME: temporary hack, no hashing for keyfiles in plain mode */ + if (opt_key_file && keyfile_limited) { + params.hash = NULL; + if (!opt_batch_mode && opt_hash) + log_std(_("WARNING: The --hash parameter is being ignored " + "in plain mode with keyfile specified.\n")); + } + + if (params.hash && !strcmp(params.hash, "plain")) + params.hash = NULL; + + if (!opt_batch_mode && !params.hash && opt_key_file && keyfile_limited && opt_keyfile_size) + log_std(_("WARNING: The --keyfile-size option is being ignored, " + "the read size is the same as the encryption key size.\n")); + if ((r = crypt_init(&cd, action_argv[0]))) goto out; @@ -132,22 +167,22 @@ static int action_open_plain(void) if (r < 0) goto out; - if (opt_readonly) - activate_flags |= CRYPT_ACTIVATE_READONLY; - if (opt_shared) activate_flags |= CRYPT_ACTIVATE_SHARED; - if (opt_allow_discards) - activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS; + _set_activation_flags(&activate_flags); - if (opt_key_file) - /* With hashing, read the whole keyfile */ + if (opt_key_file) { + /* If no hash, key is read directly, read size is always key_size + * (possible opt_keyfile_size is ignored. + * If hash is specified, opt_keyfile_size is applied. + * The opt_keyfile_offset is applied always. + */ r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT, opt_key_file, - params.hash ? 0 : key_size, 0, + params.hash ? opt_keyfile_size : key_size, opt_keyfile_offset, activate_flags); - else { + } else { r = tools_get_key(_("Enter passphrase: "), &password, &passwordLen, opt_keyfile_offset, opt_keyfile_size, @@ -184,11 +219,7 @@ static int action_open_loopaes(void) return -EINVAL; } - if (opt_readonly) - activate_flags |= CRYPT_ACTIVATE_READONLY; - - if (opt_allow_discards) - activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS; + _set_activation_flags(&activate_flags); if ((r = crypt_init(&cd, action_argv[0]))) goto out; @@ -201,23 +232,68 @@ static int action_open_loopaes(void) r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size, - opt_keyfile_size, activate_flags); + opt_keyfile_offset, activate_flags); out: crypt_free(cd); return r; } +static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *params) +{ + int r, tries = opt_tries, eperm = 0; + + do { + /* TCRYPT header is encrypted, get passphrase now */ + r = tools_get_key(_("Enter passphrase: "), + CONST_CAST(char**)¶ms->passphrase, + ¶ms->passphrase_size, 0, 0, NULL, opt_timeout, + _verify_passphrase(0), 0, cd); + if (r < 0) + continue; + + if (opt_tcrypt_hidden) + params->flags |= CRYPT_TCRYPT_HIDDEN_HEADER; + + if (opt_tcrypt_system) + params->flags |= CRYPT_TCRYPT_SYSTEM_HEADER; + + if (opt_tcrypt_backup) + params->flags |= CRYPT_TCRYPT_BACKUP_HEADER; + + r = crypt_load(cd, CRYPT_TCRYPT, params); + + if (r == -EPERM) { + log_err(_("No device header detected with this passphrase.\n")); + eperm = 1; + } + + if (r < 0) { + crypt_safe_free(CONST_CAST(char*)params->passphrase); + params->passphrase = NULL; + params->passphrase_size = 0; + } + check_signal(&r); + } while (r == -EPERM && (--tries > 0)); + + /* Report wrong passphrase if at least one try failed */ + if (eperm && r == -EPIPE) + r = -EPERM; + + return r; +} + static int action_open_tcrypt(void) { struct crypt_device *cd = NULL; struct crypt_params_tcrypt params = { .keyfiles = opt_keyfiles, .keyfiles_count = opt_keyfiles_count, - .flags = CRYPT_TCRYPT_LEGACY_MODES, + .flags = CRYPT_TCRYPT_LEGACY_MODES | + (opt_veracrypt ? CRYPT_TCRYPT_VERA_MODES : 0), }; const char *activated_name; - uint32_t flags = 0; + uint32_t activate_flags = 0; int r; activated_name = opt_test_passphrase ? NULL : action_argv[1]; @@ -225,33 +301,15 @@ static int action_open_tcrypt(void) if ((r = crypt_init(&cd, action_argv[0]))) goto out; - /* TCRYPT header is encrypted, get passphrase now */ - r = tools_get_key(_("Enter passphrase: "), - CONST_CAST(char**)¶ms.passphrase, - ¶ms.passphrase_size, 0, 0, NULL, opt_timeout, - _verify_passphrase(0), 0, cd); + r = tcrypt_load(cd, ¶ms); if (r < 0) goto out; - if (opt_tcrypt_hidden) - params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER; - - if (opt_tcrypt_system) - params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER; - - r = crypt_load(cd, CRYPT_TCRYPT, ¶ms); - check_signal(&r); - if (r < 0) - goto out; - - if (opt_readonly) - flags |= CRYPT_ACTIVATE_READONLY; + _set_activation_flags(&activate_flags); if (activated_name) - r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, flags); + r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, activate_flags); out: - if (r == -EPERM) - log_err(_("No device header detected with this passphrase.\n")); crypt_free(cd); crypt_safe_free(CONST_CAST(char*)params.passphrase); return r; @@ -305,29 +363,15 @@ static int action_tcryptDump(void) struct crypt_params_tcrypt params = { .keyfiles = opt_keyfiles, .keyfiles_count = opt_keyfiles_count, - .flags = CRYPT_TCRYPT_LEGACY_MODES, + .flags = CRYPT_TCRYPT_LEGACY_MODES | + (opt_veracrypt ? CRYPT_TCRYPT_VERA_MODES : 0), }; int r; if ((r = crypt_init(&cd, action_argv[0]))) goto out; - /* TCRYPT header is encrypted, get passphrase now */ - r = tools_get_key(_("Enter passphrase: "), - CONST_CAST(char**)¶ms.passphrase, - ¶ms.passphrase_size, 0, 0, NULL, opt_timeout, - _verify_passphrase(0), 0, cd); - if (r < 0) - goto out; - - if (opt_tcrypt_hidden) - params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER; - - if (opt_tcrypt_system) - params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER; - - r = crypt_load(cd, CRYPT_TCRYPT, ¶ms); - check_signal(&r); + r = tcrypt_load(cd, ¶ms); if (r < 0) goto out; @@ -336,8 +380,6 @@ static int action_tcryptDump(void) else r = crypt_dump(cd); out: - if (r == -EPERM) - log_err(_("No device header detected with this passphrase.\n")); crypt_free(cd); crypt_safe_free(CONST_CAST(char*)params.passphrase); return r; @@ -404,10 +446,10 @@ static int action_status(void) ci == CRYPT_BUSY ? " and is in use" : ""); r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device); - if (r < 0 || !crypt_get_type(cd)) + if (r < 0) goto out; - log_std(" type: %s\n", crypt_get_type(cd)); + log_std(" type: %s\n", crypt_get_type(cd) ?: "n/a"); r = crypt_get_active_device(cd, action_argv[0], &cad); if (r < 0) @@ -428,8 +470,13 @@ static int action_status(void) log_std(" skipped: %" PRIu64 " sectors\n", cad.iv_offset); log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ? "readonly" : "read/write"); - if (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) - log_std(" flags: discards\n"); + if (cad.flags & (CRYPT_ACTIVATE_ALLOW_DISCARDS| + CRYPT_ACTIVATE_ALLOW_DISCARDS| + CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)) + log_std(" flags: %s%s%s\n", + (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) ? "discards " : "", + (cad.flags & CRYPT_ACTIVATE_SAME_CPU_CRYPT) ? "same_cpu_crypt " : "", + (cad.flags & CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) ? "submit_from_crypt_cpus" : ""); } out: crypt_free(cd); @@ -453,6 +500,29 @@ static int action_benchmark_kdf(const char *hash) return r; } +static int benchmark_cipher_loop(const char *cipher, const char *cipher_mode, + size_t volume_key_size, size_t iv_size, + double *encryption_mbs, double *decryption_mbs) +{ + int r, buffer_size = 1024 * 1024; + + do { + r = crypt_benchmark(NULL, cipher, cipher_mode, + volume_key_size, iv_size, buffer_size, + encryption_mbs, decryption_mbs); + if (r == -ERANGE) { + if (buffer_size < 1024 * 1024 * 65) + buffer_size *= 2; + else { + log_err(_("Result of benchmark is not reliable.\n")); + r = -ENOENT; + } + } + } while (r == -ERANGE); + + return r; +} + static int action_benchmark(void) { static struct { @@ -475,14 +545,13 @@ static int action_benchmark(void) { "twofish", "xts", 64, 16 }, { NULL, NULL, 0, 0 } }; - static char *bkdfs[] = { + static const char *bkdfs[] = { "sha1", "sha256", "sha512", "ripemd160", "whirlpool", NULL }; char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; double enc_mbr = 0, dec_mbr = 0; int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS); int iv_size = 16, skipped = 0; - int buffer_size = 1024 * 1024; char *c; int i, r; @@ -504,12 +573,15 @@ static int action_benchmark(void) strstr(cipher, "cast5")) iv_size = 8; - r = crypt_benchmark(NULL, cipher, cipher_mode, - key_size / 8, iv_size, buffer_size, - &enc_mbr, &dec_mbr); + if (!strcmp(cipher_mode, "ecb")) + iv_size = 0; + + r = benchmark_cipher_loop(cipher, cipher_mode, + key_size / 8, iv_size, + &enc_mbr, &dec_mbr); if (!r) { - log_std(N_("# Algorithm | Key | Encryption | Decryption\n")); - log_std("%8s-%s %4db %5.1f MiB/s %5.1f MiB/s\n", + log_std(N_("# Algorithm | Key | Encryption | Decryption\n")); + log_std("%8s-%s %4db %6.1f MiB/s %6.1f MiB/s\n", cipher, cipher_mode, key_size, enc_mbr, dec_mbr); } else if (r == -ENOENT) log_err(_("Cipher %s is not available.\n"), opt_cipher); @@ -521,24 +593,24 @@ static int action_benchmark(void) break; } for (i = 0; bciphers[i].cipher; i++) { - r = crypt_benchmark(NULL, bciphers[i].cipher, bciphers[i].mode, + r = benchmark_cipher_loop(bciphers[i].cipher, bciphers[i].mode, bciphers[i].key_size, bciphers[i].iv_size, - buffer_size, &enc_mbr, &dec_mbr); + &enc_mbr, &dec_mbr); check_signal(&r); if (r == -ENOTSUP || r == -EINTR) break; if (r == -ENOENT) skipped++; if (i == 0) - log_std(N_("# Algorithm | Key | Encryption | Decryption\n")); + log_std(N_("# Algorithm | Key | Encryption | Decryption\n")); snprintf(cipher, MAX_CIPHER_LEN, "%s-%s", bciphers[i].cipher, bciphers[i].mode); if (!r) - log_std("%12s %4db %5.1f MiB/s %5.1f MiB/s\n", + log_std("%12s %4zub %6.1f MiB/s %6.1f MiB/s\n", cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr); else - log_std("%12s %4db %12s %12s\n", cipher, + log_std("%12s %4zub %13s %13s\n", cipher, bciphers[i].key_size*8, _("N/A"), _("N/A")); } if (skipped && skipped == i) @@ -657,7 +729,7 @@ static int action_luksFormat(void) else if (opt_urandom) crypt_set_rng_type(cd, CRYPT_RNG_URANDOM); - r = tools_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen, + r = tools_get_key(_("Enter passphrase: "), &password, &passwordLen, opt_keyfile_offset, opt_keyfile_size, opt_key_file, opt_timeout, _verify_passphrase(1), 1, cd); if (r < 0) @@ -691,16 +763,10 @@ static int action_open_luks(void) struct crypt_device *cd = NULL; const char *data_device, *header_device, *activated_name; char *key = NULL; - uint32_t flags = 0; + uint32_t activate_flags = 0; int r, keysize; - if (opt_header_device) { - header_device = uuid_or_device(opt_header_device); - data_device = action_argv[0]; - } else { - header_device = uuid_or_device(action_argv[0]); - data_device = NULL; - } + header_device = uuid_or_device_header(&data_device); activated_name = opt_test_passphrase ? NULL : action_argv[1]; @@ -727,11 +793,7 @@ static int action_open_luks(void) if (opt_iteration_time) crypt_set_iteration_time(cd, opt_iteration_time); - if (opt_readonly) - flags |= CRYPT_ACTIVATE_READONLY; - - if (opt_allow_discards) - flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS; + _set_activation_flags(&activate_flags); if (opt_master_key_file) { keysize = crypt_get_volume_key_size(cd); @@ -739,15 +801,15 @@ static int action_open_luks(void) if (r < 0) goto out; r = crypt_activate_by_volume_key(cd, activated_name, - key, keysize, flags); + key, keysize, activate_flags); } else if (opt_key_file) { crypt_set_password_retry(cd, 1); r = crypt_activate_by_keyfile_offset(cd, activated_name, opt_key_slot, opt_key_file, opt_keyfile_size, - opt_keyfile_offset, flags); + opt_keyfile_offset, activate_flags); } else r = crypt_activate_by_passphrase(cd, activated_name, - opt_key_slot, NULL, 0, flags); + opt_key_slot, NULL, 0, activate_flags); out: crypt_safe_free(key); crypt_free(cd); @@ -804,7 +866,7 @@ static int action_luksKillSlot(void) struct crypt_device *cd = NULL; int r; - if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) goto out; crypt_set_confirm_callback(cd, yesDialog, NULL); @@ -828,7 +890,7 @@ static int action_luksKillSlot(void) if (!opt_batch_mode) { r = verify_keyslot(cd, opt_key_slot, _("This is the last keyslot. Device will become unusable after purging this key."), - _("Enter any remaining LUKS passphrase: "), + _("Enter any remaining passphrase: "), opt_key_file, opt_keyfile_offset, opt_keyfile_size); if (r < 0) goto out; @@ -847,7 +909,7 @@ static int action_luksRemoveKey(void) size_t passwordLen; int r; - if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) goto out; crypt_set_confirm_callback(cd, yesDialog, NULL); @@ -856,7 +918,7 @@ static int action_luksRemoveKey(void) if ((r = crypt_load(cd, CRYPT_LUKS1, NULL))) goto out; - r = tools_get_key(_("Enter LUKS passphrase to be deleted: "), + r = tools_get_key(_("Enter passphrase to be deleted: "), &password, &passwordLen, opt_keyfile_offset, opt_keyfile_size, opt_key_file, opt_timeout, @@ -898,7 +960,7 @@ static int action_luksAddKey(void) size_t password_size = 0, password_new_size = 0; struct crypt_device *cd = NULL; - if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) goto out; crypt_set_confirm_callback(cd, yesDialog, NULL); @@ -917,15 +979,28 @@ static int action_luksAddKey(void) r = _read_mk(opt_master_key_file, &key, keysize); if (r < 0) goto out; - //FIXME: process keyfile arg - r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot, - key, keysize, NULL, 0); + + r = crypt_volume_key_verify(cd, key, keysize); + check_signal(&r); + if (r < 0) + goto out; + + r = tools_get_key(_("Enter new passphrase for key slot: "), + &password_new, &password_new_size, + opt_new_keyfile_offset, opt_new_keyfile_size, + opt_new_key_file, opt_timeout, + _verify_passphrase(1), 1, cd); + if (r < 0) + goto out; + + r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot, key, keysize, + password_new, password_new_size); } else if (opt_key_file || opt_new_key_file) { r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot, opt_key_file, opt_keyfile_size, opt_keyfile_offset, opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset); } else { - r = tools_get_key(_("Enter any passphrase: "), + r = tools_get_key(_("Enter any existing passphrase: "), &password, &password_size, 0, 0, NULL, opt_timeout, _verify_passphrase(0), 0, cd); @@ -941,7 +1016,7 @@ static int action_luksAddKey(void) r = tools_get_key(_("Enter new passphrase for key slot: "), &password_new, &password_new_size, 0, 0, NULL, - opt_timeout, _verify_passphrase(0), 1, cd); + opt_timeout, _verify_passphrase(1), 1, cd); if (r < 0) goto out; @@ -965,7 +1040,7 @@ static int action_luksChangeKey(void) size_t password_size = 0, password_new_size = 0; int r; - if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) goto out; if ((r = crypt_load(cd, CRYPT_LUKS1, NULL))) @@ -974,7 +1049,7 @@ static int action_luksChangeKey(void) if (opt_iteration_time) crypt_set_iteration_time(cd, opt_iteration_time); - r = tools_get_key(_("Enter LUKS passphrase to be changed: "), + r = tools_get_key(_("Enter passphrase to be changed: "), &password, &password_size, opt_keyfile_offset, opt_keyfile_size, opt_key_file, opt_timeout, _verify_passphrase(0), 0, cd); @@ -988,11 +1063,11 @@ static int action_luksChangeKey(void) if (r < 0) goto out; - r = tools_get_key(_("Enter new LUKS passphrase: "), + r = tools_get_key(_("Enter new passphrase: "), &password_new, &password_new_size, opt_new_keyfile_offset, opt_new_keyfile_size, opt_new_key_file, - opt_timeout, _verify_passphrase(0), 1, cd); + opt_timeout, _verify_passphrase(1), 1, cd); if (r < 0) goto out; @@ -1010,7 +1085,13 @@ static int action_isLuks(void) struct crypt_device *cd = NULL; int r; - if ((r = crypt_init(&cd, action_argv[0]))) + /* FIXME: argc > max should be checked for other operations as well */ + if (action_argc > 1) { + log_err(_("Only one device argument for isLuks operation is supported.\n")); + return -ENODEV; + } + + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) goto out; crypt_set_log_callback(cd, quiet_log, NULL); @@ -1026,7 +1107,7 @@ static int action_luksUUID(void) const char *existing_uuid = NULL; int r; - if ((r = crypt_init(&cd, action_argv[0]))) + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) goto out; crypt_set_confirm_callback(cd, yesDialog, NULL); @@ -1067,7 +1148,7 @@ static int luksDump_with_volume_key(struct crypt_device *cd) if (!vk) return -ENOMEM; - r = tools_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen, + r = tools_get_key(_("Enter passphrase: "), &password, &passwordLen, opt_keyfile_offset, opt_keyfile_size, opt_key_file, opt_timeout, 0, 0, cd); if (r < 0) @@ -1105,7 +1186,7 @@ static int action_luksDump(void) struct crypt_device *cd = NULL; int r; - if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) goto out; if ((r = crypt_load(cd, CRYPT_LUKS1, NULL))) @@ -1125,7 +1206,7 @@ static int action_luksSuspend(void) struct crypt_device *cd = NULL; int r; - r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device); + r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(opt_header_device)); if (!r) r = crypt_suspend(cd, action_argv[0]); @@ -1138,7 +1219,7 @@ static int action_luksResume(void) struct crypt_device *cd = NULL; int r; - if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device))) + if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(opt_header_device)))) goto out; crypt_set_timeout(cd, opt_timeout); @@ -1166,7 +1247,7 @@ static int action_luksBackup(void) return -EINVAL; } - if ((r = crypt_init(&cd, uuid_or_device(action_argv[0])))) + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) goto out; crypt_set_confirm_callback(cd, yesDialog, NULL); @@ -1187,7 +1268,7 @@ static int action_luksRestore(void) return -EINVAL; } - if ((r = crypt_init(&cd, action_argv[0]))) + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) goto out; crypt_set_confirm_callback(cd, yesDialog, NULL); @@ -1227,6 +1308,47 @@ args: return -EINVAL; } +static int action_luksErase(void) +{ + struct crypt_device *cd = NULL; + crypt_keyslot_info ki; + char *msg = NULL; + int i, r; + + if ((r = crypt_init(&cd, uuid_or_device_header(NULL)))) + goto out; + + crypt_set_confirm_callback(cd, yesDialog, NULL); + + if ((r = crypt_load(cd, CRYPT_LUKS1, NULL))) + goto out; + + if(asprintf(&msg, _("This operation will erase all keyslots on device %s.\n" + "Device will become unusable after this operation."), + uuid_or_device_header(NULL)) == -1) { + r = -ENOMEM; + goto out; + } + + if (!yesDialog(msg, NULL)) { + r = -EPERM; + goto out; + } + + for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) { + ki = crypt_keyslot_status(cd, i); + if (ki == CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_ACTIVE_LAST) { + r = crypt_keyslot_destroy(cd, i); + if (r < 0) + goto out; + } + } +out: + free(msg); + crypt_free(cd); + return r; +} + static struct action_type { const char *type; int (*handler)(void); @@ -1241,6 +1363,7 @@ static struct action_type { { "status", action_status, 1, 0, N_(""), N_("show device status") }, { "benchmark", action_benchmark, 0, 0, N_(""), N_("benchmark cipher") }, { "repair", action_luksRepair, 1, 1, N_(""), N_("try to repair on-disk metadata") }, + { "erase", action_luksErase , 1, 1, N_(""), N_("erase all keyslots (remove encryption key)") }, { "luksFormat", action_luksFormat, 1, 1, N_(" []"), N_("formats a LUKS device") }, { "luksAddKey", action_luksAddKey, 1, 1, N_(" []"), N_("add key to LUKS device") }, { "luksRemoveKey",action_luksRemoveKey,1, 1, N_(" []"), N_("removes supplied key or key file from LUKS device") }, @@ -1384,8 +1507,12 @@ int main(int argc, const char **argv) { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL }, { "tcrypt-hidden", '\0', POPT_ARG_NONE, &opt_tcrypt_hidden, 0, N_("Use hidden header (hidden TCRYPT device)."), NULL }, { "tcrypt-system", '\0', POPT_ARG_NONE, &opt_tcrypt_system, 0, N_("Device is system TCRYPT drive (with bootloader)."), NULL }, + { "tcrypt-backup", '\0', POPT_ARG_NONE, &opt_tcrypt_backup, 0, N_("Use backup (secondary) TCRYPT header."), NULL }, + { "veracrypt", '\0', POPT_ARG_NONE, &opt_veracrypt, 0, N_("Scan also for VeraCrypt compatible device."), NULL }, { "type", 'M', POPT_ARG_STRING, &opt_type, 0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL }, { "force-password", '\0', POPT_ARG_NONE, &opt_force_password, 0, N_("Disable password quality check (if enabled)."), NULL }, + { "perf-same_cpu_crypt",'\0', POPT_ARG_NONE, &opt_perf_same_cpu_crypt, 0, N_("Use dm-crypt same_cpu_crypt performance compatibility option."), NULL }, + { "perf-submit_from_crypt_cpus",'\0', POPT_ARG_NONE, &opt_perf_submit_from_crypt_cpus,0,N_("Use dm-crypt submit_from_crypt_cpus performance compatibility option."), NULL }, POPT_TABLEEND }; poptContext popt_context; @@ -1399,8 +1526,6 @@ int main(int argc, const char **argv) bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); - crypt_fips_self_check(NULL); - popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0); poptSetOtherOptionHelp(popt_context, _("[OPTION...] ")); @@ -1442,6 +1567,10 @@ int main(int argc, const char **argv) if (r < -1) usage(popt_context, EXIT_FAILURE, poptStrerror(r), poptBadOption(popt_context, POPT_BADOPTION_NOALIAS)); + + if (crypt_fips_mode()) + crypt_log(NULL, CRYPT_LOG_VERBOSE, _("Running in FIPS mode.\n")); + if (opt_version_mode) { log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION); poptFreeContext(popt_context); @@ -1484,12 +1613,17 @@ int main(int argc, const char **argv) } else if (!strcmp(aname, "tcryptOpen")) { aname = "open"; opt_type = "tcrypt"; + } else if (!strcmp(aname, "tcryptDump")) { + opt_type = "tcrypt"; } else if (!strcmp(aname, "remove") || !strcmp(aname, "plainClose") || !strcmp(aname, "luksClose") || !strcmp(aname, "loopaesClose") || !strcmp(aname, "tcryptClose")) { aname = "close"; + } else if (!strcmp(aname, "luksErase")) { + aname = "erase"; + opt_type = "luks"; } for(action = action_types; action->type; action++) @@ -1500,7 +1634,7 @@ int main(int argc, const char **argv) usage(popt_context, EXIT_FAILURE, _("Unknown action."), poptGetInvocationName(popt_context)); - if(action_argc < action->required_action_argc) + if (action_argc < action->required_action_argc) help_args(action, popt_context); /* FIXME: rewrite this from scratch */ @@ -1585,10 +1719,20 @@ int main(int argc, const char **argv) _("Option --offset is supported only for open of plain and loopaes devices.\n"), poptGetInvocationName(popt_context)); - if ((opt_tcrypt_hidden || opt_tcrypt_system) && strcmp(aname, "tcryptDump") && + if ((opt_tcrypt_hidden || opt_tcrypt_system || opt_tcrypt_backup) && strcmp(aname, "tcryptDump") && (strcmp(aname, "open") || strcmp(opt_type, "tcrypt"))) usage(popt_context, EXIT_FAILURE, - _("Option --tcrypt-hidden or --tcrypt-system is supported only for TCRYPT device.\n"), + _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"), + poptGetInvocationName(popt_context)); + + if (opt_tcrypt_hidden && opt_allow_discards) + usage(popt_context, EXIT_FAILURE, + _("Option --tcrypt-hidden cannot be combined with --allow-discards.\n"), + poptGetInvocationName(popt_context)); + + if (opt_veracrypt && strcmp(opt_type, "tcrypt")) + usage(popt_context, EXIT_FAILURE, + _("Option --veracrypt is supported only for TCRYPT device type.\n"), poptGetInvocationName(popt_context)); if (opt_debug) {