lib/tcrypt/tcrypt.c

   1 /*
   2  * TCRYPT (TrueCrypt-compatible) and VeraCrypt volume handling
   3  *
   4  * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
   5  * Copyright (C) 2012-2020 Milan Broz
   6  *
   7  * This file is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU Lesser General Public
   9  * License as published by the Free Software Foundation; either
  10  * version 2.1 of the License, or (at your option) any later version.
  11  *
  12  * This file is distributed in the hope that it will be useful,
  13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  15  * Lesser General Public License for more details.
  16  *
  17  * You should have received a copy of the GNU Lesser General Public
  18  * License along with this file; if not, write to the Free Software
  19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  20  */
  21
  22 #include <errno.h>
  23 #include <stdio.h>
  24 #include <stdlib.h>
  25 #include <string.h>
  26 #include <assert.h>
  27
  28 #include "libcryptsetup.h"
  29 #include "tcrypt.h"
  30 #include "internal.h"
  31
  32 /* TCRYPT PBKDF variants */
  33 static const struct {
  34         unsigned int legacy:1;
  35         unsigned int veracrypt:1;
  36         const char *name;
  37         const char *hash;
  38         unsigned int iterations;
  39         uint32_t veracrypt_pim_const;
  40         uint32_t veracrypt_pim_mult;
  41 } tcrypt_kdf[] = {
  42         { 0, 0, "pbkdf2", "ripemd160",   2000, 0, 0 },
  43         { 0, 0, "pbkdf2", "ripemd160",   1000, 0, 0 },
  44         { 0, 0, "pbkdf2", "sha512",      1000, 0, 0 },
  45         { 0, 0, "pbkdf2", "whirlpool",   1000, 0, 0 },
  46         { 1, 0, "pbkdf2", "sha1",        2000, 0, 0 },
  47         { 0, 1, "pbkdf2", "sha512",    500000, 15000, 1000 },
  48         { 0, 1, "pbkdf2", "whirlpool", 500000, 15000, 1000 },
  49         { 0, 1, "pbkdf2", "sha256",    500000, 15000, 1000 }, // VeraCrypt 1.0f
  50         { 0, 1, "pbkdf2", "sha256",    200000,     0, 2048 }, // boot only
  51         { 0, 1, "pbkdf2", "ripemd160", 655331, 15000, 1000 },
  52         { 0, 1, "pbkdf2", "ripemd160", 327661,     0, 2048 }, // boot only
  53         { 0, 1, "pbkdf2", "stribog512",500000, 15000, 1000 },
  54 //      { 0, 1, "pbkdf2", "stribog512",200000,     0, 2048 }, // boot only
  55         { 0, 0,     NULL,        NULL,      0,     0,    0 }
  56 };
  57
  58 struct tcrypt_alg {
  59                 const char *name;
  60                 unsigned int key_size;
  61                 unsigned int iv_size;
  62                 unsigned int key_offset;
  63                 unsigned int iv_offset; /* or tweak key offset */
  64                 unsigned int key_extra_size;
  65 };
  66
  67 struct tcrypt_algs {
  68         unsigned int legacy:1;
  69         unsigned int chain_count;
  70         unsigned int chain_key_size;
  71         const char *long_name;
  72         const char *mode;
  73         struct tcrypt_alg cipher[3];
  74 };
  75
  76 /* TCRYPT cipher variants */
  77 static struct tcrypt_algs tcrypt_cipher[] = {
  78 /* XTS mode */
  79 {0,1,64,"aes","xts-plain64",
  80         {{"aes",    64,16,0,32,0}}},
  81 {0,1,64,"serpent","xts-plain64",
  82         {{"serpent",64,16,0,32,0}}},
  83 {0,1,64,"twofish","xts-plain64",
  84         {{"twofish",64,16,0,32,0}}},
  85 {0,2,128,"twofish-aes","xts-plain64",
  86         {{"twofish",64,16, 0,64,0},
  87          {"aes",    64,16,32,96,0}}},
  88 {0,3,192,"serpent-twofish-aes","xts-plain64",
  89         {{"serpent",64,16, 0, 96,0},
  90          {"twofish",64,16,32,128,0},
  91          {"aes",    64,16,64,160,0}}},
  92 {0,2,128,"aes-serpent","xts-plain64",
  93         {{"aes",    64,16, 0,64,0},
  94          {"serpent",64,16,32,96,0}}},
  95 {0,3,192,"aes-twofish-serpent","xts-plain64",
  96         {{"aes",    64,16, 0, 96,0},
  97          {"twofish",64,16,32,128,0},
  98          {"serpent",64,16,64,160,0}}},
  99 {0,2,128,"serpent-twofish","xts-plain64",
 100         {{"serpent",64,16, 0,64,0},
 101          {"twofish",64,16,32,96,0}}},
 102 {0,1,64,"camellia","xts-plain64",
 103         {{"camellia",    64,16,0,32,0}}},
 104 {0,1,64,"kuznyechik","xts-plain64",
 105         {{"kuznyechik",  64,16,0,32,0}}},
 106 {0,2,128,"kuznyechik-camellia","xts-plain64",
 107         {{"kuznyechik",64,16, 0,64,0},
 108          {"camellia",  64,16,32,96,0}}},
 109 {0,2,128,"twofish-kuznyechik","xts-plain64",
 110         {{"twofish",   64,16, 0,64,0},
 111          {"kuznyechik",64,16,32,96,0}}},
 112 {0,2,128,"serpent-camellia","xts-plain64",
 113         {{"serpent",   64,16, 0,64,0},
 114          {"camellia",  64,16,32,96,0}}},
 115 {0,2,128,"aes-kuznyechik","xts-plain64",
 116         {{"aes",       64,16, 0,64,0},
 117          {"kuznyechik",64,16,32,96,0}}},
 118 {0,3,192,"camellia-serpent-kuznyechik","xts-plain64",
 119         {{"camellia",  64,16, 0, 96,0},
 120          {"serpent",   64,16,32,128,0},
 121          {"kuznyechik",64,16,64,160,0}}},
 122
 123 /* LRW mode */
 124 {0,1,48,"aes","lrw-benbi",
 125         {{"aes",    48,16,32,0,0}}},
 126 {0,1,48,"serpent","lrw-benbi",
 127         {{"serpent",48,16,32,0,0}}},
 128 {0,1,48,"twofish","lrw-benbi",
 129         {{"twofish",48,16,32,0,0}}},
 130 {0,2,96,"twofish-aes","lrw-benbi",
 131         {{"twofish",48,16,32,0,0},
 132          {"aes",    48,16,64,0,0}}},
 133 {0,3,144,"serpent-twofish-aes","lrw-benbi",
 134         {{"serpent",48,16,32,0,0},
 135          {"twofish",48,16,64,0,0},
 136          {"aes",    48,16,96,0,0}}},
 137 {0,2,96,"aes-serpent","lrw-benbi",
 138         {{"aes",    48,16,32,0,0},
 139          {"serpent",48,16,64,0,0}}},
 140 {0,3,144,"aes-twofish-serpent","lrw-benbi",
 141         {{"aes",    48,16,32,0,0},
 142          {"twofish",48,16,64,0,0},
 143          {"serpent",48,16,96,0,0}}},
 144 {0,2,96,"serpent-twofish", "lrw-benbi",
 145         {{"serpent",48,16,32,0,0},
 146          {"twofish",48,16,64,0,0}}},
 147
 148 /* Kernel LRW block size is fixed to 16 bytes for GF(2^128)
 149  * thus cannot be used with blowfish where block is 8 bytes.
 150  * There also no GF(2^64) support.
 151 {1,1,64,"blowfish_le","lrw-benbi",
 152          {{"blowfish_le",64,8,32,0,0}}},
 153 {1,2,112,"blowfish_le-aes","lrw-benbi",
 154          {{"blowfish_le",64, 8,32,0,0},
 155           {"aes",        48,16,88,0,0}}},
 156 {1,3,160,"serpent-blowfish_le-aes","lrw-benbi",
 157           {{"serpent",    48,16, 32,0,0},
 158            {"blowfish_le",64, 8, 64,0,0},
 159            {"aes",        48,16,120,0,0}}},*/
 160
 161 /*
 162  * CBC + "outer" CBC (both with whitening)
 163  * chain_key_size: alg_keys_bytes + IV_seed_bytes + whitening_bytes
 164  */
 165 {1,1,32+16+16,"aes","cbc-tcw",
 166         {{"aes",    32,16,32,0,32}}},
 167 {1,1,32+16+16,"serpent","cbc-tcw",
 168         {{"serpent",32,16,32,0,32}}},
 169 {1,1,32+16+16,"twofish","cbc-tcw",
 170         {{"twofish",32,16,32,0,32}}},
 171 {1,2,64+16+16,"twofish-aes","cbci-tcrypt",
 172         {{"twofish",32,16,32,0,0},
 173          {"aes",    32,16,64,0,32}}},
 174 {1,3,96+16+16,"serpent-twofish-aes","cbci-tcrypt",
 175         {{"serpent",32,16,32,0,0},
 176          {"twofish",32,16,64,0,0},
 177          {"aes",    32,16,96,0,32}}},
 178 {1,2,64+16+16,"aes-serpent","cbci-tcrypt",
 179         {{"aes",    32,16,32,0,0},
 180          {"serpent",32,16,64,0,32}}},
 181 {1,3,96+16+16,"aes-twofish-serpent", "cbci-tcrypt",
 182         {{"aes",    32,16,32,0,0},
 183          {"twofish",32,16,64,0,0},
 184          {"serpent",32,16,96,0,32}}},
 185 {1,2,64+16+16,"serpent-twofish", "cbci-tcrypt",
 186         {{"serpent",32,16,32,0,0},
 187          {"twofish",32,16,64,0,32}}},
 188 {1,1,16+8+16,"cast5","cbc-tcw",
 189         {{"cast5",   16,8,32,0,24}}},
 190 {1,1,24+8+16,"des3_ede","cbc-tcw",
 191         {{"des3_ede",24,8,32,0,24}}},
 192 {1,1,56+8+16,"blowfish_le","cbc-tcrypt",
 193         {{"blowfish_le",56,8,32,0,24}}},
 194 {1,2,88+16+16,"blowfish_le-aes","cbc-tcrypt",
 195         {{"blowfish_le",56, 8,32,0,0},
 196          {"aes",        32,16,88,0,32}}},
 197 {1,3,120+16+16,"serpent-blowfish_le-aes","cbc-tcrypt",
 198         {{"serpent",    32,16, 32,0,0},
 199          {"blowfish_le",56, 8, 64,0,0},
 200          {"aes",        32,16,120,0,32}}},
 201 {}
 202 };
 203
 204 static int TCRYPT_hdr_from_disk(struct crypt_device *cd,
 205                                 struct tcrypt_phdr *hdr,
 206                                 struct crypt_params_tcrypt *params,
 207                                 int kdf_index, int cipher_index)
 208 {
 209         uint32_t crc32;
 210         size_t size;
 211
 212         /* Check CRC32 of header */
 213         size = TCRYPT_HDR_LEN - sizeof(hdr->d.keys) - sizeof(hdr->d.header_crc32);
 214         crc32 = crypt_crc32(~0, (unsigned char*)&hdr->d, size) ^ ~0;
 215         if (be16_to_cpu(hdr->d.version) > 3 &&
 216             crc32 != be32_to_cpu(hdr->d.header_crc32)) {
 217                 log_dbg(cd, "TCRYPT header CRC32 mismatch.");
 218                 return -EINVAL;
 219         }
 220
 221         /* Check CRC32 of keys */
 222         crc32 = crypt_crc32(~0, (unsigned char*)hdr->d.keys, sizeof(hdr->d.keys)) ^ ~0;
 223         if (crc32 != be32_to_cpu(hdr->d.keys_crc32)) {
 224                 log_dbg(cd, "TCRYPT keys CRC32 mismatch.");
 225                 return -EINVAL;
 226         }
 227
 228         /* Convert header to cpu format */
 229         hdr->d.version  =  be16_to_cpu(hdr->d.version);
 230         hdr->d.version_tc = be16_to_cpu(hdr->d.version_tc);
 231
 232         hdr->d.keys_crc32 = be32_to_cpu(hdr->d.keys_crc32);
 233
 234         hdr->d.hidden_volume_size = be64_to_cpu(hdr->d.hidden_volume_size);
 235         hdr->d.volume_size        = be64_to_cpu(hdr->d.volume_size);
 236
 237         hdr->d.mk_offset = be64_to_cpu(hdr->d.mk_offset);
 238         if (!hdr->d.mk_offset)
 239                 hdr->d.mk_offset = 512;
 240
 241         hdr->d.mk_size = be64_to_cpu(hdr->d.mk_size);
 242
 243         hdr->d.flags = be32_to_cpu(hdr->d.flags);
 244
 245         hdr->d.sector_size = be32_to_cpu(hdr->d.sector_size);
 246         if (!hdr->d.sector_size)
 247                 hdr->d.sector_size = 512;
 248
 249         hdr->d.header_crc32 = be32_to_cpu(hdr->d.header_crc32);
 250
 251         /* Set params */
 252         params->passphrase = NULL;
 253         params->passphrase_size = 0;
 254         params->hash_name  = tcrypt_kdf[kdf_index].hash;
 255         params->key_size = tcrypt_cipher[cipher_index].chain_key_size;
 256         params->cipher = tcrypt_cipher[cipher_index].long_name;
 257         params->mode = tcrypt_cipher[cipher_index].mode;
 258
 259         return 0;
 260 }
 261
 262 /*
 263  * Kernel implements just big-endian version of blowfish, hack it here
 264  */
 265 static void TCRYPT_swab_le(char *buf)
 266 {
 267         uint32_t *l = (uint32_t*)&buf[0];
 268         uint32_t *r = (uint32_t*)&buf[4];
 269         *l = swab32(*l);
 270         *r = swab32(*r);
 271 }
 272
 273 static int decrypt_blowfish_le_cbc(struct tcrypt_alg *alg,
 274                                    const char *key, char *buf)
 275 {
 276         int bs = alg->iv_size;
 277         char iv[bs], iv_old[bs];
 278         struct crypt_cipher *cipher = NULL;
 279         int i, j, r;
 280
 281         assert(bs == 2*sizeof(uint32_t));
 282
 283         r = crypt_cipher_init(&cipher, "blowfish", "ecb",
 284                               &key[alg->key_offset], alg->key_size);
 285         if (r < 0)
 286                 return r;
 287
 288         memcpy(iv, &key[alg->iv_offset], alg->iv_size);
 289         for (i = 0; i < TCRYPT_HDR_LEN; i += bs) {
 290                 memcpy(iv_old, &buf[i], bs);
 291                 TCRYPT_swab_le(&buf[i]);
 292                 r = crypt_cipher_decrypt(cipher, &buf[i], &buf[i],
 293                                           bs, NULL, 0);
 294                 TCRYPT_swab_le(&buf[i]);
 295                 if (r < 0)
 296                         break;
 297                 for (j = 0; j < bs; j++)
 298                         buf[i + j] ^= iv[j];
 299                 memcpy(iv, iv_old, bs);
 300         }
 301
 302         crypt_cipher_destroy(cipher);
 303         crypt_safe_memzero(iv, bs);
 304         crypt_safe_memzero(iv_old, bs);
 305         return r;
 306 }
 307
 308 static void TCRYPT_remove_whitening(char *buf, const char *key)
 309 {
 310         int j;
 311
 312         for (j = 0; j < TCRYPT_HDR_LEN; j++)
 313                 buf[j] ^= key[j % 8];
 314 }
 315
 316 static void TCRYPT_copy_key(struct tcrypt_alg *alg, const char *mode,
 317                              char *out_key, const char *key)
 318 {
 319         int ks2;
 320         if (!strncmp(mode, "xts", 3)) {
 321                 ks2 = alg->key_size / 2;
 322                 memcpy(out_key, &key[alg->key_offset], ks2);
 323                 memcpy(&out_key[ks2], &key[alg->iv_offset], ks2);
 324         } else if (!strncmp(mode, "lrw", 3)) {
 325                 ks2 = alg->key_size - TCRYPT_LRW_IKEY_LEN;
 326                 memcpy(out_key, &key[alg->key_offset], ks2);
 327                 memcpy(&out_key[ks2], key, TCRYPT_LRW_IKEY_LEN);
 328         } else if (!strncmp(mode, "cbc", 3)) {
 329                 memcpy(out_key, &key[alg->key_offset], alg->key_size);
 330                 /* IV + whitening */
 331                 memcpy(&out_key[alg->key_size], &key[alg->iv_offset],
 332                        alg->key_extra_size);
 333         }
 334 }
 335
 336 static int TCRYPT_decrypt_hdr_one(struct tcrypt_alg *alg, const char *mode,
 337                                    const char *key,struct tcrypt_phdr *hdr)
 338 {
 339         char backend_key[TCRYPT_HDR_KEY_LEN];
 340         char iv[TCRYPT_HDR_IV_LEN] = {};
 341         char mode_name[MAX_CIPHER_LEN + 1];
 342         struct crypt_cipher *cipher;
 343         char *c, *buf = (char*)&hdr->e;
 344         int r;
 345
 346         /* Remove IV if present */
 347         mode_name[MAX_CIPHER_LEN] = '\0';
 348         strncpy(mode_name, mode, MAX_CIPHER_LEN);
 349         c = strchr(mode_name, '-');
 350         if (c)
 351                 *c = '\0';
 352
 353         if (!strncmp(mode, "lrw", 3))
 354                 iv[alg->iv_size - 1] = 1;
 355         else if (!strncmp(mode, "cbc", 3)) {
 356                 TCRYPT_remove_whitening(buf, &key[8]);
 357                 if (!strcmp(alg->name, "blowfish_le"))
 358                         return decrypt_blowfish_le_cbc(alg, key, buf);
 359                 memcpy(iv, &key[alg->iv_offset], alg->iv_size);
 360         }
 361
 362         TCRYPT_copy_key(alg, mode, backend_key, key);
 363         r = crypt_cipher_init(&cipher, alg->name, mode_name,
 364                               backend_key, alg->key_size);
 365         if (!r) {
 366                 r = crypt_cipher_decrypt(cipher, buf, buf, TCRYPT_HDR_LEN,
 367                                          iv, alg->iv_size);
 368                 crypt_cipher_destroy(cipher);
 369         }
 370
 371         crypt_safe_memzero(backend_key, sizeof(backend_key));
 372         crypt_safe_memzero(iv, TCRYPT_HDR_IV_LEN);
 373         return r;
 374 }
 375
 376 /*
 377  * For chained ciphers and CBC mode we need "outer" decryption.
 378  * Backend doesn't provide this, so implement it here directly using ECB.
 379  */
 380 static int TCRYPT_decrypt_cbci(struct tcrypt_algs *ciphers,
 381                                 const char *key, struct tcrypt_phdr *hdr)
 382 {
 383         struct crypt_cipher *cipher[ciphers->chain_count];
 384         unsigned int bs = ciphers->cipher[0].iv_size;
 385         char *buf = (char*)&hdr->e, iv[bs], iv_old[bs];
 386         unsigned int i, j;
 387         int r = -EINVAL;
 388
 389         TCRYPT_remove_whitening(buf, &key[8]);
 390
 391         memcpy(iv, &key[ciphers->cipher[0].iv_offset], bs);
 392
 393         /* Initialize all ciphers in chain in ECB mode */
 394         for (j = 0; j < ciphers->chain_count; j++)
 395                 cipher[j] = NULL;
 396         for (j = 0; j < ciphers->chain_count; j++) {
 397                 r = crypt_cipher_init(&cipher[j], ciphers->cipher[j].name, "ecb",
 398                                       &key[ciphers->cipher[j].key_offset],
 399                                       ciphers->cipher[j].key_size);
 400                 if (r < 0)
 401                         goto out;
 402         }
 403
 404         /* Implements CBC with chained ciphers in loop inside */
 405         for (i = 0; i < TCRYPT_HDR_LEN; i += bs) {
 406                 memcpy(iv_old, &buf[i], bs);
 407                 for (j = ciphers->chain_count; j > 0; j--) {
 408                         r = crypt_cipher_decrypt(cipher[j - 1], &buf[i], &buf[i],
 409                                                   bs, NULL, 0);
 410                         if (r < 0)
 411                                 goto out;
 412                 }
 413                 for (j = 0; j < bs; j++)
 414                         buf[i + j] ^= iv[j];
 415                 memcpy(iv, iv_old, bs);
 416         }
 417 out:
 418         for (j = 0; j < ciphers->chain_count; j++)
 419                 if (cipher[j])
 420                         crypt_cipher_destroy(cipher[j]);
 421
 422         crypt_safe_memzero(iv, bs);
 423         crypt_safe_memzero(iv_old, bs);
 424         return r;
 425 }
 426
 427 static int TCRYPT_decrypt_hdr(struct crypt_device *cd, struct tcrypt_phdr *hdr,
 428                                const char *key, uint32_t flags)
 429 {
 430         struct tcrypt_phdr hdr2;
 431         int i, j, r = -EINVAL;
 432
 433         for (i = 0; tcrypt_cipher[i].chain_count; i++) {
 434                 if (!(flags & CRYPT_TCRYPT_LEGACY_MODES) && tcrypt_cipher[i].legacy)
 435                         continue;
 436                 log_dbg(cd, "TCRYPT:  trying cipher %s-%s",
 437                         tcrypt_cipher[i].long_name, tcrypt_cipher[i].mode);
 438
 439                 memcpy(&hdr2.e, &hdr->e, TCRYPT_HDR_LEN);
 440
 441                 if (!strncmp(tcrypt_cipher[i].mode, "cbci", 4))
 442                         r = TCRYPT_decrypt_cbci(&tcrypt_cipher[i], key, &hdr2);
 443                 else for (j = tcrypt_cipher[i].chain_count - 1; j >= 0 ; j--) {
 444                         if (!tcrypt_cipher[i].cipher[j].name)
 445                                 continue;
 446                         r = TCRYPT_decrypt_hdr_one(&tcrypt_cipher[i].cipher[j],
 447                                             tcrypt_cipher[i].mode, key, &hdr2);
 448                         if (r < 0)
 449                                 break;
 450                 }
 451
 452                 if (r < 0) {
 453                         log_dbg(cd, "TCRYPT:   returned error %d, skipped.", r);
 454                         if (r == -ENOTSUP)
 455                                 break;
 456                         r = -ENOENT;
 457                         continue;
 458                 }
 459
 460                 if (!strncmp(hdr2.d.magic, TCRYPT_HDR_MAGIC, TCRYPT_HDR_MAGIC_LEN)) {
 461                         log_dbg(cd, "TCRYPT: Signature magic detected.");
 462                         memcpy(&hdr->e, &hdr2.e, TCRYPT_HDR_LEN);
 463                         r = i;
 464                         break;
 465                 }
 466                 if ((flags & CRYPT_TCRYPT_VERA_MODES) &&
 467                      !strncmp(hdr2.d.magic, VCRYPT_HDR_MAGIC, TCRYPT_HDR_MAGIC_LEN)) {
 468                         log_dbg(cd, "TCRYPT: Signature magic detected (Veracrypt).");
 469                         memcpy(&hdr->e, &hdr2.e, TCRYPT_HDR_LEN);
 470                         r = i;
 471                         break;
 472                 }
 473                 r = -EPERM;
 474         }
 475
 476         crypt_safe_memzero(&hdr2, sizeof(hdr2));
 477         return r;
 478 }
 479
 480 static int TCRYPT_pool_keyfile(struct crypt_device *cd,
 481                                 unsigned char pool[VCRYPT_KEY_POOL_LEN],
 482                                 const char *keyfile, int keyfiles_pool_length)
 483 {
 484         unsigned char *data;
 485         int i, j, fd, data_size, r = -EIO;
 486         uint32_t crc;
 487
 488         log_dbg(cd, "TCRYPT: using keyfile %s.", keyfile);
 489
 490         data = malloc(TCRYPT_KEYFILE_LEN);
 491         if (!data)
 492                 return -ENOMEM;
 493         memset(data, 0, TCRYPT_KEYFILE_LEN);
 494
 495         fd = open(keyfile, O_RDONLY);
 496         if (fd < 0) {
 497                 log_err(cd, _("Failed to open key file."));
 498                 goto out;
 499         }
 500
 501         data_size = read_buffer(fd, data, TCRYPT_KEYFILE_LEN);
 502         close(fd);
 503         if (data_size < 0) {
 504                 log_err(cd, _("Error reading keyfile %s."), keyfile);
 505                 goto out;
 506         }
 507
 508         for (i = 0, j = 0, crc = ~0U; i < data_size; i++) {
 509                 crc = crypt_crc32(crc, &data[i], 1);
 510                 pool[j++] += (unsigned char)(crc >> 24);
 511                 pool[j++] += (unsigned char)(crc >> 16);
 512                 pool[j++] += (unsigned char)(crc >>  8);
 513                 pool[j++] += (unsigned char)(crc);
 514                 j %= keyfiles_pool_length;
 515         }
 516         r = 0;
 517 out:
 518         crypt_safe_memzero(&crc, sizeof(crc));
 519         crypt_safe_memzero(data, TCRYPT_KEYFILE_LEN);
 520         free(data);
 521
 522         return r;
 523 }
 524
 525 static int TCRYPT_init_hdr(struct crypt_device *cd,
 526                            struct tcrypt_phdr *hdr,
 527                            struct crypt_params_tcrypt *params)
 528 {
 529         unsigned char pwd[VCRYPT_KEY_POOL_LEN] = {};
 530         size_t passphrase_size, max_passphrase_size;
 531         char *key;
 532         unsigned int i, skipped = 0, iterations;
 533         int r = -EPERM, keyfiles_pool_length;
 534
 535         if (posix_memalign((void*)&key, crypt_getpagesize(), TCRYPT_HDR_KEY_LEN))
 536                 return -ENOMEM;
 537
 538         if (params->flags & CRYPT_TCRYPT_VERA_MODES &&
 539             params->passphrase_size > TCRYPT_KEY_POOL_LEN) {
 540                 /* Really. Keyfile pool length depends on passphrase size in Veracrypt. */
 541                 max_passphrase_size = VCRYPT_KEY_POOL_LEN;
 542                 keyfiles_pool_length = VCRYPT_KEY_POOL_LEN;
 543         } else {
 544                 max_passphrase_size = TCRYPT_KEY_POOL_LEN;
 545                 keyfiles_pool_length = TCRYPT_KEY_POOL_LEN;
 546         }
 547
 548         if (params->keyfiles_count)
 549                 passphrase_size = max_passphrase_size;
 550         else
 551                 passphrase_size = params->passphrase_size;
 552
 553         if (params->passphrase_size > max_passphrase_size) {
 554                 log_err(cd, _("Maximum TCRYPT passphrase length (%zu) exceeded."),
 555                               max_passphrase_size);
 556                 goto out;
 557         }
 558
 559         /* Calculate pool content from keyfiles */
 560         for (i = 0; i < params->keyfiles_count; i++) {
 561                 r = TCRYPT_pool_keyfile(cd, pwd, params->keyfiles[i], keyfiles_pool_length);
 562                 if (r < 0)
 563                         goto out;
 564         }
 565
 566         /* If provided password, combine it with pool */
 567         for (i = 0; i < params->passphrase_size; i++)
 568                 pwd[i] += params->passphrase[i];
 569
 570         for (i = 0; tcrypt_kdf[i].name; i++) {
 571                 if (!(params->flags & CRYPT_TCRYPT_LEGACY_MODES) && tcrypt_kdf[i].legacy)
 572                         continue;
 573                 if (!(params->flags & CRYPT_TCRYPT_VERA_MODES) && tcrypt_kdf[i].veracrypt)
 574                         continue;
 575                 if ((params->flags & CRYPT_TCRYPT_VERA_MODES) && params->veracrypt_pim) {
 576                         /* Do not try TrueCrypt modes if we have PIM value */
 577                         if (!tcrypt_kdf[i].veracrypt)
 578                                 continue;
 579                         /* adjust iterations to given PIM cmdline parameter */
 580                         iterations = tcrypt_kdf[i].veracrypt_pim_const +
 581                                     (tcrypt_kdf[i].veracrypt_pim_mult * params->veracrypt_pim);
 582                 } else
 583                         iterations = tcrypt_kdf[i].iterations;
 584
 585                 /* Derive header key */
 586                 log_dbg(cd, "TCRYPT: trying KDF: %s-%s-%d%s.",
 587                         tcrypt_kdf[i].name, tcrypt_kdf[i].hash, tcrypt_kdf[i].iterations,
 588                         params->veracrypt_pim && tcrypt_kdf[i].veracrypt ? "-PIM" : "");
 589                 r = crypt_pbkdf(tcrypt_kdf[i].name, tcrypt_kdf[i].hash,
 590                                 (char*)pwd, passphrase_size,
 591                                 hdr->salt, TCRYPT_HDR_SALT_LEN,
 592                                 key, TCRYPT_HDR_KEY_LEN,
 593                                 iterations, 0, 0);
 594                 if (r < 0) {
 595                         log_verbose(cd, _("PBKDF2 hash algorithm %s not available, skipping."),
 596                                       tcrypt_kdf[i].hash);
 597                         continue;
 598                 }
 599
 600                 /* Decrypt header */
 601                 r = TCRYPT_decrypt_hdr(cd, hdr, key, params->flags);
 602                 if (r == -ENOENT) {
 603                         skipped++;
 604                         r = -EPERM;
 605                 }
 606                 if (r != -EPERM)
 607                         break;
 608         }
 609
 610         if ((r < 0 && r != -EPERM && skipped && skipped == i) || r == -ENOTSUP) {
 611                 log_err(cd, _("Required kernel crypto interface not available."));
 612 #ifdef ENABLE_AF_ALG
 613                 log_err(cd, _("Ensure you have algif_skcipher kernel module loaded."));
 614 #endif
 615         }
 616         if (r < 0)
 617                 goto out;
 618
 619         r = TCRYPT_hdr_from_disk(cd, hdr, params, i, r);
 620         if (!r) {
 621                 log_dbg(cd, "TCRYPT: Magic: %s, Header version: %d, req. %d, sector %d"
 622                         ", mk_offset %" PRIu64 ", hidden_size %" PRIu64
 623                         ", volume size %" PRIu64, tcrypt_kdf[i].veracrypt ?
 624                         VCRYPT_HDR_MAGIC : TCRYPT_HDR_MAGIC,
 625                         (int)hdr->d.version, (int)hdr->d.version_tc, (int)hdr->d.sector_size,
 626                         hdr->d.mk_offset, hdr->d.hidden_volume_size, hdr->d.volume_size);
 627                 log_dbg(cd, "TCRYPT: Header cipher %s-%s, key size %zu",
 628                         params->cipher, params->mode, params->key_size);
 629         }
 630 out:
 631         crypt_safe_memzero(pwd, TCRYPT_KEY_POOL_LEN);
 632         if (key)
 633                 crypt_safe_memzero(key, TCRYPT_HDR_KEY_LEN);
 634         free(key);
 635         return r;
 636 }
 637
 638 int TCRYPT_read_phdr(struct crypt_device *cd,
 639                      struct tcrypt_phdr *hdr,
 640                      struct crypt_params_tcrypt *params)
 641 {
 642         struct device *base_device = NULL, *device = crypt_metadata_device(cd);
 643         ssize_t hdr_size = sizeof(struct tcrypt_phdr);
 644         char *base_device_path;
 645         int devfd, r;
 646
 647         assert(sizeof(struct tcrypt_phdr) == 512);
 648
 649         log_dbg(cd, "Reading TCRYPT header of size %zu bytes from device %s.",
 650                 hdr_size, device_path(device));
 651
 652         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER &&
 653             crypt_dev_is_partition(device_path(device))) {
 654                 base_device_path = crypt_get_base_device(device_path(device));
 655
 656                 log_dbg(cd, "Reading TCRYPT system header from device %s.", base_device_path ?: "?");
 657                 if (!base_device_path)
 658                         return -EINVAL;
 659
 660                 r = device_alloc(cd, &base_device, base_device_path);
 661                 free(base_device_path);
 662                 if (r < 0)
 663                         return r;
 664                 devfd = device_open(cd, base_device, O_RDONLY);
 665         } else
 666                 devfd = device_open(cd, device, O_RDONLY);
 667
 668         if (devfd < 0) {
 669                 device_free(cd, base_device);
 670                 log_err(cd, _("Cannot open device %s."), device_path(device));
 671                 return -EINVAL;
 672         }
 673
 674         r = -EIO;
 675         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
 676                 if (read_lseek_blockwise(devfd, device_block_size(cd, device),
 677                         device_alignment(device), hdr, hdr_size,
 678                         TCRYPT_HDR_SYSTEM_OFFSET) == hdr_size) {
 679                         r = TCRYPT_init_hdr(cd, hdr, params);
 680                 }
 681         } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
 682                 if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
 683                         if (read_lseek_blockwise(devfd, device_block_size(cd, device),
 684                                 device_alignment(device), hdr, hdr_size,
 685                                 TCRYPT_HDR_HIDDEN_OFFSET_BCK) == hdr_size)
 686                                 r = TCRYPT_init_hdr(cd, hdr, params);
 687                 } else {
 688                         if (read_lseek_blockwise(devfd, device_block_size(cd, device),
 689                                 device_alignment(device), hdr, hdr_size,
 690                                 TCRYPT_HDR_HIDDEN_OFFSET) == hdr_size)
 691                                 r = TCRYPT_init_hdr(cd, hdr, params);
 692                         if (r && read_lseek_blockwise(devfd, device_block_size(cd, device),
 693                                 device_alignment(device), hdr, hdr_size,
 694                                 TCRYPT_HDR_HIDDEN_OFFSET_OLD) == hdr_size)
 695                                 r = TCRYPT_init_hdr(cd, hdr, params);
 696                 }
 697         } else if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
 698                 if (read_lseek_blockwise(devfd, device_block_size(cd, device),
 699                         device_alignment(device), hdr, hdr_size,
 700                         TCRYPT_HDR_OFFSET_BCK) == hdr_size)
 701                         r = TCRYPT_init_hdr(cd, hdr, params);
 702         } else if (read_lseek_blockwise(devfd, device_block_size(cd, device),
 703                         device_alignment(device), hdr, hdr_size, 0) == hdr_size)
 704                 r = TCRYPT_init_hdr(cd, hdr, params);
 705
 706         device_free(cd, base_device);
 707         if (r < 0)
 708                 memset(hdr, 0, sizeof (*hdr));
 709         return r;
 710 }
 711
 712 static struct tcrypt_algs *TCRYPT_get_algs(const char *cipher, const char *mode)
 713 {
 714         int i;
 715
 716         if (!cipher || !mode)
 717                 return NULL;
 718
 719         for (i = 0; tcrypt_cipher[i].chain_count; i++)
 720                 if (!strcmp(tcrypt_cipher[i].long_name, cipher) &&
 721                     !strcmp(tcrypt_cipher[i].mode, mode))
 722                     return &tcrypt_cipher[i];
 723
 724         return NULL;
 725 }
 726
 727 int TCRYPT_activate(struct crypt_device *cd,
 728                      const char *name,
 729                      struct tcrypt_phdr *hdr,
 730                      struct crypt_params_tcrypt *params,
 731                      uint32_t flags)
 732 {
 733         char dm_name[PATH_MAX], dm_dev_name[PATH_MAX], cipher_spec[MAX_CIPHER_LEN*2+1];
 734         char *part_path;
 735         unsigned int i;
 736         int r;
 737         uint32_t req_flags, dmc_flags;
 738         struct tcrypt_algs *algs;
 739         enum devcheck device_check;
 740         uint64_t offset = crypt_get_data_offset(cd);
 741         struct volume_key *vk = NULL;
 742         struct device  *ptr_dev = crypt_data_device(cd), *device = NULL, *part_device = NULL;
 743         struct crypt_dm_active_device dmd = {
 744                 .flags = flags
 745         };
 746
 747         if (!hdr->d.version) {
 748                 log_dbg(cd, "TCRYPT: this function is not supported without encrypted header load.");
 749                 return -ENOTSUP;
 750         }
 751
 752         if (hdr->d.sector_size && hdr->d.sector_size != SECTOR_SIZE) {
 753                 log_err(cd, _("Activation is not supported for %d sector size."),
 754                         hdr->d.sector_size);
 755                 return -ENOTSUP;
 756         }
 757
 758         if (strstr(params->mode, "-tcrypt")) {
 759                 log_err(cd, _("Kernel does not support activation for this TCRYPT legacy mode."));
 760                 return -ENOTSUP;
 761         }
 762
 763         if (strstr(params->mode, "-tcw"))
 764                 req_flags = DM_TCW_SUPPORTED;
 765         else
 766                 req_flags = DM_PLAIN64_SUPPORTED;
 767
 768         algs = TCRYPT_get_algs(params->cipher, params->mode);
 769         if (!algs)
 770                 return -EINVAL;
 771
 772         if (hdr->d.sector_size == 0)
 773                 return -EINVAL;
 774
 775         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
 776                 dmd.size = 0;
 777         else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER)
 778                 dmd.size = hdr->d.hidden_volume_size / hdr->d.sector_size;
 779         else
 780                 dmd.size = hdr->d.volume_size / hdr->d.sector_size;
 781
 782         if (dmd.flags & CRYPT_ACTIVATE_SHARED)
 783                 device_check = DEV_OK;
 784         else
 785                 device_check = DEV_EXCL;
 786
 787         if ((params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) &&
 788              !crypt_dev_is_partition(device_path(crypt_data_device(cd)))) {
 789                 part_path = crypt_get_partition_device(device_path(crypt_data_device(cd)),
 790                                                        crypt_get_data_offset(cd), dmd.size);
 791                 if (part_path) {
 792                         if (!device_alloc(cd, &part_device, part_path)) {
 793                                 log_verbose(cd, _("Activating TCRYPT system encryption for partition %s."),
 794                                             part_path);
 795                                 ptr_dev = part_device;
 796                                 offset = 0;
 797                         }
 798                         free(part_path);
 799                 } else
 800                         /*
 801                          * System encryption use the whole device mapping, there can
 802                          * be active partitions.
 803                          */
 804                         device_check = DEV_OK;
 805         }
 806
 807         r = device_block_adjust(cd, ptr_dev, device_check,
 808                                 offset, &dmd.size, &dmd.flags);
 809         if (r)
 810                 goto out;
 811
 812         /* From here, key size for every cipher must be the same */
 813         vk = crypt_alloc_volume_key(algs->cipher[0].key_size +
 814                                     algs->cipher[0].key_extra_size, NULL);
 815         if (!vk) {
 816                 r = -ENOMEM;
 817                 goto out;
 818         }
 819
 820         for (i = algs->chain_count; i > 0; i--) {
 821                 if (i == 1) {
 822                         dm_name[sizeof(dm_name)-1] = '\0';
 823                         strncpy(dm_name, name, sizeof(dm_name)-1);
 824                         dmd.flags = flags;
 825                 } else {
 826                         snprintf(dm_name, sizeof(dm_name), "%s_%d", name, i-1);
 827                         dmd.flags = flags | CRYPT_ACTIVATE_PRIVATE;
 828                 }
 829
 830                 TCRYPT_copy_key(&algs->cipher[i-1], algs->mode,
 831                                 vk->key, hdr->d.keys);
 832
 833                 if (algs->chain_count != i) {
 834                         snprintf(dm_dev_name, sizeof(dm_dev_name), "%s/%s_%d",
 835                                  dm_get_dir(), name, i);
 836                         r = device_alloc(cd, &device, dm_dev_name);
 837                         if (r)
 838                                 break;
 839                         ptr_dev = device;
 840                         offset = 0;
 841                 }
 842
 843                 r = snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", algs->cipher[i-1].name, algs->mode);
 844                 if (r < 0 || (size_t)r >= sizeof(cipher_spec)) {
 845                         r = -ENOMEM;
 846                         break;
 847                 }
 848
 849                 r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, ptr_dev, vk,
 850                                 cipher_spec, crypt_get_iv_offset(cd), offset,
 851                                 crypt_get_integrity(cd),
 852                                 crypt_get_integrity_tag_size(cd),
 853                                 crypt_get_sector_size(cd));
 854                 if (r)
 855                         break;
 856
 857                 log_dbg(cd, "Trying to activate TCRYPT device %s using cipher %s.",
 858                         dm_name, dmd.segment.u.crypt.cipher);
 859                 r = dm_create_device(cd, dm_name, CRYPT_TCRYPT, &dmd);
 860
 861                 dm_targets_free(cd, &dmd);
 862                 device_free(cd, device);
 863                 device = NULL;
 864
 865                 if (r)
 866                         break;
 867         }
 868
 869         if (r < 0 &&
 870             (dm_flags(cd, DM_CRYPT, &dmc_flags) || ((dmc_flags & req_flags) != req_flags))) {
 871                 log_err(cd, _("Kernel does not support TCRYPT compatible mapping."));
 872                 r = -ENOTSUP;
 873         }
 874
 875 out:
 876         crypt_free_volume_key(vk);
 877         device_free(cd, device);
 878         device_free(cd, part_device);
 879         return r;
 880 }
 881
 882 static int TCRYPT_remove_one(struct crypt_device *cd, const char *name,
 883                       const char *base_uuid, int index, uint32_t flags)
 884 {
 885         struct crypt_dm_active_device dmd;
 886         char dm_name[PATH_MAX];
 887         int r;
 888
 889         if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
 890                 return -ENOMEM;
 891
 892         r = dm_status_device(cd, dm_name);
 893         if (r < 0)
 894                 return r;
 895
 896         r = dm_query_device(cd, dm_name, DM_ACTIVE_UUID, &dmd);
 897         if (!r && !strncmp(dmd.uuid, base_uuid, strlen(base_uuid)))
 898                 r = dm_remove_device(cd, dm_name, flags);
 899
 900         free(CONST_CAST(void*)dmd.uuid);
 901         return r;
 902 }
 903
 904 int TCRYPT_deactivate(struct crypt_device *cd, const char *name, uint32_t flags)
 905 {
 906         struct crypt_dm_active_device dmd;
 907         int r;
 908
 909         r = dm_query_device(cd, name, DM_ACTIVE_UUID, &dmd);
 910         if (r < 0)
 911                 return r;
 912         if (!dmd.uuid)
 913                 return -EINVAL;
 914
 915         r = dm_remove_device(cd, name, flags);
 916         if (r < 0)
 917                 goto out;
 918
 919         r = TCRYPT_remove_one(cd, name, dmd.uuid, 1, flags);
 920         if (r < 0)
 921                 goto out;
 922
 923         r = TCRYPT_remove_one(cd, name, dmd.uuid, 2, flags);
 924 out:
 925         free(CONST_CAST(void*)dmd.uuid);
 926         return (r == -ENODEV) ? 0 : r;
 927 }
 928
 929 static int TCRYPT_status_one(struct crypt_device *cd, const char *name,
 930                              const char *base_uuid, int index,
 931                              size_t *key_size, char *cipher,
 932                              struct tcrypt_phdr *tcrypt_hdr,
 933                              struct device **device)
 934 {
 935         struct crypt_dm_active_device dmd;
 936         struct dm_target *tgt = &dmd.segment;
 937         char dm_name[PATH_MAX], *c;
 938         int r;
 939
 940         if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
 941                 return -ENOMEM;
 942
 943         r = dm_status_device(cd, dm_name);
 944         if (r < 0)
 945                 return r;
 946
 947         r = dm_query_device(cd, dm_name, DM_ACTIVE_DEVICE |
 948                                           DM_ACTIVE_UUID |
 949                                           DM_ACTIVE_CRYPT_CIPHER |
 950                                           DM_ACTIVE_CRYPT_KEYSIZE, &dmd);
 951         if (r < 0)
 952                 return r;
 953         if (!single_segment(&dmd) || tgt->type != DM_CRYPT) {
 954                 r = -ENOTSUP;
 955                 goto out;
 956         }
 957
 958         r = 0;
 959
 960         if (!strncmp(dmd.uuid, base_uuid, strlen(base_uuid))) {
 961                 if ((c = strchr(tgt->u.crypt.cipher, '-')))
 962                         *c = '\0';
 963                 strcat(cipher, "-");
 964                 strncat(cipher, tgt->u.crypt.cipher, MAX_CIPHER_LEN);
 965                 *key_size += tgt->u.crypt.vk->keylength;
 966                 tcrypt_hdr->d.mk_offset = tgt->u.crypt.offset * SECTOR_SIZE;
 967                 device_free(cd, *device);
 968                 MOVE_REF(*device, tgt->data_device);
 969         } else
 970                 r = -ENODEV;
 971 out:
 972         dm_targets_free(cd, &dmd);
 973         free(CONST_CAST(void*)dmd.uuid);
 974         return r;
 975 }
 976
 977 int TCRYPT_init_by_name(struct crypt_device *cd, const char *name,
 978                         const char *uuid,
 979                         const struct dm_target *tgt,
 980                         struct device **device,
 981                         struct crypt_params_tcrypt *tcrypt_params,
 982                         struct tcrypt_phdr *tcrypt_hdr)
 983 {
 984         struct tcrypt_algs *algs;
 985         char cipher[MAX_CIPHER_LEN * 4], mode[MAX_CIPHER_LEN+1], *tmp;
 986         size_t key_size;
 987         int r;
 988
 989         memset(tcrypt_params, 0, sizeof(*tcrypt_params));
 990         memset(tcrypt_hdr, 0, sizeof(*tcrypt_hdr));
 991         tcrypt_hdr->d.sector_size = SECTOR_SIZE;
 992         tcrypt_hdr->d.mk_offset = tgt->u.crypt.offset * SECTOR_SIZE;
 993
 994         strncpy(cipher, tgt->u.crypt.cipher, MAX_CIPHER_LEN);
 995         tmp = strchr(cipher, '-');
 996         if (!tmp)
 997                 return -EINVAL;
 998         *tmp = '\0';
 999         mode[MAX_CIPHER_LEN] = '\0';
1000         strncpy(mode, ++tmp, MAX_CIPHER_LEN);
1001
1002         key_size = tgt->u.crypt.vk->keylength;
1003         r = TCRYPT_status_one(cd, name, uuid, 1, &key_size,
1004                               cipher, tcrypt_hdr, device);
1005         if (!r)
1006                 r = TCRYPT_status_one(cd, name, uuid, 2, &key_size,
1007                                       cipher, tcrypt_hdr, device);
1008
1009         if (r < 0 && r != -ENODEV)
1010                 return r;
1011
1012         algs = TCRYPT_get_algs(cipher, mode);
1013         if (!algs || key_size != algs->chain_key_size)
1014                 return -EINVAL;
1015
1016         tcrypt_params->key_size = algs->chain_key_size;
1017         tcrypt_params->cipher = algs->long_name;
1018         tcrypt_params->mode = algs->mode;
1019         return 0;
1020 }
1021
1022 uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
1023                                  struct tcrypt_phdr *hdr,
1024                                  struct crypt_params_tcrypt *params)
1025 {
1026         uint64_t size;
1027
1028         /* No real header loaded, initialized by active device */
1029         if (!hdr->d.version)
1030                 goto hdr_offset;
1031
1032         /* Mapping through whole device, not partition! */
1033         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
1034                 if (crypt_dev_is_partition(device_path(crypt_metadata_device(cd))))
1035                         return 0;
1036                 goto hdr_offset;
1037         }
1038
1039         if (params->mode && !strncmp(params->mode, "xts", 3)) {
1040                 if (hdr->d.version < 3)
1041                         return 1;
1042
1043                 if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
1044                         if (hdr->d.version > 3)
1045                                 return (hdr->d.mk_offset / hdr->d.sector_size);
1046                         if (device_size(crypt_metadata_device(cd), &size) < 0)
1047                                 return 0;
1048                         return (size - hdr->d.hidden_volume_size +
1049                                 (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
1050                 }
1051                 goto hdr_offset;
1052         }
1053
1054         if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
1055                 if (device_size(crypt_metadata_device(cd), &size) < 0)
1056                         return 0;
1057                 return (size - hdr->d.hidden_volume_size +
1058                         (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
1059         }
1060
1061 hdr_offset:
1062         return hdr->d.mk_offset / hdr->d.sector_size;
1063 }
1064
1065 uint64_t TCRYPT_get_iv_offset(struct crypt_device *cd,
1066                               struct tcrypt_phdr *hdr,
1067                               struct crypt_params_tcrypt *params)
1068 {
1069         uint64_t iv_offset;
1070
1071         if (params->mode && !strncmp(params->mode, "xts", 3))
1072                 iv_offset = TCRYPT_get_data_offset(cd, hdr, params);
1073         else if (params->mode && !strncmp(params->mode, "lrw", 3))
1074                 iv_offset = 0;
1075         else
1076                 iv_offset = hdr->d.mk_offset / hdr->d.sector_size;
1077
1078         if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
1079                 iv_offset += crypt_dev_partition_offset(device_path(crypt_metadata_device(cd)));
1080
1081         return iv_offset;
1082 }
1083
1084 int TCRYPT_get_volume_key(struct crypt_device *cd,
1085                           struct tcrypt_phdr *hdr,
1086                           struct crypt_params_tcrypt *params,
1087                           struct volume_key **vk)
1088 {
1089         struct tcrypt_algs *algs;
1090         unsigned int i, key_index;
1091
1092         if (!hdr->d.version) {
1093                 log_err(cd, _("This function is not supported without TCRYPT header load."));
1094                 return -ENOTSUP;
1095         }
1096
1097         algs = TCRYPT_get_algs(params->cipher, params->mode);
1098         if (!algs)
1099                 return -EINVAL;
1100
1101         *vk = crypt_alloc_volume_key(params->key_size, NULL);
1102         if (!*vk)
1103                 return -ENOMEM;
1104
1105         for (i = 0, key_index = 0; i < algs->chain_count; i++) {
1106                 TCRYPT_copy_key(&algs->cipher[i], algs->mode,
1107                                 &(*vk)->key[key_index], hdr->d.keys);
1108                 key_index += algs->cipher[i].key_size;
1109         }
1110
1111         return 0;
1112 }
1113
1114 int TCRYPT_dump(struct crypt_device *cd,
1115                 struct tcrypt_phdr *hdr,
1116                 struct crypt_params_tcrypt *params)
1117 {
1118         log_std(cd, "%s header information for %s\n",
1119                 hdr->d.magic[0] == 'T' ? "TCRYPT" : "VERACRYPT",
1120                 device_path(crypt_metadata_device(cd)));
1121         if (hdr->d.version) {
1122                 log_std(cd, "Version:       \t%d\n", hdr->d.version);
1123                 log_std(cd, "Driver req.:\t%x.%x\n", hdr->d.version_tc >> 8,
1124                                                     hdr->d.version_tc & 0xFF);
1125
1126                 log_std(cd, "Sector size:\t%" PRIu32 "\n", hdr->d.sector_size);
1127                 log_std(cd, "MK offset:\t%" PRIu64 "\n", hdr->d.mk_offset);
1128                 log_std(cd, "PBKDF2 hash:\t%s\n", params->hash_name);
1129         }
1130         log_std(cd, "Cipher chain:\t%s\n", params->cipher);
1131         log_std(cd, "Cipher mode:\t%s\n", params->mode);
1132         log_std(cd, "MK bits:       \t%zu\n", params->key_size * 8);
1133         return 0;
1134 }