lib/tcrypt/tcrypt.c

   1 /*
   2  * TCRYPT (TrueCrypt-compatible) volume handling
   3  *
   4  * Copyright (C) 2012, Red Hat, Inc. All rights reserved.
   5  * Copyright (C) 2012, Milan Broz
   6  *
   7  * This program is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU General Public License
   9  * version 2 as published by the Free Software Foundation.
  10  *
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  * GNU General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program; if not, write to the Free Software
  18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  19  */
  20
  21 #include <errno.h>
  22 #include <stdio.h>
  23 #include <stdlib.h>
  24 #include <string.h>
  25 #include <fcntl.h>
  26 #include <assert.h>
  27
  28 #include "libcryptsetup.h"
  29 #include "tcrypt.h"
  30 #include "internal.h"
  31
  32 /* TCRYPT PBKDF variants */
  33 static struct {
  34         unsigned int legacy:1;
  35         const char *name;
  36         const char *hash;
  37         unsigned int iterations;
  38 } tcrypt_kdf[] = {
  39         { 0, "pbkdf2", "ripemd160", 2000 },
  40         { 0, "pbkdf2", "ripemd160", 1000 },
  41         { 0, "pbkdf2", "sha512",    1000 },
  42         { 0, "pbkdf2", "whirlpool", 1000 },
  43         { 1, "pbkdf2", "sha1",      2000 },
  44         { 0, NULL,     NULL,           0 }
  45 };
  46
  47 struct tcrypt_alg {
  48                 const char *name;
  49                 unsigned int key_size;
  50                 unsigned int iv_size;
  51                 unsigned int key_offset;
  52                 unsigned int iv_offset; /* or tweak key offset */
  53 };
  54
  55 struct tcrypt_algs {
  56         unsigned int legacy:1;
  57         unsigned int chain_count;
  58         unsigned int chain_key_size;
  59         const char *long_name;
  60         const char *mode;
  61         struct tcrypt_alg cipher[3];
  62 };
  63
  64 /* TCRYPT cipher variants */
  65 static struct tcrypt_algs tcrypt_cipher[] = {
  66 /* XTS mode */
  67 {0,1,64,"aes","xts-plain64",
  68         {{"aes",    64,16,0,32}}},
  69 {0,1,64,"serpent","xts-plain64",
  70         {{"serpent",64,16,0,32}}},
  71 {0,1,64,"twofish","xts-plain64",
  72         {{"twofish",64,16,0,32}}},
  73 {0,2,128,"twofish-aes","xts-plain64",
  74         {{"twofish",64,16, 0,64},
  75          {"aes",    64,16,32,96}}},
  76 {0,3,192,"serpent-twofish-aes","xts-plain64",
  77         {{"serpent",64,16, 0, 96},
  78          {"twofish",64,16,32,128},
  79          {"aes",    64,16,64,160}}},
  80 {0,2,128,"aes-serpent","xts-plain64",
  81         {{"aes",    64,16, 0,64},
  82          {"serpent",64,16,32,96}}},
  83 {0,3,192,"aes-twofish-serpent","xts-plain64",
  84         {{"aes",    64,16, 0, 96},
  85          {"twofish",64,16,32,128},
  86          {"serpent",64,16,64,160}}},
  87 {0,2,128,"serpent-twofish","xts-plain64",
  88         {{"serpent",64,16, 0,64},
  89          {"twofish",64,16,32,96}}},
  90 /* LRW mode */
  91 {0,1,48,"aes","lrw-benbi",
  92         {{"aes",    48,16,32,0}}},
  93 {0,1,48,"serpent","lrw-benbi",
  94         {{"serpent",48,16,32,0}}},
  95 {0,1,48,"twofish","lrw-benbi",
  96         {{"twofish",48,16,32,0}}},
  97 {0,2,96,"twofish-aes","lrw-benbi",
  98         {{"twofish",48,16,32,0},
  99          {"aes",    48,16,64,0}}},
 100 {0,3,144,"serpent-twofish-aes","lrw-benbi",
 101         {{"serpent",48,16,32,0},
 102          {"twofish",48,16,64,0},
 103          {"aes",    48,16,96,0}}},
 104 {0,2,96,"aes-serpent","lrw-benbi",
 105         {{"aes",    48,16,32,0},
 106          {"serpent",48,16,64,0}}},
 107 {0,3,144,"aes-twofish-serpent","lrw-benbi",
 108         {{"aes",    48,16,32,0},
 109          {"twofish",48,16,64,0},
 110          {"serpent",48,16,96,0}}},
 111 {0,2,96,"serpent-twofish", "lrw-benbi",
 112         {{"serpent",48,16,32,0},
 113          {"twofish",48,16,64,0}}},
 114 /* Kernel LRW block size is fixed to 16 bytes for GF(2^128)
 115  * thus cannot be used with blowfish where block is 8 bytes.
 116  * There also no GF(2^64) support.
 117 {1,1,64,"blowfish_le","lrw-benbi",
 118          {{"blowfish_le",64,8,32,0}}},
 119 {1,2,112,"blowfish_le-aes","lrw-benbi",
 120          {{"blowfish_le",64, 8,32,0},
 121           {"aes",        48,16,88,0}}},
 122 {1,3,160,"serpent-blowfish_le-aes","lrw-benbi",
 123           {{"serpent",    48,16, 32,0},
 124            {"blowfish_le",64, 8, 64,0},
 125            {"aes",        48,16,120,0}}},*/
 126 /* CBC + "outer" CBC (both with whitening) */
 127 {1,1,32,"aes","cbc-tcrypt",
 128         {{"aes",    32,16,32,0}}},
 129 {1,1,32,"serpent","cbc-tcrypt",
 130         {{"serpent",32,16,32,0}}},
 131 {1,1,32,"twofish","cbc-tcrypt",
 132         {{"twofish",32,16,32,0}}},
 133 {1,2,64,"twofish-aes","cbci-tcrypt",
 134         {{"twofish",32,16,32,0},
 135          {"aes",    32,16,64,0}}},
 136 {1,3,96,"serpent-twofish-aes","cbci-tcrypt",
 137         {{"serpent",32,16,32,0},
 138          {"twofish",32,16,64,0},
 139          {"aes",    32,16,96,0}}},
 140 {1,2,64,"aes-serpent","cbci-tcrypt",
 141         {{"aes",    32,16,32,0},
 142          {"serpent",32,16,64,0}}},
 143 {1,3,96,"aes-twofish-serpent", "cbci-tcrypt",
 144         {{"aes",    32,16,32,0},
 145          {"twofish",32,16,64,0},
 146          {"serpent",32,16,96,0}}},
 147 {1,2,64,"serpent-twofish", "cbci-tcrypt",
 148         {{"serpent",32,16,32,0},
 149          {"twofish",32,16,64,0}}},
 150 {1,1,16,"cast5","cbc-tcrypt",
 151         {{"cast5",   16,8,32,0}}},
 152 {1,1,24,"des3_ede","cbc-tcrypt",
 153         {{"des3_ede",24,8,32,0}}},
 154 {1,1,56,"blowfish_le","cbc-tcrypt",
 155         {{"blowfish_le",56,8,32,0}}},
 156 {1,2,88,"blowfish_le-aes","cbc-tcrypt",
 157         {{"blowfish_le",56, 8,32,0},
 158          {"aes",        32,16,88,0}}},
 159 {1,3,120,"serpent-blowfish_le-aes","cbc-tcrypt",
 160         {{"serpent",    32,16, 32,0},
 161          {"blowfish_le",56, 8, 64,0},
 162          {"aes",        32,16,120,0}}},
 163 {}
 164 };
 165
 166 static int TCRYPT_hdr_from_disk(struct tcrypt_phdr *hdr,
 167                                 struct crypt_params_tcrypt *params,
 168                                 int kdf_index, int cipher_index)
 169 {
 170         uint32_t crc32;
 171         size_t size;
 172
 173         /* Check CRC32 of header */
 174         size = TCRYPT_HDR_LEN - sizeof(hdr->d.keys) - sizeof(hdr->d.header_crc32);
 175         crc32 = crypt_crc32(~0, (unsigned char*)&hdr->d, size) ^ ~0;
 176         if (be16_to_cpu(hdr->d.version) > 3 &&
 177             crc32 != be32_to_cpu(hdr->d.header_crc32)) {
 178                 log_dbg("TCRYPT header CRC32 mismatch.");
 179                 return -EINVAL;
 180         }
 181
 182         /* Check CRC32 of keys */
 183         crc32 = crypt_crc32(~0, (unsigned char*)hdr->d.keys, sizeof(hdr->d.keys)) ^ ~0;
 184         if (crc32 != be32_to_cpu(hdr->d.keys_crc32)) {
 185                 log_dbg("TCRYPT keys CRC32 mismatch.");
 186                 return -EINVAL;
 187         }
 188
 189         /* Convert header to cpu format */
 190         hdr->d.version  =  be16_to_cpu(hdr->d.version);
 191         hdr->d.version_tc = le16_to_cpu(hdr->d.version_tc);
 192
 193         hdr->d.keys_crc32 = be32_to_cpu(hdr->d.keys_crc32);
 194
 195         hdr->d.hidden_volume_size = be64_to_cpu(hdr->d.hidden_volume_size);
 196         hdr->d.volume_size        = be64_to_cpu(hdr->d.volume_size);
 197
 198         hdr->d.mk_offset = be64_to_cpu(hdr->d.mk_offset);
 199         if (!hdr->d.mk_offset)
 200                 hdr->d.mk_offset = 512;
 201
 202         hdr->d.mk_size = be64_to_cpu(hdr->d.mk_size);
 203
 204         hdr->d.flags = be32_to_cpu(hdr->d.flags);
 205
 206         hdr->d.sector_size = be32_to_cpu(hdr->d.sector_size);
 207         if (!hdr->d.sector_size)
 208                 hdr->d.sector_size = 512;
 209
 210         hdr->d.header_crc32 = be32_to_cpu(hdr->d.header_crc32);
 211
 212         /* Set params */
 213         params->passphrase = NULL;
 214         params->passphrase_size = 0;
 215         params->hash_name  = tcrypt_kdf[kdf_index].hash;
 216         params->key_size = tcrypt_cipher[cipher_index].chain_key_size;
 217         params->cipher = tcrypt_cipher[cipher_index].long_name;
 218         params->mode = tcrypt_cipher[cipher_index].mode;
 219
 220         return 0;
 221 }
 222
 223 /*
 224  * Kernel implements just big-endian version of blowfish, hack it here
 225  */
 226 static void TCRYPT_swab_le(char *buf)
 227 {
 228         uint32_t *l = (uint32_t*)&buf[0];
 229         uint32_t *r = (uint32_t*)&buf[4];
 230         *l = swab32(*l);
 231         *r = swab32(*r);
 232 }
 233
 234 static int decrypt_blowfish_le_cbc(struct tcrypt_alg *alg,
 235                                    const char *key, char *buf)
 236 {
 237         int bs = alg->iv_size;
 238         char iv[bs], iv_old[bs];
 239         struct crypt_cipher *cipher = NULL;
 240         int i, j, r;
 241
 242         assert(bs == 2*sizeof(uint32_t));
 243
 244         r = crypt_cipher_init(&cipher, "blowfish", "ecb",
 245                               &key[alg->key_offset], alg->key_size);
 246         if (r < 0)
 247                 return r;
 248
 249         memcpy(iv, &key[alg->iv_offset], alg->iv_size);
 250         for (i = 0; i < TCRYPT_HDR_LEN; i += bs) {
 251                 memcpy(iv_old, &buf[i], bs);
 252                 TCRYPT_swab_le(&buf[i]);
 253                 r = crypt_cipher_decrypt(cipher, &buf[i], &buf[i],
 254                                           bs, NULL, 0);
 255                 TCRYPT_swab_le(&buf[i]);
 256                 if (r < 0)
 257                         break;
 258                 for (j = 0; j < bs; j++)
 259                         buf[i + j] ^= iv[j];
 260                 memcpy(iv, iv_old, bs);
 261         }
 262
 263         crypt_cipher_destroy(cipher);
 264         memset(iv, 0, bs);
 265         memset(iv_old, 0, bs);
 266         return r;
 267 }
 268
 269 static void TCRYPT_remove_whitening(char *buf, const char *key)
 270 {
 271         int j;
 272
 273         for (j = 0; j < TCRYPT_HDR_LEN; j++)
 274                 buf[j] ^= key[j % 8];
 275 }
 276
 277 static void TCRYPT_copy_key(struct tcrypt_alg *alg, const char *mode,
 278                              char *out_key, const char *key)
 279 {
 280         int ks2;
 281         if (!strncmp(mode, "xts", 3)) {
 282                 ks2 = alg->key_size / 2;
 283                 memcpy(out_key, &key[alg->key_offset], ks2);
 284                 memcpy(&out_key[ks2], &key[alg->iv_offset], ks2);
 285         } else if (!strncmp(mode, "lrw", 3)) {
 286                 ks2 = alg->key_size - TCRYPT_LRW_IKEY_LEN;
 287                 memcpy(out_key, &key[alg->key_offset], ks2);
 288                 memcpy(&out_key[ks2], key, TCRYPT_LRW_IKEY_LEN);
 289         } else if (!strncmp(mode, "cbc", 3)) {
 290                 memcpy(out_key, &key[alg->key_offset], alg->key_size);
 291         }
 292 }
 293
 294 static int TCRYPT_decrypt_hdr_one(struct tcrypt_alg *alg, const char *mode,
 295                                    const char *key,struct tcrypt_phdr *hdr)
 296 {
 297         char backend_key[TCRYPT_HDR_KEY_LEN];
 298         char iv[TCRYPT_HDR_IV_LEN] = {};
 299         char mode_name[MAX_CIPHER_LEN];
 300         struct crypt_cipher *cipher;
 301         char *c, *buf = (char*)&hdr->e;
 302         int r;
 303
 304         /* Remove IV if present */
 305         strncpy(mode_name, mode, MAX_CIPHER_LEN);
 306         c = strchr(mode_name, '-');
 307         if (c)
 308                 *c = '\0';
 309
 310         if (!strncmp(mode, "lrw", 3))
 311                 iv[alg->iv_size - 1] = 1;
 312         else if (!strncmp(mode, "cbc", 3)) {
 313                 TCRYPT_remove_whitening(buf, &key[8]);
 314                 if (!strcmp(alg->name, "blowfish_le"))
 315                         return decrypt_blowfish_le_cbc(alg, key, buf);
 316                 memcpy(iv, &key[alg->iv_offset], alg->iv_size);
 317         }
 318
 319         TCRYPT_copy_key(alg, mode, backend_key, key);
 320         r = crypt_cipher_init(&cipher, alg->name, mode_name,
 321                               backend_key, alg->key_size);
 322         if (!r) {
 323                 r = crypt_cipher_decrypt(cipher, buf, buf, TCRYPT_HDR_LEN,
 324                                          iv, alg->iv_size);
 325                 crypt_cipher_destroy(cipher);
 326         }
 327
 328         memset(backend_key, 0, sizeof(backend_key));
 329         memset(iv, 0, TCRYPT_HDR_IV_LEN);
 330         return r;
 331 }
 332
 333 /*
 334  * For chanined ciphers and CBC mode we need "outer" decryption.
 335  * Backend doesn't provide this, so implement it here directly using ECB.
 336  */
 337 static int TCRYPT_decrypt_cbci(struct tcrypt_algs *ciphers,
 338                                 const char *key, struct tcrypt_phdr *hdr)
 339 {
 340         struct crypt_cipher *cipher[ciphers->chain_count];
 341         unsigned int bs = ciphers->cipher[0].iv_size;
 342         char *buf = (char*)&hdr->e, iv[bs], iv_old[bs];
 343         unsigned int i, j;
 344         int r = -EINVAL;
 345
 346         TCRYPT_remove_whitening(buf, &key[8]);
 347
 348         memcpy(iv, &key[ciphers->cipher[0].iv_offset], bs);
 349
 350         /* Initialize all ciphers in chain in ECB mode */
 351         for (j = 0; j < ciphers->chain_count; j++)
 352                 cipher[j] = NULL;
 353         for (j = 0; j < ciphers->chain_count; j++) {
 354                 r = crypt_cipher_init(&cipher[j], ciphers->cipher[j].name, "ecb",
 355                                       &key[ciphers->cipher[j].key_offset],
 356                                       ciphers->cipher[j].key_size);
 357                 if (r < 0)
 358                         goto out;
 359         }
 360
 361         /* Implements CBC with chained ciphers in loop inside */
 362         for (i = 0; i < TCRYPT_HDR_LEN; i += bs) {
 363                 memcpy(iv_old, &buf[i], bs);
 364                 for (j = ciphers->chain_count; j > 0; j--) {
 365                         r = crypt_cipher_decrypt(cipher[j - 1], &buf[i], &buf[i],
 366                                                   bs, NULL, 0);
 367                         if (r < 0)
 368                                 goto out;
 369                 }
 370                 for (j = 0; j < bs; j++)
 371                         buf[i + j] ^= iv[j];
 372                 memcpy(iv, iv_old, bs);
 373         }
 374 out:
 375         for (j = 0; j < ciphers->chain_count; j++)
 376                 if (cipher[j])
 377                         crypt_cipher_destroy(cipher[j]);
 378
 379         memset(iv, 0, bs);
 380         memset(iv_old, 0, bs);
 381         return r;
 382 }
 383
 384 static int TCRYPT_decrypt_hdr(struct crypt_device *cd, struct tcrypt_phdr *hdr,
 385                                const char *key, int legacy_modes)
 386 {
 387         struct tcrypt_phdr hdr2;
 388         int i, j, r = -EINVAL;
 389
 390         for (i = 0; tcrypt_cipher[i].chain_count; i++) {
 391                 if (!legacy_modes && tcrypt_cipher[i].legacy)
 392                         continue;
 393                 log_dbg("TCRYPT:  trying cipher %s-%s",
 394                         tcrypt_cipher[i].long_name, tcrypt_cipher[i].mode);
 395
 396                 memcpy(&hdr2.e, &hdr->e, TCRYPT_HDR_LEN);
 397
 398                 if (!strncmp(tcrypt_cipher[i].mode, "cbci", 4))
 399                         r = TCRYPT_decrypt_cbci(&tcrypt_cipher[i], key, &hdr2);
 400                 else for (j = tcrypt_cipher[i].chain_count - 1; j >= 0 ; j--) {
 401                         if (!tcrypt_cipher[i].cipher[j].name)
 402                                 continue;
 403                         r = TCRYPT_decrypt_hdr_one(&tcrypt_cipher[i].cipher[j],
 404                                             tcrypt_cipher[i].mode, key, &hdr2);
 405                         if (r < 0)
 406                                 break;
 407                 }
 408
 409                 if (r < 0) {
 410                         log_dbg("TCRYPT:   returned error %d, skipped.", r);
 411                         if (r == -ENOTSUP)
 412                                 break;
 413                         r = -ENOENT;
 414                         continue;
 415                 }
 416
 417                 if (!strncmp(hdr2.d.magic, TCRYPT_HDR_MAGIC, TCRYPT_HDR_MAGIC_LEN)) {
 418                         log_dbg("TCRYPT: Signature magic detected.");
 419                         memcpy(&hdr->e, &hdr2.e, TCRYPT_HDR_LEN);
 420                         r = i;
 421                         break;
 422                 }
 423                 r = -EPERM;
 424         }
 425
 426         memset(&hdr2, 0, sizeof(hdr2));
 427         return r;
 428 }
 429
 430 static int TCRYPT_pool_keyfile(struct crypt_device *cd,
 431                                 unsigned char pool[TCRYPT_KEY_POOL_LEN],
 432                                 const char *keyfile)
 433 {
 434         unsigned char data[TCRYPT_KEYFILE_LEN];
 435         int i, j, fd, data_size;
 436         uint32_t crc;
 437
 438         log_dbg("TCRYPT: using keyfile %s.", keyfile);
 439
 440         fd = open(keyfile, O_RDONLY);
 441         if (fd < 0) {
 442                 log_err(cd, _("Failed to open key file.\n"));
 443                 return -EIO;
 444         }
 445
 446         /* FIXME: add while */
 447         data_size = read(fd, data, TCRYPT_KEYFILE_LEN);
 448         close(fd);
 449         if (data_size < 0) {
 450                 log_err(cd, _("Error reading keyfile %s.\n"), keyfile);
 451                 return -EIO;
 452         }
 453
 454         for (i = 0, j = 0, crc = ~0U; i < data_size; i++) {
 455                 crc = crypt_crc32(crc, &data[i], 1);
 456                 pool[j++] += (unsigned char)(crc >> 24);
 457                 pool[j++] += (unsigned char)(crc >> 16);
 458                 pool[j++] += (unsigned char)(crc >>  8);
 459                 pool[j++] += (unsigned char)(crc);
 460                 j %= TCRYPT_KEY_POOL_LEN;
 461         }
 462
 463         memset(&crc, 0, sizeof(crc));
 464         memset(data, 0, TCRYPT_KEYFILE_LEN);
 465
 466         return 0;
 467 }
 468
 469 static int TCRYPT_init_hdr(struct crypt_device *cd,
 470                            struct tcrypt_phdr *hdr,
 471                            struct crypt_params_tcrypt *params)
 472 {
 473         unsigned char pwd[TCRYPT_KEY_POOL_LEN] = {};
 474         size_t passphrase_size;
 475         char *key;
 476         unsigned int i, skipped = 0;
 477         int r = -EINVAL, legacy_modes;
 478
 479         if (posix_memalign((void*)&key, crypt_getpagesize(), TCRYPT_HDR_KEY_LEN))
 480                 return -ENOMEM;
 481
 482         if (params->keyfiles_count)
 483                 passphrase_size = TCRYPT_KEY_POOL_LEN;
 484         else
 485                 passphrase_size = params->passphrase_size;
 486
 487         /* Calculate pool content from keyfiles */
 488         for (i = 0; i < params->keyfiles_count; i++) {
 489                 r = TCRYPT_pool_keyfile(cd, pwd, params->keyfiles[i]);
 490                 if (r < 0)
 491                         goto out;
 492         }
 493
 494         /* If provided password, combine it with pool */
 495         for (i = 0; i < params->passphrase_size; i++)
 496                 pwd[i] += params->passphrase[i];
 497
 498         legacy_modes = params->flags & CRYPT_TCRYPT_LEGACY_MODES ? 1 : 0;
 499         for (i = 0; tcrypt_kdf[i].name; i++) {
 500                 if (!legacy_modes && tcrypt_kdf[i].legacy)
 501                         continue;
 502                 /* Derive header key */
 503                 log_dbg("TCRYPT: trying KDF: %s-%s-%d.",
 504                         tcrypt_kdf[i].name, tcrypt_kdf[i].hash, tcrypt_kdf[i].iterations);
 505                 r = crypt_pbkdf(tcrypt_kdf[i].name, tcrypt_kdf[i].hash,
 506                                 (char*)pwd, passphrase_size,
 507                                 hdr->salt, TCRYPT_HDR_SALT_LEN,
 508                                 key, TCRYPT_HDR_KEY_LEN,
 509                                 tcrypt_kdf[i].iterations);
 510                 if (r < 0)
 511                         break;
 512
 513                 /* Decrypt header */
 514                 r = TCRYPT_decrypt_hdr(cd, hdr, key, legacy_modes);
 515                 if (r == -ENOENT) {
 516                         skipped++;
 517                         continue;
 518                 }
 519                 if (r != -EPERM)
 520                         break;
 521         }
 522
 523         if ((skipped && skipped == i) || r == -ENOTSUP)
 524                 log_err(cd, _("Required kernel crypto interface not available.\n"
 525                               "Ensure you have algif_skcipher kernel module loaded.\n"));
 526         if (r < 0)
 527                 goto out;
 528
 529         r = TCRYPT_hdr_from_disk(hdr, params, i, r);
 530         if (!r) {
 531                 log_dbg("TCRYPT: Header version: %d, req. %d, sector %d"
 532                         ", mk_offset %" PRIu64 ", hidden_size %" PRIu64
 533                         ", volume size %" PRIu64, (int)hdr->d.version,
 534                         (int)hdr->d.version_tc, (int)hdr->d.sector_size,
 535                         hdr->d.mk_offset, hdr->d.hidden_volume_size, hdr->d.volume_size);
 536                 log_dbg("TCRYPT: Header cipher %s-%s, key size %d",
 537                         params->cipher, params->mode, params->key_size);
 538         }
 539 out:
 540         memset(pwd, 0, TCRYPT_KEY_POOL_LEN);
 541         if (key)
 542                 memset(key, 0, TCRYPT_HDR_KEY_LEN);
 543         free(key);
 544         return r;
 545 }
 546
 547 int TCRYPT_read_phdr(struct crypt_device *cd,
 548                      struct tcrypt_phdr *hdr,
 549                      struct crypt_params_tcrypt *params)
 550 {
 551         struct device *device = crypt_metadata_device(cd);
 552         ssize_t hdr_size = sizeof(struct tcrypt_phdr);
 553         int devfd = 0, r, bs;
 554
 555         assert(sizeof(struct tcrypt_phdr) == 512);
 556
 557         log_dbg("Reading TCRYPT header of size %d bytes from device %s.",
 558                 hdr_size, device_path(device));
 559
 560         bs = device_block_size(device);
 561         if (bs < 0)
 562                 return bs;
 563
 564         devfd = open(device_path(device), O_RDONLY | O_DIRECT);
 565         if (devfd == -1) {
 566                 log_err(cd, _("Cannot open device %s.\n"), device_path(device));
 567                 return -EINVAL;
 568         }
 569
 570         r = -EIO;
 571         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
 572                 if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
 573                     read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 574                         r = TCRYPT_init_hdr(cd, hdr, params);
 575         } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
 576                 if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
 577                         if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
 578                             read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 579                                 r = TCRYPT_init_hdr(cd, hdr, params);
 580                 } else {
 581                         if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET, SEEK_SET) >= 0 &&
 582                             read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 583                                 r = TCRYPT_init_hdr(cd, hdr, params);
 584                         if (r &&
 585                             lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_OLD, SEEK_END) >= 0 &&
 586                             read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 587                                 r = TCRYPT_init_hdr(cd, hdr, params);
 588                 }
 589         } else if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
 590                 if (lseek(devfd, TCRYPT_HDR_OFFSET_BCK, SEEK_END) >= 0 &&
 591                             read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 592                         r = TCRYPT_init_hdr(cd, hdr, params);
 593         } else if (read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
 594                 r = TCRYPT_init_hdr(cd, hdr, params);
 595
 596         close(devfd);
 597         if (r < 0)
 598                 memset(hdr, 0, sizeof (*hdr));
 599         return r;
 600 }
 601
 602 static struct tcrypt_algs *TCRYPT_get_algs(const char *cipher, const char *mode)
 603 {
 604         int i;
 605
 606         if (!cipher || !mode)
 607                 return NULL;
 608
 609         for (i = 0; tcrypt_cipher[i].chain_count; i++)
 610                 if (!strcmp(tcrypt_cipher[i].long_name, cipher) &&
 611                     !strcmp(tcrypt_cipher[i].mode, mode))
 612                     return &tcrypt_cipher[i];
 613
 614         return NULL;
 615 }
 616
 617 int TCRYPT_activate(struct crypt_device *cd,
 618                      const char *name,
 619                      struct tcrypt_phdr *hdr,
 620                      struct crypt_params_tcrypt *params,
 621                      uint32_t flags)
 622 {
 623         char cipher[MAX_CIPHER_LEN], dm_name[PATH_MAX], dm_dev_name[PATH_MAX];
 624         struct device *device = NULL;
 625         unsigned int i;
 626         int r;
 627         struct tcrypt_algs *algs;
 628         struct crypt_dm_active_device dmd = {
 629                 .target = DM_CRYPT,
 630                 .size   = 0,
 631                 .data_device = crypt_data_device(cd),
 632                 .u.crypt  = {
 633                         .cipher = cipher,
 634                         .offset = crypt_get_data_offset(cd),
 635                         .iv_offset = crypt_get_iv_offset(cd),
 636                 }
 637         };
 638
 639         if (!hdr->d.version) {
 640                 log_dbg("TCRYPT: this function is not supported without encrypted header load.");
 641                 return -ENOTSUP;
 642         }
 643
 644         if (hdr->d.sector_size && hdr->d.sector_size != SECTOR_SIZE) {
 645                 log_err(cd, _("Activation is not supported for %d sector size.\n"),
 646                         hdr->d.sector_size);
 647                 return -ENOTSUP;
 648         }
 649
 650         if (strstr(params->mode, "-tcrypt")) {
 651                 log_err(cd, _("Kernel doesn't support activation for this TCRYPT legacy mode.\n"));
 652                 return -ENOTSUP;
 653         }
 654
 655         algs = TCRYPT_get_algs(params->cipher, params->mode);
 656         if (!algs)
 657                 return -EINVAL;
 658
 659         if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER)
 660                 dmd.size = hdr->d.hidden_volume_size / hdr->d.sector_size;
 661         else
 662                 dmd.size = hdr->d.volume_size / hdr->d.sector_size;
 663
 664         r = device_block_adjust(cd, dmd.data_device, DEV_EXCL,
 665                                 dmd.u.crypt.offset, &dmd.size, &dmd.flags);
 666         if (r)
 667                 return r;
 668
 669         /* Frome here, key size for every cipher must be the same */
 670         dmd.u.crypt.vk = crypt_alloc_volume_key(algs->cipher[0].key_size, NULL);
 671         if (!dmd.u.crypt.vk)
 672                 return -ENOMEM;
 673
 674         for (i = algs->chain_count; i > 0; i--) {
 675                 if (i == 1) {
 676                         strncpy(dm_name, name, sizeof(dm_name));
 677                         dmd.flags = flags;
 678                 } else {
 679                         snprintf(dm_name, sizeof(dm_name), "%s_%d", name, i-1);
 680                         dmd.flags = flags | CRYPT_ACTIVATE_PRIVATE;
 681                 }
 682
 683                 snprintf(cipher, sizeof(cipher), "%s-%s",
 684                          algs->cipher[i-1].name, algs->mode);
 685
 686                 TCRYPT_copy_key(&algs->cipher[i-1], algs->mode,
 687                                 dmd.u.crypt.vk->key, hdr->d.keys);
 688
 689                 if (algs->chain_count != i) {
 690                         snprintf(dm_dev_name, sizeof(dm_dev_name), "%s/%s_%d",
 691                                  dm_get_dir(), name, i);
 692                         r = device_alloc(&device, dm_dev_name);
 693                         if (r)
 694                                 break;
 695                         dmd.data_device = device;
 696                         dmd.u.crypt.offset = 0;
 697                 }
 698
 699                 log_dbg("Trying to activate TCRYPT device %s using cipher %s.",
 700                         dm_name, dmd.u.crypt.cipher);
 701                 r = dm_create_device(cd, dm_name, CRYPT_TCRYPT, &dmd, 0);
 702
 703                 device_free(device);
 704                 device = NULL;
 705
 706                 if (r)
 707                         break;
 708         }
 709
 710         if (!r && !(dm_flags() & DM_PLAIN64_SUPPORTED)) {
 711                 log_err(cd, _("Kernel doesn't support plain64 IV.\n"));
 712                 r = -ENOTSUP;
 713         }
 714
 715         crypt_free_volume_key(dmd.u.crypt.vk);
 716         return r;
 717 }
 718
 719 static int TCRYPT_remove_one(struct crypt_device *cd, const char *name,
 720                       const char *base_uuid, int index)
 721 {
 722         struct crypt_dm_active_device dmd = {};
 723         char dm_name[PATH_MAX];
 724         int r;
 725
 726         if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
 727                 return -ENOMEM;
 728
 729         r = dm_status_device(cd, dm_name);
 730         if (r < 0)
 731                 return r;
 732
 733         r = dm_query_device(cd, dm_name, DM_ACTIVE_UUID, &dmd);
 734         if (!r && !strncmp(dmd.uuid, base_uuid, strlen(base_uuid)))
 735                 r = dm_remove_device(cd, dm_name, 0, 0);
 736
 737         free(CONST_CAST(void*)dmd.uuid);
 738         return r;
 739 }
 740
 741 int TCRYPT_deactivate(struct crypt_device *cd, const char *name)
 742 {
 743         struct crypt_dm_active_device dmd = {};
 744         int r;
 745
 746         r = dm_query_device(cd, name, DM_ACTIVE_UUID, &dmd);
 747         if (r < 0)
 748                 return r;
 749         if (!dmd.uuid)
 750                 return -EINVAL;
 751
 752         r = dm_remove_device(cd, name, 0, 0);
 753         if (r < 0)
 754                 goto out;
 755
 756         r = TCRYPT_remove_one(cd, name, dmd.uuid, 1);
 757         if (r < 0)
 758                 goto out;
 759
 760         r = TCRYPT_remove_one(cd, name, dmd.uuid, 2);
 761         if (r < 0)
 762                 goto out;
 763 out:
 764         free(CONST_CAST(void*)dmd.uuid);
 765         return (r == -ENODEV) ? 0 : r;
 766 }
 767
 768 static int TCRYPT_status_one(struct crypt_device *cd, const char *name,
 769                               const char *base_uuid, int index,
 770                               size_t *key_size, char *cipher,
 771                               uint64_t *data_offset, struct device **device)
 772 {
 773         struct crypt_dm_active_device dmd = {};
 774         char dm_name[PATH_MAX], *c;
 775         int r;
 776
 777         if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
 778                 return -ENOMEM;
 779
 780         r = dm_status_device(cd, dm_name);
 781         if (r < 0)
 782                 return r;
 783
 784         r = dm_query_device(cd, dm_name, DM_ACTIVE_DEVICE |
 785                                           DM_ACTIVE_UUID |
 786                                           DM_ACTIVE_CRYPT_CIPHER |
 787                                           DM_ACTIVE_CRYPT_KEYSIZE, &dmd);
 788         if (r > 0)
 789                 r = 0;
 790         if (!r && !strncmp(dmd.uuid, base_uuid, strlen(base_uuid))) {
 791                 if ((c = strchr(dmd.u.crypt.cipher, '-')))
 792                         *c = '\0';
 793                 strcat(cipher, "-");
 794                 strncat(cipher, dmd.u.crypt.cipher, MAX_CIPHER_LEN);
 795                 *key_size += dmd.u.crypt.vk->keylength;
 796                 *data_offset = dmd.u.crypt.offset * SECTOR_SIZE;
 797                 device_free(*device);
 798                 *device = dmd.data_device;
 799         } else {
 800                 device_free(dmd.data_device);
 801                 r = -ENODEV;
 802         }
 803
 804         free(CONST_CAST(void*)dmd.uuid);
 805         free(CONST_CAST(void*)dmd.u.crypt.cipher);
 806         crypt_free_volume_key(dmd.u.crypt.vk);
 807         return r;
 808 }
 809
 810 int TCRYPT_init_by_name(struct crypt_device *cd, const char *name,
 811                         const struct crypt_dm_active_device *dmd,
 812                         struct device **device,
 813                         struct crypt_params_tcrypt *tcrypt_params,
 814                         struct tcrypt_phdr *tcrypt_hdr)
 815 {
 816         struct tcrypt_algs *algs;
 817         char cipher[MAX_CIPHER_LEN * 4], mode[MAX_CIPHER_LEN], *tmp;
 818         size_t key_size;
 819         int r;
 820
 821         memset(tcrypt_params, 0, sizeof(*tcrypt_params));
 822         memset(tcrypt_hdr, 0, sizeof(*tcrypt_hdr));
 823         tcrypt_hdr->d.sector_size = SECTOR_SIZE;
 824         tcrypt_hdr->d.mk_offset = dmd->u.crypt.offset * SECTOR_SIZE;
 825
 826         strncpy(cipher, dmd->u.crypt.cipher, MAX_CIPHER_LEN);
 827         tmp = strchr(cipher, '-');
 828         if (!tmp)
 829                 return -EINVAL;
 830         *tmp = '\0';
 831         strncpy(mode, ++tmp, MAX_CIPHER_LEN);
 832
 833         key_size = dmd->u.crypt.vk->keylength;
 834         r = TCRYPT_status_one(cd, name, dmd->uuid, 1, &key_size,
 835                               cipher, &tcrypt_hdr->d.mk_offset, device);
 836         if (!r)
 837                 r = TCRYPT_status_one(cd, name, dmd->uuid, 2, &key_size,
 838                                       cipher, &tcrypt_hdr->d.mk_offset, device);
 839
 840         if (r < 0 && r != -ENODEV)
 841                 return r;
 842
 843         algs = TCRYPT_get_algs(cipher, mode);
 844         if (!algs || key_size != algs->chain_key_size)
 845                 return -EINVAL;
 846
 847         tcrypt_params->key_size = algs->chain_key_size;
 848         tcrypt_params->cipher = algs->long_name;
 849         tcrypt_params->mode = algs->mode;
 850         return 0;
 851 }
 852
 853 uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
 854                                  struct tcrypt_phdr *hdr,
 855                                  struct crypt_params_tcrypt *params)
 856 {
 857         uint64_t size;
 858
 859         /* No real header loaded, initialized by active device */
 860         if (!hdr->d.version)
 861                 goto hdr_offset;
 862
 863         /* Mapping through whole device, not partition! */
 864         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
 865                 goto hdr_offset;
 866
 867         if (params->mode && !strncmp(params->mode, "xts", 3)) {
 868                 if (hdr->d.version < 3)
 869                         return 1;
 870
 871                 if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
 872                         if (hdr->d.version > 3)
 873                                 return (hdr->d.mk_offset / hdr->d.sector_size);
 874                         if (device_size(crypt_metadata_device(cd), &size) < 0)
 875                                 return 0;
 876                         return (size - hdr->d.hidden_volume_size +
 877                                 (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
 878                 }
 879                 goto hdr_offset;
 880         }
 881
 882         if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
 883                 if (device_size(crypt_metadata_device(cd), &size) < 0)
 884                         return 0;
 885                 return (size - hdr->d.hidden_volume_size +
 886                         (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
 887         }
 888
 889 hdr_offset:
 890         return hdr->d.mk_offset / hdr->d.sector_size;
 891 }
 892
 893 uint64_t TCRYPT_get_iv_offset(struct crypt_device *cd,
 894                               struct tcrypt_phdr *hdr,
 895                               struct crypt_params_tcrypt *params
 896 )
 897 {
 898         if (params->mode && !strncmp(params->mode, "xts", 3))
 899                 return TCRYPT_get_data_offset(cd, hdr, params);
 900         else if (params->mode && !strncmp(params->mode, "lrw", 3))
 901                 return 0;
 902
 903         return hdr->d.mk_offset / hdr->d.sector_size;
 904 }
 905
 906 int TCRYPT_get_volume_key(struct crypt_device *cd,
 907                           struct tcrypt_phdr *hdr,
 908                           struct crypt_params_tcrypt *params,
 909                           struct volume_key **vk)
 910 {
 911         struct tcrypt_algs *algs;
 912         unsigned int i, key_index;
 913
 914         if (!hdr->d.version) {
 915                 log_err(cd, _("This function is not supported without TCRYPT header load."));
 916                 return -ENOTSUP;
 917         }
 918
 919         algs = TCRYPT_get_algs(params->cipher, params->mode);
 920         if (!algs)
 921                 return -EINVAL;
 922
 923         *vk = crypt_alloc_volume_key(params->key_size, NULL);
 924         if (!*vk)
 925                 return -ENOMEM;
 926
 927         for (i = 0, key_index = 0; i < algs->chain_count; i++) {
 928                 TCRYPT_copy_key(&algs->cipher[i], algs->mode,
 929                                 &(*vk)->key[key_index], hdr->d.keys);
 930                 key_index += algs->cipher[i].key_size;
 931         }
 932
 933         return 0;
 934 }
 935
 936 int TCRYPT_dump(struct crypt_device *cd,
 937                 struct tcrypt_phdr *hdr,
 938                 struct crypt_params_tcrypt *params)
 939 {
 940         log_std(cd, "TCRYPT header information for %s\n",
 941                 device_path(crypt_metadata_device(cd)));
 942         if (hdr->d.version) {
 943                 log_std(cd, "Version:       \t%d\n", hdr->d.version);
 944                 log_std(cd, "Driver req.:\t%d\n", hdr->d.version_tc);
 945
 946                 log_std(cd, "Sector size:\t%" PRIu32 "\n", hdr->d.sector_size);
 947                 log_std(cd, "MK offset:\t%" PRIu64 "\n", hdr->d.mk_offset);
 948                 log_std(cd, "PBKDF2 hash:\t%s\n", params->hash_name);
 949         }
 950         log_std(cd, "Cipher chain:\t%s\n", params->cipher);
 951         log_std(cd, "Cipher mode:\t%s\n", params->mode);
 952         log_std(cd, "MK bits:       \t%d\n", params->key_size * 8);
 953         return 0;
 954 }