Release 1.2.0

git-svn-id: https://cryptsetup.googlecode.com/svn/tags/v1_2_0@405 36d66b0a-2a48-0410-832c-cd162a569da5

AUTHORS

@@ -1,2 +1,3 @@
 Christophe Saout <christophe@saout.de>
 Clemens Fruhwirth <clemens@endorphin.org>
+Milan Broz <asi@ucw.cz>

ChangeLog

@@ -1,3 +1,87 @@
+2010-12-20  Milan Broz  <mbroz@redhat.com>
+	* Version 1.2.0.
+
+2010-11-25  Milan Broz  <mbroz@redhat.com>
+	* Fix crypt_activate_by_keyfile() to work with PLAIN devices.
+	* Fix create command to properly handle keyfile size.
+
+2010-11-16  Milan Broz  <mbroz@redhat.com>
+	* Version 1.2.0-rc1.
+
+2010-11-13  Milan Broz  <mbroz@redhat.com>
+	* Fix password callback call.
+	* Fix default plain password entry from terminal in activate_by_passphrase.
+	* Add --dump-master-key option for luksDump to allow volume key dump.
+	* Allow to activate by internally cached volume key
+	  (format/activate without keyslots active - used for temporary devices).
+	* Initialize volume key from active device in crypt_init_by_name()
+	* Fix cryptsetup binary exitcodes.
+	* Increase library version (still binary compatible with 1.1.x release).
+
+2010-11-01  Milan Broz  <mbroz@redhat.com>
+	* No longer support luksDelKey, reload and --non-exclusive.
+	* Remove some obsolete info from man page.
+	* Add crypt_get_type(), crypt_resize(), crypt_keyslot_max()
+	and crypt_get_active_device() to API.
+	* Rewrite all implementations in cryptsetup to new API.
+	* Fix luksRemoveKey to behave as documented (do not ask
+	for remaining keyslot passphrase).
+	* Add more regression tests for commands.
+	* Disallow mapping of device which is already in use (mapped or mounted).
+	* Disallow luksFormat on device in use.
+
+2010-10-27  Milan Broz  <mbroz@redhat.com>
+	* Rewrite cryptsetup luksFormat, luksOpen, luksAddKey to use new API
+	  to allow adding new features.
+	* Implement --use-random and --use-urandom for luksFormat to allow
+	  setting of RNG for volume key generator.
+	* Add crypt_set_rng_type() and crypt_get_rng_type() to API.
+	* Add crypt_set_uuid() to API.
+	* Allow UUID setting in luksFormat and luksUUID (--uuid parameter).
+	* Add --keyfile-size and --new-keyfile-size (in bytes) size and disallow overloading
+	  of --key-size for limiting keyfile reads.
+	* Fix luksFormat to properly use key file with --master-key-file switch.
+	* Fix possible double free when handling master key file.
+
+2010-10-17  Milan Broz  <mbroz@redhat.com>
+	* Add crypt_get_device_name() to API (get underlying device name).
+	* Change detection for static libraries.
+	* Fix pkg-config use in automake scripts.
+	* Remove --disable-shared-library switch and handle static library build
+	  by common libtool logic (using --enable-static).
+	* Add --enable-static-cryptsetup option to build cryptsetup.static binary
+	  together with shared build.
+
+2010-08-05  Milan Broz  <mbroz@redhat.com>
+	* Wipe iteration and salt after KillSlot in LUKS header.
+	* Rewrite file differ test to C (and fix it to really work).
+	* Switch to 1MiB default alignment of data.
+	  For more info see https://bugzilla.redhat.com/show_bug.cgi?id=621684
+	* Do not query non-existent device twice (cryptsetup status /dev/nonexistent).
+	* Check if requested hash is supported before writing LUKS header.
+
+2010-07-28  Arno Wagner <arno@wagner.name>
+	* Add FAQ (Frequently Asked Questions) file to distribution.
+
+2010-07-03  Milan Broz  <mbroz@redhat.com>
+	* Fix udev support for old libdevmapper with not compatible definition.
+	* Version 1.1.3.
+
+2010-06-01  Milan Broz  <mbroz@redhat.com>
+	* Fix device alignment ioctl calls parameters.
+	* Fix activate_by_* API calls to handle NULL device name as documented.
+
+2010-05-30  Milan Broz  <mbroz@redhat.com>
+	* Version 1.1.2.
+
+2010-05-27  Milan Broz  <mbroz@redhat.com>
+	* Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
+	* Support --key-file/-d option for luksFormat.
+	* Fix description of --key-file and add --verbose and --debug options to man page.
+	* Add verbose log level and move unlocking message there.
+	* Remove device even if underlying device disappeared.
+	* Fix (deprecated) reload device command to accept new device argument.
+
 2010-05-23  Milan Broz  <mbroz@redhat.com>
 	* Fix luksClose operation for stacked DM devices.
 	* Version 1.1.1.

FAQ

@@ -0,0 +1,933 @@
+Sections 
+
+1. General Questions
+2. Setup
+3. Common Problems
+4. Troubleshooting
+5. Security Aspects
+6. Backup and Data Recovery
+7. Issues with Specific Versions of cryptsetup
+A. Contributors
+
+
+1. General Questions 
+
+
+ * What is this?
+
+  This is the FAQ (Frequently Asked Questions) for cryptsetup. It
+  covers Linux disk encryption with plain dm-crypt (one passphrase,
+  no management, no descriptor on disk) and LUKS (multiple user keys
+  with one master key, anti-forensics, descriptor block at start of
+  device, ...). The latest version should usually be available at
+  http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
+
+  ATTENTION: If you are going to read just one thing, make it the
+  section on Backup and Data Recovery. By far the most questions on
+  the cryptsetup mailing list are from people that just managed to
+  somehow format or overwrite the start of their LUKS partitions. In
+  most cases, there is nothing that can be done to help these poor
+  souls recover their data. Make sure you understand the problem and
+  limitations imposed by the LUKS security model BEFORE you face such
+  a disaster!
+
+
+ * Who wrote this?
+
+  Current FAQ maintainer is Arno Wagner <arno@wagner.name>. Other
+  contributors are listed at the end. If you want to contribute, send
+  your article, including a descriptive headline, to the maintainer,
+  or the dm-crypt mailing list with something like "FAQ ..." in the
+  subject. Please note that by contributing to this FAQ, you accept
+  the license described below.
+
+  This work is under the "Attribution-Share Alike 3.0 Unported"
+  license, which means distribution is unlimited, you may create
+  derived works, but attributions to original authors and this
+  license statement must be retained and the derived work must be
+  under the same license. See
+  http://creativecommons.org/licenses/by-sa/3.0/ for more details of
+  the license.
+
+  Side note: I did text license research some time ago and I think
+  this license is best suited for the purpose at hand and creates the
+  least problems.
+
+
+ * Where is the project website?
+
+  There is the project website at http://code.google.com/p/cryptsetup/
+  Please do not post questions there, nobody will read them. Use
+  the mailing-list instead.
+
+
+ * Is there a mailing-list?
+
+  Instructions on how to subscribe to the mailing-list are at on the
+  project website. People are generally helpful and friendly on the
+  list.
+
+  The question of how to unsubscribe from the list does crop up
+  sometimes. For this you need your list management URL, which is
+  sent to you initially and once at the start of each month. Go to
+  the URL mentioned in the email and select "unsubscribe". This page
+  also allows you to request a password reminder.
+
+  Alternatively, you can send an Email to dm-crypt-request@saout.de
+  with just the word "help" in the subject or message body. Make sure
+  to send it from your list address.
+
+
+2. Setup 
+
+
+ * Can I encrypt an already existing, non-empty partition to use LUKS?
+
+  There is no converter, and it is not really needed. The way to do
+  this is to make a backup of the device in question, securely wipe
+  the device (as LUKS device initialization does not clear away old
+  data), do a luksFormat, optionally overwrite the encrypted device,
+  create a new filesystem and restore your backup on the now
+  encrypted device. Also refer to sections "Security Aspects" and
+  "Backup and Data Recovery".
+
+  For backup, plain GNU tar works well and backs up anything likely
+  to be in a filesystem.
+
+
+ * How do I use LUKS with a loop-device?
+
+  Just the same as with any block device. If you want, for example,
+  to use a 100MiB file as LUKS container, do something like this:
+
+      head -c 100M /dev/zero > luksfile  # create empty file
+      losetup /dev/loop0 luksfile        # map luksfile to /dev/loop0
+      cryptsetup luksFormat /dev/loop0   # create LUKS on loop device
+ 
+  Afterwards just use /dev/loop0 as a you would use a LUKS partition.
+  To unmap the file when done, use "losetup -d /dev/loop0".
+
+
+ * When I add a new key-slot to LUKS, it asks for a passphrase but
+   then complains about there not being a key-slot with that
+   passphrase?
+
+  That is as intended. You are asked a passphrase of an existing
+  key-slot first, before you can enter the passphrase for the new
+  key-slot. Otherwise you could break the encryption by just adding a
+  new key-slot. This way, you have to know the passphrase of one of
+  the already configured key-slots in order to be able to configure a
+  new key-slot.
+
+
+ * How do I read a dm-crypt key from file?
+
+  Note that the file will still be hashed first, just like keyboard
+  input. Use the --key-file option, like this:
+
+      cryptsetup create --key-file keyfile e1 /dev/loop0
+ 
+
+ * How do I read a LUKS slot key from file?
+
+  What you really do here is to read a passphrase from file, just as
+  you would with manual entry of a passphrase for a key-slot. You can
+  add a new passphrase to a free key-slot, set the passphrase of an
+  specific key-slot or put an already configured passphrase into a
+  file. In the last case make sure no trailing newline (0x0a) is
+  contained in the key file, or the passphrase will not work because
+  the whole file is used as input.
+
+  To add a new passphrase to a free key slot from file, use something
+  like this:
+
+      cryptsetup luksAddKey /dev/loop0 keyfile
+ 
+  To add a new passphrase to a specific key-slot, use something like
+  this:
+
+      cryptsetup luksAddKey --key-slot 7 /dev/loop0 keyfile
+ 
+  To supply a key from file to any LUKS command, use the --key-file
+  option, e.g. like this:
+
+      cryptsetup luksOpen --key-file keyfile /dev/loop0 e1
+ 
+
+ * How do I read the LUKS master key from file?
+
+  The question you should ask yourself first, is why you would want
+  to do this. The only legitimate reason I can think of is if you
+  want to have two LUKS devices with the same master key. Even then,
+  I think it would be preferable to just use key-slots with the same
+  passphrase, or to use plain dm-crypt instead. If you really have a
+  good reason, please tell me. If I am convinced, I will add how to
+  do this here.
+
+
+ * What are the security requirements for a key read from file?
+
+  A file-stored key or passphrase has the same security requirements
+  as one entered interactively, however you can use random bytes and
+  thereby use bytes you cannot type on the keyboard. You can use any
+  file you like as key file, for example a plain text file with a
+  human readable passphrase. To generate a file with random bytes,
+  use something like this:
+
+      head -c 256 /dev/random > keyfile
+ 
+
+ * If I map a journaled file system using dm-crypt/LUKS, does it still
+   provide its usual transactional guarantees?
+
+  As far as I know it does (but I may be wrong), but please note that
+  these "guarantees" are far weaker than they appear to be. For
+  example, you not not get a hard flush to disk surface even on a
+  call to fsync. In addition, the HDD itself may do independent
+  write reordering. Some other things can go wrong as well. The
+  filesystem developers are aware of these problems and typically
+  can make it work anyways. That said, dm-crypt/LUKS should not make
+  things worse.
+
+  Personally, I have several instances of ext3 on dm-crypt and have
+  not noticed any specific problems.
+
+  Update: I did run into frequent small freezes (1-2 sec) when putting
+  a vmware image on ext3 over dm-crypt. This does indicate that the
+  transactional guarantees are in place, but at a cost. When I went
+  back to ext2, the problem went away. This also seems to have gotten
+  better with kernel 2.6.36 and the reworking of filesystem flush
+  locking. Kernel 2.6.37 is expected to improve this even further.
+
+
+ * Can I use LUKS or cryptsetup with a more secure (external) medium
+   for key storage, e.g. TPM or a smartcard?
+
+  Yes, see the answers on using a file-supplied key. You do have to
+  write the glue-logic yourself though. Basically you can have
+  cryptsetup read the key from STDIN and write it there with your
+  own tool that in turn gets the key from the more secure key
+  storage.
+
+
+ * Can I resize a dm-crypt or LUKS partition?
+
+  Yes, you can, as neither dm-crypt nor LUKS stores partition size.
+  Whether you should is a different question. Personally I recommend
+  backup, recreation of the encrypted partition with new size,
+  recreation of the filesystem and restore. This gets around the
+  tricky business of resizing the filesystem. The backup is really
+  non-optional here, as a lot can go wrong, resulting in partial or
+  complete data loss. Using something like gparted to resize an
+  encrypted partition is slow, but pretty safe and should be fine.
+  This will not change the size of the filesystem hidden under the
+  encryption though.
+
+  You also need to be aware of size-based limitations. The one
+  currently relevant is that aes-xts-plain should not be used for
+  encrypted container sizes larger than 2TiB. Use aes-xts-plain64
+  for that.
+
+
+3. Common Problems 
+
+
+ * My dm-crypt/LUKS mapping does not work! What general steps are
+   there to investigate the problem?
+
+  If you get a specific error message, investigate what it claims
+  first. If not, you may want to check the following things.
+
+  - Check that "/dev", including "/dev/mapper/control" is there. If it
+  is missing, you may have a problem with the "/dev" tree itself or
+  you may have broken udev rules.
+
+  - Check that you have the device mapper and the crypt target in your
+  kernel. The output of "dmsetup targets" should list a "crypt"
+  target. If it is not there or the command fails, add device mapper
+  and crypt-target to the kernel.
+
+  - Check that the hash-functions and ciphers you want to use are in
+  the kernel. The output of "cat /proc/crypto" needs to list them.
+
+
+ * My dm-crypt mapping suddenly stopped when upgrading cryptsetup.
+
+  The default cipher, hash or mode may have changed (the mode changed
+  from 1.0.x to 1.1.x). See under "Issues With Specific Versions of
+  cryptsetup".
+
+
+ * When I call cryptsetup from cron/CGI, I get errors about unknown
+   features?
+
+  If you get errors about unknown parameters or the like that are not
+  present when cryptsetup is called from the shell, make sure you
+  have no older version of cryptsetup on your system that then gets
+  called by cron/CGI.For example some distributions install
+  cryptsetup into /usr/sbin, while a manual install could go to
+  /usr/local/sbin. As a debugging aid, call "cryptsetup --version"
+  from cron/CGI or the non-shell mechanism to be sure you have the
+  right version.
+
+
+ * Unlocking a LUKS device takes very long. Why?
+
+  The iteration time for a key-slot (see Section 5 for an explanation
+  what iteration does) is calculated when setting a passphrase. By
+  default it is 1 second on the machine where the passphrase is set.
+  If you set a passphrase on a fast machine and then unlock it on a
+  slow machine, the unlocking time can be much longer. Also take into
+  account that up to 8 key-slots have to be tried in order to find the
+  right one.
+
+  If this is problem, you can add another key-slot using the slow
+  machine with the same passphrase and then remove the old key-slot.
+  The new key-slot will have an iteration count adjusted to 1 second
+  on the slow machine. Use luksKeyAdd and then luksKillSlot or
+  luksRemoveKey.
+
+  However, this operation will not change volume key iteration count
+  (MK iterations in output of "cryptsetup luksDump"). In order to
+  change that, you will have to backup the data in the LUKS
+  container, luksFormat on the slow machine and restore the data.
+  Note that in the original LUKS specification this value was fixed
+  to 10, but it is now derived from the PBKDF2 benchmark as well and
+  set to iterations in 0.125 sec or 1000, whichever is larger.
+
+
+ * "blkid" sees a LUKS UUID and an ext2/swap UUID on the same device.
+   What is wrong?
+
+  Some old versions of cryptsetup have a bug where the header does
+  not get completely wiped during LUKS format and an older ext2/swap
+  signature remains on the device. This confuses blkid.
+
+  Fix: Wipe the unused header areas by doing a backup and restore of
+  the header with cryptsetup 1.1.x:
+
+      cryptsetup luksHeaderBackup --header-backup-file <file> <device>
+      cryptsetup luksHeaderRestore --header-backup-file <file> <device>
+ 
+  If you cannot use a 1.1.x cryptsetup, you can also do a manual wipe
+  of the area in question with the command below. Be very, VERY,
+  careful and make sure to do a backup of the header before. If you
+  get this wrong, your device may become permanently inaccessible.
+
+      dd if=/dev/zero of=<device> bs=512 seek=2 count=6
+   
+
+ * cryptsetup segfaults on Gentoo amd64 hardened ...
+
+  There seems to be some inteference between the hardening and and
+  the way cryptsetup benchmarks PBKDF2. The solution to this is
+  currently not quite clear for an encrypted root filesystem.     For
+  other uses, you can apparently specify USE="dynamic" as compile
+  flag, see http://bugs.gentoo.org/show_bug.cgi?id=283470
+
+
+4. Troubleshooting 
+
+
+ * Can a bad RAM module cause problems?
+
+  LUKS and dm-crypt can give the RAM quite a workout, especially when
+  combined with software RAID. In particular the combination RAID5 +
+  LUKS + XFS seems to uncover RAM problems that never caused obvious
+  problems before. Symptoms vary, but often the problem manifest
+  itself when copying large amounts of data, typically several times
+  larger than your main memory.
+
+  Side note: One thing you should always do on large data movements is
+  to run a verify, for example with the "-d" option of "tar" or by
+  doing a set of MD5 checksums on the source or target with
+
+      find . -type f -exec md5sum \{\} \; > checksum-file
+ 
+  and then a "md5sum -c checksum-file" on the other side. If you get
+  mismatches here, RAM is the primary suspect. A lesser suspect is
+  an overclocked CPU. I have found countless hardware problems in
+  verify runs after copying or making backups. Bit errors are much
+  more common than most people think.
+
+  Some RAM issues are even worse and corrupt structures in one of the
+  layers. This typically results in lockups, CPU state dumps in the
+  system logs, kernel panic or other things. It is quite possible to
+  have the problem with an encrypted device, but not with an
+  otherwise the same unencrypted device. The reason for that is that
+  encryption has an error amplification property: You flip one bit
+  in an encrypted data block, and the decrypted version has half of
+  its bits flipped. This is an important security property for modern
+  ciphers. With the usual modes in cryptsetup (CBC, ESSIV, XTS), you
+  get up to a completely changed 512 byte block per bit error. A
+  corrupt block causes a lot more havoc than the occasionally
+  flipped single bit and can result various obscure errors.
+
+  Note however that a verify run on copying between encrypted or
+  unencrypted devices can also show you corruption when the copying
+  itself did not report any problems. If you find defect RAM, assume
+  all backups and copied data to be suspect, unless you did a verify.
+
+
+ * How do I test RAM?
+
+  First you should know that overclocking often makes memory problems
+  worse. So if you overclock (which I strongly recommend against in a
+  system holding data that has some worth), run the tests with the
+  overclocking active.
+
+  There are two good options. One is Memtest86+ and the other is
+  "memtester" by Charles Cazabon. Memtest86+ requires a reboot and
+  then takes over the machine, while memtester runs from a
+  root-shell. Both use different testing methods and I have found
+  problems fast with each one that the other needed long to find. I
+  recommend running the following procedure until the first error is
+  found:
+
+  - Run Memtest86+ for one cycle
+
+  - Run memterster for one cycle (shut down as many other applications
+  as possible)
+
+  - Run Memtest86+ for 24h or more
+
+  - Run memtester for 24h or more
+
+  If all that does not produce error messages, your RAM may be sound,
+  but I have had one weak bit that Memtest86+ needed around 60 hours
+  to find. If you can reproduce the original problem reliably, a good
+  additional test may be to remove half of the RAM (if you have more
+  than one module) and try whether the problem is still there and if
+  so, try with the other half. If you just have one module, get a
+  different one and try with that. If you do overclocking, reduce
+  the settings to the most conservative ones available and try with
+  that.
+
+
+5. Security Aspects 
+
+
+ * Should I initialize (overwrite) a new LUKS/dm-crypt partition?
+
+  If you just create a filesystem on it, most of the old data will
+  still be there. If the old data is sensitive, you should overwrite
+  it before encrypting. In any case, not initializing will leave the
+  old data there until the specific sector gets written. That may
+  enable an attacker to determine how much and where on the
+  partition data was written. If you think this is a risk, you can
+  prevent this by overwriting the encrypted device (here assumed to
+  be named "e1") with zeros like this:
+
+      dd_rescue -w /dev/zero /dev/mapper/e1
+ 
+  or alternatively with one of the following more standard commands:
+
+      cat /dev/zero > /dev/mapper/e1
+      dd if=/dev/zero of=/dev/mapper/e1
+       
+
+ * How do I securely erase a LUKS (or other) partition?
+
+  For LUKS, if you are in a desperate hurry, overwrite the first few
+  kilobytes of the LUKS partition. This erases the master key salt
+  and makes access impossible. However a LUKS header backup or full
+  backup will still grant access to most or all data, so make sure
+  that an attacker does not have access to backups or destroy them as
+  well.
+
+  To do this right, overwrite the whole LUKS partition with a single
+  pass of zeros. This is enough for current HDDs. For SSDs you may
+  want to erase the whole drive several times to be sure data is not
+  retained by wear leveling. This is possibly still insecure as SSD
+  technology is not fully understood in this regard. Still, due to
+  the anti-forensic properties of the LUKS key-slots, a single
+  overwrite of an SSD could be enough. If in doubt, use physical
+  destruction in addition. Keep in mind to also erase all backups.
+
+  Example for a zero-overwrite erase of partition sda10 done with
+  dd_rescue:
+
+      dd_rescue -w /dev/zero /dev/sda10   
+ 
+
+ * How do I securely erase a backup of a LUKS partition or header?
+
+  That depends on the medium it is stored on. For HDD and SSD, use
+  overwrite with zeros. For an SSD, you may want to overwrite the
+  complete SSD several times and use physical destruction in addition,
+  see last item. Treat USB flash drives the same as SSDs. For
+  re-writable CD/DVD, a single overwrite should also be enough, due
+  to the anti-forensic properties of the LUKS keyslots. For
+  write-once media, use physical destruction. For low security
+  requirements, just cut the CD/DVD into several parts. For high
+  security needs, shred or burn the medium. If your backup is on
+  magnetic tape, I advise physical destruction by shredding or
+  burning. The problem with magnetic tape is that it has a higher
+  dynamic range than HDDs and older data may well be recoverable
+  after overwrites. Also write-head alignment issues can lead to
+  data not actually being deleted at all during overwrites.
+
+
+ * What about backup? Does it compromise security?
+
+  That depends. See next section.
+
+
+ * Why is all my data gone if I overwrite the LUKS header?
+
+  Overwriting the LUKS header in part or in full is the most common
+  reason why access to LUKS containers is lost permanently.
+  Overwriting can be done in a number of fashions, like creating a
+  new filesystem on the raw LUKS partition, making the raw partition
+  part of a raid array and just writing to the raw partition.
+
+  The LUKS header contains a 256 bit "salt" value and without that no
+  decryption is possible. While the salt is not secret, it is
+  key-grade material and cannot be reconstructed. This is a
+  cryptographically strong "cannot". From observations on the
+  cryptsetup mailing-list, people typically go though the usual
+  stages of grief (Denial, Anger, Bargaining, Depression, Acceptance)
+  when this happens to them. Observed times vary between 1 day and 2
+  weeks to complete the cycle. Seeking help on the mailing-list is
+  fine. Even if we usually cannot help with getting back your data,
+  most people found the feedback comforting.
+
+  If your header does not contain an intact salt, best go directly
+  to the last one ("Acceptance") and think about what to do now.
+  There is one exception that I know of: If your LUKS container is
+  still open, then it may be possible to extract the master key from
+  the running system. Ask on the mailing-list on how to do that and
+  make sure nobody switches off the machine.
+
+
+ * What is a "salt"?
+
+  A salt is a random key-grade value added to the passphrase before
+  it is processed. It is not kept secret. The reason for using salts
+  is as follows: If an attacker wants to crack the password for a
+  single LUKS container, then every possible passphrase has to be
+  tried. Typically an attacker will not try every binary value, but
+  will try words and sentences from a dictionary.
+
+  If an attacker wants to attack several LUKS containers with the
+  same dictionary, then a different approach makes sense: Compute the
+  resulting slot-key for each dictionary element and store it on
+  disk. Then the test for each entry is just the slow unlocking with
+  the slot key (say 0.00001 sec) instead of calculating the slot-key
+  first (1 sec). For a single attack, this does not help. But if you
+  have more than one container to attack, this helps tremendously,
+  also because you can prepare your table before you even have the
+  container to attack! The calculation is also very simple to
+  parallelize. You could, for example, use the night-time unused CPU
+  power of your desktop PCs for this.
+
+  This is where the salt comes in. If the salt is combined with the
+  passphrase (in the simplest form, just appended to it), you
+  suddenly need a separate table for each salt value. With a
+  reasonably-sized salt value (256 bit, e.g.) this is quite
+  infeasible.
+
+
+ * Is LUKS secure with a low-entropy (bad) passphrase?
+
+  This needs a bit of theory. The quality of your passphrase is
+  directly related to its entropy (information theoretic, not
+  thermodynamic). The entropy says how many bits of "uncertainty" or
+  "randomness" are in you passphrase. In other words, that is how
+  difficult guessing the passphrase is.
+
+  Example: A random English sentence has about 1 bit of entropy per
+  character. A random lowercase (or uppercase) character has about
+  4.7 bit of entropy.
+
+  Now, if n is the number of bits of entropy in your passphrase and t
+  is the time it takes to process a passphrase in order to open the
+  LUKS container, then an attacker has to spend at maximum
+
+  attack_time_max = 2^n * t 
+ 
+  time for a successful attack and on average half that. There is no
+  way getting around that relationship. However, there is one thing
+  that does help, namely increasing t, the time it takes to use a
+  passphrase, see next FAQ item.
+
+  Still, if you want good security, a high-entropy passphrase is the
+  only option. Use at least 64 bits for secret stuff. That is 64
+  characters of English text (but only if randomly chosen) or a
+  combination of 12 truly random letters and digits.
+
+  For passphrase generation, do not use lines from very well-known
+  texts (religious texts, Harry potter, etc.) as they are to easy to
+  guess. For example, the total Harry Potter has about 1'500'000
+  words (my estimation). Trying every 64 character sequence starting
+  and ending at a word boundary would take only something like 20
+  days on a single CPU and is entirely feasible.
+
+  On the other hand, choosing 1.5 lines from, say, the Wheel of Time
+  is in itself not more secure, but the book selection adds quite a
+  bit of entropy. (Now that I have mentioned it here, don't use tWoT
+  either!) If you add 2 or 3 typos or switch some words around, then
+  this is good passphrase material.
+
+
+ * What is "iteration count" and why is decreasing it a bad idea?
+
+  Iteration count is the number of PBKDF2 iterations a passphrase is
+  put through before it is used to unlock a key-slot. Iterations are
+  done with the explicit purpose to increase the time that it takes
+  to unlock a key-slot. This provides some protection against use of
+  low-entropy passphrases.
+
+  The idea is that an attacker has to try all possible passphrases.
+  Even if the attacker knows the passphrase is low-entropy (see last
+  item), it is possible to make each individual try take longer. The
+  way to do this is to repeatedly hash the passphrase for a certain
+  time. The attacker then has to spend the same time (given the same
+  computing power) as the user per try. With LUKS, the default is 1
+  second of PBKDF2 hashing.
+
+  Example 1: Lets assume we have a really bad passphrase (e.g. a
+  girlfriends name) with 10 bits of entropy. With the same CPU, an
+  attacker would need to spend around 500 seconds on average to
+  break that passphrase. Without iteration, it would be more like
+  0.0001 seconds on a modern CPU.
+
+  Example 2: The user did a bit better and has 32 chars of English
+  text. That would give use about 32 bits of entropy. With 1 second
+  iteration, that means an attacker on the same CPU needs around 136
+  years. That is pretty impressive for such a weak passphrase.
+  Without the iterations, it would be more like 50 days on a modern
+  CPU, and possibly far less.
+
+  In addition, the attacker can both parallelize and use special
+  hardware like GPUs to speed up the attack. The attack can also
+  happen quite some time after the luksFormat operation and CPUs can
+  have become faster and cheaper. For that reason you want a bit of
+  extra security. Anyways, in Example 1 your are screwed. In example
+  2, not necessarily. Even if the attack is faster, it still has a
+  certain cost associated with it, say 10000 EUR/USD with iteration
+  and 1 EUR/USD without iteration. The first can be prohibitively
+  expensive, while the second is something you try even without
+  solid proof that the decryption will yield something useful.
+
+  The numbers above are mostly made up, but show the idea. Of course
+  the best thing is to have a high-entropy passphrase.
+
+  Would a 100 sec iteration time be even better? Yes and no.
+  Cryptographically it would be a lot better, namely 100 times better.
+  However, usability is a very important factor for security
+  technology and one that gets overlooked surprisingly often. For
+  LUKS, if you have to wait 2 minutes to unlock the LUKS container,
+  most people will not bother and use less secure storage instead. It
+  is better to have less protection against low-entropy passphrases
+  and people actually use LUKS, than having them do without
+  encryption altogether.
+
+  Now, what about decreasing the iteration time? This is generally a
+  very bad idea, unless you know and can enforce that the users only
+  use high-entropy passphrases. If you decrease the iteration time
+  without ensuring that, then you put your users at increased risk,
+  and considering how often LUKS containers are unlocked in a
+  typical work-flow, you do so without a good reason. Don't do it.
+  The iteration time is already low enough that some users will
+  still chose passphrases with entropy low enough that they are
+  vulnerable. Lowering it even further increases this danger
+  significantly.
+
+
+ * Is LUKS with default parameters less secure on a slow CPU?
+
+  Unfortunately, yes. However the only aspect affected is the
+  protection for low-entropy passphrase or master-key. All other
+  security aspects are independent of CPU speed.
+
+  The master key is less critical, as you really have to work at it
+  to give it low entropy. One possibility is to supply the master key
+  yourself. If that key is low-entropy, then you get what you
+  deserve. The other known possibility is to use /dev/urandom for
+  key generation in an entropy-startved situation (e.g. automatic
+  installation on an embedded device without network and other entropy
+  sources).
+
+  For the passphrase, don't use a low-entropy passphrase. If your
+  passphrase is good, then a slow CPU will not matter. If you insist
+  on a low-entropy passphrase on a slow CPU, use something like
+  "--iter-time=10" or higher and wait a long time on each LUKS unlock
+  and pray that the attacker does not find out in which way exactly
+  your passphrase is low entropy. This also applies to low-entropy
+  passphrases on fast CPUs. Technology can do only so much to
+  compensate for problems in front of the keyboard.
+
+
+ * Why was the default aes-cbc-plain replaced with aes-cbc-essiv?
+
+  The problem is that cbc-plain has a fingerprint vulnerability, where
+  a specially crafted file placed into the crypto-container can be
+  recognized from the outside. The issue here is that for cbc-plain
+  the initialization vector (IV) is the sector number. The IV gets
+  XORed to the first data chunk of the sector to be encrypted. If you
+  make sure that the first data block to be stored in a sector
+  contains the sector number as well, the first data block to be
+  encrypted is all zeros and always encrypted to the same ciphertext.
+  This also works if the first data chunk just has a constant XOR
+  with the sector number. By having several shifted patterns you can
+  take care of the case of a non-power-of-two start sector number of
+  the file.
+
+  This mechanism allows you to create a pattern of sectors that have
+  the same first ciphertext block and signal one bit per sector to the
+  outside, allowing you to e.g. mark media files that way for
+  recognition without decryption. For large files this is a
+  practical attack. For small ones, you do not have enough blocks to
+  signal and take care of different file starting offsets.
+
+  In order to prevent this attack, the default was changed to
+  cbc-essiv. ESSIV uses a keyed hash of the sector number, with the
+  encryption key as key. This makes the IV unpredictable without
+  knowing the encryption key and the watermarking attack fails.
+
+
+ * Are there any problems with "plain" IV? What is "plain64"?
+
+  First, "plain" and "plain64" are both not safe to use with CBC, see
+  previous FAQ item.
+
+  However there are modes, like XTS, that are secure with "plain" IV.
+  The next limit is that "plain" is 64 bit, with the upper 32 bit set
+  to zero. This means that on volumes larger than 2TiB, the IV
+  repeats, creating a vulnerability that potentially leaks some
+  data. To avoid this, use "plain64", which uses the full sector
+  number up to 64 bit. Note that "plain64" requires a kernel >=
+  2.6.33. Also note that "plain64" is backwards compatible for
+  volume sizes <= 2TiB, but not for those > 2TiB. Finally, "plain64"
+  does not cause any performance penalty compared to "plain".
+
+
+ * What about XTS mode?
+
+  XTS mode is potentially even more secure than cbc-essiv (but only if
+  cbc-essiv is insecure in your scenario). It is a NIST standard and
+  used, e.g. in Truecrypt. At the moment, if you want to use it, you
+  have to specify it manually as "aes-xts-plain", i.e.
+
+      cryptsetup -c aes-xts-plain luksFormat <device>
+ 
+  For volumes >2TiB and kernels >= 2.6.33 use "plain64" (see FAQ
+  item on "plain" and "plain64"):
+
+      cryptsetup -c aes-xts-plain64 luksFormat <device>
+ 
+  There is a potential security issue with XTS mode and large blocks.
+  LUKS and dm-crypt always use 512B blocks and the issue does not
+  apply.
+
+
+6. Backup and Data Recovery 
+
+
+ * Does a backup compromise security?
+
+  Depends on how you do it. First, a backup is non-optional with
+  encrypted data just the same way it is with non-encrypted data.
+  Disks do break and they do not care whether they make plain or
+  encrypted data inaccessible.
+
+  However there are risks introduced by backups. For example if you
+  change/disable a key-slot in LUKS, a binary backup of the partition
+  will still have the old key-slot. To deal with this, you have to
+  be able to change the key-slot on the backup as well, or use a
+  different set-up. One option is to have a different passphrase on
+  the backup and to make the backup with both containers open.
+  Another one is to make a backup of the original, opened container to
+  a single file, e.g. with tar, and to encrypt that file with
+  public-key-cryptography, e.g. with GnuPG. You can then keep the
+  secret key in a safe place, because it is only used to decrypt a
+  backup. The key the backup is encrypted with can be stored without
+  special security measures, as long as an attacker cannot replace
+  it with his own key.
+
+  If you use dm-crypt, backup is simpler: As there is no key
+  management, the main risk is that you cannot wipe the backup when
+  wiping the original. However wiping the original for dm-crypt
+  should consist of forgetting the passphrase and that you can do
+  without actual access to the backup.
+
+  In both cases, there is an additional (usually small) risk: An
+  attacker can see how many sectors and which ones have been changed
+  since the backup. This is not possible with the public-key method
+  though.
+
+  My personal advice is to use one USB disk (low value date) or three
+  disks (high value data) in rotating order for backups, and either
+  use different passphrases or keep them easily accessible in case
+  you need to disable a key-slot. If you do network-backup or
+  tape-backup, I strongly recommend to go the public-key path,
+  especially as you typically cannot reliably delete data in these
+  scenarios. (Well, you can burn the tape if it is under your
+  control...)
+
+
+ * What happens if I overwrite the start of a LUKS partition or damage
+   the LUKS header or key-slots?
+
+  There are two critical components for decryption: The salt values
+  in the header itself and the key-slots. If the salt values are
+  overwritten or changed, nothing (in the cryptographically strong
+  sense) can be done to access the data, unless there is a backup of
+  the LUKS header. If a key-slot is damaged, the data can still be
+  read with a different key-slot, if there is a remaining undamaged
+  and used key-slot. Note that in order to make a key-slot
+  unrecoverable in a cryptographically strong sense, changing about
+  4-6 bits in random locations of its 128kiB size is quite enough.
+
+
+ * What happens if I (quick) format a LUKS partition?
+
+  I have not tried the different ways to do this, but very likely you
+  will have written a new boot-sector, which in turn overwrites the
+  LUKS header, including the salts. You may also damage the key-slots
+  in part or in full. See also last item.
+
+
+ * What does the on-disk structure of dm-crypt look like?
+
+  There is none. dm-crypt takes a block device and gives encrypted
+  access to each of its blocks with a key derived from the passphrase
+  given. If you use a cipher different than the default, you have to
+  specify that as a parameter to cryptsetup too. If you want to
+  change the password, you basically have to create a second
+  encrypted device with the new passphrase and copy your data over.
+  On the plus side, if you accidentally overwrite any part of a
+  dm-crypt device, the damage will be limited to the are you
+  overwrote.
+
+
+ * What does the on-disk structure of LUKS look like?
+
+  A LUKS partition consists of a header, followed by 8 key-slot
+  descriptors, followed by 8 key slots, followed by the encrypted
+  data area.
+
+  Header and key-slot descriptors fill the first 592 bytes. The
+  key-slot size depends on the creation parameters, namely on the
+  number of anti-forensic stripes and on key block alignment.
+
+  With 4000 stripes (the default), each key-slot is a bit less than
+  128kiB in size. Due to sector alignment of the key-slot start,
+  that means the key block 0 is at offset 0x1000-0x20400, key block
+  1 at offset 0x21000-0x40400, and key block 7 at offset
+  0xc1000-0xe0400. The space to the next full sector address is
+  padded with zeros. Never used key-slots are filled with what the
+  disk originally contained there, a key-slot removed with
+  "luksRemoveKey" or "luksKillSlot" gets filled with 0xff. Start of
+  bulk data (with the default 4000 stripes and 8 key-slots) is at
+  0x101000, i.e. at 1'052'672 bytes, i.e. at 1MiB + 4096 bytes from
+  the start of the partition. This is also the value given by command
+  "luksDump" with "Payload offset: 2056", just multiply by the sector
+  size (512 bytes). Incidentally, "luksHeaderBackup" dumps exactly
+  the first 1'052'672 bytes to file and "luksHeaderRestore" restores
+  them.
+
+  The exact specification of the format is here:
+  http://code.google.com/p/cryptsetup/wiki/Specification
+
+
+ * How do I backup a LUKS header?
+
+  While you could just copy the appropriate number of bytes from the
+  start of the LUKS partition, the best way is to use command option
+  "luksHeaderBackup" of cryptsetup. This protects also against errors
+  when non-standard parameters have been used in LUKS partition
+  creation. Example:
+
+ 
+     cryptsetup luksHeaderBackup --header-backup-file h /dev/mapper/c1
+ 
+
+ * How do I backup a LUKS partition?
+
+  You do a sector-image of the whole partition. This will contain the
+  LUKS header, the keys-slots and the data ares. It can be done
+  under Linux e.g. with dd_rescue (for a direct image copy) and with
+  "cat" or "dd". Example:
+
+      cat /dev/sda10 > sda10.img
+      dd_rescue /dev/sda10 sda10.img 
+ 
+  You can also use any other backup software that is capable of making
+  a sector image of a partition. Note that compression is
+  ineffective for encrypted data, hence it does not sense to use it.
+
+
+ * Do I need a backup of the full partition? Would the header and
+   key-slots not be enough?
+
+  Backup protects you against two things: Disk loss or corruption and
+  user error. By far the most questions on the dm-crypt mailing list
+  about how to recover a damaged LUKS partition are related to user
+  error. For example, if you create a new filesystem on a LUKS
+  partition, chances are good that all data is lost permanently.
+
+  For this case, a header+key-slot backup would often be enough. But
+  keep in mind that a HDD has roughly a failure risk of 5% per year.
+  It is highly advisable to have a complete backup to protect against
+  this case.
+
+
+ * Are there security risks from a backup of the LUKS header or a
+   whole LUKS partition?
+
+  Yes. One risk is that if you remove access rights for specific
+  key-slots by deleting their contents, the data can still be
+  accessed with invalidated passphrase and the backup. The other risk
+  is that if you erase a LUKS partition, a backup could still grant
+  access, especially if you only erased the LUKS header and not the
+  whole partition.
+
+
+ * I think this is overly complicated. Is there an alternative?
+
+  Yes, you can use plain dm-crypt. It does not allow multiple
+  passphrases, but on the plus side, it has zero on disk description
+  and if you overwrite some part of a plain dm-crypt partition,
+  exactly the overwritten parts are lost (rounded up to sector
+  borders).
+
+
+7. Issues with Specific Versions of cryptsetup 
+
+
+ * When using the create command for plain dm-crypt with cryptsetup
+   1.1.x, the mapping is incompatible and my data is not accessible
+   anymore!
+
+  With cryptsetup 1.1.x, the distro maintainer can define different
+  default encryption modes for LUKS and plain devices. You can check
+  these compiled-in defaults using "cryptsetup --help". Moreover, the
+  plain device default changed because the old IV mode was
+  vulnerable to a watermarking attack.
+
+  If you are using a plain device and you need a compatible mode, just
+  specify cipher, key size and hash algorithm explicitly. For
+  compatibility with cryptsetup 1.0.x defaults, simple use the
+  following:
+
+    cryptsetup create -c aes-cbc-plain -s 256 -h ripemd160 <name> <dev>
+ 
+  LUKS stores cipher and mode in the metadata on disk, avoiding this
+  problem.
+
+
+ * cryptsetup on SLED 10 has problems...
+
+  SLED 10 is missing an essential kernel patch for dm-crypt, which
+  is broken in its kernel as a result. There may be a very old
+  version of cryptsetup (1.0.x) provided by SLED, which should also
+  not be used anymore as well. My advice would be to drop SLED 10.
+
+ A. Contributors In no particular order:
+
+  - Arno Wagner
+
+  - Milan Broz
+

Makefile.am

@@ -1,5 +1,5 @@
+EXTRA_DIST = FAQ
 SUBDIRS = \
-	luks \
 	lib \
 	src \
 	man \

TODO

@@ -1,12 +0,0 @@
-For 1.02
-
-* Add LUKS key copy cmd: luksKeyCopy
-* Add option to supply a master key directly. For LUKS commands: luksFormat, luksOpen and luksAddKey.
-
-For 2.0
-
-* LUKS header version bump:
-  * Add LUKS partition footer. 
-    * change luks_write_phdr stuff.
-    * change luks_read_phdr stuff
-  * change hashing according to conversation with Sarah.

configure.in

@@ -1,14 +1,14 @@
-AC_PREREQ(2.57)
-AC_INIT(cryptsetup,1.1.1)
+AC_PREREQ([2.67])
+AC_INIT([cryptsetup],[1.2.0])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
-LIBCRYPTSETUP_VERSION_INFO=1:0:0
+LIBCRYPTSETUP_VERSION_INFO=2:0:1
 
 AC_CONFIG_SRCDIR(src/cryptsetup.c)
 AC_CONFIG_MACRO_DIR([m4])
 
-AM_CONFIG_HEADER([config.h:config.h.in])
+AC_CONFIG_HEADERS([config.h:config.h.in])
 AM_INIT_AUTOMAKE(dist-bzip2)
 
 if test "x$prefix" = "xNONE"; then
@@ -17,14 +17,14 @@ fi
 AC_PREFIX_DEFAULT(/usr)
 
 AC_CANONICAL_HOST
-AC_GNU_SOURCE
+AC_USE_SYSTEM_EXTENSIONS
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_PROG_CPP
 AC_PROG_INSTALL
 AC_PROG_MAKE_SET
 AC_ENABLE_STATIC(no)
-AM_PROG_LIBTOOL
+LT_INIT
 
 AC_HEADER_DIRENT
 AC_HEADER_STDC
@@ -47,7 +47,6 @@ AC_CHECK_FUNCS([posix_memalign])
 AC_C_CONST
 AC_C_BIGENDIAN
 AC_TYPE_OFF_T
-AC_STRUCT_ST_RDEV
 AC_SYS_LARGEFILE
 
 AC_PROG_GCC_TRADITIONAL
@@ -66,36 +65,38 @@ AC_SUBST(POPT_LIBS, $LIBS)
 LIBS=$saved_LIBS
 
 dnl ==========================================================================
+saved_LIBS=$LIBS
 
-AC_ARG_ENABLE(shared-library,
-[  --disable-shared-library
-                          disable building of shared cryptsetup library],,
-enable_shared_library=yes)
-AM_CONDITIONAL(STATIC_LIBRARY, test x$enable_shared_library = xno)
+AC_ARG_ENABLE([static-cryptsetup],
+	AS_HELP_STRING([--enable-static-cryptsetup],
+	[enable build of static cryptsetup binary]), [
+	if test x$enable_static = xno; then
+		AC_MSG_WARN([Requested static cryptsetup build, enabling static library.])
+		enable_static=yes
+	fi
+	enable_static_cryptsetup=yes])
+AM_CONDITIONAL(STATIC_CRYPTSETUP, test x$enable_static_cryptsetup = xyes)
 
 AC_ARG_ENABLE(selinux,
-[  --disable-selinux       disable selinux support [[default=auto]]],[], [])
+	AS_HELP_STRING([--disable-selinux],
+	[disable selinux support [default=auto]]),[], [])
 
-AC_ARG_ENABLE([udev],AS_HELP_STRING([--disable-udev],[disable udev support]),[], enable_udev=yes)
+AC_ARG_ENABLE([udev],
+	AS_HELP_STRING([--disable-udev],
+	[disable udev support]),[], enable_udev=yes)
 
 dnl Try to use pkg-config for devmapper, but fallback to old detection
-saved_LIBS=$LIBS
-if AC_RUN_LOG([pkg-config --exists --print-errors devmapper]); then
-	PKG_PROG_PKG_CONFIG
-	if test x$enable_static = xyes; then
-		PKG_CONFIG="$PKG_CONFIG --static"
-	fi
-	PKG_CHECK_MODULES([DEVMAPPER], [devmapper >= 1.02.03])
-	LIBS="$LIBS $DEVMAPPER_LIBS"
-else
+PKG_CHECK_MODULES([DEVMAPPER], [devmapper >= 1.02.03],, [
 	AC_CHECK_LIB(devmapper, dm_task_set_name,,
-		[AC_MSG_ERROR('You need the device-mapper library')])
+		[AC_MSG_ERROR([You need the device-mapper library.])])
 	AC_CHECK_LIB(devmapper, dm_task_set_message,,
 		[AC_MSG_ERROR([The device-mapper library on your system is too old.])])
 	DEVMAPPER_LIBS=$LIBS
-fi
+])
+LIBS=$saved_LIBS
 
-AC_CHECK_FUNCS([dm_task_set_cookie], [have_cookie=yes], [have_cookie=no])
+LIBS="$LIBS $DEVMAPPER_LIBS"
+AC_CHECK_DECLS([DM_UDEV_DISABLE_DISK_RULES_FLAG], [have_cookie=yes], [have_cookie=no], [#include <libdevmapper.h>])
 if test "x$enable_udev" = xyes; then
 	if test "x$have_cookie" = xno; then
 		AC_MSG_WARN([The device-mapper library on your system has no udev support, udev support disabled.])
@@ -103,30 +104,53 @@ if test "x$enable_udev" = xyes; then
 		AC_DEFINE(USE_UDEV, 1, [Try to use udev synchronisation?])
 	fi
 fi
-
 LIBS=$saved_LIBS
+
+dnl Magic for cryptsetup.static build.
+if test x$enable_static_cryptsetup = xyes; then
+	saved_PKG_CONFIG=$PKG_CONFIG
+	PKG_CONFIG="$PKG_CONFIG --static"
+
+	LIBS="$saved_LIBS $LIBGCRYPT_LIBS -static"
+	AC_CHECK_LIB(gcrypt, gcry_check_version,,
+		AC_MSG_ERROR([Cannot find static gcrypt library.]),
+		[-lgpg-error])
+	LIBGCRYPT_STATIC_LIBS="$LIBGCRYPT_LIBS -lgpg-error"
+
+	LIBS="$saved_LIBS -static"
+	AC_CHECK_LIB(popt, poptGetContext,,
+		AC_MSG_ERROR([Cannot find static popt library.]))
+
+	dnl Try to detect needed device-mapper static libraries, try pkg-config first.
+	LIBS="$saved_LIBS -static"
+	PKG_CHECK_MODULES([DEVMAPPER_STATIC], [devmapper >= 1.02.27],,[
+		DEVMAPPER_STATIC_LIBS=$DEVMAPPER_LIBS
 		if test "x$enable_selinux" != xno; then
 			AC_CHECK_LIB(sepol, sepol_bool_set)
 			AC_CHECK_LIB(selinux, is_selinux_enabled)
-	if test x$enable_static = xyes; then
-		SELINUX_STATIC_LIBS=$LIBS
-		# Check if we need -pthread with --enable-static and selinux
-		saved_LIBS2=$LIBS
-		LIBS="$LIBS -static"
-		AC_SEARCH_LIBS([pthread_mutex_lock], [pthread],
-			[test "$ac_cv_search_pthread_mutex_lock" = "none required" || LIB_PTHREAD=-lpthread])
-		LIBS=$saved_LIBS2
-	fi
+			DEVMAPPER_STATIC_LIBS="$DEVMAPPER_STATIC_LIBS $LIBS"
 		fi
+	])
+	LIBS="$saved_LIBS $DEVMAPPER_STATIC_LIBS"
+	AC_CHECK_LIB(devmapper, dm_task_set_uuid,,
+		AC_MSG_ERROR([Cannot link with static device-mapper library.]))
 
 	LIBS=$saved_LIBS
+	PKG_CONFIG=$saved_PKG_CONFIG
+fi
 
-DEVMAPPER_LIBS="$DEVMAPPER_LIBS $LIB_PTHREAD"
 AC_SUBST([DEVMAPPER_LIBS])
-AC_SUBST([SELINUX_STATIC_LIBS])
+AC_SUBST([DEVMAPPER_STATIC_LIBS])
+AC_SUBST([LIBGCRYPT_STATIC_LIBS])
 AC_SUBST([LIBCRYPTSETUP_VERSION])
 AC_SUBST([LIBCRYPTSETUP_VERSION_INFO])
 
+dnl ==========================================================================
+AC_ARG_ENABLE([dev-random], AS_HELP_STRING([--enable-dev-random],
+[use blocking /dev/random by default for key generator (otherwise use /dev/urandom)]),
+[default_rng=/dev/random], [default_rng=/dev/urandom])
+AC_DEFINE_UNQUOTED(DEFAULT_RNG, ["$default_rng"], [default RNG type for key generator])
+
 dnl ==========================================================================
 AC_DEFUN([CS_DEFINE],
 	[AC_DEFINE_UNQUOTED(DEFAULT_[]m4_translit([$1], [-a-z], [_A-Z]), [$2], [$3])
@@ -154,19 +178,16 @@ CS_STR_WITH([luks1-cipher], [cipher for LUKS1], [aes])
 CS_STR_WITH([luks1-mode],   [cipher mode for LUKS1], [cbc-essiv:sha256])
 CS_NUM_WITH([luks1-keybits],[key length in bits for LUKS1], [256])
 
-dnl ==========================================================================
-
-AM_CONDITIONAL(STATIC_CRYPTSETUP, test x$enable_static = xyes)
-AM_CONDITIONAL(DYNAMIC_CRYPTSETUP, test x$enable_static = xno)
 
 dnl ==========================================================================
 
-AC_OUTPUT([ Makefile
+AC_CONFIG_FILES([ Makefile
 lib/Makefile
 lib/libcryptsetup.pc
+lib/luks1/Makefile
 src/Makefile
 po/Makefile.in
-luks/Makefile
 man/Makefile
 tests/Makefile
 ])
+AC_OUTPUT

lib/Makefile.am

@@ -1,3 +1,5 @@
+SUBDIRS = luks1
+
 moduledir = $(libdir)/cryptsetup
 
 pkgconfigdir = $(libdir)/pkgconfig
@@ -5,7 +7,7 @@ pkgconfig_DATA = libcryptsetup.pc
 
 INCLUDES = \
 	-I$(top_srcdir)				\
-	-I$(top_srcdir)/luks			\
+	-I$(top_srcdir)/lib/luks1		\
 	-DDATADIR=\""$(datadir)"\"		\
 	-DLIBDIR=\""$(libdir)"\"		\
 	-DPREFIX=\""$(prefix)"\"		\
@@ -17,14 +19,9 @@ INCLUDES = \
 
 lib_LTLIBRARIES = libcryptsetup.la
 
-if STATIC_LIBRARY
-_STATIC_LIBRARY = -static
-endif
-
 libcryptsetup_la_DEPENDENCIES = libcryptsetup.sym
 
 libcryptsetup_la_LDFLAGS = \
-	$(_STATIC_LIBRARY) \
 	-Wl,--version-script=$(top_srcdir)/lib/libcryptsetup.sym \
 	-version-info @LIBCRYPTSETUP_VERSION_INFO@
 
@@ -34,7 +31,7 @@ libcryptsetup_la_LIBADD = \
 	@UUID_LIBS@				\
 	@DEVMAPPER_LIBS@			\
 	@LIBGCRYPT_LIBS@			\
-	../luks/libluks.la
+	luks1/libluks1.la
 
 libcryptsetup_la_SOURCES = \
 	setup.c					\
@@ -43,9 +40,13 @@ libcryptsetup_la_SOURCES = \
 	blockdev.h				\
 	libcryptsetup.h				\
 	utils.c					\
+	utils_crypt.c				\
+	utils_crypt.h				\
 	utils_debug.c				\
 	backends.c				\
 	libdevmapper.c				\
+	volumekey.c				\
+	random.c				\
 	gcrypt.c
 
 include_HEADERS = libcryptsetup.h

lib/gcrypt.c

@@ -10,11 +10,19 @@
 #define MAX_DIGESTS		64
 #define GCRYPT_REQ_VERSION	"1.1.42"
 
-int init_crypto(void)
+int init_crypto(struct crypt_device *ctx)
 {
+	int r;
+
+	r = crypt_random_init(ctx);
+	if (r < 0)
+		goto fail;
+
 	if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
-		if (!gcry_check_version (GCRYPT_REQ_VERSION))
-			return -ENOSYS;
+		if (!gcry_check_version (GCRYPT_REQ_VERSION)) {
+			r = -ENOSYS;
+			goto fail;
+		}
 
 /* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
  * it drops all privileges during secure memory initialisation.
@@ -35,6 +43,9 @@ int init_crypto(void)
 	}
 
 	return 0;
+fail:
+	log_err(ctx, _("Cannot initialize crypto backend.\n"));
+	return r;
 }
 
 static int gcrypt_hash(void *data, int size, char *key,

lib/internal.h

@@ -11,12 +11,12 @@
 #include <inttypes.h>
 
 #include "nls.h"
+#include "utils_crypt.h"
 
 #define SECTOR_SHIFT		9
 #define SECTOR_SIZE		(1 << SECTOR_SHIFT)
-#define DEFAULT_ALIGNMENT	4096
-
-#define MAX_TTY_PASSWORD_LEN	512
+#define DEFAULT_DISK_ALIGNMENT	1048576 /* 1MiB */
+#define DEFAULT_MEM_ALIGNMENT	4096
 
 /* private struct crypt_options flags */
 
@@ -27,6 +27,8 @@
 
 #define at_least(a, b) ({ __typeof__(a) __at_least = (a); (__at_least >= (b))?__at_least:(b); })
 
+struct crypt_device;
+
 struct hash_type {
 	char		*name;
 	void		*private;
@@ -40,32 +42,28 @@ struct hash_backend {
 	void			(*free_hashes)(struct hash_type *hashes);
 };
 
-struct device_infos {
-	uint64_t	size;
-	int		readonly;
+struct volume_key {
+	size_t keylength;
+	char key[];
 };
 
-struct crypt_device;
+struct volume_key *crypt_alloc_volume_key(unsigned keylength, const char *key);
+struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, unsigned keylength);
+void crypt_free_volume_key(struct volume_key *vk);
+
 int crypt_confirm(struct crypt_device *cd, const char *msg);
 
 void set_error_va(const char *fmt, va_list va);
 void set_error(const char *fmt, ...);
 const char *get_error(void);
-void *safe_alloc(size_t size);
-void safe_free(void *data);
-void *safe_realloc(void *data, size_t size);
-char *safe_strdup(const char *s);
-void set_debug_level(int level);
 
-int init_crypto(void);
+int init_crypto(struct crypt_device *ctx);
 struct hash_backend *get_hash_backend(const char *name);
 void put_hash_backend(struct hash_backend *backend);
 int hash(const char *backend_name, const char *hash_name,
          char *result, size_t size,
          const char *passphrase, size_t sizep);
 
-void hexprint(char *d, int n);
-
 /* Device mapper backend */
 const char *dm_get_dir(void);
 int dm_init(struct crypt_device *context, int check_kernel);
@@ -98,18 +96,16 @@ ssize_t write_blockwise(int fd, const void *buf, size_t count);
 ssize_t read_blockwise(int fd, void *_buf, size_t count);
 ssize_t write_lseek_blockwise(int fd, const char *buf, size_t count, off_t offset);
 int device_ready(struct crypt_device *cd, const char *device, int mode);
-int get_device_infos(const char *device, struct device_infos *infos, struct crypt_device *cd);
+int get_device_infos(const char *device,
+		     int open_exclusive,
+		     int *readonly,
+		     uint64_t *size);
 int wipe_device_header(const char *device, int sectors);
 
-void get_key(char *prompt, char **key, unsigned int *passLen, int key_size,
-	     const char *key_file, int timeout, int how2verify,
-	     struct crypt_device *cd);
-
-int parse_into_name_and_mode(const char *nameAndMode, char *name, char *mode);
-
 void logger(struct crypt_device *cd, int class, const char *file, int line, const char *format, ...);
 #define log_dbg(x...) logger(NULL, CRYPT_LOG_DEBUG, __FILE__, __LINE__, x)
 #define log_std(c, x...) logger(c, CRYPT_LOG_NORMAL, __FILE__, __LINE__, x)
+#define log_verbose(c, x...) logger(c, CRYPT_LOG_VERBOSE, __FILE__, __LINE__, x)
 #define log_err(c, x...) do { \
 	logger(c, CRYPT_LOG_ERROR, __FILE__, __LINE__, x); \
 	set_error(x); } while(0)
@@ -125,4 +121,10 @@ void get_topology_alignment(const char *device,
 			    unsigned long *alignment_offset,   /* bytes */
 			    unsigned long default_alignment);
 
+enum { CRYPT_RND_NORMAL = 0, CRYPT_RND_KEY = 1 };
+int crypt_random_init(struct crypt_device *ctx);
+int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int quality);
+void crypt_random_exit(void);
+int crypt_random_default_key_rng(void);
+
 #endif /* INTERNAL_H */

lib/libcryptsetup.h

@@ -42,6 +42,7 @@ int crypt_init_by_name(struct crypt_device **cd, const char *name);
  */
 #define CRYPT_LOG_NORMAL 0
 #define CRYPT_LOG_ERROR  1
+#define CRYPT_LOG_VERBOSE  2
 #define CRYPT_LOG_DEBUG -1 /* always on stdout */
 void crypt_set_log_callback(struct crypt_device *cd,
 	void (*log)(int level, const char *msg, void *usrptr),
@@ -85,9 +86,9 @@ void crypt_set_confirm_callback(struct crypt_device *cd,
  * @length - size of buffer
  *
  * - Note that if this function is defined, verify option is ignored
- *   (caller whch provided callback is responsible fo password verification)
- * - Only zero terminated passwords can be enteted this way, for complex
- *   API functions directly.
+ *   (caller which provided callback is responsible for password verification)
+ * - Only zero terminated passwords can be entered this way, for complex
+ *   use API functions directly.
  * - Maximal length of password is limited to @length-1 (minimal 511 chars)
  */
 void crypt_set_password_callback(struct crypt_device *cd,
@@ -98,7 +99,7 @@ void crypt_set_password_callback(struct crypt_device *cd,
  * Various crypt device parameters
  *
  * @cd - crypt device handle
- * @timeout - timeout in secons for password entry if compiled-in function used
+ * @timeout - timeout in seconds for password entry if compiled-in function used
  * @password_retry - number of tries for password if not verified
  * @iteration_time - iteration time for LUKS header in miliseconds
  * @password_verify - for compiled-in password query always verify passwords twice
@@ -108,6 +109,27 @@ void crypt_set_password_retry(struct crypt_device *cd, int tries);
 void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms);
 void crypt_set_password_verify(struct crypt_device *cd, int password_verify);
 
+/**
+ * Set which RNG (random number generator) is used for generating long term key
+ * @cd - crypt device handle
+ * @rng_type - kernel random number generator to use
+ *
+ * CRYPT_RNG_URANDOM - use /dev/urandom
+ * CRYPT_RNG_RANDOM  - use /dev/random (waits if no entropy in system)
+ */
+#define CRYPT_RNG_URANDOM 0
+#define CRYPT_RNG_RANDOM  1
+void crypt_set_rng_type(struct crypt_device *cd, int rng_type);
+
+/**
+ * Get which RNG (random number generator) is used for generating long term key
+ *
+ * Returns RNG type on success or negative errno value otherwise.
+ *
+ * @cd - crypt device handle
+ */
+int crypt_get_rng_type(struct crypt_device *cd);
+
 /**
  * Helper to lock/unlock memory to avoid swap sensitive data to disk
  *
@@ -122,6 +144,15 @@ int crypt_memory_lock(struct crypt_device *cd, int lock);
 #define CRYPT_PLAIN "PLAIN" /* regular crypt device, no on-disk header */
 #define CRYPT_LUKS1 "LUKS1" /* LUKS version 1 header on-disk */
 
+/**
+ * Get device type
+ *
+ * @cd - crypt device handle
+ *
+ * Returns string according to device type or NULL if not known.
+ */
+const char *crypt_get_type(struct crypt_device *cd);
+
 struct crypt_params_plain {
 	const char *hash; /* password hash function */
 	uint64_t offset;  /* offset in sectors */
@@ -144,12 +175,11 @@ struct crypt_params_luks1 {
  * @cipher_mode - including IV specification (e.g. "xts-plain")
  * @uuid - requested UUID or NULL if it should be generated
  * @volume_key - pre-generated volume key or NULL if it should be generated (only for LUKS)
- * @volume_key_size - size og volume key in bytes.
+ * @volume_key_size - size of volume key in bytes.
  * @params - crypt type specific parameters
  *
- * Note that crypt_format do not enable any keyslot, but it stores volume key internally
+ * Note that crypt_format does not enable any keyslot, but it stores volume key internally
  * and subsequent crypt_keyslot_add_* calls can be used.
- * (It is the only situation when crypt_keyslot_add_* do not require active key slots.)
  */
 int crypt_format(struct crypt_device *cd,
 	const char *type,
@@ -160,6 +190,17 @@ int crypt_format(struct crypt_device *cd,
 	size_t volume_key_size,
 	void *params);
 
+/**
+ * Set new UUID for already existing device (if format supports it)
+ *
+ * Returns 0 on success or negative errno value otherwise.
+ *
+ * @cd - crypt device handle
+ * @uuid - requested UUID or NULL if it should be generated
+ */
+int crypt_set_uuid(struct crypt_device *cd,
+		   const char *uuid);
+
 /**
  * Load crypt device parameters from on-disk header
  *
@@ -173,6 +214,19 @@ int crypt_load(struct crypt_device *cd,
 	       const char *requested_type,
 	       void *params);
 
+/**
+ * Resize crypt device
+ *
+ * Returns 0 on success or negative errno value otherwise.
+ *
+ * @cd - crypt device handle
+ * @name - name of device to resize
+ * @new_size - new device size in sectors or 0 to use underlying device size
+ */
+int crypt_resize(struct crypt_device *cd,
+		 const char *name,
+		 uint64_t new_size);
+
 /**
  * Suspends crypt device.
  *
@@ -245,6 +299,16 @@ int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
 	const char *new_passphrase,
 	size_t new_passphrase_size);
 
+/**
+ * Get number of keyslots supported for device type.
+ *
+ * Returns slot count or negative errno otherwise if device
+ * doesn't not support keyslots.
+ *
+ * @type - crypt device type
+ */
+int crypt_keyslot_max(const char *type);
+
 /**
 * Add key slot using provided key file path
  *
@@ -303,6 +367,29 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);
 #define CRYPT_ACTIVATE_READONLY (1 << 0)
 #define CRYPT_ACTIVATE_NO_UUID  (1 << 1)
 
+/**
+ * Active device runtime attributes
+ */
+struct crypt_active_device {
+	uint64_t offset;	/* offset in sectors */
+	uint64_t iv_offset;	/* IV initilisation sector */
+	uint64_t size;		/* active device size */
+	uint32_t flags;		/* activation flags */
+};
+
+/**
+ * Receives runtime attributes of active crypt device
+ *
+ * Returns 0 on success or negative errno value otherwise.
+ *
+ * @cd - crypt device handle (can be NULL)
+ * @name - name of active device
+ * @cad - preallocated active device attributes to fill
+ */
+int crypt_get_active_device(struct crypt_device *cd,
+			    const char *name,
+			    struct crypt_active_device *cad);
+
 /**
  * Activate device or check passphrase
  *
@@ -348,9 +435,12 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
  *
  * @cd - crypt device handle
  * @name - name of device to create, if NULL only check volume key
- * @volume_key - provided volume key
+ * @volume_key - provided volume key (or NULL to use internal)
  * @volume_key_size - size of @volume_key
  * @flags - activation flags
+ *
+ * If NULL is used for volume_key, device has to be initialized
+ * by previous operation (like crypt_format() or crypt_init_by_name())
  */
 int crypt_activate_by_volume_key(struct crypt_device *cd,
 	const char *name,
@@ -424,7 +514,7 @@ crypt_status_info crypt_status(struct crypt_device *cd, const char *name);
  *
  * Returns 0 on success or negative errno value otherwise.
  *
- * @cd - crypt device handle, can be NULL
+ * @cd - crypt device handle
  */
 int crypt_dump(struct crypt_device *cd);
 
@@ -436,12 +526,14 @@ int crypt_dump(struct crypt_device *cd);
  * cipher - used cipher, e.g. "aes" or NULL otherwise
  * cipher_mode - used cipher mode including IV, e.g. "xts-plain" or NULL otherwise
  * uuid - device UUID or NULL if not set
+ * device_name - underlying device name or NULL if not yet set
  * data_offset - device offset in sectors where real data starts on underlying device)
  * volume_key_size - size (in bytes) of volume key for crypt device
  */
 const char *crypt_get_cipher(struct crypt_device *cd);
 const char *crypt_get_cipher_mode(struct crypt_device *cd);
 const char *crypt_get_uuid(struct crypt_device *cd);
+const char *crypt_get_device_name(struct crypt_device *cd);
 uint64_t crypt_get_data_offset(struct crypt_device *cd);
 int crypt_get_volume_key_size(struct crypt_device *cd);
 

lib/libcryptsetup.sym

@@ -9,10 +9,12 @@ CRYPTSETUP_1.0 {
 		crypt_set_password_retry;
 		crypt_set_iterarion_time;
 		crypt_set_password_verify;
+		crypt_set_uuid;
 
 		crypt_memory_lock;
 		crypt_format;
 		crypt_load;
+		crypt_resize;
 		crypt_suspend;
 		crypt_resume_by_passphrase;
 		crypt_resume_by_keyfile;
@@ -35,7 +37,15 @@ CRYPTSETUP_1.0 {
 		crypt_get_uuid;
 		crypt_get_data_offset;
 		crypt_get_volume_key_size;
+		crypt_get_device_name;
 
+		crypt_get_type;
+		crypt_get_active_device;
+
+		crypt_set_rng_type;
+		crypt_get_rng_type;
+
+		crypt_keyslot_max;
 		crypt_keyslot_status;
 		crypt_get_error;
 		crypt_get_dir;

lib/libdevmapper.c

@@ -26,14 +26,16 @@ static int _dm_use_count = 0;
 static struct crypt_device *_context = NULL;
 
 /* Compatibility for old device-mapper without udev support */
-#ifndef HAVE_DM_TASK_SET_COOKIE
-#define CRYPT_TEMP_UDEV_FLAGS	0
-static int dm_task_set_cookie(struct dm_task *dmt, uint32_t *cookie, uint16_t flags) { return 0; }
-static int dm_udev_wait(uint32_t cookie) { return 0; };
-#else
+#if HAVE_DECL_DM_UDEV_DISABLE_DISK_RULES_FLAG
 #define CRYPT_TEMP_UDEV_FLAGS	DM_UDEV_DISABLE_SUBSYSTEM_RULES_FLAG | \
 				DM_UDEV_DISABLE_DISK_RULES_FLAG | \
 				DM_UDEV_DISABLE_OTHER_RULES_FLAG
+#define _dm_task_set_cookie	dm_task_set_cookie
+#define _dm_udev_wait		dm_udev_wait
+#else
+#define CRYPT_TEMP_UDEV_FLAGS	0
+static int _dm_task_set_cookie(struct dm_task *dmt, uint32_t *cookie, uint16_t flags) { return 0; }
+static int _dm_udev_wait(uint32_t cookie) { return 0; };
 #endif
 
 static int _dm_use_udev()
@@ -197,7 +199,7 @@ static char *lookup_dev(const char *dev_id)
 {
 	uint32_t major, minor;
 	dev_t dev;
-	char *result, buf[PATH_MAX + 1];
+	char *result = NULL, buf[PATH_MAX + 1];
 
 	if (sscanf(dev_id, "%" PRIu32 ":%" PRIu32, &major, &minor) != 2)
 		return NULL;
@@ -220,8 +222,8 @@ static char *lookup_dev(const char *dev_id)
 	strncpy(buf, DEVICE_DIR, PATH_MAX);
 	result = __lookup_dev(buf, dev, 0, 4);
 
-	/* If not found, return major:minor */
-	return result ?: strdup(dev_id);
+	/* If not found, return NULL */
+	return result;
 }
 
 static int _dev_read_ahead(const char *dev, uint32_t *read_ahead)
@@ -255,13 +257,13 @@ static char *get_params(const char *device, uint64_t skip, uint64_t offset,
 	char *params;
 	char *hexkey;
 
-	hexkey = safe_alloc(key_size * 2 + 1);
+	hexkey = crypt_safe_alloc(key_size * 2 + 1);
 	if (!hexkey)
 		return NULL;
 
 	hex_key(hexkey, key_size, key);
 
-	params = safe_alloc(strlen(hexkey) + strlen(cipher) + strlen(device) + 64);
+	params = crypt_safe_alloc(strlen(hexkey) + strlen(cipher) + strlen(device) + 64);
 	if (!params)
 		goto out;
 
@@ -269,7 +271,7 @@ static char *get_params(const char *device, uint64_t skip, uint64_t offset,
 	        cipher, hexkey, skip, device, offset);
 
 out:
-	safe_free(hexkey);
+	crypt_safe_free(hexkey);
 	return params;
 }
 
@@ -289,13 +291,13 @@ static int _dm_simple(int task, const char *name, int udev_wait)
 	if (name && !dm_task_set_name(dmt, name))
 		goto out;
 
-	if (udev_wait && !dm_task_set_cookie(dmt, &cookie, 0))
+	if (udev_wait && !_dm_task_set_cookie(dmt, &cookie, 0))
 		goto out;
 
 	r = dm_task_run(dmt);
 
 	if (udev_wait)
-		(void)dm_udev_wait(cookie);
+		(void)_dm_udev_wait(cookie);
 
       out:
 	dm_task_destroy(dmt);
@@ -455,7 +457,7 @@ int dm_create_device(const char *name,
 		if (!dm_task_set_uuid(dmt, dev_uuid))
 			goto out_no_removal;
 
-		if (_dm_use_udev() && !dm_task_set_cookie(dmt, &cookie, udev_flags))
+		if (_dm_use_udev() && !_dm_task_set_cookie(dmt, &cookie, udev_flags))
 			goto out_no_removal;
 	}
 
@@ -481,7 +483,7 @@ int dm_create_device(const char *name,
 			goto out;
 		if (uuid && !dm_task_set_uuid(dmt, dev_uuid))
 			goto out;
-		if (_dm_use_udev() && !dm_task_set_cookie(dmt, &cookie, udev_flags))
+		if (_dm_use_udev() && !_dm_task_set_cookie(dmt, &cookie, udev_flags))
 			goto out;
 		if (!dm_task_run(dmt))
 			goto out;
@@ -493,7 +495,7 @@ int dm_create_device(const char *name,
 	r = 0;
 out:
 	if (_dm_use_udev()) {
-		(void)dm_udev_wait(cookie);
+		(void)_dm_udev_wait(cookie);
 		cookie = 0;
 	}
 
@@ -511,10 +513,10 @@ out:
 
 out_no_removal:
 	if (cookie && _dm_use_udev())
-		(void)dm_udev_wait(cookie);
+		(void)_dm_udev_wait(cookie);
 
 	if (params)
-		safe_free(params);
+		crypt_safe_free(params);
 	if (dmt)
 		dm_task_destroy(dmt);
 
@@ -532,22 +534,16 @@ int dm_status_device(const char *name)
 	int r = -EINVAL;
 
 	if (!(dmt = dm_task_create(DM_DEVICE_STATUS)))
-		return -EINVAL;
-
-	if (!dm_task_set_name(dmt, name)) {
-		r = -EINVAL;
 		goto out;
-	}
 
-	if (!dm_task_run(dmt)) {
-		r = -EINVAL;
+	if (!dm_task_set_name(dmt, name))
 		goto out;
-	}
 
-	if (!dm_task_get_info(dmt, &dmi)) {
-		r = -EINVAL;
+	if (!dm_task_run(dmt))
+		goto out;
+
+	if (!dm_task_get_info(dmt, &dmi))
 		goto out;
-	}
 
 	if (!dmi.exists) {
 		r = -ENODEV;
@@ -649,7 +645,7 @@ int dm_query_device(const char *name,
 
 	/* key */
 	if (key_size && key) {
-		*key = safe_alloc(*key_size);
+		*key = crypt_safe_alloc(*key_size);
 		if (!*key) {
 			r = -ENOMEM;
 			goto out;
@@ -660,7 +656,7 @@ int dm_query_device(const char *name,
 			memcpy(buffer, &key_[i * 2], 2);
 			(*key)[i] = strtoul(buffer, &endp, 16);
 			if (endp != &buffer[2]) {
-				safe_free(key);
+				crypt_safe_free(key);
 				*key = NULL;
 				goto out;
 			}
@@ -743,7 +739,7 @@ int dm_resume_and_reinstate_key(const char *name,
 	if (!_dm_crypt_wipe_key_supported)
 		return -ENOTSUP;
 
-	msg = safe_alloc(msg_size);
+	msg = crypt_safe_alloc(msg_size);
 	if (!msg)
 		return -ENOMEM;
 
@@ -755,7 +751,7 @@ int dm_resume_and_reinstate_key(const char *name,
 	    !_dm_simple(DM_DEVICE_RESUME, name, 1))
 		r = -EINVAL;
 
-	safe_free(msg);
+	crypt_safe_free(msg);
 	return r;
 }
 

lib/luks1/Makefile.am

@@ -1,18 +1,15 @@
 moduledir = $(libdir)/cryptsetup
 
-noinst_LTLIBRARIES = libluks.la
+noinst_LTLIBRARIES = libluks1.la
 
-libluks_la_CFLAGS = -Wall @LIBGCRYPT_CFLAGS@
+libluks1_la_CFLAGS = -Wall @LIBGCRYPT_CFLAGS@
 
-libluks_la_SOURCES = \
+libluks1_la_SOURCES = \
 	af.c \
 	pbkdf.c \
 	keymanage.c \
 	keyencryption.c \
-	hexprint.c \
-	random.c \
 	pbkdf.h \
-	random.h \
 	af.h \
 	luks.h
 

lib/luks1/af.c

@@ -26,7 +26,7 @@
 #include <netinet/in.h>
 #include <errno.h>
 #include <gcrypt.h>
-#include "random.h"
+#include "internal.h"
 
 static void XORblock(char const *src1, char const *src2, char *dst, size_t n)
 {
@@ -99,7 +99,7 @@ int AF_split(char *src, char *dst, size_t blocksize, unsigned int blocknumbers,
 
 	/* process everything except the last block */
 	for(i=0; i<blocknumbers-1; i++) {
-		r = getRandom(dst+(blocksize*i),blocksize);
+		r = crypt_random_get(NULL, dst+(blocksize*i), blocksize, CRYPT_RND_NORMAL);
 		if(r < 0) goto out;
 
 		XORblock(dst+(blocksize*i),bufblock,bufblock,blocksize);
@@ -124,7 +124,8 @@ int AF_merge(char *src, char *dst, size_t blocksize, unsigned int blocknumbers,
 	if (!(hash_id = gcry_md_map_name(hash)))
 		return -EINVAL;
 
-	if((bufblock = calloc(blocksize, 1)) == NULL) return -ENOMEM;
+	if((bufblock = calloc(blocksize, 1)) == NULL)
+		return -ENOMEM;
 
 	memset(bufblock,0,blocksize);
 	for(i=0; i<blocknumbers-1; i++) {
@@ -136,5 +137,5 @@ int AF_merge(char *src, char *dst, size_t blocksize, unsigned int blocknumbers,
 	r = 0;
 out:
 	free(bufblock);
-	return 0;
+	return r;
 }

lib/luks1/keyencryption.c

@@ -33,9 +33,7 @@
 #include <signal.h>
 
 #include "luks.h"
-//#include "../lib/libcryptsetup.h"
-#include "../lib/internal.h"
-//#include "../lib/blockdev.h"
+#include "internal.h"
 
 #define div_round_up(a,b) ({          \
 	typeof(a) __a = (a);          \

lib/luks1/keymanage.c

@@ -29,13 +29,12 @@
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
+#include <uuid/uuid.h>
 
 #include "luks.h"
 #include "af.h"
 #include "pbkdf.h"
-#include "random.h"
-#include <uuid/uuid.h>
-#include <../lib/internal.h>
+#include "internal.h"
 
 #define div_round_up(a,b) ({           \
 	typeof(a) __a = (a);          \
@@ -47,38 +46,6 @@ static inline int round_up_modulo(int x, int m) {
 	return div_round_up(x, m) * m;
 }
 
-struct luks_masterkey *LUKS_alloc_masterkey(int keylength, const char *key)
-{ 
-	struct luks_masterkey *mk=malloc(sizeof(*mk) + keylength);
-	if(NULL == mk) return NULL;
-	mk->keyLength=keylength;
-	if (key)
-		memcpy(&mk->key, key, keylength);
-	return mk;
-}
-
-void LUKS_dealloc_masterkey(struct luks_masterkey *mk)
-{
-	if(NULL != mk) {
-		memset(mk->key,0,mk->keyLength);
-		mk->keyLength=0;
-		free(mk);
-	}
-}
-
-struct luks_masterkey *LUKS_generate_masterkey(int keylength)
-{
-	struct luks_masterkey *mk=LUKS_alloc_masterkey(keylength, NULL);
-	if(NULL == mk) return NULL;
-
-	int r = getRandom(mk->key,keylength);
-	if(r < 0) {
-		LUKS_dealloc_masterkey(mk);
-		return NULL;
-	}
-	return mk;
-}
-
 int LUKS_hdr_backup(
 	const char *backup_file,
 	const char *device,
@@ -95,12 +62,12 @@ int LUKS_hdr_backup(
 		return -EINVAL;
 	}
 
-	r = LUKS_read_phdr(device, hdr, 0, ctx);
+	r = LUKS_read_phdr(device, hdr, 1, ctx);
 	if (r)
 		return r;
 
 	buffer_size = hdr->payloadOffset << SECTOR_SHIFT;
-	buffer = safe_alloc(buffer_size);
+	buffer = crypt_safe_alloc(buffer_size);
 	if (!buffer || buffer_size < LUKS_ALIGN_KEYSLOTS) {
 		r = -ENOMEM;
 		goto out;
@@ -141,7 +108,7 @@ int LUKS_hdr_backup(
 out:
 	if (devfd != -1)
 		close(devfd);
-	safe_free(buffer);
+	crypt_safe_free(buffer);
 	return r;
 }
 
@@ -171,7 +138,7 @@ int LUKS_hdr_restore(
 		goto out;
 	}
 
-	buffer = safe_alloc(buffer_size);
+	buffer = crypt_safe_alloc(buffer_size);
 	if (!buffer) {
 		r = -ENOMEM;
 		goto out;
@@ -238,7 +205,7 @@ int LUKS_hdr_restore(
 out:
 	if (devfd != -1)
 		close(devfd);
-	safe_free(buffer);
+	crypt_safe_free(buffer);
 	return r;
 }
 
@@ -420,7 +387,7 @@ static int LUKS_PBKDF2_performance_check(const char *hashSpec,
 }
 
 int LUKS_generate_phdr(struct luks_phdr *header,
-		       const struct luks_masterkey *mk,
+		       const struct volume_key *vk,
 		       const char *cipherName, const char *cipherMode, const char *hashSpec,
 		       const char *uuid, unsigned int stripes,
 		       unsigned int alignPayload,
@@ -430,14 +397,26 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 		       struct crypt_device *ctx)
 {
 	unsigned int i=0;
-	unsigned int blocksPerStripeSet = div_round_up(mk->keyLength*stripes,SECTOR_SIZE);
+	unsigned int blocksPerStripeSet = div_round_up(vk->keylength*stripes,SECTOR_SIZE);
 	int r;
 	char luksMagic[] = LUKS_MAGIC;
 	uuid_t partitionUuid;
 	int currentSector;
-	int alignSectors = LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE;
+
 	if (alignPayload == 0)
-		alignPayload = alignSectors;
+		alignPayload = DEFAULT_DISK_ALIGNMENT / SECTOR_SIZE;
+
+	if (PBKDF2_HMAC_ready(hashSpec) < 0) {
+		log_err(ctx, _("Requested LUKS hash %s is not supported.\n"), hashSpec);
+		return -EINVAL;
+	}
+
+	if (uuid && uuid_parse(uuid, partitionUuid) == -1) {
+		log_err(ctx, _("Wrong LUKS UUID format provided.\n"));
+		return -EINVAL;
+	}
+	if (!uuid)
+		uuid_generate(partitionUuid);
 
 	memset(header,0,sizeof(struct luks_phdr));
 
@@ -448,7 +427,7 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 	strncpy(header->cipherMode,cipherMode,LUKS_CIPHERMODE_L);
 	strncpy(header->hashSpec,hashSpec,LUKS_HASHSPEC_L);
 
-	header->keyBytes=mk->keyLength;
+	header->keyBytes=vk->keylength;
 
 	LUKS_fix_header_compatible(header);
 
@@ -456,7 +435,7 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 		header->version, header->hashSpec ,header->cipherName, header->cipherMode,
 		header->keyBytes);
 
-	r = getRandom(header->mkDigestSalt,LUKS_SALTSIZE);
+	r = crypt_random_get(ctx, header->mkDigestSalt, LUKS_SALTSIZE, CRYPT_RND_NORMAL);
 	if(r < 0) {
 		log_err(ctx,  _("Cannot create LUKS header: reading random salt failed.\n"));
 		return r;
@@ -470,7 +449,7 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 	header->mkDigestIterations = at_least((uint32_t)(*PBKDF2_per_sec/1024) * iteration_time_ms,
 					      LUKS_MKD_ITERATIONS_MIN);
 
-	r = PBKDF2_HMAC(header->hashSpec,mk->key,mk->keyLength,
+	r = PBKDF2_HMAC(header->hashSpec,vk->key,vk->keylength,
 			header->mkDigestSalt,LUKS_SALTSIZE,
 			header->mkDigestIterations,
 			header->mkDigest,LUKS_DIGESTSIZE);
@@ -480,24 +459,19 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 		return r;
 	}
 
-	currentSector = round_up_modulo(LUKS_PHDR_SIZE, alignSectors);
+	currentSector = round_up_modulo(LUKS_PHDR_SIZE, LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE);
 	for(i = 0; i < LUKS_NUMKEYS; ++i) {
 		header->keyblock[i].active = LUKS_KEY_DISABLED;
 		header->keyblock[i].keyMaterialOffset = currentSector;
 		header->keyblock[i].stripes = stripes;
-		currentSector = round_up_modulo(currentSector + blocksPerStripeSet, alignSectors);
+		currentSector = round_up_modulo(currentSector + blocksPerStripeSet,
+						LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE);
 	}
 	currentSector = round_up_modulo(currentSector, alignPayload);
 
 	/* alignOffset - offset from natural device alignment provided by topology info */
 	header->payloadOffset = currentSector + alignOffset;
 
-	if (uuid && !uuid_parse(uuid, partitionUuid)) {
-		log_err(ctx, _("Wrong UUID format provided, generating new one.\n"));
-		uuid = NULL;
-	}
-	if (!uuid)
-		uuid_generate(partitionUuid);
         uuid_unparse(partitionUuid, header->uuid);
 
 	log_dbg("Data offset %d, UUID %s, digest iterations %" PRIu32,
@@ -506,9 +480,29 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 	return 0;
 }
 
+int LUKS_hdr_uuid_set(
+	const char *device,
+	struct luks_phdr *hdr,
+	const char *uuid,
+	struct crypt_device *ctx)
+{
+	uuid_t partitionUuid;
+
+	if (uuid && uuid_parse(uuid, partitionUuid) == -1) {
+		log_err(ctx, _("Wrong LUKS UUID format provided.\n"));
+		return -EINVAL;
+	}
+	if (!uuid)
+		uuid_generate(partitionUuid);
+
+	uuid_unparse(partitionUuid, hdr->uuid);
+
+	return LUKS_write_phdr(device, hdr, ctx);
+}
+
 int LUKS_set_key(const char *device, unsigned int keyIndex,
 		 const char *password, size_t passwordLen,
-		 struct luks_phdr *hdr, struct luks_masterkey *mk,
+		 struct luks_phdr *hdr, struct volume_key *vk,
 		 uint32_t iteration_time_ms,
 		 uint64_t *PBKDF2_per_sec,
 		 struct crypt_device *ctx)
@@ -548,10 +542,11 @@ int LUKS_set_key(const char *device, unsigned int keyIndex,
 
 	log_dbg("Key slot %d use %d password iterations.", keyIndex, hdr->keyblock[keyIndex].passwordIterations);
 
-	r = getRandom(hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE);
+	r = crypt_random_get(ctx, hdr->keyblock[keyIndex].passwordSalt,
+		       LUKS_SALTSIZE, CRYPT_RND_NORMAL);
 	if(r < 0) return r;
 
-//	assert((mk->keyLength % TWOFISH_BLOCKSIZE) == 0); FIXME
+//	assert((vk->keylength % TWOFISH_BLOCKSIZE) == 0); FIXME
 
 	r = PBKDF2_HMAC(hdr->hashSpec, password,passwordLen,
 			hdr->keyblock[keyIndex].passwordSalt,LUKS_SALTSIZE,
@@ -560,15 +555,15 @@ int LUKS_set_key(const char *device, unsigned int keyIndex,
 	if(r < 0) return r;
 
 	/*
-	 * AF splitting, the masterkey stored in mk->key is splitted to AfMK
+	 * AF splitting, the masterkey stored in vk->key is splitted to AfMK
 	 */
-	AFEKSize = hdr->keyblock[keyIndex].stripes*mk->keyLength;
+	AFEKSize = hdr->keyblock[keyIndex].stripes*vk->keylength;
 	AfKey = (char *)malloc(AFEKSize);
 	if(AfKey == NULL) return -ENOMEM;
 
 	log_dbg("Using hash %s for AF in key slot %d, %d stripes",
 		hdr->hashSpec, keyIndex, hdr->keyblock[keyIndex].stripes);
-	r = AF_split(mk->key,AfKey,mk->keyLength,hdr->keyblock[keyIndex].stripes,hdr->hashSpec);
+	r = AF_split(vk->key,AfKey,vk->keylength,hdr->keyblock[keyIndex].stripes,hdr->hashSpec);
 	if(r < 0) goto out;
 
 	log_dbg("Updating key slot %d [0x%04x] area on device %s.", keyIndex,
@@ -601,13 +596,13 @@ out:
 	return r;
 }
 
-/* Check whether a master key is invalid. */
-int LUKS_verify_master_key(const struct luks_phdr *hdr,
-			   const struct luks_masterkey *mk)
+/* Check whether a volume key is invalid. */
+int LUKS_verify_volume_key(const struct luks_phdr *hdr,
+			   const struct volume_key *vk)
 {
 	char checkHashBuf[LUKS_DIGESTSIZE];
 
-	if (PBKDF2_HMAC(hdr->hashSpec, mk->key, mk->keyLength,
+	if (PBKDF2_HMAC(hdr->hashSpec, vk->key, vk->keylength,
 			hdr->mkDigestSalt, LUKS_SALTSIZE,
 			hdr->mkDigestIterations, checkHashBuf,
 			LUKS_DIGESTSIZE) < 0)
@@ -620,12 +615,12 @@ int LUKS_verify_master_key(const struct luks_phdr *hdr,
 }
 
 /* Try to open a particular key slot */
-int LUKS_open_key(const char *device,
+static int LUKS_open_key(const char *device,
 		  unsigned int keyIndex,
 		  const char *password,
 		  size_t passwordLen,
 		  struct luks_phdr *hdr,
-		  struct luks_masterkey *mk,
+		  struct volume_key *vk,
 		  struct crypt_device *ctx)
 {
 	crypt_keyslot_info ki = LUKS_keyslot_info(hdr, keyIndex);
@@ -639,9 +634,9 @@ int LUKS_open_key(const char *device,
 	if (ki < CRYPT_SLOT_ACTIVE)
 		return -ENOENT;
 
-	// assert((mk->keyLength % TWOFISH_BLOCKSIZE) == 0); FIXME
+	// assert((vk->keylength % TWOFISH_BLOCKSIZE) == 0); FIXME
 
-	AFEKSize = hdr->keyblock[keyIndex].stripes*mk->keyLength;
+	AFEKSize = hdr->keyblock[keyIndex].stripes*vk->keylength;
 	AfKey = (char *)malloc(AFEKSize);
 	if(AfKey == NULL) return -ENOMEM;
 
@@ -665,12 +660,12 @@ int LUKS_open_key(const char *device,
 		goto out;
 	}
 
-	r = AF_merge(AfKey,mk->key,mk->keyLength,hdr->keyblock[keyIndex].stripes,hdr->hashSpec);
+	r = AF_merge(AfKey,vk->key,vk->keylength,hdr->keyblock[keyIndex].stripes,hdr->hashSpec);
 	if(r < 0) goto out;
 
-	r = LUKS_verify_master_key(hdr, mk);
-	if (r >= 0)
-		log_std(ctx, _("Key slot %d unlocked.\n"), keyIndex);
+	r = LUKS_verify_volume_key(hdr, vk);
+	if (!r)
+		log_verbose(ctx, _("Key slot %d unlocked.\n"), keyIndex);
 out:
 	free(AfKey);
 	return r;
@@ -681,19 +676,21 @@ int LUKS_open_key_with_hdr(const char *device,
 			   const char *password,
 			   size_t passwordLen,
 			   struct luks_phdr *hdr,
-			   struct luks_masterkey **mk,
+			   struct volume_key **vk,
 			   struct crypt_device *ctx)
 {
 	unsigned int i;
 	int r;
 
-	*mk = LUKS_alloc_masterkey(hdr->keyBytes, NULL);
+	*vk = crypt_alloc_volume_key(hdr->keyBytes, NULL);
 
-	if (keyIndex >= 0)
-		return LUKS_open_key(device, keyIndex, password, passwordLen, hdr, *mk, ctx);
+	if (keyIndex >= 0) {
+		r = LUKS_open_key(device, keyIndex, password, passwordLen, hdr, *vk, ctx);
+		return (r < 0) ? r : keyIndex;
+	}
 
 	for(i = 0; i < LUKS_NUMKEYS; i++) {
-		r = LUKS_open_key(device, i, password, passwordLen, hdr, *mk, ctx);
+		r = LUKS_open_key(device, i, password, passwordLen, hdr, *vk, ctx);
 		if(r == 0)
 			return i;
 
@@ -746,12 +743,15 @@ static int wipe(const char *device, unsigned int from, unsigned int to)
 		return -EINVAL;
 
 	buffer = (char *) malloc(bufLen);
-	if(!buffer) return -ENOMEM;
+	if(!buffer) {
+		close(devfd);
+		return -ENOMEM;
+	}
 
 	for(i = 0; i < 39; ++i) {
-		if     (i >=  0 && i <  5) getRandom(buffer, bufLen);
+		if     (i >=  0 && i <  5) crypt_random_get(NULL, buffer, bufLen, CRYPT_RND_NORMAL);
 		else if(i >=  5 && i < 32) wipeSpecial(buffer, bufLen, i - 5);
-		else if(i >= 32 && i < 38) getRandom(buffer, bufLen);
+		else if(i >= 32 && i < 38) crypt_random_get(NULL, buffer, bufLen, CRYPT_RND_NORMAL);
 		else if(i >= 38 && i < 39) memset(buffer, 0xFF, bufLen);
 
 		if(write_lseek_blockwise(devfd, buffer, bufLen, from * SECTOR_SIZE) < 0) {
@@ -796,6 +796,10 @@ int LUKS_del_key(const char *device,
 		return r;
 	}
 
+	/* Wipe keyslot info */
+	memset(&hdr->keyblock[keyIndex].passwordSalt, 0, LUKS_SALTSIZE);
+	hdr->keyblock[keyIndex].passwordIterations = 0;
+
 	r = LUKS_write_phdr(device, hdr, ctx);
 
 	return r;

lib/luks1/luks.h

@@ -36,12 +36,14 @@
 /* Actually we need only 37, but we don't want struct autoaligning to kick in */
 #define UUID_STRING_L 40
 
-/* Offset to align kesylot area */
+/* Offset to keyslot area [in bytes] */
 #define LUKS_ALIGN_KEYSLOTS 4096
 
 /* Any integer values are stored in network byte order on disk and must be
 converted */
 
+struct volume_key;
+
 struct luks_phdr {
 	char		magic[LUKS_MAGIC_L];
 	uint16_t	version;
@@ -71,20 +73,12 @@ struct luks_phdr {
 	char		_padding[432];
 };
 
-struct luks_masterkey {
-	size_t keyLength;
-	char key[];
-};
-
-struct luks_masterkey *LUKS_alloc_masterkey(int keylength, const char *key);
-void LUKS_dealloc_masterkey(struct luks_masterkey *mk);
-struct luks_masterkey *LUKS_generate_masterkey(int keylength);
-int LUKS_verify_master_key(const struct luks_phdr *hdr,
-			   const struct luks_masterkey *mk);
+int LUKS_verify_volume_key(const struct luks_phdr *hdr,
+			   const struct volume_key *vk);
 
 int LUKS_generate_phdr(
 	struct luks_phdr *header,
-	const struct luks_masterkey *mk,
+	const struct volume_key *vk,
 	const char *cipherName,
 	const char *cipherMode,
 	const char *hashSpec,
@@ -109,6 +103,12 @@ int LUKS_read_phdr_backup(
 	int require_luks_device,
 	struct crypt_device *ctx);
 
+int LUKS_hdr_uuid_set(
+	const char *device,
+	struct luks_phdr *hdr,
+	const char *uuid,
+	struct crypt_device *ctx);
+
 int LUKS_hdr_backup(
 	const char *backup_file,
 	const char *device,
@@ -132,27 +132,18 @@ int LUKS_set_key(
 	const char *password,
 	size_t passwordLen,
 	struct luks_phdr *hdr,
-	struct luks_masterkey *mk,
+	struct volume_key *vk,
 	uint32_t iteration_time_ms,
 	uint64_t *PBKDF2_per_sec,
 	struct crypt_device *ctx);
 
-int LUKS_open_key(
-	const char *device,
-	unsigned int keyIndex,
-	const char *password,
-	size_t passwordLen,
-	struct luks_phdr *hdr,
-	struct luks_masterkey *mk,
-	struct crypt_device *ctx);
-
 int LUKS_open_key_with_hdr(
 	const char *device,
 	int keyIndex,
 	const char *password,
 	size_t passwordLen,
 	struct luks_phdr *hdr,
-	struct luks_masterkey **mk,
+	struct volume_key **vk,
 	struct crypt_device *ctx);
 
 int LUKS_del_key(

lib/luks1/pbkdf.h

@@ -3,8 +3,6 @@
 
 #include <stddef.h>
 
-/* */
-
 int PBKDF2_HMAC(const char *hash,
 		const char *password, size_t passwordLen,
 		const char *salt, size_t saltLen, unsigned int iterations,

lib/random.c

@@ -0,0 +1,226 @@
+/*
+ * cryptsetup kernel RNG access functions
+ *
+ * Copyright (C) 2010 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <assert.h>
+
+#include "libcryptsetup.h"
+#include "internal.h"
+
+static int random_initialised = 0;
+
+#define URANDOM_DEVICE	"/dev/urandom"
+static int urandom_fd = -1;
+
+#define RANDOM_DEVICE	"/dev/random"
+static int random_fd = -1;
+
+/* Read random chunk - gathered data usually appears with this granularity */
+#define RANDOM_DEVICE_CHUNK	8
+
+/* Timeout to print warning if no random data (entropy) */
+#define RANDOM_DEVICE_TIMEOUT	5
+
+/* URANDOM_DEVICE access */
+static int _get_urandom(struct crypt_device *ctx, char *buf, size_t len)
+{
+	int r;
+	size_t old_len = len;
+	char *old_buf = buf;
+
+	assert(urandom_fd != -1);
+
+	while(len) {
+		r = read(urandom_fd, buf, len);
+		if (r == -1 && errno != EINTR)
+			return -EINVAL;
+		if (r > 0) {
+			len -= r;
+			buf += r;
+		}
+	}
+
+	assert(len == 0);
+	assert((size_t)(buf - old_buf) == old_len);
+
+	return 0;
+}
+
+static void _get_random_progress(struct crypt_device *ctx, int warn,
+				 size_t expected_len, size_t read_len)
+{
+	if (warn)
+		log_std(ctx,
+			_("System is out of entropy while generating volume key.\n"
+			  "Please move mouse or type some text in another window "
+			  "to gather some random events.\n"));
+
+	log_std(ctx, _("Generating key (%d%% done).\n"),
+		(int)((expected_len - read_len) * 100 / expected_len));
+}
+
+/* RANDOM_DEVICE access */
+static int _get_random(struct crypt_device *ctx, char *buf, size_t len)
+{
+	int r, warn_once = 1;
+	size_t n, old_len = len;
+	char *old_buf = buf;
+	fd_set fds;
+	struct timeval tv;
+
+	assert(random_fd != -1);
+
+	while (len) {
+		FD_ZERO(&fds);
+		FD_SET(random_fd, &fds);
+
+		tv.tv_sec = RANDOM_DEVICE_TIMEOUT;
+		tv.tv_usec = 0;
+
+		r = select(random_fd + 1, &fds, NULL, NULL, &tv);
+		if(r == -1)
+			return -EINVAL;
+
+		if(!r) {
+			_get_random_progress(ctx, warn_once, old_len, len);
+			warn_once = 0;
+			continue;
+		}
+
+		do {
+			n = RANDOM_DEVICE_CHUNK;
+			if (len < RANDOM_DEVICE_CHUNK)
+				n = len;
+
+			r = read(random_fd, buf, n);
+
+			if (r == -1 && errno == EINTR) {
+				r = 0;
+				continue;
+			}
+
+			/* bogus read? */
+			if(r > (int)n)
+				return -EINVAL;
+
+			/* random device is opened with O_NONBLOCK, EAGAIN is expected */
+			if (r == -1 && (errno != EAGAIN && errno != EWOULDBLOCK))
+				return -EINVAL;
+
+			if (r > 0) {
+				len -= r;
+				buf += r;
+			}
+		} while (len && r > 0);
+	}
+
+	assert(len == 0);
+	assert((size_t)(buf - old_buf) == old_len);
+
+	if (!warn_once)
+		_get_random_progress(ctx, 0, old_len, len);
+
+	return 0;
+}
+/* Initialisation of both RNG file descriptors is mandatory */
+int crypt_random_init(struct crypt_device *ctx)
+{
+	/* Used for CRYPT_RND_NORMAL */
+	if(urandom_fd == -1)
+		urandom_fd = open(URANDOM_DEVICE, O_RDONLY);
+	if(urandom_fd == -1)
+		goto fail;
+
+	/* Used for CRYPT_RND_KEY */
+	if(random_fd == -1)
+		random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK);
+	if(random_fd == -1)
+		goto fail;
+
+	random_initialised = 1;
+	return 0;
+fail:
+	crypt_random_exit();
+	log_err(ctx, _("Fatal error during RNG initialisation.\n"));
+	return -ENOSYS;
+}
+
+int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int quality)
+{
+	int status, rng_type;
+
+	switch(quality) {
+	case CRYPT_RND_NORMAL:
+		status = _get_urandom(ctx, buf, len);
+		break;
+	case CRYPT_RND_KEY:
+		rng_type = ctx ? crypt_get_rng_type(ctx) :
+				 crypt_random_default_key_rng();
+		switch (rng_type) {
+		case CRYPT_RNG_URANDOM:
+			status = _get_urandom(ctx, buf, len);
+			break;
+		case CRYPT_RNG_RANDOM:
+			status = _get_random(ctx, buf, len);
+			break;
+		default:
+			abort();
+		}
+		break;
+	default:
+		log_err(ctx, _("Unknown RNG quality requested.\n"));
+		return -EINVAL;
+	}
+
+	if (status)
+		log_err(ctx, _("Error %d reading from RNG: %s\n"),
+			errno, strerror(errno));
+
+	return status;
+}
+
+void crypt_random_exit()
+{
+	random_initialised = 0;
+
+	if(random_fd != -1) {
+		(void)close(random_fd);
+		random_fd = -1;
+	}
+
+	if(urandom_fd != -1) {
+		(void)close(urandom_fd);
+		urandom_fd = -1;
+	}
+}
+
+int crypt_random_default_key_rng()
+{
+	if (!strcmp(DEFAULT_RNG, RANDOM_DEVICE))
+		return CRYPT_RNG_RANDOM;
+
+	if (!strcmp(DEFAULT_RNG, URANDOM_DEVICE))
+		return CRYPT_RNG_URANDOM;
+
+	/* RNG misconfiguration is fatal */
+	abort();
+}

lib/utils.c

@@ -11,18 +11,12 @@
 #include <sys/stat.h>
 #include <sys/ioctl.h>
 #include <fcntl.h>
-#include <termios.h>
 #include <sys/mman.h>
 #include <sys/resource.h>
 
 #include "libcryptsetup.h"
 #include "internal.h"
 
-struct safe_allocation {
-	size_t	size;
-	char	data[1];
-};
-
 static char *error=NULL;
 
 void set_error_va(const char *fmt, va_list va)
@@ -61,76 +55,14 @@ const char *get_error(void)
 	return error;
 }
 
-void *safe_alloc(size_t size)
-{
-	struct safe_allocation *alloc;
-
-	if (!size)
-		return NULL;
-
-	alloc = malloc(size + offsetof(struct safe_allocation, data));
-	if (!alloc)
-		return NULL;
-
-	alloc->size = size;
-
-	return &alloc->data;
-}
-
-void safe_free(void *data)
-{
-	struct safe_allocation *alloc;
-
-	if (!data)
-		return;
-
-	alloc = data - offsetof(struct safe_allocation, data);
-
-	memset(data, 0, alloc->size);
-
-	alloc->size = 0x55aa55aa;
-	free(alloc);
-}
-
-void *safe_realloc(void *data, size_t size)
-{
-	void *new_data;
-
-	new_data = safe_alloc(size);
-
-	if (new_data && data) {
-		struct safe_allocation *alloc;
-
-		alloc = data - offsetof(struct safe_allocation, data);
-
-		if (size > alloc->size)
-			size = alloc->size;
-
-		memcpy(new_data, data, size);
-	}
-
-	safe_free(data);
-	return new_data;
-}
-
-char *safe_strdup(const char *s)
-{
-	char *s2 = safe_alloc(strlen(s) + 1);
-
-	if (!s2)
-		return NULL;
-
-	return strcpy(s2, s);
-}
-
 static int get_alignment(int fd)
 {
-	int alignment = DEFAULT_ALIGNMENT;
+	int alignment = DEFAULT_MEM_ALIGNMENT;
 
 #ifdef _PC_REC_XFER_ALIGN
 	alignment = fpathconf(fd, _PC_REC_XFER_ALIGN);
 	if (alignment < 0)
-		alignment = DEFAULT_ALIGNMENT;
+		alignment = DEFAULT_MEM_ALIGNMENT;
 #endif
 	return alignment;
 }
@@ -239,7 +171,7 @@ ssize_t read_blockwise(int fd, void *orig_buf, size_t count) {
 	if ((long)orig_buf & (alignment - 1)) {
 		buf = aligned_malloc(&buf_base, count, alignment);
 		if (!buf)
-			goto out;
+			return -1;
 	} else
 		buf = orig_buf;
 
@@ -304,222 +236,6 @@ ssize_t write_lseek_blockwise(int fd, const char *buf, size_t count, off_t offse
 	return write_blockwise(fd, buf, count) + innerCount;
 }
 
-/* Password reading helpers */
-
-static int untimed_read(int fd, char *pass, size_t maxlen)
-{
-	ssize_t i;
-
-	i = read(fd, pass, maxlen);
-	if (i > 0) {
-		pass[i-1] = '\0';
-		i = 0;
-	} else if (i == 0) { /* EOF */
-		*pass = 0;
-		i = -1;
-	}
-	return i;
-}
-
-static int timed_read(int fd, char *pass, size_t maxlen, long timeout)
-{
-	struct timeval t;
-	fd_set fds;
-	int failed = -1;
-
-	FD_ZERO(&fds);
-	FD_SET(fd, &fds);
-	t.tv_sec = timeout;
-	t.tv_usec = 0;
-
-	if (select(fd+1, &fds, NULL, NULL, &t) > 0)
-		failed = untimed_read(fd, pass, maxlen);
-
-	return failed;
-}
-
-static int interactive_pass(const char *prompt, char *pass, size_t maxlen,
-		long timeout)
-{
-	struct termios orig, tmp;
-	int failed = -1;
-	int infd = STDIN_FILENO, outfd;
-
-	if (maxlen < 1)
-		goto out_err;
-
-	/* Read and write to /dev/tty if available */
-	if ((infd = outfd = open("/dev/tty", O_RDWR)) == -1) {
-		infd = STDIN_FILENO;
-		outfd = STDERR_FILENO;
-	}
-
-	if (tcgetattr(infd, &orig))
-		goto out_err;
-
-	memcpy(&tmp, &orig, sizeof(tmp));
-	tmp.c_lflag &= ~ECHO;
-
-	if (write(outfd, prompt, strlen(prompt)) < 0)
-		goto out_err;
-
-	tcsetattr(infd, TCSAFLUSH, &tmp);
-	if (timeout)
-		failed = timed_read(infd, pass, maxlen, timeout);
-	else
-		failed = untimed_read(infd, pass, maxlen);
-	tcsetattr(infd, TCSAFLUSH, &orig);
-
-out_err:
-	if (!failed && write(outfd, "\n", 1));
-
-	if (infd != STDIN_FILENO)
-		close(infd);
-	return failed;
-}
-
-/*
- * Password reading behaviour matrix of get_key
- * 
- *                    p   v   n   h
- * -----------------+---+---+---+---
- * interactive      | Y | Y | Y | Inf
- * from fd          | N | N | Y | Inf
- * from binary file | N | N | N | Inf or options->key_size
- *
- * Legend: p..prompt, v..can verify, n..newline-stop, h..read horizon
- *
- * Note: --key-file=- is interpreted as a read from a binary file (stdin)
- */
-
-void get_key(char *prompt, char **key, unsigned int *passLen, int key_size,
-            const char *key_file, int timeout, int how2verify,
-	    struct crypt_device *cd)
-{
-	int fd = -1;
-	const int verify = how2verify & CRYPT_FLAG_VERIFY;
-	const int verify_if_possible = how2verify & CRYPT_FLAG_VERIFY_IF_POSSIBLE;
-	char *pass = NULL;
-	int newline_stop;
-	int read_horizon;
-	int regular_file = 0;
-	int r;
-
-	if(key_file && !strcmp(key_file, "-")) {
-		/* Allow binary reading from stdin */
-		fd = STDIN_FILENO;
-		newline_stop = 0;
-		read_horizon = 0;
-	} else if (key_file) {
-		fd = open(key_file, O_RDONLY);
-		if (fd < 0) {
-			log_err(cd, _("Failed to open key file %s.\n"), key_file);
-			goto out_err;
-		}
-		newline_stop = 0;
-
-		/* This can either be 0 (LUKS) or the actually number
-		 * of key bytes (default or passed by -s) */
-		read_horizon = key_size;
-	} else {
-		fd = STDIN_FILENO;
-		newline_stop = 1;
-		read_horizon = 0;   /* Infinite, if read from terminal or fd */
-	}
-
-	/* Interactive case */
-	if(isatty(fd)) {
-		int i;
-
-		pass = safe_alloc(MAX_TTY_PASSWORD_LEN);
-		if (!pass || (i = interactive_pass(prompt, pass, MAX_TTY_PASSWORD_LEN, timeout))) {
-			log_err(cd, _("Error reading passphrase from terminal.\n"));
-			goto out_err;
-		}
-		if (verify || verify_if_possible) {
-			char pass_verify[MAX_TTY_PASSWORD_LEN];
-			i = interactive_pass(_("Verify passphrase: "), pass_verify, sizeof(pass_verify), timeout);
-			if (i || strcmp(pass, pass_verify) != 0) {
-				log_err(cd, _("Passphrases do not match.\n"));
-				goto out_err;
-			}
-			memset(pass_verify, 0, sizeof(pass_verify));
-		}
-		*passLen = strlen(pass);
-		*key = pass;
-	} else {
-		/* 
-		 * This is either a fd-input or a file, in neither case we can verify the input,
-		 * however we don't stop on new lines if it's a binary file.
-		 */
-		int buflen, i;
-
-		if(verify) {
-			log_err(cd, _("Can't do passphrase verification on non-tty inputs.\n"));
-			goto out_err;
-		}
-		/* The following for control loop does an exhausting
-		 * read on the key material file, if requested with
-		 * key_size == 0, as it's done by LUKS. However, we
-		 * should warn the user, if it's a non-regular file,
-		 * such as /dev/random, because in this case, the loop
-		 * will read forever.
-		 */ 
-		if(key_file && strcmp(key_file, "-") && read_horizon == 0) {
-			struct stat st;
-			if(stat(key_file, &st) < 0) {
-				log_err(cd, _("Failed to stat key file %s.\n"), key_file);
-				goto out_err;
-			}
-			if(!S_ISREG(st.st_mode))
-				log_std(cd, _("Warning: exhausting read requested, but key file %s"
-					" is not a regular file, function might never return.\n"),
-					key_file);
-			else
-				regular_file = 1;
-		}
-		buflen = 0;
-		for(i = 0; read_horizon == 0 || i < read_horizon; i++) {
-			if(i >= buflen - 1) {
-				buflen += 128;
-				pass = safe_realloc(pass, buflen);
-				if (!pass) {
-					log_err(cd, _("Out of memory while reading passphrase.\n"));
-					goto out_err;
-				}
-			}
-
-			r = read(fd, pass + i, 1);
-			if (r < 0) {
-				log_err(cd, _("Error reading passphrase.\n"));
-				goto out_err;
-			}
-
-			if(r == 0 || (newline_stop && pass[i] == '\n'))
-				break;
-		}
-		/* Fail if piped input dies reading nothing */
-		if(!i && !regular_file) {
-			log_dbg("Error reading passphrase.");
-			goto out_err;
-		}
-		pass[i] = 0;
-		*key = pass;
-		*passLen = i;
-	}
-	if(fd != STDIN_FILENO)
-		close(fd);
-	return;
-
-out_err:
-	if(fd >= 0 && fd != STDIN_FILENO)
-		close(fd);
-	if(pass)
-		safe_free(pass);
-	*key = NULL;
-	*passLen = 0;
-}
-
 int device_ready(struct crypt_device *cd, const char *device, int mode)
 {
 	int devfd, r = 1;
@@ -554,82 +270,94 @@ int device_ready(struct crypt_device *cd, const char *device, int mode)
 	return r;
 }
 
-int get_device_infos(const char *device, struct device_infos *infos, struct crypt_device *cd)
+int get_device_infos(const char *device,
+		     int open_exclusive,
+		     int *readonly,
+		     uint64_t *size)
 {
-	uint64_t size;
+	struct stat st;
 	unsigned long size_small;
-	int readonly = 0;
-	int ret = -1;
-	int fd;
+	int fd, r = -1;
+	int flags = 0;
+
+	*readonly = 0;
+	*size = 0;
+
+	if (stat(device, &st) < 0)
+		return -EINVAL;
+
+	/* never wipe header on mounted device */
+	if (open_exclusive && S_ISBLK(st.st_mode))
+		flags |= O_EXCL;
 
 	/* Try to open read-write to check whether it is a read-only device */
-	fd = open(device, O_RDWR);
-	if (fd < 0) {
-		if (errno == EROFS) {
-			readonly = 1;
-			fd = open(device, O_RDONLY);
-		}
-	} else {
-		close(fd);
-		fd = open(device, O_RDONLY);
-	}
-	if (fd < 0) {
-		log_err(cd, _("Cannot open device: %s\n"), device);
-		return -1;
+	fd = open(device, O_RDWR | flags);
+	if (fd == -1 && errno == EROFS) {
+		*readonly = 1;
+		fd = open(device, O_RDONLY | flags);
 	}
 
+	if (fd == -1 && open_exclusive && errno == EBUSY)
+		return -EBUSY;
+
+	if (fd == -1)
+		return -EINVAL;
+
 #ifdef BLKROGET
 	/* If the device can be opened read-write, i.e. readonly is still 0, then
 	 * check whether BKROGET says that it is read-only. E.g. read-only loop
 	 * devices may be openend read-write but are read-only according to BLKROGET
 	 */
-	if (readonly == 0 && ioctl(fd, BLKROGET, &readonly) < 0) {
-		log_err(cd, _("BLKROGET failed on device %s.\n"), device);
+	if (*readonly == 0 && (r = ioctl(fd, BLKROGET, readonly)) < 0)
 		goto out;
-	}
 #else
 #error BLKROGET not available
 #endif
 
 #ifdef BLKGETSIZE64
-	if (ioctl(fd, BLKGETSIZE64, &size) >= 0) {
-		size >>= SECTOR_SHIFT;
-		ret = 0;
+	if (ioctl(fd, BLKGETSIZE64, size) >= 0) {
+		*size >>= SECTOR_SHIFT;
+		r = 0;
 		goto out;
 	}
 #endif
 
 #ifdef BLKGETSIZE
 	if (ioctl(fd, BLKGETSIZE, &size_small) >= 0) {
-		size = (uint64_t)size_small;
-		ret = 0;
+		*size = (uint64_t)size_small;
+		r = 0;
 		goto out;
 	}
+
 #else
 #	error Need at least the BLKGETSIZE ioctl!
 #endif
-
-	log_err(cd, _("BLKGETSIZE failed on device %s.\n"), device);
+	r = -EINVAL;
 out:
-	if (ret == 0) {
-		infos->size = size;
-		infos->readonly = readonly;
-	}
 	close(fd);
-	return ret;
+	return r;
 }
 
 int wipe_device_header(const char *device, int sectors)
 {
+	struct stat st;
 	char *buffer;
 	int size = sectors * SECTOR_SIZE;
 	int r = -1;
 	int devfd;
+	int flags = O_RDWR | O_DIRECT | O_SYNC;
 
-	devfd = open(device, O_RDWR | O_DIRECT | O_SYNC);
-	if(devfd == -1)
+	if (stat(device, &st) < 0)
 		return -EINVAL;
 
+	/* never wipe header on mounted device */
+	if (S_ISBLK(st.st_mode))
+		flags |= O_EXCL;
+
+	devfd = open(device, flags);
+	if(devfd == -1)
+		return errno == EBUSY ? -EBUSY : -EINVAL;
+
 	buffer = malloc(size);
 	if (!buffer) {
 		close(devfd);
@@ -698,8 +426,9 @@ void get_topology_alignment(const char *device,
 			    unsigned long *alignment_offset,   /* bytes */
 			    unsigned long default_alignment)
 {
-	unsigned int dev_alignment_offset = 0;
-	unsigned long min_io_size = 0, opt_io_size = 0;
+	int dev_alignment_offset = 0;
+	unsigned int min_io_size = 0, opt_io_size = 0;
+	unsigned long temp_alignment = 0;
 	int fd;
 
 	*required_alignment = default_alignment;
@@ -721,18 +450,20 @@ void get_topology_alignment(const char *device,
 		opt_io_size = min_io_size;
 
 	/* alignment offset, bogus -1 means misaligned/unknown */
-	if (ioctl(fd, BLKALIGNOFF, &dev_alignment_offset) == -1 || (int)dev_alignment_offset < 0)
+	if (ioctl(fd, BLKALIGNOFF, &dev_alignment_offset) == -1 || dev_alignment_offset < 0)
 		dev_alignment_offset = 0;
-
-	if (*required_alignment < min_io_size)
-		*required_alignment = min_io_size;
-
-	if (*required_alignment < opt_io_size)
-		*required_alignment = opt_io_size;
-
 	*alignment_offset = (unsigned long)dev_alignment_offset;
 
-	log_dbg("Topology: IO (%lu/%lu), offset = %lu; Required alignment is %lu bytes.",
+	temp_alignment = (unsigned long)min_io_size;
+
+	if (temp_alignment < (unsigned long)opt_io_size)
+		temp_alignment = (unsigned long)opt_io_size;
+
+	/* If calculated alignment is multiple of default, keep default */
+	if (temp_alignment && (default_alignment % temp_alignment))
+		*required_alignment = temp_alignment;
+
+	log_dbg("Topology: IO (%u/%u), offset = %lu; Required alignment is %lu bytes.",
 		min_io_size, opt_io_size, *alignment_offset, *required_alignment);
 out:
 	(void)close(fd);

lib/utils_crypt.c

@@ -0,0 +1,295 @@
+#include <stdlib.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <termios.h>
+
+#include "libcryptsetup.h"
+#include "nls.h"
+#include "utils_crypt.h"
+
+struct safe_allocation {
+	size_t	size;
+	char	data[0];
+};
+
+int crypt_parse_name_and_mode(const char *s, char *cipher, char *cipher_mode)
+{
+	if (sscanf(s, "%" MAX_CIPHER_LEN_STR "[^-]-%" MAX_CIPHER_LEN_STR "s",
+		   cipher, cipher_mode) == 2) {
+		if (!strcmp(cipher_mode, "plain"))
+			strncpy(cipher_mode, "cbc-plain", 10);
+		return 0;
+	}
+
+	if (sscanf(s, "%" MAX_CIPHER_LEN_STR "[^-]", cipher) == 1) {
+		strncpy(cipher_mode, "cbc-plain", 10);
+		return 0;
+	}
+
+	return -EINVAL;
+}
+
+/* safe allocations */
+void *crypt_safe_alloc(size_t size)
+{
+	struct safe_allocation *alloc;
+
+	if (!size)
+		return NULL;
+
+	alloc = malloc(size + offsetof(struct safe_allocation, data));
+	if (!alloc)
+		return NULL;
+
+	alloc->size = size;
+
+	return &alloc->data;
+}
+
+void crypt_safe_free(void *data)
+{
+	struct safe_allocation *alloc;
+
+	if (!data)
+		return;
+
+	alloc = data - offsetof(struct safe_allocation, data);
+
+	memset(data, 0, alloc->size);
+
+	alloc->size = 0x55aa55aa;
+	free(alloc);
+}
+
+void *crypt_safe_realloc(void *data, size_t size)
+{
+	void *new_data;
+
+	new_data = crypt_safe_alloc(size);
+
+	if (new_data && data) {
+		struct safe_allocation *alloc;
+
+		alloc = data - offsetof(struct safe_allocation, data);
+
+		if (size > alloc->size)
+			size = alloc->size;
+
+		memcpy(new_data, data, size);
+	}
+
+	crypt_safe_free(data);
+	return new_data;
+}
+
+/* Password reading helpers */
+static int untimed_read(int fd, char *pass, size_t maxlen)
+{
+	ssize_t i;
+
+	i = read(fd, pass, maxlen);
+	if (i > 0) {
+		pass[i-1] = '\0';
+		i = 0;
+	} else if (i == 0) { /* EOF */
+		*pass = 0;
+		i = -1;
+	}
+	return i;
+}
+
+static int timed_read(int fd, char *pass, size_t maxlen, long timeout)
+{
+	struct timeval t;
+	fd_set fds;
+	int failed = -1;
+
+	FD_ZERO(&fds);
+	FD_SET(fd, &fds);
+	t.tv_sec = timeout;
+	t.tv_usec = 0;
+
+	if (select(fd+1, &fds, NULL, NULL, &t) > 0)
+		failed = untimed_read(fd, pass, maxlen);
+
+	return failed;
+}
+
+static int interactive_pass(const char *prompt, char *pass, size_t maxlen,
+		long timeout)
+{
+	struct termios orig, tmp;
+	int failed = -1;
+	int infd = STDIN_FILENO, outfd;
+
+	if (maxlen < 1)
+		goto out_err;
+
+	/* Read and write to /dev/tty if available */
+	if ((infd = outfd = open("/dev/tty", O_RDWR)) == -1) {
+		infd = STDIN_FILENO;
+		outfd = STDERR_FILENO;
+	}
+
+	if (tcgetattr(infd, &orig))
+		goto out_err;
+
+	memcpy(&tmp, &orig, sizeof(tmp));
+	tmp.c_lflag &= ~ECHO;
+
+	if (write(outfd, prompt, strlen(prompt)) < 0)
+		goto out_err;
+
+	tcsetattr(infd, TCSAFLUSH, &tmp);
+	if (timeout)
+		failed = timed_read(infd, pass, maxlen, timeout);
+	else
+		failed = untimed_read(infd, pass, maxlen);
+	tcsetattr(infd, TCSAFLUSH, &orig);
+
+out_err:
+	if (!failed && write(outfd, "\n", 1)) {};
+
+	if (infd != STDIN_FILENO)
+		close(infd);
+	return failed;
+}
+
+/*
+ * Password reading behaviour matrix of get_key
+ * FIXME: rewrite this from scratch.
+ *                    p   v   n   h
+ * -----------------+---+---+---+---
+ * interactive      | Y | Y | Y | Inf
+ * from fd          | N | N | Y | Inf
+ * from binary file | N | N | N | Inf or options->key_size
+ *
+ * Legend: p..prompt, v..can verify, n..newline-stop, h..read horizon
+ *
+ * Note: --key-file=- is interpreted as a read from a binary file (stdin)
+ */
+
+int crypt_get_key(char *prompt, char **key, unsigned int *passLen, int key_size,
+		  const char *key_file, int timeout, int verify,
+		  struct crypt_device *cd)
+{
+	int fd = -1;
+	char *pass = NULL;
+	int read_horizon;
+	int regular_file = 0;
+	int read_stdin;
+	int r;
+	struct stat st;
+
+	/* Passphrase read from stdin? */
+	read_stdin = (!key_file || !strcmp(key_file, "-")) ? 1 : 0;
+
+	/* read_horizon applies only for real keyfile, not stdin or terminal */
+	read_horizon = (key_file && !read_stdin) ? key_size : 0 /* until EOF */;
+
+	/* Setup file descriptior */
+	fd = read_stdin ? STDIN_FILENO : open(key_file, O_RDONLY);
+	if (fd < 0) {
+		crypt_log(cd, CRYPT_LOG_ERROR,
+			  _("Failed to open key file.\n"));
+		goto out_err;
+	}
+
+	/* Interactive case */
+	if(isatty(fd)) {
+		int i;
+
+		pass = crypt_safe_alloc(MAX_TTY_PASSWORD_LEN);
+		if (!pass || interactive_pass(prompt, pass, MAX_TTY_PASSWORD_LEN, timeout)) {
+			crypt_log(cd, CRYPT_LOG_ERROR,
+				  _("Error reading passphrase from terminal.\n"));
+			goto out_err;
+		}
+		if (verify) {
+			char pass_verify[MAX_TTY_PASSWORD_LEN];
+			i = interactive_pass(_("Verify passphrase: "), pass_verify, sizeof(pass_verify), timeout);
+			if (i || strcmp(pass, pass_verify) != 0) {
+				crypt_log(cd, CRYPT_LOG_ERROR,
+				 _("Passphrases do not match.\n"));
+				goto out_err;
+			}
+			memset(pass_verify, 0, sizeof(pass_verify));
+		}
+		*passLen = strlen(pass);
+		*key = pass;
+	} else {
+		/*
+		 * This is either a fd-input or a file, in neither case we can verify the input,
+		 * however we don't stop on new lines if it's a binary file.
+		 */
+		int buflen, i;
+
+		/* The following for control loop does an exhausting
+		 * read on the key material file, if requested with
+		 * key_size == 0, as it's done by LUKS. However, we
+		 * should warn the user, if it's a non-regular file,
+		 * such as /dev/random, because in this case, the loop
+		 * will read forever.
+		 */
+		if(!read_stdin && read_horizon == 0) {
+			if(stat(key_file, &st) < 0) {
+				crypt_log(cd, CRYPT_LOG_ERROR,
+					_("Failed to stat key file.\n"));
+				goto out_err;
+			}
+			if(!S_ISREG(st.st_mode))
+				crypt_log(cd, CRYPT_LOG_NORMAL,
+					  _("Warning: exhausting read requested, but key file"
+					    " is not a regular file, function might never return.\n"));
+			else
+				regular_file = 1;
+		}
+		buflen = 0;
+		for(i = 0; read_horizon == 0 || i < read_horizon; i++) {
+			if(i >= buflen - 1) {
+				buflen += 128;
+				pass = crypt_safe_realloc(pass, buflen);
+				if (!pass) {
+					crypt_log(cd, CRYPT_LOG_ERROR,
+						  _("Out of memory while reading passphrase.\n"));
+					goto out_err;
+				}
+			}
+
+			r = read(fd, pass + i, 1);
+			if (r < 0) {
+				crypt_log(cd, CRYPT_LOG_ERROR,
+					  _("Error reading passphrase.\n"));
+				goto out_err;
+			}
+
+			/* Stop on newline only if not requested read from keyfile */
+			if(r == 0 || (!key_file && pass[i] == '\n'))
+				break;
+		}
+		/* Fail if piped input dies reading nothing */
+		if(!i && !regular_file)
+			goto out_err;
+		pass[i] = 0;
+		*key = pass;
+		*passLen = i;
+	}
+	if(fd != STDIN_FILENO)
+		close(fd);
+	return 0;
+
+out_err:
+	if(fd >= 0 && fd != STDIN_FILENO)
+		close(fd);
+	if(pass)
+		crypt_safe_free(pass);
+	*key = NULL;
+	*passLen = 0;
+	return -EINVAL;
+}

lib/utils_crypt.h

@@ -0,0 +1,21 @@
+#ifndef _UTILS_CRYPT_H
+#define _UTILS_CRYPT_H
+
+#define MAX_CIPHER_LEN		32
+#define MAX_CIPHER_LEN_STR	"32"
+
+#define MAX_TTY_PASSWORD_LEN	512
+
+struct crypt_device;
+
+int crypt_parse_name_and_mode(const char *s, char *cipher, char *cipher_mode);
+
+int crypt_get_key(char *prompt, char **key, unsigned int *passLen, int key_size,
+		  const char *key_file, int timeout, int how2verify,
+		  struct crypt_device *cd);
+
+void *crypt_safe_alloc(size_t size);
+void crypt_safe_free(void *data);
+void *crypt_safe_realloc(void *data, size_t size);
+
+#endif /* _UTILS_CRYPT_H */

lib/volumekey.c

@@ -0,0 +1,64 @@
+/*
+ * cryptsetup volume key implementation
+ *
+ * Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2010 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <string.h>
+#include <stdlib.h>
+
+#include "internal.h"
+
+struct volume_key *crypt_alloc_volume_key(unsigned keylength, const char *key)
+{
+	struct volume_key *vk = malloc(sizeof(*vk) + keylength);
+
+	if (!vk)
+		return NULL;
+
+	vk->keylength = keylength;
+	if (key)
+		memcpy(&vk->key, key, keylength);
+
+	return vk;
+}
+
+void crypt_free_volume_key(struct volume_key *vk)
+{
+	if (vk) {
+		memset(vk->key, 0, vk->keylength);
+		vk->keylength = 0;
+		free(vk);
+	}
+}
+
+struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, unsigned keylength)
+{
+	int r;
+	struct volume_key *vk;
+
+	vk = crypt_alloc_volume_key(keylength, NULL);
+	if (!vk)
+		return NULL;
+
+	r = crypt_random_get(cd, vk->key, keylength, CRYPT_RND_KEY);
+	if(r < 0) {
+		crypt_free_volume_key(vk);
+		return NULL;
+	}
+	return vk;
+}

luks/hexprint.c

@@ -1,12 +0,0 @@
-
-#include <stdio.h>
-
-void hexprint(char *d, int n)
-{
-	int i;
-	for(i = 0; i < n; i++)
-	{
-		printf("%02hhx ", (char)d[i]);
-	}
-}
-

luks/random.c

@@ -1,46 +0,0 @@
-/*
- *	Random supply helper
- * Copyright 2004, Clemens Fruhwirth <clemens@endorphin.org>
- *
- */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <stdio.h>
-#include <unistd.h>
-
-static int randomfd = -1; 
-
-int openRandom() {
-    if(randomfd == -1) 
-	randomfd = open("/dev/urandom", O_RDONLY);
-    return randomfd;
-}
-
-/* This method leaks a file descriptor that can be obtained by calling
-   closeRandom */
-int getRandom(char *buf, size_t len)
-{
-    if(openRandom() == -1) {
-	perror("getRandom:");
-	return -EINVAL;
-    }
-    while(len) {
-	int r;
-	r = read(randomfd,buf,len);
-	if (-1 == r && errno != -EINTR) {	
-	    perror("read: "); return -EINVAL;
-	}
-	len-= r; buf += r;
-    }
-    return 0;
-}
-
-void closeRandom() {
-    if(randomfd != -1) {
-	close(randomfd);
-	randomfd = -1;
-    }
-}

luks/random.h

@@ -1,8 +0,0 @@
-#ifndef INCLUDED_CRYPTSETUP_LUKS_RANDOM_H
-#define INCLUDED_CRYPTSETUP_LUKS_RANDOM_H
-
-#include <stddef.h>
-
-int getRandom(char *buf, size_t len);
-
-#endif

man/cryptsetup.8

@@ -1,29 +1,29 @@
-.TH CRYPTSETUP "8" "March 2005" "cryptsetup" "Maintenance Commands"
+.TH CRYPTSETUP "8" "" "cryptsetup" "Maintenance Commands"
 .SH NAME
 cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
 .SH SYNOPSIS
 
 .B cryptsetup <options> <action> <action args>
-
 .SH DESCRIPTION
-.\" Add any additional description here
 .PP
-cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings. For basic dm-crypt mappings, there are five operations.
+cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings.
+For basic (plain) dm-crypt mappings, there are four operations.
 .SH ACTIONS
 These strings are valid for \fB<action>\fR, followed by their \fB<action args>\fR:
 
 \fIcreate\fR <name> <device>
 .IP
 creates a mapping with <name> backed by device <device>.
-<options> can be [\-\-hash, \-\-cipher, \-\-verify-passphrase, \-\-key-file, \-\-key-size, \-\-offset, \-\-skip, \-\-readonly]
+
+\fB<options>\fR can be [\-\-hash, \-\-cipher, \-\-verify-passphrase, \-\-key-file, \-\-key-size, \-\-offset, \-\-skip, \-\-readonly]
 .PP
 \fIremove\fR <name>
 .IP
-removes an existing mapping <name>. No options.
+removes an existing mapping <name>.
 .PP
 \fIstatus\fR <name>
 .IP
-reports the status for the mapping <name>. No options.
+reports the status for the mapping <name>.
 .PP
 \fIresize\fR <name>
 .IP
@@ -41,12 +41,16 @@ These are valid LUKS actions:
 \fIluksFormat\fR <device> [<key file>]
 .IP
 initializes a LUKS partition and sets the initial key, either via prompting or via <key file>.
-<options> can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size, \-\-key-slot].
+
+\fB<options>\fR can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size, \-\-key-slot,
+\-\-key-file (takes precedence over optional second argument), \-\-keyfile-size, \-\-use-random | \-\-use-urandom, \-\-uuid].
+
 .PP
 \fIluksOpen\fR <device> <name>
 .IP
 opens the LUKS partition <device> and sets up a mapping <name> after successful verification of the supplied key material (either via key file by \-\-key-file, or via prompting).
-<options> can be [\-\-key-file, \-\-readonly].
+
+\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-readonly].
 .PP
 \fIluksClose\fR <name>
 .IP
@@ -62,11 +66,17 @@ After that operation you have to use \fIluksResume\fR to reinstate encryption ke
 .PP
 \fIluksResume\fR <name>
 .IP
-Resumes suspended device and reinstates encryption key. You will need provide passphrase identical to \fIluksOpen\fR command (using prompting or key file).
+Resumes suspended device and reinstates encryption key. You will need provide passphrase
+identical to \fIluksOpen\fR command (using prompting or key file).
+
+\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size]
 .PP
 \fIluksAddKey\fR <device> [<new key file>]
 .IP
-add a new key file/passphrase. An existing passphrase or key file (via \-\-key-file) must be supplied. The key file with the new material is supplied as a positional argument. <options> can be [\-\-key-file, \-\-key-slot].
+add a new key file/passphrase. An existing passphrase or key file (via \-\-key-file) must be supplied.
+The key file with the new material is supplied as a positional argument.
+
+\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-new-keyfile-size, \-\-key-slot].
 .PP
 \fIluksRemoveKey\fR <device> [<key file>] 
 .IP
@@ -74,23 +84,35 @@ remove supplied key or key file from LUKS device
 .PP
 \fIluksKillSlot\fR <device> <key slot number>
 .IP
-wipe key with number <key slot> from LUKS device. A remaining passphrase or key file (via \-\-key-file) must be supplied. <options> can be [\-\-key-file].
-.PP
-\fIluksDelKey\fR <device> <key slot number>
-.IP
-identical to luksKillSlot, but deprecated action name.
+wipe key with number <key slot> from LUKS device. A remaining passphrase or
+key file (via \-\-key-file) must be supplied.
+
+\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size].
 .PP
 \fIluksUUID\fR <device>
 .IP
-print UUID, if <device> has a LUKS header. No options.
+print UUID, if <device> has a LUKS header.
+
+set new UUID if \fI\-\-uuid\fR option is specified.
 .PP
 \fIisLuks\fR <device>
 .IP
-returns true, if <device> is a LUKS partition. Otherwise, false. No options.
+returns true, if <device> is a LUKS partition. Otherwise, false.
 .PP
 \fIluksDump\fR <device>
 .IP
-dumps the header information of a LUKS partition. No options.
+dumps the header information of a LUKS partition.
+
+If \-\-dump-master-key option is used, the volume (master) key is dumped instead of keyslot info.
+Because this information can be used to access encrypted device without passphrase knowledge
+(even without LUKS header) use this option very carefully.
+
+Dump with volume key (either printed or stored to file) should be always stored encrypted
+and on safe place.
+
+LUKS passphrase or key file is required for volume key dump.
+
+\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-keyfile-size].
 .PP
 \fIluksHeaderBackup\fR <device> \-\-header-backup-file <file>
 .IP
@@ -114,6 +136,12 @@ For more information about LUKS, see \fBhttp://code.google.com/p/cryptsetup/wiki
 
 .SH OPTIONS
 .TP
+.B "\-\-verbose, \-v"
+Print more verbose messages.
+.TP
+.B "\-\-debug"
+Run in debug mode with full diagnostic logs.
+.TP
 .B "\-\-hash, \-h"
 For \fIcreate\fR action specifies hash to use for password hashing.
 
@@ -121,7 +149,8 @@ For \fIluksFormat\fR action specifies hash used in LUKS key setup scheme and vol
 
 \fBWARNING:\fR setting hash other than \fBsha1\fR causes LUKS device incompatible with older version of cryptsetup.
 
-The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported.
+The hash string is passed to libgcrypt, so all hash algorithms are supported
+(for \fIluksFormat\fR algorithm must provide at least 20 byte long hash).
 Default is set during compilation, compatible values with old version of cryptsetup are
 \fB"ripemd160"\fR for \fIcreate\fR action and \fB"sha1"\fR for \fIluksFormat\fR.
 
@@ -145,15 +174,41 @@ Use "aes-xts-plain" cipher specification and set key size to 256 (or 512) bits (
 query for passwords twice. Useful when creating a (regular) mapping for the first time, or when running \fIluksFormat\fR.
 .TP
 .B "\-\-key-file, \-d"
-use file as key material. With LUKS, key material supplied in key files via \-d are always used for existing passphrases. If you want to set a new key via a key file, you have to use a positional arg to \fIluksFormat\fR or \fIluksAddKey\fR.
+use file as key material.
 
-If the key file is "-", stdin will be used. This is different from how cryptsetup usually reads from stdin. See section \fBNOTES ON PASSWORD PROCESSING\fR for more information.
+With LUKS, key material supplied in key files via \-d are always used for existing passphrases,
+except in \fIluksFormat\fR action where \-d is equivalent to positional key file argument.
+If you want to set a new key via a key file, you have to use a positional arg to \fIluksAddKey\fR.
+
+If the key file is "-", stdin will be used. With the "-" key file reading will
+not stop when new line character is detected. See section \fBNOTES ON PASSWORD PROCESSING\fR for more information.
+.TP
+.B "\-\-keyfile-size, \-d \fIvalue\fR"
+Limits read from keyfile to \fIvalue\fR bytes.
+Usable together with all comands using key file.
+.TP
+.B "\-\-new-keyfile-size  \fIvalue\fR"
+Limits read from new keyfile to \fIvalue\fR bytes in \fIluksAddKey\fR when adding new key file.
+Default is exhaustive read from key file.
 .TP
 .B "\-\-master-key-file"
 Use pre-generated master key stored in file. For \fIluksFormat\fR it allows LUKS header reformatting with the same master key (if all other parameters are the same existing encrypted data remains intact).
 
 For \fIluksAddKey\fR it allows adding new passphrase with only master key knowledge.
 .TP
+.B "\-\-dump-master-key"
+For \fIluksDump\fR it allows LUKS header dump including volume (master) key.
+Use with care (this information allows access to device without passphrase knowledge).
+
+See \fIluksDump\fR for more info.
+.TP
+.B "\-\-use-random"
+.TP
+.B "\-\-use-urandom"
+For \fIluksFormat\fR it defines which kernel random number generator will be used for long-term key (volume key).
+
+See \fBNOTES ON RNG\fR for more information. Use \fIcryptsetup \-\-help\fR to show default RNG.
+.TP
 .B "\-\-key-slot, \-S"
 For LUKS operations that add key material, this options allows to you specify which key slot is selected for the new key. This option can be used for \fIluksFormat\fR and \fIluksAddKey\fR.
 .TP
@@ -165,15 +220,13 @@ Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will us
 Default is set during compilation, if not changed it is 256 bits.
 
 Use \fIcryptsetup \-\-help\fR to show defaults.
-
-For \fIluksOpen\fR this option specifies number of bits read from the key-file (default is exhaustive read from key-file).
 .TP
 .B "\-\-size, \-b"
 force the size of the underlying device in sectors.
 This option is only relevant for \fIcreate\fR and \fIresize\fR action.
 .TP
 .B "\-\-offset, \-o"
-start offset in the backend device.
+start offset in the backend device (in 512-byte sectors).
 This option is only relevant for \fIcreate\fR action.
 .TP
 .B "\-\-skip, \-p"
@@ -196,15 +249,20 @@ The number of seconds to wait before timeout. This option is relevant every time
 How often the input of the passphrase shall be retried. This option is relevant every time a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR. The default is 3 tries.
 .TP
 .B "\-\-align-payload=\fIvalue\fR"
-Align payload at a boundary of \fIvalue\fR 512-byte sectors. This option is relevant for \fIluksFormat\fR.  If your block device lives on a RAID, it is
-useful to align the filesystem at full stripe boundaries so it can take advantage of the RAID's geometry.  See for instance the sunit and swidth options
-in the mkfs.xfs manual page. By default, the payload is aligned at an 8 sector (4096 byte) boundary.
+Align payload at a boundary of \fIvalue\fR 512-byte sectors. This option is relevant for \fIluksFormat\fR.
+If not specified, cryptsetup tries to use topology info provided by kernel for underlying device to get optimal alignment.
+If not available (or calculated value is multiple of default) data is by default aligned to 1 MiB boundary (2048 512-byte sectors).
+.TP
+.B "\-\-uuid=\fIUUID\fR"
+Use provided \fIUUID\fR in \fIluksFormat\fR command instead of generating new one or change existing UUID in \fIluksUUID\fR command.
+
+The UUID must be provided in standard UUID format (e.g. 12345678-1234-1234-1234-123456789abc).
 .TP
 .B "\-\-version"
 Show the version.
 
 .SH NOTES ON PASSWORD PROCESSING
-\fIFrom a file descriptor or a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will process the read material (without newline) with the default hash or the hash given by \-\-hash. After hashing, it will be cropped to the key size given by \-s.
+\fIFrom a terminal\fR: Password processing is new-line sensitive, meaning the reading will stop after encountering \\n. It will process the read material (without newline) with the default hash or the hash given by \-\-hash. After hashing, it will be cropped to the key size given by \-s.
 
 \fIFrom stdin\fR: Reading will continue until EOF (so using e.g. /dev/random as stdin will not work), with the trailing newline stripped. After that the read data will be hashed with the default hash or the hash given by \-\-hash and the result will be cropped to the keysize given by \-s. If "plain" is used as an argument to the hash option, the input data will not be hashed.
 Instead, it will be zero padded (if shorter than the keysize) or truncated (if longer than the keysize) and used directly as the key. No warning will be given if the amount of data read from stdin is less than the keysize.
@@ -217,8 +275,6 @@ LUKS uses PBKDF2 to protect against dictionary attacks (see RFC 2898).
 
 LUKS will always do an exhaustive password reading. Hence, password can not be read from /dev/random, /dev/zero or any other stream that does not terminate.
 
-LUKS saves the processing options when a password is set to the respective key slot.
-Therefore, no options can be given to luksOpen. 
 For any password creation action (luksAddKey, or luksFormat), the user may specify how much the time the password processing should consume.
 Increasing the time will lead to a more secure password, but also will take luksOpen longer to complete. The default setting of one second is sufficient for good security.
 .SH INCOHERENT BEHAVIOUR FOR INVALID PASSWORDS/KEYS
@@ -231,60 +287,44 @@ The available combinations of ciphers, modes, hashes and key sizes depend on ker
 For \-\-hash option all algorithms supported by gcrypt library are available.
 .SH NOTES ON PASSWORDS
 Mathematics can't be bribed. Make sure you keep your passwords safe. There are a few nice tricks for constructing a fallback, when suddenly out of (or after being) blue, your brain refuses to cooperate. These fallbacks are possible with LUKS, as it's only possible with LUKS to have multiple passwords.
+.SH NOTES ON RNG
+Random Number Generator (RNG) used in cryptsetup always uses kernel RNG without
+any modifications or additions to data stream procudes by kernel (like internal
+random pool operations or mixing with the other random sources).
+
+There are two types of randomness cryptsetup/LUKS needs. One type (which always
+uses /dev/urandom) is used for salt, AF splitter and for wiping removed
+keyslot.
+
+Second type is used for volume (master) key. You can switch between
+using /dev/random and /dev/urandom  here, see \fP--use-random\fR and \fP--use-urandom\fR
+options. Using /dev/random on system without enough entropy sources
+can cause \fPluksFormat\fR to block until the requested amount of random data is gathered.
+See \fPurandom(4)\fR for more information.
 .SH AUTHORS
 cryptsetup is written by Christophe Saout <christophe@saout.de>
 .br
 LUKS extensions, and man page by Clemens Fruhwirth <clemens@endorphin.org>
-.SH "COMPATABILITY WITH OLD SUSE TWOFISH PARTITIONS"
-To read images created with SuSE Linux 9.2's loop_fish2 use \-\-cipher
-twofish-cbc-null \-s 256 \-h sha512, for images created with even
-older SuSE Linux use \-\-cipher twofish-cbc-null \-s 192 \-h
-ripemd160:20
-
 .SH DEPRECATED ACTIONS
 .PP
-\fIreload\fR <name> <device>
-.IP
-modifies an active mapping <name>. Same options as for
-create. 
-.B WARNING:
-Do not use this for LUKS devices, as the semantics
-are identical to the create action, which are totally incompatible
-with the LUKS key setup. 
-
-This action is deprected because it proved to be rarely useful.  It is
-uncommon to change the underlying device, key, or offset on the
-fly. In case, you really want to do this, you certainly know what you
-are doing and then you are probably better off with the swiss knive
-tool for device mapper, namely dmsetup. It provides you with the same
-functionality, see dmsetup reload.
+The \fIreload\fR action is no longer supported.
+Please use \fIdmsetup(8)\fR if you need to
+directly manipulate with the device mapping table.
 .PP
-\fIluksDelKey\fR <device> <key slot number>
-.IP
-identical to luksKillSlot, but deprecated action name. This option was
-renamed, as we introduced luksRemoveKey, a softer method for disabling
-password slots. To make a clear distinction that luksDelKey was more brutal than luksRemoveKey
+The \fIluksDelKey\fR was replaced with \fIluksKillSlot\fR.
 .PP
-\fI\-\-non-exclusive\fR
-.IP
-This option is ignored. Non-exclusive access to the same block device
-can cause data corruption thus this mode is no longer supported by cryptsetup.
-
 .SH "REPORTING BUGS"
-Report bugs to <dm-crypt@saout.de>.
+Report bugs to <dm-crypt@saout.de> or Issues section on LUKS website.
+Please attach output of failed command with added \-\-debug option.
 .SH COPYRIGHT
 Copyright \(co 2004 Christophe Saout
 .br
 Copyright \(co 2004-2006 Clemens Fruhwirth
 .br
-Copyright \(co 2009 Red Hat, Inc.
+Copyright \(co 2009-2010 Red Hat, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 .SH "SEE ALSO"
 
-dm-crypt website, \fBhttp://www.saout.de/misc/dm-crypt/\fR
-
 LUKS website, \fBhttp://code.google.com/p/cryptsetup/\fR
-
-dm-crypt TWiki, \fBhttp://www.saout.de/tikiwiki/tiki-index.php\fR

po/LINGUAS

@@ -1,7 +1,9 @@
+cs
 de
 fr
 id
 it
 nl
+pl
 sv
 vi

po/POTFILES.in

@@ -1,13 +1,13 @@
 lib/backends.c
 lib/gcrypt.c
 lib/libdevmapper.c
+lib/random.c
 lib/setup.c
 lib/utils.c
+lib/utils_crypt.c
 lib/utils_debug.c
-luks/af.c
-luks/hexprint.c
-luks/keyencryption.c
-luks/keymanage.c
-luks/pbkdf.c
-luks/random.c
+lib/luks1/af.c
+lib/luks1/keyencryption.c
+lib/luks1/keymanage.c
+lib/luks1/pbkdf.c
 src/cryptsetup.c

po/cs.po

@@ -0,0 +1,930 @@
+# Czech translation for cryptsetup.
+# Copyright (C) 2010 Free Software Foundation, Inc.
+# This file is distributed under the same license as the cryptsetup package.
+# Petr Pisar <petr.pisar@atlas.cz>, 2010.
+# Milan Broz <mbroz@redhat.com>, 2010.
+#
+# See `LUKS On-Disk Format Specification' document to clarify some terms.
+#
+# key slot → pozice klíče
+# plain/LUSK1 crypt → šifra plain/LUKS1 („plain“ nepřekládat)
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.2.0-rc1\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2010-11-15 18:03+0100\n"
+"PO-Revision-Date: 2010-11-25 15:11+0100\n"
+"Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
+"Language-Team: Czech <translation-team-cs@lists.sourceforge.net>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Language: cs\n"
+
+#: lib/gcrypt.c:47
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Nelze inicializovat šifrovací rozhraní.\n"
+
+#: lib/libdevmapper.c:120
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Nelze inicializovat device-mapper. Je jaderný modul dm_mod zaveden?\n"
+
+#: lib/libdevmapper.c:408
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID pro zařízení %s bylo zkráceno.\n"
+
+#: lib/random.c:73
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Během vytváření klíče svazku došla systému entropie.\n"
+"Aby bylo možné nasbírat náhodné události, žádáme uživatele, aby pohyboval\n"
+"myší nebo psal text do jiného okna.\n"
+
+#: lib/random.c:77
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Vytváří se klíč (%d %% hotovo).\n"
+
+#: lib/random.c:163
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "Fatální chyba během přípravy generátoru náhodných čísel.\n"
+
+#: lib/random.c:190
+msgid "Unknown RNG quality requested.\n"
+msgstr "Požadována neznámá kvalita generátoru náhodných čísel.\n"
+
+#: lib/random.c:195
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "Chyba %d při čtení z generátoru náhodných čísel: %s\n"
+
+# TODO: plural
+#: lib/setup.c:109
+#, c-format
+msgid "Cannot not read %d bytes from key file %s.\n"
+msgstr "Ze souboru s klíčem %2$s nelze přečíst %1$d bajtů.\n"
+
+#: lib/setup.c:121
+#, c-format
+msgid "Key processing error (using hash algorithm %s).\n"
+msgstr "Chyba zpracování klíče (za použití hašovacího algoritmu %s).\n"
+
+#: lib/setup.c:151
+msgid "All key slots full.\n"
+msgstr "Všechny pozice klíčů jsou obsazeny.\n"
+
+#: lib/setup.c:158 lib/setup.c:299 lib/setup.c:763
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Pozice klíče %d není platná, prosím, vyberte číslo mezi 0 a %d.\n"
+
+#: lib/setup.c:164
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Pozice klíče %d je obsazena, prosím, vyberte jinou.\n"
+
+#: lib/setup.c:182 src/cryptsetup.c:516
+msgid "Enter any remaining LUKS passphrase: "
+msgstr "Zadejte jakékoliv jiné heslo LUKS: "
+
+#: lib/setup.c:202
+#, c-format
+msgid "Key slot %d verified.\n"
+msgstr "Pozice klíče %d ověřena.\n"
+
+#: lib/setup.c:247
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr ""
+"Zařízení %s nelze použít, protože se již používá\n"
+"(již namapováno nebo připojeno).\n"
+
+#: lib/setup.c:251
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "O zařízení %s nelze získat údaje.\n"
+
+#: lib/setup.c:259
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Zařízení %s má nulovou velikost.\n"
+
+#: lib/setup.c:263
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Zařízení %s je příliš malé.\n"
+
+#: lib/setup.c:288 src/cryptsetup.c:544
+msgid "Enter LUKS passphrase to be deleted: "
+msgstr "Zadejte heslo LUKS, které se má smazat: "
+
+#: lib/setup.c:294 src/cryptsetup.c:505 src/cryptsetup.c:559
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "Ke smazání vybrán klíč na pozici %d.\n"
+
+#: lib/setup.c:305 src/cryptsetup.c:508
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Klíč %d není aktivní. Nelze jej odstranit.\n"
+
+#: lib/setup.c:311 src/cryptsetup.c:515 src/cryptsetup.c:562
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr ""
+"Toto je poslední pozice klíče. Smazáním tohoto klíče přijdete o možnost\n"
+"zařízení použít."
+
+#: lib/setup.c:362 lib/setup.c:1791 lib/setup.c:1862 lib/setup.c:1926
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Zařízení %s již existuje.\n"
+
+#: lib/setup.c:367
+#, c-format
+msgid "Invalid key size %d.\n"
+msgstr "%d není platná velikost klíče.\n"
+
+#: lib/setup.c:449
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Zadejte heslo pro %s: "
+
+#: lib/setup.c:606 lib/setup.c:1523 lib/setup.c:1870 src/cryptsetup.c:227
+msgid "Enter passphrase: "
+msgstr "Zadejte heslo: "
+
+#: lib/setup.c:647 lib/setup.c:1032 lib/setup.c:1287 lib/setup.c:1978
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Zařízení %s není aktivní.\n"
+
+#: lib/setup.c:755
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Nelze určit žádnou známou specifikaci šifry.\n"
+
+#: lib/setup.c:769 src/cryptsetup.c:383 src/cryptsetup.c:677
+msgid "Enter LUKS passphrase: "
+msgstr "Zadejte heslo LUKS: "
+
+#: lib/setup.c:1044
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Zařízení nižší úrovně pod šifrovaným zařízením %s zmizelo.\n"
+
+#: lib/setup.c:1109
+msgid "Invalid plain crypt parameters.\n"
+msgstr "Neplatné parametry plain šifry.\n"
+
+#: lib/setup.c:1114
+msgid "Invalid key size.\n"
+msgstr "Neplatná velikost klíče.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format LUKS without device.\n"
+msgstr "LUKS nelze bez zařízení naformátovat.\n"
+
+#: lib/setup.c:1185
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Zařízení %s, které se stále používá, nelze formátovat.\n"
+
+#: lib/setup.c:1188
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Ze zařízení %s nelze odstranit hlavičku.\n"
+
+#: lib/setup.c:1227
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Požadován neznámý typ šifrovaného zařízení %s.\n"
+
+#: lib/setup.c:1324
+msgid "This operation is not supported for this device type.\n"
+msgstr "Tato operace není na zařízení tohoto typu podporována.\n"
+
+#: lib/setup.c:1339
+msgid "Do you really want to change UUID of device?"
+msgstr "Opravdu chcete změnit UUID zařízení?"
+
+#: lib/setup.c:1415
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Svazek %s není aktivní.\n"
+
+#: lib/setup.c:1428
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Svazek %s je již uspán.\n"
+
+#: lib/setup.c:1456 lib/setup.c:1505 lib/setup.c:1561 lib/setup.c:1635
+#: lib/setup.c:1704 lib/setup.c:1750 lib/setup.c:1853 lib/setup.c:2047
+#: lib/setup.c:2148 lib/setup.c:2257
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Tato operace je podporována jen u zařízení LUKS.\n"
+
+#: lib/setup.c:1467 lib/setup.c:1516
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Svazek %s není uspán.\n"
+
+#: lib/setup.c:1575 lib/setup.c:1649
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr ""
+"Nelze přidat pozici klíče, všechny pozice jsou zakázány a klíč svazku\n"
+"nebyl poskytnut.\n"
+
+#: lib/setup.c:1584 lib/setup.c:1655 lib/setup.c:1659
+msgid "Enter any passphrase: "
+msgstr "Zadejte jakékoliv heslo: "
+
+#: lib/setup.c:1601 lib/setup.c:1672 lib/setup.c:1676 lib/setup.c:1727
+msgid "Enter new passphrase for key slot: "
+msgstr "Zadejte nové heslo pro pozici klíče: "
+
+#: lib/setup.c:1718 lib/setup.c:1934 lib/setup.c:1947 lib/setup.c:2058
+msgid "Volume key does not match the volume.\n"
+msgstr "Heslo svazku neodpovídá svazku.\n"
+
+#: lib/setup.c:1756
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Pozice klíče %d je neplatná.\n"
+
+#: lib/setup.c:1761
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Pozice klíče %d není použita.\n"
+
+#: lib/setup.c:1906
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Byl zadán neplatný klíč svazku.\n"
+
+#: lib/setup.c:1917
+msgid "Device type is not properly initialised.\n"
+msgstr "Typ zařízení není řádně inicializován.\n"
+
+#: lib/setup.c:1974
+#, c-format
+msgid "Device %s is busy.\n"
+msgstr "Zařízení %s je stále používáno.\n"
+
+#: lib/setup.c:1982
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "Neplatné zařízení %s.\n"
+
+#: lib/setup.c:2005
+msgid "Volume key buffer too small.\n"
+msgstr "Vyhrazená paměť pro klíč svazku je příliš malá.\n"
+
+#: lib/setup.c:2013
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Nelze získat klíč svazku pro otevřené zařízení.\n"
+
+#: lib/setup.c:2035
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Na šifrovaném zařízení %s není tato operace podporována.\n"
+
+#: lib/utils.c:247
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Zařízení %s neexistuje nebo přístup byl zamítnut.\n"
+
+#: lib/utils.c:254
+#, c-format
+msgid "Cannot open device %s for %s%s access.\n"
+msgstr "Zařízení %s nelze otevřít pro %s%s přístup.\n"
+
+#: lib/utils.c:255
+msgid "exclusive "
+msgstr "výlučný "
+
+#: lib/utils.c:256
+msgid "writable"
+msgstr "zápisový"
+
+#: lib/utils.c:256
+msgid "read-only"
+msgstr "jen pro čtení"
+
+#: lib/utils.c:263
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Ze zařízení %s nelze číst.\n"
+
+#: lib/utils.c:388
+msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
+msgstr "POZOR!!! Zřejmě nezabezpečená paměť. Jste root?\n"
+
+#: lib/utils.c:394
+msgid "Cannot get process priority.\n"
+msgstr "Nelze zjistit prioritu procesu.\n"
+
+#: lib/utils.c:397 lib/utils.c:410
+#, c-format
+msgid "setpriority %u failed: %s"
+msgstr "nastavení priority %u selhalo: %s"
+
+#: lib/utils.c:408
+msgid "Cannot unlock memory."
+msgstr "Paměť nelze odemknout."
+
+#: lib/utils_crypt.c:200
+msgid "Failed to open key file.\n"
+msgstr "Soubor s klíčem se nepodařilo otevřít.\n"
+
+#: lib/utils_crypt.c:211
+msgid "Error reading passphrase from terminal.\n"
+msgstr "Chyba při čtení hesla z terminálu.\n"
+
+#: lib/utils_crypt.c:216
+msgid "Verify passphrase: "
+msgstr "Ověřte heslo: "
+
+#: lib/utils_crypt.c:219
+msgid "Passphrases do not match.\n"
+msgstr "Hesla se neshodují.\n"
+
+#: lib/utils_crypt.c:243
+msgid "Failed to stat key file.\n"
+msgstr "O souboru s klíčem nebylo možné zjistit údaje.\n"
+
+#: lib/utils_crypt.c:248
+msgid "Warning: exhausting read requested, but key file is not a regular file, function might never return.\n"
+msgstr "Pozor: požadováno úplné čtení, avšak soubor s klíčem není běžný soubor. Funkce se možná nikdy nevrátí.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Při čtení hesla došla paměť.\n"
+
+#: lib/utils_crypt.c:268
+msgid "Error reading passphrase.\n"
+msgstr "Chyba při čtení hesla.\n"
+
+#: lib/luks1/keyencryption.c:66
+#, c-format
+msgid "Unable to obtain sector size for %s"
+msgstr "Není možné zjistit velikost sektoru u %s"
+
+#: lib/luks1/keyencryption.c:106
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "V režimu XTS musí být velikost klíče 256 nebo 512 bitů.\n"
+
+#: lib/luks1/keyencryption.c:108
+msgid "Block mode XTS is available since kernel 2.6.24.\n"
+msgstr "Blokový režim XTS je dostupný až od jádra 2.6.24.\n"
+
+#: lib/luks1/keyencryption.c:110
+msgid "Key size in LRW mode must be 256 or 512 bits.\n"
+msgstr "V režimu LRW musí být velikost klíče 256 nebo 512 bitů.\n"
+
+#: lib/luks1/keyencryption.c:112
+msgid "Block mode LRW is available since kernel 2.6.20.\n"
+msgstr "Blokový režim LRW je dostupný až od jádra 2.6.20.\n"
+
+#: lib/luks1/keyencryption.c:135
+msgid "Failed to obtain device mapper directory."
+msgstr "Adresář device-mapperu se nepodařilo získat."
+
+#: lib/luks1/keyencryption.c:151
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+"%s"
+msgstr ""
+"Nepodařilo se nastavit mapování klíče v dm-cryptu pro zařízení %s.\n"
+"Zkontrolujte, že jádro podporuje šifru %s (podrobnosti v syslogu).\n"
+"%s"
+
+#: lib/luks1/keyencryption.c:161
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Otevření dočasného zařízení s úložištěm klíče selhalo.\n"
+
+#: lib/luks1/keyencryption.c:168
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Přístup do dočasného zařízení s úložištěm klíče selhal.\n"
+
+#: lib/luks1/keymanage.c:61
+#, c-format
+msgid "Requested file %s already exist.\n"
+msgstr "Požadovaný soubor %s již existuje.\n"
+
+#: lib/luks1/keymanage.c:81 lib/luks1/keymanage.c:224
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Zařízení %s není platným zařízením LUKS.\n"
+
+#: lib/luks1/keymanage.c:101
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Nelze zapsat soubor %s se zálohou hlavičky.\n"
+
+#: lib/luks1/keymanage.c:128
+#, c-format
+msgid "Backup file %s doesn't exist.\n"
+msgstr "Záložní soubor %s neexistuje.\n"
+
+#: lib/luks1/keymanage.c:136
+msgid "Backup file do not contain valid LUKS header.\n"
+msgstr "Záložní soubor neobsahuje platnou hlavičku LUKS.\n"
+
+#: lib/luks1/keymanage.c:149
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Nelze otevřít soubor se zálohou hlavičky %s.\n"
+
+#: lib/luks1/keymanage.c:155
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Soubor se zálohou hlavičky %s nelze načíst.\n"
+
+#: lib/luks1/keymanage.c:166
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Počátek dat nebo velikost klíče se liší mezi zařízením a zálohou, obnova se nezdařila.\n"
+
+#: lib/luks1/keymanage.c:174
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Zařízení %s %s%s"
+
+#: lib/luks1/keymanage.c:175
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "neobsahuje hlavičku LUKS. Nahrazení hlavičky může zničit data na daném zařízení."
+
+#: lib/luks1/keymanage.c:176
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "již obsahuje hlavičku LUKS. Nahrazení hlavičky zničí existující pozice s klíči."
+
+#: lib/luks1/keymanage.c:177
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"POZOR: hlavička ve skutečném zařízení má jiné UUID než záloha!"
+
+#: lib/luks1/keymanage.c:192 lib/luks1/keymanage.c:305
+#: lib/luks1/keymanage.c:340
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Zařízení %s nelze otevřít.\n"
+
+#: lib/luks1/keymanage.c:226
+#, c-format
+msgid "Device %s is not a valid LUKS device."
+msgstr "Zařízení %s není platným zařízením LUKS."
+
+#: lib/luks1/keymanage.c:229
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Nepodporovaná verze LUKS %d.\n"
+
+#: lib/luks1/keymanage.c:232 lib/luks1/keymanage.c:410
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "Požadovaný haš LUKSu %s není podporován.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Cannot open file %s.\n"
+msgstr "Soubor %s nelze otevřít.\n"
+
+#: lib/luks1/keymanage.c:317
+#, c-format
+msgid "LUKS header detected but device %s is too small.\n"
+msgstr "Nalezena hlavička LUKS, ale zařízení %s je příliš malé.\n"
+
+#: lib/luks1/keymanage.c:361
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "Chyba při aktualizaci hlavičky LUKS na zařízení %s.\n"
+
+#: lib/luks1/keymanage.c:368
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "Chyba při opakovaném čtení hlavičky LUKS po aktualizaci zařízení %s.\n"
+
+#: lib/luks1/keymanage.c:380
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Neslučitelné volby PBKDF2 (při použití hašovacího algoritmu %s).\n"
+
+#: lib/luks1/keymanage.c:415 lib/luks1/keymanage.c:492
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Poskytnut UUID LUKSu ve špatném tvaru.\n"
+
+#: lib/luks1/keymanage.c:440
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Hlavičku LUKS nelze vytvořit: čtení náhodné soli selhalo.\n"
+
+#: lib/luks1/keymanage.c:457
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Hlavičku LUKS nelze vytvořit: výpočet otisku hlavičky (haš %s) selhal.\n"
+
+#: lib/luks1/keymanage.c:517
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Pozice klíče %d je aktivní, nejprve ji uvolněte.\n"
+
+#: lib/luks1/keymanage.c:522
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Pozice klíče %d obsahuje příliš málo útržků. Manipulace s hlavičkou?\n"
+
+#: lib/luks1/keymanage.c:582
+msgid "Failed to write to key storage.\n"
+msgstr "Zápis do úložiště klíče selhal.\n"
+
+#: lib/luks1/keymanage.c:659
+msgid "Failed to read from key storage.\n"
+msgstr "Čtení z úložiště klíče selhalo.\n"
+
+#: lib/luks1/keymanage.c:668
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Pozice klíče %d odemknuta.\n"
+
+#: lib/luks1/keymanage.c:703 src/cryptsetup.c:482
+msgid "No key available with this passphrase.\n"
+msgstr "S tímto heslem není dostupný žádný klíč.\n"
+
+#: lib/luks1/keymanage.c:783
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Pozice klíče %d není platná, prosím, vyberte pozici mezi 0 a %d.\n"
+
+#: lib/luks1/keymanage.c:795
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Zařízení %s není možné smazat.\n"
+
+#: src/cryptsetup.c:75
+msgid "<name> <device>"
+msgstr "<název> <zařízení>"
+
+#: src/cryptsetup.c:75
+msgid "create device"
+msgstr "vytvoří zařízení"
+
+#: src/cryptsetup.c:76 src/cryptsetup.c:77 src/cryptsetup.c:78
+#: src/cryptsetup.c:86
+msgid "<name>"
+msgstr "<název>"
+
+#: src/cryptsetup.c:76
+msgid "remove device"
+msgstr "odstraní zařízení"
+
+#: src/cryptsetup.c:77
+msgid "resize active device"
+msgstr "změní velikost aktivního zařízení"
+
+#: src/cryptsetup.c:78
+msgid "show device status"
+msgstr "zobrazí stav zařízení"
+
+#: src/cryptsetup.c:79 src/cryptsetup.c:81
+msgid "<device> [<new key file>]"
+msgstr "<zařízení> [<soubor_s_novým_klíčem>]"
+
+#: src/cryptsetup.c:79
+msgid "formats a LUKS device"
+msgstr "naformátuje zařízení LUKS"
+
+#: src/cryptsetup.c:80
+msgid "<device> <name> "
+msgstr "<zařízení> <název> "
+
+#: src/cryptsetup.c:80
+msgid "open LUKS device as mapping <name>"
+msgstr "otevře zařízení LUKS jako mapování <název>"
+
+#: src/cryptsetup.c:81
+msgid "add key to LUKS device"
+msgstr "do zařízení LUKS přidá klíč"
+
+#: src/cryptsetup.c:82
+msgid "<device> [<key file>]"
+msgstr "<zařízení> [<soubor_s_klíčem>]"
+
+#: src/cryptsetup.c:82
+msgid "removes supplied key or key file from LUKS device"
+msgstr "odstraní zadaný klíč nebo soubor s klíčem ze zařízení LUKS"
+
+#: src/cryptsetup.c:83
+msgid "<device> <key slot>"
+msgstr "<zařízení> <pozice_klíče>"
+
+#: src/cryptsetup.c:83
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "smaže klíč s číslem <pozice_klíče> ze zařízení LUKS"
+
+#: src/cryptsetup.c:84 src/cryptsetup.c:85 src/cryptsetup.c:87
+#: src/cryptsetup.c:88 src/cryptsetup.c:89 src/cryptsetup.c:90
+#: src/cryptsetup.c:91
+msgid "<device>"
+msgstr "<zařízení>"
+
+#: src/cryptsetup.c:84
+msgid "print UUID of LUKS device"
+msgstr "zobrazí UUID zařízení LUKS"
+
+#: src/cryptsetup.c:85
+msgid "tests <device> for LUKS partition header"
+msgstr "otestuje <zařízení> na hlavičku oddílu LUKS"
+
+#: src/cryptsetup.c:86
+msgid "remove LUKS mapping"
+msgstr "odstraní mapování LUKS"
+
+#: src/cryptsetup.c:87
+msgid "dump LUKS partition information"
+msgstr "vypíše údaje o oddílu LUKS"
+
+# TODO: not consistent with previous line
+#: src/cryptsetup.c:88
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "uspí zařízení LUKS a smaže klíč (všechny operace budou zmrazeny)"
+
+# TODO: not consistent with previous line
+#: src/cryptsetup.c:89
+msgid "Resume suspended LUKS device."
+msgstr "probudí uspané zařízení LUKS"
+
+# TODO: not consistent with previous line
+#: src/cryptsetup.c:90
+msgid "Backup LUKS device header and keyslots"
+msgstr "zálohuje hlavičku zařízení LUKS a jeho pozice s klíči"
+
+# TODO: not consistent with previous line
+#: src/cryptsetup.c:91
+msgid "Restore LUKS device header and keyslots"
+msgstr "obnoví hlavičku zařízení LUKS a jeho pozice s klíči"
+
+#: src/cryptsetup.c:169
+msgid "Command successful.\n"
+msgstr "Příkaz úspěšně vykonán.\n"
+
+#: src/cryptsetup.c:183
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Příkaz selhal s kódem %i"
+
+#: src/cryptsetup.c:351
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Toto nevratně přepíše data na %s."
+
+#: src/cryptsetup.c:352
+msgid "memory allocation error in action_luksFormat"
+msgstr "chyba alokace paměti v action_luksFormat"
+
+#: src/cryptsetup.c:666
+msgid ""
+"LUKS header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Výpis hlavičky LUKS s klíčem svazku je citlivý údaj,\n"
+"který umožňuje přístup k šifrovanému oddílu bez znalosti hesla.\n"
+"Tento výpis by měl být vždy uložen na bezpečném místě a v zašifrované podobě."
+
+#: src/cryptsetup.c:769 src/cryptsetup.c:790
+msgid "Option --header-backup-file is required.\n"
+msgstr "Je vyžadován přepínač --header-backup-file.\n"
+
+#: src/cryptsetup.c:824
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<akce> je jedna z:\n"
+
+#: src/cryptsetup.c:830
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<název> je zařízení, které se má vytvořit v %s\n"
+"<zařízení> je zašifrované zařízení\n"
+"<pozice_klíče> je číslo pozice klíče LUKS, který se má upravit\n"
+"<soubor_s_klíčem> je volitelný soubor s novým klíčem pro akci luksAddKey\n"
+
+#: src/cryptsetup.c:837
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Výchozí zakompilované parametry šifer zařízení:\n"
+"\tplain: %s, Klíč: %d bitů, Haš hesla: %s\n"
+"\tLUKS1: %s, Klíč: %d bitů, Haš hlavičky LUKS: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:901
+msgid "Show this help message"
+msgstr "Zobrazí tuto nápovědu"
+
+#: src/cryptsetup.c:902
+msgid "Display brief usage"
+msgstr "Zobrazí stručný návod na použití"
+
+#: src/cryptsetup.c:906
+msgid "Help options:"
+msgstr "Přepínače nápovědy:"
+
+#: src/cryptsetup.c:907
+msgid "Print package version"
+msgstr "Vypíše verzi balíku"
+
+#: src/cryptsetup.c:908
+msgid "Shows more detailed error messages"
+msgstr "Zobrazuje podrobnější chybové hlášky"
+
+#: src/cryptsetup.c:909
+msgid "Show debug messages"
+msgstr "Zobrazuje ladicí hlášky"
+
+#: src/cryptsetup.c:910
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Šifra použita k zašifrování disku (vizte /proc/crypto)"
+
+#: src/cryptsetup.c:911
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Haš použit k vytvořené šifrovacího klíče z hesla"
+
+#: src/cryptsetup.c:912
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Ověřuje heslo dvojitým dotazem"
+
+# TODO: Remove period
+#: src/cryptsetup.c:913
+msgid "Read the key from a file."
+msgstr "Klíč načte ze souboru"
+
+# TODO: Remove period
+#: src/cryptsetup.c:914
+msgid "Read the volume (master) key from file."
+msgstr "(Hlavní) klíč svazku načte ze souboru"
+
+# TODO: Remove period
+#: src/cryptsetup.c:915
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Vypíše (hlavní) klíč svazku namísto údajů o pozicích klíčů"
+
+#: src/cryptsetup.c:916
+msgid "The size of the encryption key"
+msgstr "Velikost šifrovacího klíče"
+
+#: src/cryptsetup.c:916
+msgid "BITS"
+msgstr "BITY"
+
+#: src/cryptsetup.c:917
+msgid "Limits the read from keyfile"
+msgstr "Omezí čtení ze souboru s klíčem"
+
+#: src/cryptsetup.c:917 src/cryptsetup.c:918
+msgid "bytes"
+msgstr "bajty"
+
+#: src/cryptsetup.c:918
+msgid "Limits the read from newly added keyfile"
+msgstr "Omezí čtení z nově přidaného souboru s klíčem"
+
+#: src/cryptsetup.c:919
+msgid "Slot number for new key (default is first free)"
+msgstr "Číslo pozice pro nový klíč (výchozí je první volná)"
+
+#: src/cryptsetup.c:920
+msgid "The size of the device"
+msgstr "Velikost zařízení"
+
+#: src/cryptsetup.c:920 src/cryptsetup.c:921 src/cryptsetup.c:922
+#: src/cryptsetup.c:928
+msgid "SECTORS"
+msgstr "SEKTORY"
+
+#: src/cryptsetup.c:921
+msgid "The start offset in the backend device"
+msgstr "Poloha začátku dat v podkladovém zařízení"
+
+#: src/cryptsetup.c:922
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Kolik sektorů šifrovaných dat se má na začátku přeskočit"
+
+#: src/cryptsetup.c:923
+msgid "Create a readonly mapping"
+msgstr "Vytvoří mapování určené jen pro čtení"
+
+#: src/cryptsetup.c:924
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Doba opakování PBKDF2 pro LUKS (v ms)"
+
+#: src/cryptsetup.c:924
+msgid "msecs"
+msgstr "milisekundy"
+
+#: src/cryptsetup.c:925
+msgid "Do not ask for confirmation"
+msgstr "Nevyžaduje potvrzení"
+
+#: src/cryptsetup.c:926
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Časový limit pro interaktivní dotaz na heslo (v sekundách)"
+
+#: src/cryptsetup.c:926
+msgid "secs"
+msgstr "sekundy"
+
+#: src/cryptsetup.c:927
+msgid "How often the input of the passphrase can be retried"
+msgstr "Kolikrát se lze zeptat na heslo"
+
+#: src/cryptsetup.c:928
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Zarovnává data na hranici <n> sektorů – pro luksFormat"
+
+#: src/cryptsetup.c:929
+msgid "File with LUKS header and keyslots backup."
+msgstr "Soubor se zálohou hlavičky LUKS a jejích pozic s klíči"
+
+#: src/cryptsetup.c:930
+msgid "Use /dev/random for generating volume key."
+msgstr "Klíče svazku vytvoří z /dev/random."
+
+#: src/cryptsetup.c:931
+msgid "Use /dev/urandom for generating volume key."
+msgstr "Klíč svazku vytvoří z /dev/urandom."
+
+#: src/cryptsetup.c:932
+msgid "UUID for device to use."
+msgstr "Použije zařízení s UUID."
+
+#: src/cryptsetup.c:950
+msgid "[OPTION...] <action> <action-specific>]"
+msgstr "[PŘEPÍNAČ…] <akce> <přepínače_akce>]"
+
+#: src/cryptsetup.c:985
+msgid "Argument <action> missing."
+msgstr "Chybí argument <akce>."
+
+#: src/cryptsetup.c:991
+msgid "Unknown action."
+msgstr "Neznámá akce."
+
+#: src/cryptsetup.c:1006
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: vyžaduje %s jako argumenty"
+
+#: src/cryptsetup.c:1017
+msgid ""
+"Option --key-size is allowed only for luksFormat and create.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Přepínač --key-size je dovolen jen u luksFormat a create.\n"
+"Čtení ze souboru s klíčem lze omezit pomocí --keyfile-size=(bajty)."
+
+#: src/cryptsetup.c:1024
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Velikost klíče musí být násobkem 8 bitů."
+
+#: src/cryptsetup.c:1031
+msgid "Key slot is invalid."
+msgstr "Pozice klíče není platná."
+
+#: src/cryptsetup.c:1038
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Přepínač --key-file má přednost před zadaným argumentem souboru s klíčem.\n"
+
+#: src/cryptsetup.c:1044
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Je dovolen pouze jeden z přepínačů --use-[u]random."
+
+#: src/cryptsetup.c:1047
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Přepínač --use-[u]random je dovolen pouze u luksFormat."
+
+#: src/cryptsetup.c:1051
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Přepínač --uuid je dovolen pouze u luksFormat a luksUUID."
+
+#: src/cryptsetup.c:1055
+msgid "Options --offset and --skip are supported only for create command.\n"
+msgstr "Přepínače --offset a --skip jsou podporovány jen u příkazu create.\n"

po/pl.po

@@ -0,0 +1,909 @@
+# Polish translation for cryptsetup.
+# Copyright (C) 2010 Free Software Foundation, Inc.
+# This file is put in the public domain.
+# Jakub Bogusz <qboosh@pld-linux.org>, 2010.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 1.2.0-rc1\n"
+"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
+"POT-Creation-Date: 2010-11-15 18:03+0100\n"
+"PO-Revision-Date: 2010-11-23 07:57+0100\n"
+"Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
+"Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-2\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: lib/gcrypt.c:47
+msgid "Cannot initialize crypto backend.\n"
+msgstr "Nie mo<6D>na zainicjowa<77> backendu kryptograficznego.\n"
+
+#: lib/libdevmapper.c:120
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
+msgstr "Nie mo<6D>na zainicjowa<77> device-mappera. Czy modu<64> j<>dra dm_mod jest wczytany?\n"
+
+#: lib/libdevmapper.c:408
+#, c-format
+msgid "DM-UUID for device %s was truncated.\n"
+msgstr "DM-UUID dla urz<72>dzenia %s zosta<74> skr<6B>cony.\n"
+
+#: lib/random.c:73
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Entropia w systemie wyczerpa<70>a si<73> w trakcie generowania klucza wolumenu.\n"
+"Prosz<73> porusza<7A> mysz<73> albo wpisa<73> troch<63> tekstu w innym oknie w celu zebrania zdarze<7A> losowych.\n"
+
+#: lib/random.c:77
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Generowanie klucza (gotowe %d%%).\n"
+
+#: lib/random.c:163
+msgid "Fatal error during RNG initialisation.\n"
+msgstr "B<><42>d krytyczny w trakcie inicjalizacji RNG.\n"
+
+#: lib/random.c:190
+msgid "Unknown RNG quality requested.\n"
+msgstr "Nieznane <20><>danie jako<6B>ci RNG.\n"
+
+#: lib/random.c:195
+#, c-format
+msgid "Error %d reading from RNG: %s\n"
+msgstr "B<><42>d %d podczas odczytu z RNG: %s\n"
+
+#: lib/setup.c:109
+#, c-format
+msgid "Cannot not read %d bytes from key file %s.\n"
+msgstr "Nie mo<6D>na odczyta<74> %d bajt<6A>w z pliku klucza %s.\n"
+
+#: lib/setup.c:121
+#, c-format
+msgid "Key processing error (using hash algorithm %s).\n"
+msgstr "B<><42>d przetwarzania klucza (u<>yto algorytmu skr<6B>tu %s).\n"
+
+#: lib/setup.c:151
+msgid "All key slots full.\n"
+msgstr "Wszyskie miejsca na klucze s<> pe<70>ne.\n"
+
+#: lib/setup.c:158 lib/setup.c:299 lib/setup.c:763
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d.\n"
+msgstr "Numer klucza %d jest b<><62>dny, prosz<73> wybra<72> warto<74><6F> mi<6D>dzy 0 a %d.\n"
+
+#: lib/setup.c:164
+#, c-format
+msgid "Key slot %d is full, please select another one.\n"
+msgstr "Miejsce na klucz %d jest pe<70>ne, prosz<73> wybra<72> inne.\n"
+
+#: lib/setup.c:182 src/cryptsetup.c:516
+msgid "Enter any remaining LUKS passphrase: "
+msgstr "Dowolne pozosta<74>e has<61>o LUKS: "
+
+#: lib/setup.c:202
+#, c-format
+msgid "Key slot %d verified.\n"
+msgstr "Klucz %d sprawdzony.\n"
+
+#: lib/setup.c:247
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
+msgstr "Nie mo<6D>na u<>y<EFBFBD> urz<72>dzenia %s, kt<6B>re jest w u<>yciu (ju<6A> podmapowane lub zamontowane).\n"
+
+#: lib/setup.c:251
+#, c-format
+msgid "Cannot get info about device %s.\n"
+msgstr "Nie mo<6D>na uzyska<6B> informacji o urz<72>dzeniu %s.\n"
+
+#: lib/setup.c:259
+#, c-format
+msgid "Device %s has zero size.\n"
+msgstr "Urz<72>dzenie %s ma zerowy rozmiar.\n"
+
+#: lib/setup.c:263
+#, c-format
+msgid "Device %s is too small.\n"
+msgstr "Urz<72>dzenie %s jest zbyt ma<6D>e.\n"
+
+#: lib/setup.c:288 src/cryptsetup.c:544
+msgid "Enter LUKS passphrase to be deleted: "
+msgstr "Has<61>o LUKS do usuni<6E>cia: "
+
+#: lib/setup.c:294 src/cryptsetup.c:505 src/cryptsetup.c:559
+#, c-format
+msgid "Key slot %d selected for deletion.\n"
+msgstr "klucz %d wybrany do usuni<6E>cia.\n"
+
+#: lib/setup.c:305 src/cryptsetup.c:508
+#, c-format
+msgid "Key %d not active. Can't wipe.\n"
+msgstr "Klucz %d nie jest aktywny. Nie mo<6D>na wyczy<7A>ci<63>.\n"
+
+#: lib/setup.c:311 src/cryptsetup.c:515 src/cryptsetup.c:562
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "To jest ostatni klucz. Urz<72>dzenie stanie si<73> bezu<7A>yteczne po usuni<6E>ciu tego klucza."
+
+#: lib/setup.c:362 lib/setup.c:1791 lib/setup.c:1862 lib/setup.c:1926
+#, c-format
+msgid "Device %s already exists.\n"
+msgstr "Urz<72>dzenie %s ju<6A> istnieje.\n"
+
+#: lib/setup.c:367
+#, c-format
+msgid "Invalid key size %d.\n"
+msgstr "B<><42>dny rozmiar klucza %d.\n"
+
+#: lib/setup.c:449
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Has<61>o dla %s: "
+
+#: lib/setup.c:606 lib/setup.c:1523 lib/setup.c:1870 src/cryptsetup.c:227
+msgid "Enter passphrase: "
+msgstr "Has<61>o: "
+
+#: lib/setup.c:647 lib/setup.c:1032 lib/setup.c:1287 lib/setup.c:1978
+#, c-format
+msgid "Device %s is not active.\n"
+msgstr "Urz<72>dzenie %s nie jest aktywne.\n"
+
+#: lib/setup.c:755
+msgid "No known cipher specification pattern detected.\n"
+msgstr "Nie wykryto znanego wzorca okre<72>laj<61>cego szyfr.\n"
+
+#: lib/setup.c:769 src/cryptsetup.c:383 src/cryptsetup.c:677
+msgid "Enter LUKS passphrase: "
+msgstr "Has<61>o LUKS: "
+
+#: lib/setup.c:1044
+#, c-format
+msgid "Underlying device for crypt device %s disappeared.\n"
+msgstr "Urz<72>dzenie stoj<6F>ce za urz<72>dzeniem szyfrowanym %s znik<69>o.\n"
+
+#: lib/setup.c:1109
+msgid "Invalid plain crypt parameters.\n"
+msgstr "B<><42>dne parametry szyfru plain.\n"
+
+#: lib/setup.c:1114
+msgid "Invalid key size.\n"
+msgstr "B<><42>dny rozmiar klucza.\n"
+
+#: lib/setup.c:1153
+msgid "Can't format LUKS without device.\n"
+msgstr "Nie mo<6D>na sformatowa<77> LUKS-a bez urz<72>dzenia.\n"
+
+#: lib/setup.c:1185
+#, c-format
+msgid "Cannot format device %s which is still in use.\n"
+msgstr "Nie mo<6D>na sformatowa<77> urz<72>dzenia %s, kt<6B>re jest nadal w u<>yciu.\n"
+
+#: lib/setup.c:1188
+#, c-format
+msgid "Cannot wipe header on device %s.\n"
+msgstr "Nie mo<6D>na wyczy<7A>ci<63> nag<61><67>wka na urz<72>dzeniu %s.\n"
+
+#: lib/setup.c:1227
+#, c-format
+msgid "Unknown crypt device type %s requested.\n"
+msgstr "Nieznany typ <20><>danego urz<72>dzenia szyfruj<75>cego %s.\n"
+
+#: lib/setup.c:1324
+msgid "This operation is not supported for this device type.\n"
+msgstr "Ta operacja nie jest obs<62>ugiwana dla tego rodzaju urz<72>dzenia.\n"
+
+#: lib/setup.c:1339
+msgid "Do you really want to change UUID of device?"
+msgstr "Czy na pewno zmieni<6E> UUID urz<72>dzenia?"
+
+#: lib/setup.c:1415
+#, c-format
+msgid "Volume %s is not active.\n"
+msgstr "Wolumen %s nie jest aktywny.\n"
+
+#: lib/setup.c:1428
+#, c-format
+msgid "Volume %s is already suspended.\n"
+msgstr "Wolumen %s ju<6A> zosta<74> zatrzymany.\n"
+
+#: lib/setup.c:1456 lib/setup.c:1505 lib/setup.c:1561 lib/setup.c:1635
+#: lib/setup.c:1704 lib/setup.c:1750 lib/setup.c:1853 lib/setup.c:2047
+#: lib/setup.c:2148 lib/setup.c:2257
+msgid "This operation is supported only for LUKS device.\n"
+msgstr "Ta operacja jest obs<62>ugiwana tylko na urz<72>dzeniach LUKS.\n"
+
+#: lib/setup.c:1467 lib/setup.c:1516
+#, c-format
+msgid "Volume %s is not suspended.\n"
+msgstr "Wolumen %s nie jest zatrzymany.\n"
+
+#: lib/setup.c:1575 lib/setup.c:1649
+msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
+msgstr "Nie mo<6D>na doda<64> klucza, wszystkie miejsca na klucze wy<77><79>czone i nie podano klucza wolumenu.\n"
+
+#: lib/setup.c:1584 lib/setup.c:1655 lib/setup.c:1659
+msgid "Enter any passphrase: "
+msgstr "Dowolne has<61>o: "
+
+#: lib/setup.c:1601 lib/setup.c:1672 lib/setup.c:1676 lib/setup.c:1727
+msgid "Enter new passphrase for key slot: "
+msgstr "Nowe has<61>o dla klucza: "
+
+#: lib/setup.c:1718 lib/setup.c:1934 lib/setup.c:1947 lib/setup.c:2058
+msgid "Volume key does not match the volume.\n"
+msgstr "Klucz wolumenu nie pasuje do wolumenu.\n"
+
+#: lib/setup.c:1756
+#, c-format
+msgid "Key slot %d is invalid.\n"
+msgstr "Numer klucza %d jest nieprawid<69>owy.\n"
+
+#: lib/setup.c:1761
+#, c-format
+msgid "Key slot %d is not used.\n"
+msgstr "Klucz %d nie jest u<>ywany.\n"
+
+#: lib/setup.c:1906
+msgid "Incorrect volume key specified for plain device.\n"
+msgstr "Podano niew<65>a<EFBFBD>ciwy klucz wolumenu dla zwyk<79>ego urz<72>dzenia.\n"
+
+#: lib/setup.c:1917
+msgid "Device type is not properly initialised.\n"
+msgstr "Typ urz<72>dzenia nie zosta<74> w<>a<EFBFBD>ciwie zainicjalizowany.\n"
+
+#: lib/setup.c:1974
+#, c-format
+msgid "Device %s is busy.\n"
+msgstr "Urz<72>dzenie %s jest zaj<61>te.\n"
+
+#: lib/setup.c:1982
+#, c-format
+msgid "Invalid device %s.\n"
+msgstr "B<><42>dne urz<72>dzenie %s.\n"
+
+#: lib/setup.c:2005
+msgid "Volume key buffer too small.\n"
+msgstr "Bufor klucza wolumenu zbyt ma<6D>y.\n"
+
+#: lib/setup.c:2013
+msgid "Cannot retrieve volume key for plain device.\n"
+msgstr "Nie mo<6D>na odtworzy<7A> klucza wolumenu dla zwyk<79>ego urz<72>dzenia.\n"
+
+#: lib/setup.c:2035
+#, c-format
+msgid "This operation is not supported for %s crypt device.\n"
+msgstr "Ta operacja nie jest obs<62>ugiwana dla urz<72>dzenia szyfruj<75>cego %s.\n"
+
+#: lib/utils.c:247
+#, c-format
+msgid "Device %s doesn't exist or access denied.\n"
+msgstr "Urz<72>dzenie %s nie istnieje lub dost<73>p jest zabroniony.\n"
+
+#: lib/utils.c:254
+#, c-format
+msgid "Cannot open device %s for %s%s access.\n"
+msgstr "Nie mo<6D>na otworzy<7A> urz<72>dzenia %s do %sdost<73>pu %s.\n"
+
+#: lib/utils.c:255
+msgid "exclusive "
+msgstr "wy<77><79>cznego "
+
+#: lib/utils.c:256
+msgid "writable"
+msgstr "do zapisu"
+
+#: lib/utils.c:256
+msgid "read-only"
+msgstr "tylko do odczytu"
+
+#: lib/utils.c:263
+#, c-format
+msgid "Cannot read device %s.\n"
+msgstr "Nie mo<6D>na odczyta<74> urz<72>dzenia %s.\n"
+
+#: lib/utils.c:388
+msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
+msgstr "UWAGA! Pami<6D><69> mo<6D>e nie by<62> bezpieczna. Czy jeste<74> rootem?\n"
+
+#: lib/utils.c:394
+msgid "Cannot get process priority.\n"
+msgstr "Nie mo<6D>na odczyta<74> priorytetu procesu.\n"
+
+#: lib/utils.c:397 lib/utils.c:410
+#, c-format
+msgid "setpriority %u failed: %s"
+msgstr "setpriority %u nie powiod<6F>o si<73>: %s"
+
+#: lib/utils.c:408
+msgid "Cannot unlock memory."
+msgstr "Nie mo<6D>na odblokowa<77> pami<6D>ci."
+
+#: lib/utils_crypt.c:200
+msgid "Failed to open key file.\n"
+msgstr "Nie uda<64>o si<73> otworzy<7A> pliku klucza.\n"
+
+#: lib/utils_crypt.c:211
+msgid "Error reading passphrase from terminal.\n"
+msgstr "B<><42>d podczas odczytu has<61>a z terminala.\n"
+
+#: lib/utils_crypt.c:216
+msgid "Verify passphrase: "
+msgstr "Weryfikacja has<61>a: "
+
+#: lib/utils_crypt.c:219
+msgid "Passphrases do not match.\n"
+msgstr "Has<61>a nie zgadzaj<61> si<73>.\n"
+
+#: lib/utils_crypt.c:243
+msgid "Failed to stat key file.\n"
+msgstr "Nie uda<64>o si<73> wykona<6E> stat na pliku klucza.\n"
+
+#: lib/utils_crypt.c:248
+msgid "Warning: exhausting read requested, but key file is not a regular file, function might never return.\n"
+msgstr "Uwaga: <20><>dano odczytu ca<63>o<EFBFBD>ci, ale plik klucza nie jest zwyk<79>ym plikiem i funkcja mo<6D>e nigdy si<73> nie zako<6B>czy<7A>.\n"
+
+#: lib/utils_crypt.c:260
+msgid "Out of memory while reading passphrase.\n"
+msgstr "Brak pami<6D>ci podczas odczytu has<61>a.\n"
+
+#: lib/utils_crypt.c:268
+msgid "Error reading passphrase.\n"
+msgstr "B<><42>d podczas odczytu has<61>a.\n"
+
+#: lib/luks1/keyencryption.c:66
+#, c-format
+msgid "Unable to obtain sector size for %s"
+msgstr "Nie uda<64>o si<73> uzyska<6B> rozmiaru sektora dla %s"
+
+#: lib/luks1/keyencryption.c:106
+msgid "Key size in XTS mode must be 256 or 512 bits.\n"
+msgstr "Rozmiar klucza w trybie XTS musi wynosi<73> 256 lub 512 bit<69>w.\n"
+
+#: lib/luks1/keyencryption.c:108
+msgid "Block mode XTS is available since kernel 2.6.24.\n"
+msgstr "Tryb blokowy XTS jest dost<73>pny od j<>dra 2.6.24.\n"
+
+#: lib/luks1/keyencryption.c:110
+msgid "Key size in LRW mode must be 256 or 512 bits.\n"
+msgstr "Rozmiar klucza w trybie LRW musi wynosi<73> 256 lub 512 bit<69>w.\n"
+
+#: lib/luks1/keyencryption.c:112
+msgid "Block mode LRW is available since kernel 2.6.20.\n"
+msgstr "Tryb blokowy LRW jest dost<73>pny od j<>dra 2.6.20.\n"
+
+#: lib/luks1/keyencryption.c:135
+msgid "Failed to obtain device mapper directory."
+msgstr "Nie uda<64>o si<73> uzyska<6B> katalogu device mappera."
+
+#: lib/luks1/keyencryption.c:151
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info).\n"
+"%s"
+msgstr ""
+"Nie uda<64>o si<73> ustawi<77> odwzorowania klucza dm-crypt dla urz<72>dzenia %s.\n"
+"Prosz<73> sprawdzi<7A>, czy j<>dro obs<62>uguje szyfr %s (wi<77>cej informacji w syslogu).\n"
+"%s"
+
+#: lib/luks1/keyencryption.c:161
+msgid "Failed to open temporary keystore device.\n"
+msgstr "Nie uda<64>o si<73> otworzy<7A> urz<72>dzenia do tymczasowego przechowywania kluczy.\n"
+
+#: lib/luks1/keyencryption.c:168
+msgid "Failed to access temporary keystore device.\n"
+msgstr "Nie uda<64>o si<73> uzyska<6B> dost<73>pu do urz<72>dzenia do tymczasowego przechowywania kluczy.\n"
+
+#: lib/luks1/keymanage.c:61
+#, c-format
+msgid "Requested file %s already exist.\n"
+msgstr "<22><>dany plik %s ju<6A> istnieje.\n"
+
+#: lib/luks1/keymanage.c:81 lib/luks1/keymanage.c:224
+#, c-format
+msgid "Device %s is not a valid LUKS device.\n"
+msgstr "Urz<72>dzenie %s nie jest prawid<69>owym urz<72>dzeniem LUKS.\n"
+
+#: lib/luks1/keymanage.c:101
+#, c-format
+msgid "Cannot write header backup file %s.\n"
+msgstr "Nie mo<6D>na zapisa<73> pliku kopii zapasowej nag<61><67>wka %s.\n"
+
+#: lib/luks1/keymanage.c:128
+#, c-format
+msgid "Backup file %s doesn't exist.\n"
+msgstr "Plik kopii zapasowej %s nie istnieje.\n"
+
+#: lib/luks1/keymanage.c:136
+msgid "Backup file do not contain valid LUKS header.\n"
+msgstr "Plik kopii zapasowej nie zawiera prawid<69>owego nag<61><67>wka LUKS.\n"
+
+#: lib/luks1/keymanage.c:149
+#, c-format
+msgid "Cannot open header backup file %s.\n"
+msgstr "Nie mo<6D>na otworzy<7A> pliku kopii zapasowej nag<61><67>wka %s.\n"
+
+#: lib/luks1/keymanage.c:155
+#, c-format
+msgid "Cannot read header backup file %s.\n"
+msgstr "Nie mo<6D>na odczyta<74> pliku kopii zapasowej nag<61><67>wka %s.\n"
+
+#: lib/luks1/keymanage.c:166
+msgid "Data offset or key size differs on device and backup, restore failed.\n"
+msgstr "Offset danych lub rozmiar klucza r<><72>ni<6E> si<73> mi<6D>dzy urz<72>dzeniem a kopi<70> zapasow<6F>; przywr<77>cenie nie powiod<6F>o si<73>.\n"
+
+#: lib/luks1/keymanage.c:174
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Urz<72>dzenie %s %s%s"
+
+#: lib/luks1/keymanage.c:175
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "nie zawiera nag<61><67>wka LUKS. Nadpisanie nag<61><67>wka mo<6D>e zniszczy<7A> dane na tym urz<72>dzeniu."
+
+#: lib/luks1/keymanage.c:176
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "ju<6A> zawiera nag<61><67>wek LUKS. Nadpisanie nag<61><67>wka zniszczy istniej<65>ce klucze."
+
+#: lib/luks1/keymanage.c:177
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"UWAGA: nag<61><67>wek prawdziwego urz<72>dzenia ma inny UUID ni<6E> kopia zapasowa!"
+
+#: lib/luks1/keymanage.c:192 lib/luks1/keymanage.c:305
+#: lib/luks1/keymanage.c:340
+#, c-format
+msgid "Cannot open device %s.\n"
+msgstr "Nie mo<6D>na otworzy<7A> urz<72>dzenia %s.\n"
+
+#: lib/luks1/keymanage.c:226
+#, c-format
+msgid "Device %s is not a valid LUKS device."
+msgstr "Urz<72>dzenie %s nie jest prawid<69>owym urz<72>dzeniem LUKS."
+
+#: lib/luks1/keymanage.c:229
+#, c-format
+msgid "Unsupported LUKS version %d.\n"
+msgstr "Nieobs<62>ugiwana wersja LUKS %d.\n"
+
+#: lib/luks1/keymanage.c:232 lib/luks1/keymanage.c:410
+#, c-format
+msgid "Requested LUKS hash %s is not supported.\n"
+msgstr "<22><>dany skr<6B>t LUKS %s nie jest obs<62>ugiwany.\n"
+
+#: lib/luks1/keymanage.c:277
+#, c-format
+msgid "Cannot open file %s.\n"
+msgstr "Nie mo<6D>na otworzy<7A> pliku %s.\n"
+
+#: lib/luks1/keymanage.c:317
+#, c-format
+msgid "LUKS header detected but device %s is too small.\n"
+msgstr "Wykryto nag<61><67>wek LUKS, ale urz<72>dzenie %s jest zbyt ma<6D>e.\n"
+
+#: lib/luks1/keymanage.c:361
+#, c-format
+msgid "Error during update of LUKS header on device %s.\n"
+msgstr "B<><42>d podczas uaktualniania nag<61><67>wka LUKS na urz<72>dzeniu %s.\n"
+
+#: lib/luks1/keymanage.c:368
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s.\n"
+msgstr "B<><42>d podczas ponownego odczytu nag<61><67>wka LUKS po uaktualnieniu na urz<72>dzeniu %s.\n"
+
+#: lib/luks1/keymanage.c:380
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
+msgstr "Niekompatybilne opcje PBKDF2 (przy u<>yciu algorytmu skr<6B>tu %s).\n"
+
+#: lib/luks1/keymanage.c:415 lib/luks1/keymanage.c:492
+msgid "Wrong LUKS UUID format provided.\n"
+msgstr "Podano z<>y format LUKS UUID.\n"
+
+#: lib/luks1/keymanage.c:440
+msgid "Cannot create LUKS header: reading random salt failed.\n"
+msgstr "Nie mo<6D>na utworzy<7A> nag<61><67>wka LUKS: odczyt losowego zarodka nie powi<77>d<EFBFBD> si<73>.\n"
+
+#: lib/luks1/keymanage.c:457
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
+msgstr "Nie mo<6D>na utworzy<7A> nag<61><67>wka LUKS: uzyskanie skr<6B>tu nag<61><67>wka nie powiod<6F>o si<73> (przy u<>yciu algorytmu %s).\n"
+
+#: lib/luks1/keymanage.c:517
+#, c-format
+msgid "Key slot %d active, purge first.\n"
+msgstr "Klucz numer %d jest aktywny, nale<6C>y go najpierw wyczy<7A>ci<63>.\n"
+
+#: lib/luks1/keymanage.c:522
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+msgstr "Klucz %d zawiera zbyt ma<6D>o pas<61>w. Zmieniony nag<61><67>wek?\n"
+
+#: lib/luks1/keymanage.c:582
+msgid "Failed to write to key storage.\n"
+msgstr "Nie uda<64>o si<73> zapisa<73> klucza.\n"
+
+#: lib/luks1/keymanage.c:659
+msgid "Failed to read from key storage.\n"
+msgstr "Nie uda<64>o si<73> odczyta<74> klucza.\n"
+
+#: lib/luks1/keymanage.c:668
+#, c-format
+msgid "Key slot %d unlocked.\n"
+msgstr "Klucz numer %d odblokowany.\n"
+
+#: lib/luks1/keymanage.c:703 src/cryptsetup.c:482
+msgid "No key available with this passphrase.\n"
+msgstr "Dla tego has<61>a nie ma dost<73>pnego klucza.\n"
+
+#: lib/luks1/keymanage.c:783
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+msgstr "Numer klucza %d jest b<><62>dny, prosz<73> wybra<72> numer od 0 do %d.\n"
+
+#: lib/luks1/keymanage.c:795
+#, c-format
+msgid "Cannot wipe device %s.\n"
+msgstr "Nie mo<6D>na wyczy<7A>ci<63> urz<72>dzenia %s.\n"
+
+#: src/cryptsetup.c:75
+msgid "<name> <device>"
+msgstr "<nazwa> <urz<72>dzenie>"
+
+#: src/cryptsetup.c:75
+msgid "create device"
+msgstr "utworzenie urz<72>dzenia"
+
+#: src/cryptsetup.c:76 src/cryptsetup.c:77 src/cryptsetup.c:78
+#: src/cryptsetup.c:86
+msgid "<name>"
+msgstr "<nazwa>"
+
+#: src/cryptsetup.c:76
+msgid "remove device"
+msgstr "usuni<6E>cie urz<72>dzenia"
+
+#: src/cryptsetup.c:77
+msgid "resize active device"
+msgstr "zmiana rozmiaru aktywnego urz<72>dzenia"
+
+#: src/cryptsetup.c:78
+msgid "show device status"
+msgstr "pokazanie stanu urz<72>dzenia"
+
+#: src/cryptsetup.c:79 src/cryptsetup.c:81
+msgid "<device> [<new key file>]"
+msgstr "<urz<72>dzenie> [<nowy plik klucza>]"
+
+#: src/cryptsetup.c:79
+msgid "formats a LUKS device"
+msgstr "sformatowanie urz<72>dzenia LUKS"
+
+#: src/cryptsetup.c:80
+msgid "<device> <name> "
+msgstr "<uz<75>dzenie> <nazwa> "
+
+#: src/cryptsetup.c:80
+msgid "open LUKS device as mapping <name>"
+msgstr "otwarcie urz<72>dzenia LUKS jako odwzorowania <nazwa>"
+
+#: src/cryptsetup.c:81
+msgid "add key to LUKS device"
+msgstr "dodanie klucza do urz<72>dzenia LUKS"
+
+#: src/cryptsetup.c:82
+msgid "<device> [<key file>]"
+msgstr "<urz<72>dzenie> [<plik klucza>]"
+
+#: src/cryptsetup.c:82
+msgid "removes supplied key or key file from LUKS device"
+msgstr "usuni<6E>cie podanego klucza lub pliku klucza z urz<72>dzenia LUKS"
+
+#: src/cryptsetup.c:83
+msgid "<device> <key slot>"
+msgstr "<urz<72>dzenie> <numer klucza>"
+
+#: src/cryptsetup.c:83
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "wyczyszczenie klucza o numerze <numer klucza> z urz<72>dzenia LUKS"
+
+#: src/cryptsetup.c:84 src/cryptsetup.c:85 src/cryptsetup.c:87
+#: src/cryptsetup.c:88 src/cryptsetup.c:89 src/cryptsetup.c:90
+#: src/cryptsetup.c:91
+msgid "<device>"
+msgstr "<urz<72>dzenie>"
+
+#: src/cryptsetup.c:84
+msgid "print UUID of LUKS device"
+msgstr "wypisanie UUID-a urz<72>dzenia LUKS"
+
+#: src/cryptsetup.c:85
+msgid "tests <device> for LUKS partition header"
+msgstr "sprawdzenie <urz<72>dzenia> pod k<>tem nag<61><67>wka partycji LUKS"
+
+#: src/cryptsetup.c:86
+msgid "remove LUKS mapping"
+msgstr "usuni<6E>cie odwzorowania LUKS"
+
+#: src/cryptsetup.c:87
+msgid "dump LUKS partition information"
+msgstr "zrzut informacji o partycji LUKS"
+
+#: src/cryptsetup.c:88
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+msgstr "Zatrzymanie urz<72>dzenia LUKS i wyczyszczenie klucza (zamra<72>a wszystkie operacje we/wy)."
+
+#: src/cryptsetup.c:89
+msgid "Resume suspended LUKS device."
+msgstr "Wznowienie zatrzymanego urz<72>dzenia LUKS."
+
+#: src/cryptsetup.c:90
+msgid "Backup LUKS device header and keyslots"
+msgstr "Kopia zapasowa nag<61><67>wka i kluczy urz<72>dzenia LUKS"
+
+#: src/cryptsetup.c:91
+msgid "Restore LUKS device header and keyslots"
+msgstr "Odtworzenie nag<61><67>wka i kluczy urz<72>dzenia LUKS z kopii zapasowej"
+
+#: src/cryptsetup.c:169
+msgid "Command successful.\n"
+msgstr "Polecenie si<73> powiod<6F>o.\n"
+
+#: src/cryptsetup.c:183
+#, c-format
+msgid "Command failed with code %i"
+msgstr "Polecenie nie powiod<6F>o si<73> z kodem %i"
+
+#: src/cryptsetup.c:351
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "To nieodwo<77>alnie nadpisze dane na %s."
+
+#: src/cryptsetup.c:352
+msgid "memory allocation error in action_luksFormat"
+msgstr "b<><62>d przydzielania pami<6D>ci w action_luksFormat"
+
+#: src/cryptsetup.c:666
+msgid ""
+"LUKS header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Zrzut nag<61><67>wka LUKS z kluczem wolumenu jest informacj<63> wra<72>liw<69>,\n"
+"pozwalaj<61>c<EFBFBD> na dost<73>p do zaszyfrowanej partycji bez has<61>a.\n"
+"Zrzut ten powinien by<62> zawsze zapisywany w postaci zaszyfrowanej\n"
+"w bezpiecznym miejscu."
+
+#: src/cryptsetup.c:769 src/cryptsetup.c:790
+msgid "Option --header-backup-file is required.\n"
+msgstr "Wymagana jest opcja --header-backup-file.\n"
+
+#: src/cryptsetup.c:824
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<akcja> to jedno z:\n"
+
+#: src/cryptsetup.c:830
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<nazwa> to urz<72>dzenie do utworzenia wewn<77>trz %s\n"
+"<urz<72>dzenie> to zaszyfrowane urz<72>dzenie\n"
+"<numer klucza> to numer klucza LUKS do zmiany\n"
+"<plik klucza> to opcjonalny plik nowego klucza dla akcji luksAddKey\n"
+
+#: src/cryptsetup.c:837
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Domy<6D>lne wkompilowane parametry szyfrowania urz<72>dze<7A>:\n"
+"\tplain: %s, bit<69>w klucza: %d, skr<6B>t has<61>a: %s\n"
+"\tLUKS1: %s, bit<69>w klucza: %d, skr<6B>t nag<61><67>wka LUKS: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:901
+msgid "Show this help message"
+msgstr "Wy<57>wietlenie tego opisu"
+
+#: src/cryptsetup.c:902
+msgid "Display brief usage"
+msgstr "Wy<57>wietlenie kr<6B>tkiej informacji o sk<73>adni"
+
+#: src/cryptsetup.c:906
+msgid "Help options:"
+msgstr "Opcje pomocnicze:"
+
+#: src/cryptsetup.c:907
+msgid "Print package version"
+msgstr "Wypisanie wersji pakietu"
+
+#: src/cryptsetup.c:908
+msgid "Shows more detailed error messages"
+msgstr "Wy<57>wietlanie bardziej szczeg<65><67>owych komunikat<61>w b<><62>d<EFBFBD>w"
+
+#: src/cryptsetup.c:909
+msgid "Show debug messages"
+msgstr "Wy<57>wietlanie informacji diagnostycznych"
+
+#: src/cryptsetup.c:910
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Szyfr u<>ywany do zaszyfrowania dysku (p. /proc/crypto)"
+
+#: src/cryptsetup.c:911
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "Skr<6B>t u<>ywany do utworzenia klucza szyfruj<75>cego z has<61>a"
+
+#: src/cryptsetup.c:912
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Sprawdzenie poprawno<6E>ci has<61>a poprzez dwukrotne pytanie"
+
+#: src/cryptsetup.c:913
+msgid "Read the key from a file."
+msgstr "Odczyt klucza z pliku."
+
+#: src/cryptsetup.c:914
+msgid "Read the volume (master) key from file."
+msgstr "Odczyt klucza wolumenu (klucza g<><67>wnego) z pliku."
+
+#: src/cryptsetup.c:915
+msgid "Dump volume (master) key instead of keyslots info."
+msgstr "Zrzut (g<><67>wnego) klucza wolumenu zamiast informacji o kluczach."
+
+#: src/cryptsetup.c:916
+msgid "The size of the encryption key"
+msgstr "Rozmiar klucza szyfruj<75>cego"
+
+#: src/cryptsetup.c:916
+msgid "BITS"
+msgstr "BIT<49>W"
+
+#: src/cryptsetup.c:917
+msgid "Limits the read from keyfile"
+msgstr "Ograniczenie odczytu z pliku klucza"
+
+#: src/cryptsetup.c:917 src/cryptsetup.c:918
+msgid "bytes"
+msgstr "bajty"
+
+#: src/cryptsetup.c:918
+msgid "Limits the read from newly added keyfile"
+msgstr "Ograniczenie odczytu z nowo dodanego pliku klucza"
+
+#: src/cryptsetup.c:919
+msgid "Slot number for new key (default is first free)"
+msgstr "Numer dla nowego klucza (domy<6D>lny: pierwszy wolny)"
+
+#: src/cryptsetup.c:920
+msgid "The size of the device"
+msgstr "Rozmiar urz<72>dzenia"
+
+#: src/cryptsetup.c:920 src/cryptsetup.c:921 src/cryptsetup.c:922
+#: src/cryptsetup.c:928
+msgid "SECTORS"
+msgstr "SEKTOR<4F>W"
+
+#: src/cryptsetup.c:921
+msgid "The start offset in the backend device"
+msgstr "Offset pocz<63>tku na urz<72>dzeniu przechowuj<75>cym"
+
+#: src/cryptsetup.c:922
+msgid "How many sectors of the encrypted data to skip at the beginning"
+msgstr "Liczba sektor<6F>w zaszyfrowanych danych do pomini<6E>cia"
+
+#: src/cryptsetup.c:923
+msgid "Create a readonly mapping"
+msgstr "Utworzenie odwzorowania tylko do odczytu"
+
+#: src/cryptsetup.c:924
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "Czas iteracji PBKDF2 dla LUKS (w milisekundach)"
+
+#: src/cryptsetup.c:924
+msgid "msecs"
+msgstr "ms"
+
+#: src/cryptsetup.c:925
+msgid "Do not ask for confirmation"
+msgstr "Bez pyta<74> o potwierdzenie"
+
+#: src/cryptsetup.c:926
+msgid "Timeout for interactive passphrase prompt (in seconds)"
+msgstr "Limit czasu przy interaktywnym pytaniu o has<61>o (w sekundach)"
+
+#: src/cryptsetup.c:926
+msgid "secs"
+msgstr "s"
+
+#: src/cryptsetup.c:927
+msgid "How often the input of the passphrase can be retried"
+msgstr "Jak cz<63>sto mo<6D>na powtarza<7A> pr<70>by wprowadzenia has<61>a"
+
+#: src/cryptsetup.c:928
+msgid "Align payload at <n> sector boundaries - for luksFormat"
+msgstr "Wyr<79>wnanie danych do granicy <n> sektor<6F>w - dla luksFormat"
+
+#: src/cryptsetup.c:929
+msgid "File with LUKS header and keyslots backup."
+msgstr "Plik z kopi<70> zapasow<6F> nag<61><67>wka LUKS i kluczy."
+
+#: src/cryptsetup.c:930
+msgid "Use /dev/random for generating volume key."
+msgstr "U<>ycie /dev/random do wygenerowania klucza wolumenu."
+
+#: src/cryptsetup.c:931
+msgid "Use /dev/urandom for generating volume key."
+msgstr "U<>ycie /dev/urandom do wygenerowania klucza wolumenu."
+
+#: src/cryptsetup.c:932
+msgid "UUID for device to use."
+msgstr "UUID dla urz<72>dzenia, kt<6B>re ma by<62> u<>yte."
+
+#: src/cryptsetup.c:950
+msgid "[OPTION...] <action> <action-specific>]"
+msgstr "[OPCJA...] <akcja> <parametry-akcji>]"
+
+#: src/cryptsetup.c:985
+msgid "Argument <action> missing."
+msgstr "Brak argumentu <akcja>."
+
+#: src/cryptsetup.c:991
+msgid "Unknown action."
+msgstr "Nieznana akcja."
+
+#: src/cryptsetup.c:1006
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: wymaga %s jako argument<6E>w"
+
+#: src/cryptsetup.c:1017
+msgid ""
+"Option --key-size is allowed only for luksFormat and create.\n"
+"To limit read from keyfile use --keyfile-size=(bytes)."
+msgstr ""
+"Opcja --key-size jest dopuszczalna tylko dla operacji luksFormat i create.\n"
+"Aby ograniczy<7A> odczyt z pliku klucza, nale<6C>y u<>y<EFBFBD> --keyfile-size=(bajty)."
+
+#: src/cryptsetup.c:1024
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Rozmiar klucza musi by<62> wielokrotno<6E>ci<63> 8 bit<69>w"
+
+#: src/cryptsetup.c:1031
+msgid "Key slot is invalid."
+msgstr "Numer klucza jest nieprawid<69>owy."
+
+#: src/cryptsetup.c:1038
+msgid "Option --key-file takes precedence over specified key file argument.\n"
+msgstr "Opcja --key-file ma priorytet nad podanym argumentem pliku klucza.\n"
+
+#: src/cryptsetup.c:1044
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Dozwolona jest tylko jedna z opcji --use-[u]random."
+
+#: src/cryptsetup.c:1047
+msgid "Option --use-[u]random is allowed only for luksFormat."
+msgstr "Opcja --use-[u]random jest dozwolona tylko dla operacji luksFormat."
+
+#: src/cryptsetup.c:1051
+msgid "Option --uuid is allowed only for luksFormat and luksUUID."
+msgstr "Opcja --uuid jest dozwolona tylko dla operacji luksFormat i luksUUID."
+
+#: src/cryptsetup.c:1055
+msgid "Options --offset and --skip are supported only for create command.\n"
+msgstr "Opcje --offset i --skip s<> obs<62>ugiwane tylko dla polecenia create.\n"

src/Makefile.am

@@ -10,23 +10,25 @@ INCLUDES = \
 	-D_GNU_SOURCE
 
 cryptsetup_SOURCES = \
+	$(top_builddir)/lib/utils_crypt.c	\
 	cryptsetup.c				\
 	cryptsetup.h
 
-if STATIC_CRYPTSETUP
-_STATIC_FLAGS = -all-static
-_STATIC_LDADD = @LIBGCRYPT_LIBS@ -lgpg-error @SELINUX_STATIC_LIBS@
-endif
-
 cryptsetup_LDADD = \
 	$(top_builddir)/lib/libcryptsetup.la	\
-	$(_STATIC_LDADD)			\
 	@POPT_LIBS@
 
-
-cryptsetup_LDFLAGS = \
-	$(_STATIC_FLAGS)
-
 cryptsetup_CFLAGS = -Wall
 
 sbin_PROGRAMS=cryptsetup
+
+if STATIC_CRYPTSETUP
+sbin_PROGRAMS += cryptsetup.static
+cryptsetup_static_SOURCES = $(cryptsetup_SOURCES)
+cryptsetup_static_CFLAGS = $(cryptsetup_CFLAGS)
+cryptsetup_static_LDFLAGS = -all-static
+cryptsetup_static_LDADD = $(cryptsetup_LDADD)	\
+	@LIBGCRYPT_STATIC_LIBS@			\
+	@DEVMAPPER_STATIC_LIBS@			\
+	@UUID_LIBS@
+endif

src/cryptsetup.h

@@ -6,13 +6,13 @@
 #endif
 
 #include "lib/nls.h"
+#include "lib/utils_crypt.h"
 
-#define MAX_CIPHER_LEN		32
-#define MAX_CIPHER_LEN_STR	"32"
 #define DEFAULT_CIPHER(type)	(DEFAULT_##type##_CIPHER "-" DEFAULT_##type##_MODE)
 
 #define log_dbg(x...) clogger(NULL, CRYPT_LOG_DEBUG, __FILE__, __LINE__, x)
 #define log_std(x...) clogger(NULL, CRYPT_LOG_NORMAL, __FILE__, __LINE__, x)
+#define log_verbose(x...) clogger(NULL, CRYPT_LOG_VERBOSE, __FILE__, __LINE__, x)
 #define log_err(x...) clogger(NULL, CRYPT_LOG_ERROR, __FILE__, __LINE__, x)
 
 #endif /* CRYPTSETUP_H */

tests/Makefile.am

@@ -1,13 +1,16 @@
-TESTS = api-test compat-test align-test
+TESTS = api-test compat-test align-test mode-test password-hash-test
 
-EXTRA_DIST = fileDiffer.py compatimage.img.bz2 align-test compat-test
+EXTRA_DIST = compatimage.img.bz2 align-test compat-test mode-test password-hash-test
+
+differ_SOURCES = differ.c
+differ_CFLAGS = -Wall -O2
 
 api_test_SOURCES = api-test.c
 api_test_LDADD = ../lib/libcryptsetup.la
 api_test_LDFLAGS = -static
 api_test_CFLAGS = -g -Wall -O0 -I$(top_srcdir)/lib/
 
-check_PROGRAMS = api-test
+check_PROGRAMS = api-test differ
 
 compatimage.img:
 	@bzip2 -k -d compatimage.img.bz2

tests/align-test

@@ -2,9 +2,11 @@
 
 CRYPTSETUP="../src/cryptsetup"
 DEV=""
+DEV_STACKED="luks0xbabe"
 
 cleanup() {
 	udevadm settle 2>/dev/null 2>&1
+	[ -b /dev/mapper/$DEV_STACKED ] && dmsetup remove $DEV_STACKED 2>/dev/null 2>&1
 	rmmod scsi_debug 2>/dev/null
 	sleep 2
 }
@@ -41,10 +43,10 @@ format() # key_bits expected [forced]
 {
 	if [ -z "$3" ] ; then
 		echo -n "Formatting using topology info ($1 bits key)...."
-		echo xxx| $CRYPTSETUP luksFormat $DEV -q -s $1
+		echo xxx| $CRYPTSETUP luksFormat $DEV -q -i1 -s $1
 	else
-		echo -n "Formatting using forced offset $3 ($1 bits key)..."
-		echo xxx| $CRYPTSETUP luksFormat $DEV -q -s $1 --align-payload=$2
+		echo -n "Formatting using forced sector alignment $3 ($1 bits key)..."
+		echo xxx| $CRYPTSETUP luksFormat $DEV -q -i1 -s $1 --align-payload=$2
 	fi
 
 	ALIGN=$($CRYPTSETUP luksDump $DEV |grep "Payload offset" | sed -e s/.*\\t//)
@@ -69,8 +71,10 @@ cleanup
 echo "# Create desktop-class 4K drive"
 echo "# (logical_block_size=512, physical_block_size=4096, alignment_offset=0)"
 add_device dev_size_mb=16 sector_size=512 physblk_exp=3 num_tgts=1
-format 256 2112
-format 128 1088
+format 256 4096
+format 256 2112 8
+format 128 2048
+format 128 1088 8
 format 256 8192 8192
 format 128 8192 8192
 cleanup
@@ -78,25 +82,30 @@ cleanup
 echo "# Create desktop-class 4K drive w/ 63-sector DOS partition compensation"
 echo "# (logical_block_size=512, physical_block_size=4096, alignment_offset=3584)"
 add_device dev_size_mb=16 sector_size=512 physblk_exp=3 lowest_aligned=7 num_tgts=1
-format 256 2119
-format 128 1095
+format 256 4103
+format 256 2119 8
+format 128 2055
+format 128 1095 8
 cleanup
 
 echo "# Create enterprise-class 4K drive"
 echo "# (logical_block_size=4096, physical_block_size=4096, alignment_offset=0)"
 add_device dev_size_mb=16 sector_size=4096 num_tgts=1
-format 256 2560
-format 128 1536 
+format 256 4096
+format 256 2560 8
+format 128 2048
+format 128 1536 8
 cleanup
 
 echo "# Create classic 512b drive and stack dm-linear"
 echo "# (logical_block_size=512, physical_block_size=512, alignment_offset=0)"
 add_device dev_size_mb=16 sector_size=512 num_tgts=1
 DEV2=$DEV
-DEV=/dev/mapper/luks0xbabe
-dmsetup create luks0xbabe --table "0 32768 linear $DEV2 0"
-format 256 2112
-format 128 1088
+DEV=/dev/mapper/$DEV_STACKED
+dmsetup create $DEV_STACKED --table "0 32768 linear $DEV2 0"
+format 256 4096
+format 256 2112 8
+format 128 2048
+format 128 1088 8
 format 128 8192 8192
-dmsetup remove luks0xbabe
 cleanup

tests/api-test.c

@@ -1,7 +1,7 @@
 /*
  * cryptsetup library API check functions
  *
- * Copyright (C) 2009 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2010 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -24,6 +24,7 @@
 #include <fcntl.h>
 #include <linux/fs.h>
 #include <errno.h>
+#include <assert.h>
 #include <sys/stat.h>
 #include <sys/ioctl.h>
 
@@ -52,6 +53,10 @@
 #define KEYFILE2 "key2.file"
 #define KEY2 "0123456789abcdef"
 
+#define PASSPHRASE "blabla"
+
+#define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
+
 static int _debug   = 0;
 static int _verbose = 1;
 
@@ -129,6 +134,12 @@ static void reset_log()
 	global_lines = 0;
 }
 
+static void _system(const char *command, int warn)
+{
+	if (system(command) < 0 && warn)
+		printf("System command failed: %s", command);
+}
+
 static struct interface_callbacks cmd_icb = {
 	.yesDialog = yesDialog,
 	.log = cmdLineLog,
@@ -136,46 +147,43 @@ static struct interface_callbacks cmd_icb = {
 
 static void _cleanup(void)
 {
-	int r;
 	struct stat st;
 
-	//r = system("udevadm settle");
+	//_system("udevadm settle", 0);
 
 	if (!stat(DMDIR CDEVICE_1, &st))
-		r = system("dmsetup remove " CDEVICE_1);
+		_system("dmsetup remove " CDEVICE_1, 0);
 
 	if (!stat(DMDIR CDEVICE_2, &st))
-		r = system("dmsetup remove " CDEVICE_2);
+		_system("dmsetup remove " CDEVICE_2, 0);
 
 	if (!stat(DEVICE_EMPTY, &st))
-		r = system("dmsetup remove " DEVICE_EMPTY_name);
+		_system("dmsetup remove " DEVICE_EMPTY_name, 0);
 
 	if (!stat(DEVICE_ERROR, &st))
-		r = system("dmsetup remove " DEVICE_ERROR_name);
+		_system("dmsetup remove " DEVICE_ERROR_name, 0);
 
 	if (!strncmp("/dev/loop", DEVICE_1, 9))
-		r = system("losetup -d " DEVICE_1);
+		_system("losetup -d " DEVICE_1, 0);
 
 	if (!strncmp("/dev/loop", DEVICE_2, 9))
-		r = system("losetup -d " DEVICE_2);
+		_system("losetup -d " DEVICE_2, 0);
 
-	r = system("rm -f " IMAGE_EMPTY);
+	_system("rm -f " IMAGE_EMPTY, 0);
 	_remove_keyfiles();
 }
 
 static void _setup(void)
 {
-	int r;
-
-	r = system("dmsetup create " DEVICE_EMPTY_name " --table \"0 10000 zero\"");
-	r = system("dmsetup create " DEVICE_ERROR_name " --table \"0 10000 error\"");
+	_system("dmsetup create " DEVICE_EMPTY_name " --table \"0 10000 zero\"", 1);
+	_system("dmsetup create " DEVICE_ERROR_name " --table \"0 10000 error\"", 1);
 	if (!strncmp("/dev/loop", DEVICE_1, 9)) {
-		r = system(" [ ! -e " IMAGE1 " ] && bzip2 -dk " IMAGE1 ".bz2");
-		r = system("losetup " DEVICE_1 " " IMAGE1);
+		_system(" [ ! -e " IMAGE1 " ] && bzip2 -dk " IMAGE1 ".bz2", 1);
+		_system("losetup " DEVICE_1 " " IMAGE1, 1);
 	}
 	if (!strncmp("/dev/loop", DEVICE_2, 9)) {
-		r = system("dd if=/dev/zero of=" IMAGE_EMPTY " bs=1M count=4");
-		r = system("losetup " DEVICE_2 " " IMAGE_EMPTY);
+		_system("dd if=/dev/zero of=" IMAGE_EMPTY " bs=1M count=4", 1);
+		_system("losetup " DEVICE_2 " " IMAGE_EMPTY, 1);
 	}
 
 }
@@ -476,7 +484,6 @@ void DeviceResizeGame(void)
 	co.size = 0;
 	OK_(crypt_resize_device(&co));
 	EQ_(_get_device_size(DMDIR CDEVICE_2), (orig_size - 333));
-
 	co.size = 0;
 	co.offset = 444;
 	co.skip = 555;
@@ -492,10 +499,36 @@ void DeviceResizeGame(void)
 	EQ_(co.key_size, 128 / 8);
 	EQ_(co.offset, 444);
 	EQ_(co.skip, 555);
-	OK_(crypt_remove_device(&co));
-
 	crypt_put_options(&co);
 
+	// dangerous switch device still works
+	memset(&co, 0, sizeof(co));
+	co.name = CDEVICE_2,
+	co.device = DEVICE_1;
+	co.key_file = KEYFILE2;
+	co.key_size = 128 / 8;
+	co.cipher = "aes-cbc-plain";
+	co.hash = "sha1";
+	co.icb = &cmd_icb;
+	OK_(crypt_update_device(&co));
+
+	memset(&co, 0, sizeof(co));
+	co.icb = &cmd_icb,
+	co.name = CDEVICE_2;
+	EQ_(crypt_query_device(&co), 1);
+	EQ_(strcmp(co.cipher, "aes-cbc-plain"), 0);
+	EQ_(co.key_size, 128 / 8);
+	EQ_(co.offset, 0);
+	EQ_(co.skip, 0);
+	// This expect lookup returns prefered /dev/loopX
+	EQ_(strcmp(co.device, DEVICE_1), 0);
+	crypt_put_options(&co);
+
+	memset(&co, 0, sizeof(co));
+	co.icb = &cmd_icb,
+	co.name = CDEVICE_2;
+	OK_(crypt_remove_device(&co));
+
 	_remove_keyfiles();
 }
 
@@ -512,7 +545,7 @@ static void AddDevicePlain(void)
 	int fd;
 	char key[128], key2[128], path[128];
 
-	char *passphrase = "blabla";
+	char *passphrase = PASSPHRASE;
 	char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
 	size_t key_size = strlen(mk_hex) / 2;
 	char *cipher = "aes";
@@ -525,6 +558,7 @@ static void AddDevicePlain(void)
 	// default is "plain" hash - no password hash
 	OK_(crypt_init(&cd, DEVICE_1));
 	OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, NULL));
+	FAIL_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0), "cannot verify key with plain");
 	OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
 	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
 	// FIXME: this should get key from active device?
@@ -536,6 +570,8 @@ static void AddDevicePlain(void)
 	// Now use hashed password
 	OK_(crypt_init(&cd, DEVICE_1));
 	OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, &params));
+	FAIL_(crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0),
+	      "cannot verify passphrase with plain" );
 	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0));
 
 	// device status check
@@ -565,6 +601,73 @@ static void AddDevicePlain(void)
 	EQ_(key_size, crypt_get_volume_key_size(cd));
 	EQ_(0, crypt_get_data_offset(cd));
 	OK_(crypt_deactivate(cd, CDEVICE_1));
+
+	// now with keyfile
+	OK_(_prepare_keyfile(KEYFILE1, KEY1));
+	FAIL_(crypt_activate_by_keyfile(cd, NULL, CRYPT_ANY_SLOT, KEYFILE1, 0, 0), "cannot verify key with plain");
+	EQ_(0, crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, 0, 0));
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+	OK_(crypt_deactivate(cd, CDEVICE_1));
+	_remove_keyfiles();
+
+	crypt_free(cd);
+}
+
+#define CALLBACK_ERROR "calback_error xyz"
+static int pass_callback_err(const char *msg, char *buf, size_t length, void *usrptr)
+{
+	struct crypt_device *cd = usrptr;
+
+	assert(cd);
+	assert(length);
+	assert(msg);
+
+	crypt_log(cd, CRYPT_LOG_ERROR, CALLBACK_ERROR);
+	return -EINVAL;
+}
+
+static int pass_callback_ok(const char *msg, char *buf, size_t length, void *usrptr)
+{
+	assert(length);
+	assert(msg);
+	strcpy(buf, PASSPHRASE);
+	return strlen(buf);
+}
+
+static void CallbacksTest(void)
+{
+	struct crypt_device *cd;
+	struct crypt_params_plain params = {
+		.hash = "sha1",
+		.skip = 0,
+		.offset = 0,
+	};
+
+	size_t key_size = 256 / 8;
+	char *cipher = "aes";
+	char *cipher_mode = "cbc-essiv:sha256";
+	char *passphrase = PASSPHRASE;
+
+	OK_(crypt_init(&cd, DEVICE_1));
+	crypt_set_log_callback(cd, &new_log, NULL);
+	//crypt_set_log_callback(cd, NULL, NULL);
+
+	OK_(crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, key_size, &params));
+
+	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), 0));
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+	OK_(crypt_deactivate(cd, CDEVICE_1));
+
+	reset_log();
+	crypt_set_password_callback(cd, pass_callback_err, cd);
+	FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, NULL, 0, 0), "callback fails");
+	EQ_(strncmp(global_log, CALLBACK_ERROR, strlen(CALLBACK_ERROR)), 0);
+
+	crypt_set_password_callback(cd, pass_callback_ok, NULL);
+	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, NULL, 0, 0));
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+	OK_(crypt_deactivate(cd, CDEVICE_1));
+
 	crypt_free(cd);
 }
 
@@ -577,6 +680,7 @@ static void UseLuksDevice(void)
 	OK_(crypt_init(&cd, DEVICE_1));
 	OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
 	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+	OK_(crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0));
 	OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0));
 	FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0), "already open");
 	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
@@ -592,6 +696,7 @@ static void UseLuksDevice(void)
 
 	EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
 	OK_(crypt_volume_key_verify(cd, key, key_size));
+	OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
 	OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
 	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
 	OK_(crypt_deactivate(cd, CDEVICE_1));
@@ -667,6 +772,18 @@ static void AddDeviceLuks(void)
 	EQ_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
 	OK_(crypt_deactivate(cd, CDEVICE_2));
 
+	EQ_(1, crypt_keyslot_add_by_volume_key(cd, 1, key, key_size, KEY1, strlen(KEY1)));
+	OK_(_prepare_keyfile(KEYFILE1, KEY1));
+	OK_(_prepare_keyfile(KEYFILE2, KEY2));
+	EQ_(2, crypt_keyslot_add_by_keyfile(cd, 2, KEYFILE1, 0, KEYFILE2, 0));
+	FAIL_(crypt_activate_by_keyfile(cd, CDEVICE_2, CRYPT_ANY_SLOT, KEYFILE2, strlen(KEY2)-1, 0), "key mismatch");
+	EQ_(2, crypt_activate_by_keyfile(cd, NULL, CRYPT_ANY_SLOT, KEYFILE2, 0, 0));
+	EQ_(2, crypt_activate_by_keyfile(cd, CDEVICE_2, CRYPT_ANY_SLOT, KEYFILE2, 0, 0));
+	OK_(crypt_keyslot_destroy(cd, 1));
+	OK_(crypt_keyslot_destroy(cd, 2));
+	OK_(crypt_deactivate(cd, CDEVICE_2));
+	_remove_keyfiles();
+
 	FAIL_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), "slot used");
 	key[1] = ~key[1];
 	FAIL_(crypt_keyslot_add_by_volume_key(cd, 6, key, key_size, passphrase, strlen(passphrase)), "key mismatch");
@@ -689,6 +806,7 @@ static void AddDeviceLuks(void)
 	OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
 	EQ_(key_size, crypt_get_volume_key_size(cd));
 	EQ_(4096, crypt_get_data_offset(cd));
+	OK_(strcmp(DEVICE_2, crypt_get_device_name(cd)));
 
 	reset_log();
 	crypt_set_log_callback(cd, &new_log, NULL);
@@ -697,10 +815,71 @@ static void AddDeviceLuks(void)
 	crypt_set_log_callback(cd, NULL, NULL);
 	reset_log();
 
+	FAIL_(crypt_set_uuid(cd, "blah"), "wrong UUID format");
+	OK_(crypt_set_uuid(cd, DEVICE_TEST_UUID));
+	OK_(strcmp(DEVICE_TEST_UUID, crypt_get_uuid(cd)));
+
 	FAIL_(crypt_deactivate(cd, CDEVICE_2), "not active");
 	crypt_free(cd);
 }
 
+static void UseTempVolumes(void)
+{
+	struct crypt_device *cd;
+
+	// Tepmporary device without keyslot but with on-disk LUKS header
+	OK_(crypt_init(&cd, DEVICE_2));
+	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0), "not yet formatted");
+	OK_(crypt_format(cd, CRYPT_LUKS1, "aes", "cbc-essiv:sha256", NULL, NULL, 16, NULL));
+	OK_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0));
+	EQ_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
+	crypt_free(cd);
+
+	// Volume key is properly initialised from active device
+	OK_(crypt_init_by_name(&cd, CDEVICE_2));
+	OK_(crypt_deactivate(cd, CDEVICE_2));
+	OK_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0));
+	OK_(crypt_deactivate(cd, CDEVICE_2));
+	crypt_free(cd);
+
+	// Dirty checks: device without UUID
+	// we should be able to remove it but not manuipulate with it
+	_system("dmsetup create " CDEVICE_2 " --table \""
+		"0 100 crypt aes-cbc-essiv:sha256 deadbabedeadbabedeadbabedeadbabe 0 "
+		DEVICE_2 " 2048\"", 1);
+	OK_(crypt_init_by_name(&cd, CDEVICE_2));
+	OK_(crypt_deactivate(cd, CDEVICE_2));
+	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0), "No known device type");
+	crypt_free(cd);
+
+	// Dirty checks: device with UUID but LUKS header key fingerprint must fail)
+	_system("dmsetup create " CDEVICE_2 " --table \""
+		"0 100 crypt aes-cbc-essiv:sha256 deadbabedeadbabedeadbabedeadbabe 0 "
+		DEVICE_2 " 2048\" "
+		"-u CRYPT-LUKS1-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-ctest1", 1);
+	OK_(crypt_init_by_name(&cd, CDEVICE_2));
+	OK_(crypt_deactivate(cd, CDEVICE_2));
+	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0), "wrong volume key");
+	crypt_free(cd);
+
+	// No slots
+	OK_(crypt_init(&cd, DEVICE_2));
+	OK_(crypt_load(cd, CRYPT_LUKS1, NULL));
+	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, NULL, 0, 0), "volume key is lost");
+	crypt_free(cd);
+
+	// Plain device
+	OK_(crypt_init(&cd, DEVICE_2));
+	OK_(crypt_format(cd, CRYPT_PLAIN, "aes", "cbc-essiv:sha256", NULL, NULL, 16, NULL));
+	FAIL_(crypt_activate_by_volume_key(cd, NULL, "xxx", 3, 0), "cannot verify key with plain");
+	FAIL_(crypt_volume_key_verify(cd, "xxx", 3), "cannot verify key with plain");
+	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, "xxx", 3, 0), "wrong key lenght");
+	OK_(crypt_activate_by_volume_key(cd, CDEVICE_2, "volumekeyvolumek", 16, 0));
+	EQ_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
+	OK_(crypt_deactivate(cd, CDEVICE_2));
+	crypt_free(cd);
+}
+
 // Check that gcrypt is properly initialised in format
 static void NonFIPSAlg(void)
 {
@@ -719,6 +898,10 @@ static void NonFIPSAlg(void)
 	}
 	OK_(crypt_init(&cd, DEVICE_2));
 	OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, &params));
+
+	params.hash = "md5";
+	FAIL_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, &params),
+	      "MD5 unsupported, too short");
 	crypt_free(cd);
 }
 
@@ -764,6 +947,7 @@ int main (int argc, char *argv[])
 	crypt_set_debug_level(_debug ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
 
 	RUN_(NonFIPSAlg, "Crypto is properly initialised in format"); //must be the first!
+
 	RUN_(LuksUUID, "luksUUID API call");
 	RUN_(IsLuks, "isLuks API call");
 	RUN_(LuksOpen, "luksOpen API call");
@@ -777,6 +961,9 @@ int main (int argc, char *argv[])
 	RUN_(AddDeviceLuks, "Format and use LUKS device");
 	RUN_(UseLuksDevice, "Use pre-formated LUKS device");
 	RUN_(SuspendDevice, "Suspend/Resume test");
+	RUN_(UseTempVolumes, "Format and use temporary encrypted device");
+
+	RUN_(CallbacksTest, "API callbacks test");
 
 	_cleanup();
 	return 0;

tests/compat-test

@@ -7,24 +7,26 @@ DEV_NAME=dummy
 DEV_NAME2=dummy2
 ORIG_IMG=luks-test-orig
 IMG=luks-test
-IMG1=luks-test1
 KEY1=key1
+KEY2=key2
 
 LUKS_HEADER="S0-5 S6-7 S8-39 S40-71 S72-103 S104-107 S108-111 R112-131 R132-163 S164-167 S168-207 A0-591"
-KEY_SLOT0="S208-211 S212-215 R216-247 S248-251 S251-255"
+KEY_SLOT0="S208-211 S212-215 R216-247 A248-251 A251-255"
 KEY_MATERIAL0="R4096-68096"
 KEY_MATERIAL0_EXT="R4096-68096"
 
-KEY_SLOT1="S256-259 S260-263 R264-295 S296-299 S300-303"
+KEY_SLOT1="S256-259 S260-263 R264-295 A296-299 A300-303"
 KEY_MATERIAL1="R69632-133632"
 KEY_MATERIAL1_EXT="S69632-133632"
 
+TEST_UUID="12345678-1234-1234-1234-123456789abc"
+
 function remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
 	losetup -d $LOOPDEV >/dev/null 2>&1
-	rm -f $ORIG_IMG $IMG $IMG1 $KEY1 >/dev/null 2>&1
+	rm -f $ORIG_IMG $IMG $KEY1 $KEY2 >/dev/null 2>&1
 }
 
 function fail()
@@ -36,32 +38,45 @@ function fail()
 
 function prepare()
 {
-	if [ $(id -u) != 0 ]; then
-		echo "WARNING: You must be root to run this test, test skipped."
-		exit 0
-	fi
-
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME
 
+	case "$2" in
+	wipe)
+		remove_mapping
+		dd if=/dev/zero of=$IMG bs=1k count=10000 >/dev/null 2>&1
+		sync
+		losetup $LOOPDEV $IMG
+		;;
+	new)
+		remove_mapping
+		bzip2 -cd compatimage.img.bz2 > $IMG
+		losetup $LOOPDEV $IMG
+		;;
+	reuse | *)
+		if [ ! -e $IMG ]; then
+			bzip2 -cd compatimage.img.bz2 > $IMG
+			losetup $LOOPDEV $IMG
+		fi
+		;;
+	esac
+
 	if [ ! -e $KEY1 ]; then
 		dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
 	fi
 
-	if [ ! -e $IMG ]; then
-		bzip2 -cd compatimage.img.bz2 > $IMG
-		losetup -d $LOOPDEV >/dev/null 2>&1
-		losetup $LOOPDEV $IMG
+	if [ ! -e $KEY2 ]; then
+		dd if=/dev/urandom of=$KEY2 count=1 bs=16 >/dev/null 2>&1
 	fi
 
 	cp $IMG $ORIG_IMG
-
 	[ -n "$1" ] && echo "CASE: $1"
 }
 
 function check()
 {
 	sync
-	./fileDiffer.py $IMG $ORIG_IMG $1|| fail
+	[ -z "$1" ] && return
+	./differ $ORIG_IMG $IMG $1 || fail
 }
 
 function check_exists()
@@ -70,22 +85,27 @@ function check_exists()
 	check $1
 }
 
+if [ $(id -u) != 0 ]; then
+	echo "WARNING: You must be root to run this test, test skipped."
+	exit 0
+fi
+
 # LUKS tests
 
-prepare	"[1] open - compat image - acceptance check"
+prepare	"[1] open - compat image - acceptance check" new
 echo "compatkey" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
 check_exists
 
-prepare "[2] open - compat image - denial check"
-echo "wrongkey" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME && fail
+prepare "[2] open - compat image - denial check" new
+echo "wrongkey" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
 check
 
 # All headers items and first key material section must change
-prepare "[3] format"
+prepare "[3] format" wipe
 echo "key0" | $CRYPTSETUP -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat $LOOPDEV || fail
 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
 
-prepare "[4] format using hash sha512"
+prepare "[4] format using hash sha512" wipe
 echo "key0" | $CRYPTSETUP -i 1000 -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat $LOOPDEV || fail
 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
 
@@ -101,15 +121,15 @@ echo "key1" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
 
 # Unsuccessful Key Delete - nothing may change
 prepare "[7] unsuccessful delete"
-echo "invalid" | $CRYPTSETUP luksDelKey $LOOPDEV 1 && fail
+echo "invalid" | $CRYPTSETUP luksKillSlot $LOOPDEV 1 2>/dev/null && fail
 check
 
 # Delete Key Test
 # Key Slot 1 and key material section 1 must change, the rest must not
 prepare "[8] successful delete"
-$CRYPTSETUP -q luksDelKey $LOOPDEV 1 || fail
+$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
 check "$KEY_SLOT1 $KEY_MATERIAL1_EXT"
-echo "key1" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME && fail
+echo "key1" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2> /dev/null && fail
 echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
 
 # Key Slot 1 and key material section 1 must change, the rest must not
@@ -120,24 +140,24 @@ $CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
 
 # Key Slot 1 and key material section 1 must change, the rest must not
 prepare "[10] delete key test with key1 as remaining key"
-$CRYPTSETUP -d $KEY1 luksDelKey $LOOPDEV 0 || fail
+$CRYPTSETUP -d $KEY1 luksKillSlot $LOOPDEV 0 || fail
 check "$KEY_SLOT0 $KEY_MATERIAL0_EXT"
-echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME && fail
+echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
 
 # Delete last slot
-prepare "[11] delete last key"
+prepare "[11] delete last key" wipe
 echo "key0" | $CRYPTSETUP luksFormat $LOOPDEV || fail
 echo "key0" | $CRYPTSETUP luksKillSlot $LOOPDEV 0 || fail
-echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME && fail
+echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
 
 # Format test for ESSIV, and some other parameters.
-prepare "[12] parameter variation test"
+prepare "[12] parameter variation test" wipe
 $CRYPTSETUP -q -i 1000 -c aes-cbc-essiv:sha256 -s 128 luksFormat $LOOPDEV $KEY1 || fail
 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
 $CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
 
-prepare	"[13] open/close - stacked devices"
+prepare	"[13] open/close - stacked devices" wipe
 echo "key0" | $CRYPTSETUP -q luksFormat $LOOPDEV || fail
 echo "key0" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
 echo "key0" | $CRYPTSETUP -q luksFormat /dev/mapper/$DEV_NAME || fail
@@ -145,5 +165,118 @@ echo "key0" | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
 $CRYPTSETUP -q luksClose  $DEV_NAME2 || fail
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 
+prepare	"[14] format/open - passphrase on stdin & new line" wipe
+# stdin defined by "-" must take even newline
+echo -n $'foo\nbar' | $CRYPTSETUP -q luksFormat $LOOPDEV - || fail
+echo -n $'foo\nbar' | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+echo -n $'foo\nbar' | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
+# now also try --key-file
+echo -n $'foo\nbar' | $CRYPTSETUP -q luksFormat $LOOPDEV --key-file=- || fail
+echo -n $'foo\nbar' | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+# process newline if from stdin
+echo -n $'foo\nbar' | $CRYPTSETUP -q luksFormat $LOOPDEV || fail
+echo 'foo' | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+
+prepare "[15] UUID - use and report provided UUID" wipe
+echo "key0" | $CRYPTSETUP -q luksFormat --uuid blah $LOOPDEV 2>/dev/null && fail
+echo "key0" | $CRYPTSETUP -q luksFormat --uuid $TEST_UUID $LOOPDEV || fail
+tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
+[ "$tst"x = "$TEST_UUID"x ] || fail
+echo "key0" | $CRYPTSETUP -q luksFormat $LOOPDEV || fail
+$CRYPTSETUP -q luksUUID --uuid $TEST_UUID $LOOPDEV || fail
+tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
+[ "$tst"x = "$TEST_UUID"x ] || fail
+
+prepare "[16] luksFormat" wipe
+echo "key0" | $CRYPTSETUP -q luksFormat --master-key-file /dev/urandom $LOOPDEV || fail
+echo "key0" | $CRYPTSETUP -q luksFormat --master-key-file /dev/urandom $LOOPDEV -d $KEY1 || fail
+$CRYPTSETUP -q luksFormat --master-key-file /dev/urandom -s 128 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
+$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+
+prepare "[17] AddKey passphrase and keyfile" wipe
+# [0]key0 [1]key1 [2]$KEY1/1 [3]$KEY1 [4]$KEY2
+$CRYPTSETUP -q luksFormat $LOOPDEV $KEY1 --key-slot 3 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 --key-slot 3 2>/dev/null && fail
+# keyfile/keyfile
+$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 --key-slot 4 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: ENABLED" || fail
+# passphrase/keyfile
+echo "key0" | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 --key-slot 0 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
+# passphrase/passphrase
+echo -e "key0\nkey1\n" | $CRYPTSETUP luksAddKey $LOOPDEV --key-slot 1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
+# keyfile/passphrase
+echo -e "key1\n" | $CRYPTSETUP luksAddKey $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
+
+prepare "[18] RemoveKey passphrase and keyfile" reuse
+$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail
+$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail
+$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail
+$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: DISABLED" || fail
+# kill slot using passphrase from 1
+echo "key1" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: DISABLED" || fail
+# remove key0 / slot 0
+echo "key0" | $CRYPTSETUP luksRemoveKey $LOOPDEV || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
+# last keyslot, in batch mode no passphrase needed...
+$CRYPTSETUP luksKillSlot -q $LOOPDEV 1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
+
+prepare "[19] create & status & resize" wipe
+echo "key0" | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail
+echo "key0" | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
+$CRYPTSETUP -q resize  $DEV_NAME --size 100 || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q resize  $DEV_NAME || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "19997 sectors" || fail
+$CRYPTSETUP -q remove  $DEV_NAME || fail
+echo "key0" | $CRYPTSETUP create $DEV_NAME $LOOPDEV || fail
+$CRYPTSETUP -q remove  $DEV_NAME || fail
+echo "key0" | $CRYPTSETUP -q create $DEV_NAME $LOOPDEV || fail
+$CRYPTSETUP -q remove  $DEV_NAME || fail
+# verify is ignored on non-tty input
+echo "key0" | $CRYPTSETUP create $DEV_NAME $LOOPDEV --verify-passphrase || fail
+$CRYPTSETUP -q remove  $DEV_NAME || fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d blah 2>/dev/null && fail
+$CRYPTSETUP -q remove  $DEV_NAME || fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d /dev/urandom || fail
+$CRYPTSETUP -q remove  $DEV_NAME || fail
+
+prepare "[20] Disallow open/create if already mapped." wipe
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
+$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
+$CRYPTSETUP create $DEV_NAME2 $LOOPDEV -d $KEY1 2>/dev/null && fail
+echo "key0" | $CRYPTSETUP -q luksFormat $LOOPDEV 2>/dev/null && fail
+$CRYPTSETUP remove  $DEV_NAME || fail
+echo "key0" | $CRYPTSETUP -q luksFormat $LOOPDEV || fail
+echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
+echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME2 2>/dev/null && fail
+$CRYPTSETUP  luksClose  $DEV_NAME || fail
+
+prepare "[21] luksDump" wipe
+echo "key0" | $CRYPTSETUP -q luksFormat --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
+echo "key0" | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
+$CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
+echo "bad" | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
+echo "key0" | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || fail
+$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail
+
 remove_mapping
 exit 0

tests/differ.c

@@ -0,0 +1,165 @@
+/*
+ * cryptsetup file differ check (rewritten Clemens' fileDiffer in Python)
+ *
+ * Copyright (C) 2010 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+
+struct ffile {
+	char *name;
+	int fd;
+	unsigned char *addr;
+	size_t size;
+};
+
+enum df { OK , FAIL };
+
+static void print_diff(off_t from, int max,
+		       const unsigned char *o,
+		       const unsigned char *n)
+{
+	int i, len = max;
+
+	if (len > 16)
+		len = 16;
+
+	printf("OLD:");
+	for (i = 0; i < len; i++)
+		printf(" %02x", o[from + i]);
+	printf("%s\n    ", max != len ? " ..." : "");
+	for (i = 0; i < len; i++)
+		printf(" %2c", o[from + i] > ' ' ? o[from + i]: '.');
+	printf("\nNEW:");
+	for (i = 0; i < len; i++)
+		printf(" %02x", n[from + i]);
+	printf("%s\n    ", max != len ? " ..." : "");
+	for (i = 0; i < len; i++)
+		printf(" %2c", n[from + i] > ' ' ? n[from + i]: '.');
+	printf("\n");
+}
+
+/*
+ * Xfrom-to (e.g. R10-15)
+ * A - change allowed
+ * S - change required, semantic
+ * R - change required, random
+ * F - change forbidden
+ */
+static enum df check(const char *range, unsigned char *o, unsigned char *n)
+{
+	char strict;
+	unsigned long long from, to;
+	enum df ret;
+
+	if (sscanf(range, "%c%llu-%llu", &strict, &from, &to) != 3) {
+		printf("Unknown range format %s.\n", range);
+		return FAIL;
+	}
+
+	switch (toupper(strict)) {
+	case 'A':
+		ret = OK;
+		break;
+	case 'S':
+		ret = memcmp(&o[from], &n[from], to - from + 1) != 0 ? OK : FAIL;
+		break;
+	case 'R': /* FIXME - random test */
+		ret = memcmp(&o[from], &n[from], to - from + 1) != 0 ? OK : FAIL;
+		break;
+	case 'F':
+		ret = memcmp(&o[from], &n[from], to - from + 1) == 0 ? OK : FAIL;
+		break;
+	default:
+		ret = FAIL;
+		break;
+	}
+
+	if (ret == FAIL)
+		print_diff(from,  to - from + 1, o, n);
+
+	return ret;
+}
+
+static int open_mmap(struct ffile *f)
+{
+	struct stat st;
+
+	f->fd = open(f->name, O_RDONLY);
+	if (f->fd == -1 || fstat(f->fd, &st) == -1)
+		return 0;
+
+	f->size = st.st_size;
+	f->addr = mmap(NULL, f->size, PROT_READ, MAP_PRIVATE, f->fd, 0);
+
+	return (f->addr == MAP_FAILED) ? 0 : 1;
+}
+
+static void close_mmap(struct ffile *f)
+{
+	if (f->addr != MAP_FAILED && !munmap(f->addr, f->size))
+		f->addr = MAP_FAILED;
+
+	if (f->fd != -1 && !close(f->fd))
+		f->fd = -1;
+}
+
+int main(int argc, char *argv[])
+{
+	int i, r = 1;
+	struct ffile file_old = {
+		.fd = -1,
+		.addr = MAP_FAILED,
+	};
+	struct ffile file_new = {
+		.fd = -1,
+		.addr = MAP_FAILED,
+	};
+
+	if (argc < 3) {
+		printf("Use: differ old_file new_file change_list.\n");
+		goto bad;
+	}
+
+	file_old.name = argv[1];
+	if (!open_mmap(&file_old))
+		goto bad;
+
+	file_new.name = argv[2];
+	if (!open_mmap(&file_new))
+		goto bad;
+
+	for (i = 3; i < argc; i++)
+		if (check(argv[i], file_old.addr, file_new.addr) == FAIL) {
+			printf ("FAILED for %s\n", argv[i]);
+			r = 1;
+			goto bad;
+		}
+
+	r = 0;
+bad:
+	close_mmap(&file_new);
+	close_mmap(&file_old);
+
+	return r;
+}

tests/fileDiffer.py

@@ -1,129 +0,0 @@
-#!/usr/bin/python
-
-#
-# Usage: fileDiffer <afile> <bfile> <list of disk changes>
-# 
-
-# LUKS 
-# quick regression test suite
-# Tests LUKS images for changes at certain disk offsets
-#
-# Does fast python code has to look ugly or is it just me?
-
-import sys
-
-class changes:
-	pass
-
-def parseArgs(args):
-	aFileName = args[1]
-	bFileName = args[2]
-	changelist = []
-	args[0:3] = []
-	for i in args:
-		mychanges = changes();
-		if i.startswith('A'):
-			mychanges.mode = 'ALLOWED'
-		if i.startswith('R'):
-			mychanges.mode = 'REQUIRED'
-			mychanges.strictness = 'RANDOM'
-		if i.startswith('S'):
-			mychanges.mode = 'REQUIRED'
-			mychanges.strictness = 'SEMANTIC'
-		
-		dashIndex = i.find('-')
-		if dashIndex == -1:			
-			mychanges.starts = int(i[1:])
-			mychanges.ends = mychanges.starts
-		else:
-			mychanges.starts = int(i[1:dashIndex])
-			mychanges.ends = int(i[dashIndex+1:])
-		mychanges.miss = 0
-		changelist.append(mychanges)
-	mychanges = changes();
-	mychanges.starts = 0
-#	mychanges.ends will be fixed later
-	mychanges.mode = 'FORBIDDEN'	
-	changelist.append(mychanges)
-	return [aFileName, bFileName, changelist]
-
-def mode(i):
-	for c in changelist:
-		if i >= c.starts and i<=c.ends:
-			return c
-def cleanchanges(i):
-	newchangelist=[]	
-	for c in changelist:
-		if i <= c.starts or i <= c.ends:
-			newchangelist.append(c)
-	return newchangelist
-
-[aFileName, bFileName, changelist] = parseArgs(sys.argv)
-
-aFile = open(aFileName,'r')
-bFile = open(bFileName,'r')
-
-aString = aFile.read()
-bString = bFile.read()
-
-if len(aString) != len(bString): 
-	sys.exit("Mismatch different file sizes")
-
-fileLen = len(aString)
-fileLen10th = fileLen/10
-
-# Create a catch all entry
-changelist[-1].ends = fileLen
-
-print "Changes list: (FORBIDDEN default)"
-print "start\tend\tmode\t\tstrictness"
-for i in changelist:
-	if i.mode == 'REQUIRED':
-		print "%d\t%d\t%s\t%s" % (i.starts, i.ends, i.mode, i.strictness)
-	else:
-		print "%d\t%d\t%s" % (i.starts, i.ends, i.mode)
-
-
-filepos = 0
-fileLen10thC = 0
-print "[..........]"
-sys.stdout.write("[")
-sys.stdout.flush()
-
-modeNotTrivial = 1
-while filepos < fileLen:
-
-	if modeNotTrivial == 1:
-		c = mode(filepos)
-#	print (filepos, c.mode)
-	if c.mode == 'REQUIRED':
-		if aString[filepos] == bString[filepos]:
-			c.miss = c.miss + 1
-	else:
-		if aString[filepos] != bString[filepos] and c.mode != 'ALLOWED':
-			sys.exit("Mismatch at %d: change forbidden" % filepos)
-
-	# Do some maintaince, print progress bar, and clean changelist
-	#
-	# Maintaining two counters appears to be faster than modulo operation
-	if fileLen10thC == fileLen10th:
-		fileLen10thC = 0
-		sys.stdout.write(".")
-		sys.stdout.flush()
-		changelist = cleanchanges(filepos)
-		if len(changelist) == 1:
-			modeNotTrivial = 0
-	filepos = filepos + 1
-	fileLen10thC = fileLen10thC + 1
-
-for c in changelist:
-	if c.mode == 'REQUIRED':
-		if c.strictness == 'SEMANTIC' and c.miss == (c.ends-c.starts+1):
-			sys.exit("Mismatch: not even a single change in region %d-%d." % (c.starts, c.ends))
-   	        # This is not correct. We should do a statistical test
-	        # of the sampled data against the hypothetical distribution
-	        # of collision. Chi-Square Test.
-		if c.strictness == 'RANDOM' and c.miss == (c.ends-c.starts+1):
-			sys.exit("Mismatch: not even a single change in region %d-%d." % (c.starts, c.ends))
-
-print ".] - everything ok"

tests/mode-test

@@ -0,0 +1,143 @@
+#!/bin/bash
+#
+# Test mode compatibility, check input + kernel and cryptsetup cipher status
+#
+CRYPTSETUP=../src/cryptsetup
+DEV_NAME=dmc_test
+LOOPDEV=/dev/loop5
+HEADER_IMG=mode-test.img
+PASSWORD=3xrododenron
+
+# cipher-chainmode-ivopts:ivmode
+CIPHERS="aes twofish serpent"
+MODES="cbc lrw xts"
+IVMODES="null benbi plain plain64 essiv:sha256"
+
+dmremove() { # device
+	udevadm settle 2>/dev/null 2>&1
+	dmsetup remove $1 2>/dev/null 2>&1
+}
+
+cleanup() {
+	for dev in $(dmsetup status --target crypt | sed s/\:\ .*// | grep "^$DEV_NAME"_); do
+		dmremove $dev
+	done
+	sleep 2
+	[ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
+	losetup -d $LOOPDEV >/dev/null 2>&1
+	rm -f $HEADER_IMG >/dev/null 2>&1
+}
+
+fail()
+{
+	[ -n "$1" ] && echo "$1"
+	cleanup
+	exit 100
+}
+
+add_device() {
+	dd if=/dev/zero of=$HEADER_IMG bs=1M count=6 >/dev/null 2>&1
+	sync
+	losetup $LOOPDEV $HEADER_IMG >/dev/null 2>&1
+	dmsetup create $DEV_NAME --table "0 10240 linear $LOOPDEV 8" >/dev/null 2>&1
+}
+
+dmcrypt_check() # device outstring
+{
+	X=$(dmsetup table $1 2>/dev/null | cut -d' '  -f 4)
+	if [ $X = $2 ] ; then
+		echo -n "[table OK]"
+	else
+		echo "[table FAIL]"
+		echo " Expecting $2 got $X."
+		fail
+	fi
+
+	X=$($CRYPTSETUP status $1 | grep cipher | sed s/\.\*cipher:\\s*//)
+	if [ $X = $2 ] ; then
+		echo -n "[status OK]"
+	else
+		echo "[status FAIL]"
+		echo " Expecting $2 got $X."
+		fail
+	fi
+
+	dmremove $1
+}
+
+dmcrypt_check_sum() # cipher device outstring
+{
+	EXPSUM="c036cbb7553a909f8b8877d4461924307f27ecb66cff928eeeafd569c3887e29"
+	# Fill device with zeroes and reopen it
+	dd if=/dev/zero of=/dev/mapper/$2 bs=1M count=6 >/dev/null 2>&1
+	sync
+	dmremove $2
+	echo $PASSWORD | $CRYPTSETUP create -c $1 -s 256 $2 /dev/mapper/$DEV_NAME >/dev/null 2>&1
+	ret=$?
+	VSUM=$(sha256sum /dev/mapper/$2 | cut -d' ' -f 1)
+	if [ $ret -eq 0 -a "$VSUM" = "$EXPSUM" ] ; then
+		echo -n "[OK]"
+	else
+		echo "[FAIL]"
+		echo " Expecting $EXPSUM got $VSUM."
+		fail
+	fi
+
+	dmremove $2
+}
+
+dmcrypt()
+{
+	OUT=$2
+	[ -z "$OUT" ] && OUT=$1
+	printf "%-25s" "$1"
+
+	echo $PASSWORD | $CRYPTSETUP create -c $1 -s 256 "$DEV_NAME"_"$1" /dev/mapper/$DEV_NAME >/dev/null 2>&1
+	if [ $? -eq 0 ] ; then
+		echo -n -e "PLAIN:"
+		dmcrypt_check "$DEV_NAME"_"$1" $OUT
+	else
+		echo -n "[n/a]"
+	fi
+
+	echo $PASSWORD | $CRYPTSETUP luksFormat -i 1 -c $1 -s 256 /dev/mapper/$DEV_NAME >/dev/null 2>&1
+	if [ $? -eq 0 ] ; then
+		echo -n -e " LUKS:"
+		echo $PASSWORD | $CRYPTSETUP luksOpen /dev/mapper/$DEV_NAME "$DEV_NAME"_"$1" >/dev/null 2>&1
+		dmcrypt_check "$DEV_NAME"_"$1" $OUT
+	fi
+
+	# repeated device creation must return the same checksum
+	echo $PASSWORD | $CRYPTSETUP create -c $1 -s 256 "$DEV_NAME"_"$1" /dev/mapper/$DEV_NAME >/dev/null 2>&1
+	if [ $? -eq 0 ] ; then
+		echo -n -e " CHECKSUM:"
+		dmcrypt_check_sum "$1" "$DEV_NAME"_"$1"
+	fi
+	echo
+}
+
+if [ $(id -u) != 0 ]; then
+	echo "WARNING: You must be root to run this test, test skipped."
+	exit 0
+fi
+
+add_device
+
+# compatibility modes
+dmcrypt aes aes-cbc-plain
+dmcrypt aes-plain aes-cbc-plain
+
+# codebook doesn't support IV at all
+for cipher in $CIPHERS ; do
+	dmcrypt "$cipher-ecb"
+done
+
+for cipher in $CIPHERS ; do
+	for mode in $MODES ; do
+		for ivmode in $IVMODES ; do
+			dmcrypt "$cipher-$mode-$ivmode"
+		done
+	done
+done
+
+cleanup

tests/password-hash-test

@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# check hash processing in create command
+
+CRYPTSETUP=../src/cryptsetup
+DEV_NAME=dmc_test
+KEY_FILE=keyfile
+
+DEV2=$DEV_NAME"_x"
+
+dmremove() { # device
+	udevadm settle 2>/dev/null 2>&1
+	dmsetup remove $1 2>/dev/null 2>&1
+}
+
+cleanup() {
+	[ -b /dev/mapper/$DEV2 ] && dmremove $DEV2
+	[ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
+	rm -f $KEY_FILE
+	exit $1
+}
+
+crypt_key() # hash keysize pwd/file name outkey
+{
+	DEV2=$DEV_NAME"_x"
+	MODE=aes-cbc-essiv:sha256
+	[ $2 -gt 256 ] && MODE=aes-xts-plain
+
+	echo -n "HASH: $1 KSIZE: $2 / $3"
+	case "$3" in
+	pwd)
+		echo -e -n "$4" | $CRYPTSETUP create -c $MODE -h $1 -s $2 $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
+		ret=$?
+		;;
+	stdin)
+		echo -e -n "$4" | $CRYPTSETUP create -c $MODE -d "-" -h $1 -s $2 $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
+		ret=$?
+		;;
+	file)
+		$CRYPTSETUP create -c $MODE -d $4 -h $1 -s $2 $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
+		ret=$?
+		;;
+	*)
+		fail
+		;;
+	esac
+
+	if [ $ret -ne 0 ] ; then
+		echo " [n/a]"
+		return
+	fi
+
+	VKEY=$(dmsetup table $DEV2 --showkeys 2>/dev/null | cut -d' '  -f 5)
+	if [ "$VKEY" != "$5" ] ; then
+		echo " [FAILED]"
+		echo "expected: $5"
+		echo "real key: $VKEY"
+		cleanup 100
+	else
+		echo " [OK]"
+	fi
+
+	dmremove $DEV2
+}
+
+if [ $(id -u) != 0 ]; then
+	echo "WARNING: You must be root to run this test, test skipped."
+	exit 0
+fi
+
+dmsetup create $DEV_NAME --table "0 10240 zero" >/dev/null 2>&1
+
+crypt_key ripemd160   0 pwd "xxx" aeb26d1f69eb6dddfb9381eed4d7299f091e99aa5d3ff06866d4ce9f620f7aca
+crypt_key ripemd160 256 pwd "xxx" aeb26d1f69eb6dddfb9381eed4d7299f091e99aa5d3ff06866d4ce9f620f7aca
+crypt_key ripemd160 128 pwd "xxx" aeb26d1f69eb6dddfb9381eed4d7299f
+crypt_key sha1      256 pwd "xxx" b60d121b438a380c343d5ec3c2037564b82ffef30b1e0a6ad9af7a73aa91c197
+crypt_key sha1      128 pwd "xxx" b60d121b438a380c343d5ec3c2037564
+crypt_key sha256    256 pwd "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860
+crypt_key sha256    128 pwd "xxx" cd2eb0837c9b4c962c22d2ff8b5441b7
+
+crypt_key ripemd160   0 stdin "xxx"   aeb26d1f69eb6dddfb9381eed4d7299f091e99aa5d3ff06866d4ce9f620f7aca
+crypt_key ripemd160 256 stdin "xxx\n" 625ce2a8dbdf08f1de400dba7ab9fab246f2a55ad6136e6cafd6703732dab8cf
+
+# with keyfile, hash is ignored
+crypt_key ripemd160 256 file /dev/zero 0000000000000000000000000000000000000000000000000000000000000000
+crypt_key sha256    256 file /dev/zero 0000000000000000000000000000000000000000000000000000000000000000
+
+# key file, 80 chars
+echo -n -e "0123456789abcdef\n\x01\x00\x03\xff\xff\r\xff\xff\n\r" \
+	   "2352j3rkjhadcfasc823rqaw7e1 3dq sdq3d 2dkjqw3h2=====" >$KEY_FILE
+KEY_FILE_HEX="303132333435363738396162636465660a010003ffff0dffff0a0d20323335326a33726b6a686164636661736338323372716177376531203364712073647133"
+
+crypt_key ripemd160 256 file $KEY_FILE ${KEY_FILE_HEX:0:64}
+crypt_key sha256    256 file $KEY_FILE ${KEY_FILE_HEX:0:64}
+crypt_key sha256    128 file $KEY_FILE ${KEY_FILE_HEX:0:32}
+crypt_key sha256    512 file $KEY_FILE $KEY_FILE_HEX
+
+cleanup 0