Version 1.6.2.

Remove some TCRYPT comments from man page (FAQ is better for this).

FAQ

@@ -64,6 +64,13 @@ A. Contributors
   installers after a complete backup of all LUKS containers has been
   made.
 
+  UBUNTU INSTALLER: In particular the Ubuntu installer seems to be
+  quite willing to kill LUKS containers in several different ways.
+  Those responsible at Ubuntu seem not to care very much (it is very
+  easy to recognize a LUKS container), so treat the process of
+  installing Ubuntu as a severe hazard to any LUKS container you may
+  have.
+
   NO WARNING ON NON-INTERACTIVE FORMAT: If you feed cryptsetup from
   STDIN (e.g. via GnuPG) on LUKS format, it does not give you the
   warning that you are about to format (and e.g. will lose any
@@ -104,8 +111,11 @@ A. Contributors
   This issue has been acknowledged by the Ubuntu dev team, see here:
   http://launchpad.net/bugs/420080
 
-  Update 7/2012: I am unsure whether this has been fixed by now, best
-  be careful.
+  Update 4/2013: I am still unsure whether this has been fixed by
+  now, best be careful. They also seem to have added even more LUKS
+  killer functionality to the Ubuntu installer. I can only strongly
+  recommended to not install Ubuntu on a system with existing LUKS
+  containers without complete backups.
 
 
  * 1.4 My LUKS-device is broken! Help!
@@ -136,13 +146,17 @@ A. Contributors
 
  * 1.5 Who wrote this?
 
-  Current FAQ maintainer is Arno Wagner <arno@wagner.name>. Other
-  contributors are listed at the end. If you want to contribute, send
-  your article, including a descriptive headline, to the maintainer,
-  or the dm-crypt mailing list with something like "FAQ ..." in the
-  subject. You can also send more raw information and have me write
-  the section. Please note that by contributing to this FAQ, you
-  accept the license described below.
+  Current FAQ maintainer is Arno Wagner <arno@wagner.name>. If you
+  want to send me encrypted email, my current PGP key is DSA key
+  CB5D9718, fingerprint 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D
+  9718.
+
+  Other contributors are listed at the end. If you want to contribute,
+  send your article, including a descriptive headline, to the
+  maintainer, or the dm-crypt mailing list with something like "FAQ
+  ..." in the subject. You can also send more raw information and
+  have me write the section. Please note that by contributing to this
+  FAQ, you accept the license described below.
 
   This work is under the "Attribution-Share Alike 3.0 Unported"
   license, which means distribution is unlimited, you may create
@@ -259,6 +273,25 @@ A. Contributors
  
   Just follow the on-screen instructions.
 
+  Note: Passphrase iteration is determined by cryptsetup depending on
+  CPU power. On a slow device, this may be lower than you want. I
+  recently benchmarked this on a Raspberry Pi and it came out at
+  about 1/15 of the iteration count for a typical PC. If security is
+  paramount, you may want to increase the time spent in iteration, at
+  the cost of a slower unlock later. For the Raspberry Pi, using
+
+   cryptsetup luksFormat -i 15000 <target device>
+ 
+  gives you an iteration count and security level equal to an average
+  PC for passphrase iteration and master-key iteration. If in doubt,
+  check the iteration counts with
+
+   cryptsetup luksDump <target device>
+ 
+  and adjust the iteration count accordingly by creating the container
+  again with a different iteration time (the number after '-i' is the
+  iteration time in milicesonds) until your requirements are met.
+
   05) Map the container. Here it will be mapped to /dev/mapper/c1:
      cryptsetup luksOpen <target device> c1 
  
@@ -289,7 +322,62 @@ A. Contributors
   easy to make, but will compromise your security.
 
 
- * 2.2 What is the difference between "plain" and LUKS format?
+ * 2.2 How do I set up encrypted swap?
+
+  As things that are confidential can end up in swap (keys,
+  passphrases, etc. are usually protected against being swapped to
+  disk, but other things may not be), it may be advisable to do
+  something about the issue. One option is to run without swap, which
+  generally works well in a desktop-context. It may cause problems
+  in a server-setting or under special circumstances. The solution to
+  that is to encrypt swap with a random key at boot-time.
+
+  NOTE: This is for Debian, and should work for Debian-derived
+  distributions. For others you may have to write your own startup
+  script or use other mechanisms.
+
+  01) Add the swap partition to /etc/crypttab. A line like the following
+  should do it:
+
+      swap  /dev/<partition>  /dev/urandom   swap,noearly
+ 
+  Warning: While Debian refuses to overwrite partitions with a
+  filesystem or RAID signature on it, if your disk IDs may change
+  (adding or removing disks, failure of disk during boot, etc.), you
+  may want to take additional precautions. This is not a concern if
+  you have only one disk. One possibility is to make sure the
+  partition number is not present on additional disks or also swap
+  there. Another is to encapsulate the swap partition (by making it a
+  1-disk RAID1 or by using LVM), so that it gets a persistent
+  identifier. Specifying it directly by UUID does not work,
+  unfortunately, as the UUID is part of the swap signature and that
+  is not visible from the outside due to the encryption and in
+  addition changes on each reboot with this setup.
+
+  Note: Use /dev/random if you are paranoid or in a potential
+  low-entropy situation (embedded system, etc.). This may cause the
+  operation to take a long time during boot. If you are in a "no
+  entropy" situation, you cannot encrypt swap securely. In this
+  situation you should find some entropy, also because nothing else
+  using crypto will be secure, like ssh, ssl or GnuPG.
+
+  Note: The "noearly" option makes sure things like LVM, RAID, etc.
+  are running. As swap is non-critical for boot, it is fine to start
+  it late.
+
+  02) Add the swap partition to /etc/fstab. A line like the following
+  should do it:
+
+      /dev/mapper/swap none swap sw 0 0
+ 
+  That is it. Reboot or start it manually to activate encrypted swap.
+  Manual start would look like this:
+
+      /etc/init.d/crypdisks start
+      swapon /dev/mapper/swap
+ 
+
+ * 2.3 What is the difference between "plain" and LUKS format?
 
   First, unless you happen to understand the cryptographic background
   well, you should use LUKS. It does protect the user from a lot of
@@ -309,13 +397,24 @@ A. Contributors
 
   Side-note: That has limited value against the authorities. In
   civilized countries, they cannot force you to give up a crypto-key
-  anyways. In the US, the UK and dictatorships around the world,
-  they can force you to give up the keys (using imprisonment or worse
-  to pressure you), and in the worst case, they only need a
-  nebulous "suspicion" about the presence of encrypted data. My
-  advice is to either be ready to give up the keys or to not have
+  anyways. In quite a few countries around the world, they can force
+  you to give up the keys (using imprisonment or worse to pressure
+  you, sometimes without due process), and in the worst case, they
+  only need a nebulous "suspicion" about the presence of encrypted
+  data. Sometimes this applies to everybody, sometimes only when you
+  are suspected of having "illicit data" (definition subject to
+  change) and sometimes specifically when crossing a border. Note
+  that this is going on in countries like the US and the UK, to
+  different degrees and sometimes with courts restricting what the
+  authorities can actually demand.
+
+  My advice is to either be ready to give up the keys or to not have
   encrypted data when traveling to those countries, especially when
-  crossing the borders.
+  crossing the borders. The latter also means not having any
+  high-entropy (random) data areas on your disk, unless you can
+  explain them and demonstrate that explanation. Hence doing a
+  zero-wipe of all free space, including unused space, may be a good
+  idea.
 
   Disadvantages are that you do not have all the nice features that
   the LUKS metadata offers, like multiple passphrases that can be
@@ -343,7 +442,7 @@ A. Contributors
   non-default XTS mode).
 
 
- * 2.3 Can I encrypt an already existing, non-empty partition to use
+ * 2.4 Can I encrypt an already existing, non-empty partition to use
    LUKS?
 
   There is no converter, and it is not really needed. The way to do
@@ -358,7 +457,7 @@ A. Contributors
   to be in a filesystem.
 
 
- * 2.4 How do I use LUKS with a loop-device?
+ * 2.5 How do I use LUKS with a loop-device?
 
   This can be very handy for experiments. Setup is just the same as
   with any block device. If you want, for example, to use a 100MiB
@@ -372,7 +471,7 @@ A. Contributors
   To unmap the file when done, use "losetup -d /dev/loop0".
 
 
- * 2.5 When I add a new key-slot to LUKS, it asks for a passphrase but
+ * 2.6 When I add a new key-slot to LUKS, it asks for a passphrase but
    then complains about there not being a key-slot with that
    passphrase?
 
@@ -384,7 +483,7 @@ A. Contributors
   new key-slot.
 
 
- * 2.6 Encryption on top of RAID or the other way round?
+ * 2.7 Encryption on top of RAID or the other way round?
 
   Unless you have special needs, place encryption between RAID and
   filesystem, i.e. encryption on top of RAID. You can do it the other
@@ -393,16 +492,39 @@ A. Contributors
   not work anymore. Therefore it is better to encrypt the RAID
   device, e.g. /dev/dm0 .
 
+  This means that the typical layering looks like this:
 
- * 2.7 How do I read a dm-crypt key from file?
+  Filesystem     <- top
+  |
+  Encryption
+  |
+  RAID
+  |
+  Raw partitions
+  |
+  Raw disks      <- bottom
+ 
+  The big advantage is that you can manage the RAID container just
+  like any RAID container, it does not care that what is in it is
+  encrypted.
 
-  Note that the file will still be hashed first, just like keyboard
-  input. Use the --key-file option, like this:
+
+ * 2.8 How do I read a dm-crypt key from file?
+
+  Use the --key-file option, like this:
 
       cryptsetup create --key-file keyfile e1 /dev/loop0
  
+  This will read the binary key from file, i.e. no hashing or
+  transformation will be applied to the keyfile before its bits are
+  used as key. Extra bits (beyond the length of the key) at the end
+  are ignored. Note that if you read from STDIN, the data will still
+  be hashed, just as a key read interactively from the terminal. See
+  the man-page sections "NOTES ON PASSPHRASE PROCESSING..." for more
+  detail.
 
- * 2.8 How do I read a LUKS slot key from file?
+
+ * 2.9 How do I read a LUKS slot key from file?
 
   What you really do here is to read a passphrase from file, just as
   you would with manual entry of a passphrase for a key-slot. You can
@@ -428,7 +550,7 @@ A. Contributors
       cryptsetup luksOpen --key-file keyfile /dev/loop0 e1
  
 
- * 2.9 How do I read the LUKS master key from file?
+ * 2.10 How do I read the LUKS master key from file?
 
   The question you should ask yourself first is why you would want to
   do this. The only legitimate reason I can think of is if you want
@@ -439,7 +561,7 @@ A. Contributors
   do this here.
 
 
- * 2.10 What are the security requirements for a key read from file?
+ * 2.11 What are the security requirements for a key read from file?
 
   A file-stored key or passphrase has the same security requirements
   as one entered interactively, however you can use random bytes and
@@ -451,7 +573,7 @@ A. Contributors
       head -c 256 /dev/random > keyfile
  
 
- * 2.11 If I map a journaled file system using dm-crypt/LUKS, does it
+ * 2.12 If I map a journaled file system using dm-crypt/LUKS, does it
    still provide its usual transactional guarantees?
 
   Yes, it does, unless a very old kernel is used. The required flags
@@ -479,7 +601,7 @@ A. Contributors
   should improve further and eventually the problem should go away.
 
 
- * 2.12 Can I use LUKS or cryptsetup with a more secure (external)
+ * 2.13 Can I use LUKS or cryptsetup with a more secure (external)
    medium for key storage, e.g. TPM or a smartcard?
 
   Yes, see the answers on using a file-supplied key. You do have to
@@ -488,8 +610,12 @@ A. Contributors
   own tool that in turn gets the key from the more secure key
   storage.
 
+  For TPM support, you may want to have a look at tpm-luks at
+  https://github.com/shpedoikal/tpm-luks. Note that tpm-luks is not
+  related to the cryptsetup project.
 
- * 2.13 Can I resize a dm-crypt or LUKS partition?
+
+ * 2.14 Can I resize a dm-crypt or LUKS partition?
 
   Yes, you can, as neither dm-crypt nor LUKS stores partition size.
   Whether you should is a different question. Personally I recommend
@@ -509,6 +635,47 @@ A. Contributors
   for that.
 
 
+ * 2.15 How do I Benchmark the Ciphers, Hashes and Modes?
+
+  Since version 1.60 cryptsetup supports the "benchmark" command.
+  Simply run as root:
+
+   cryptsetup benchmark
+ 
+  It will output first iterations/second for the key-derivation
+  function PBKDF2 parameterized with different hash-functions, and
+  then the raw encryption speed of ciphers with different modes and
+  key-sizes. You can get more than the default benchmarks, see the
+  man-page for the relevant parameters. Note that XTS mode takes two
+  keys, hence the listed key sizes are double that for other modes
+  and half of it is the cipher key, the other half is the XTS key.
+
+
+ * 2.16 How do I Verify I have an Authentic cryptsetup Source Package?
+
+  Current maintainer is Milan Broz and he signs the release packages
+  with his PGP key. The key he currently uses is the "RSA key ID
+  D93E98FC", fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B
+  D93E 98FC. While I have every confidence this really is his key and
+  that he is who he claims to be, don't depend on it if your life is
+  at stake. For that matter, if your life is at stake, don't depend
+  on me being who I claim to be either.
+
+  That said, as cryptsetup is under good version control, a malicious
+  change should be noticed sooner or later, but it may take a while.
+  Also, the attacker model makes compromising the sources in a
+  non-obvious way pretty hard. Sure, you could put the master-key
+  somewhere on disk, but that is rather obvious as soon as somebody
+  looks as there would be data in an empty LUKS container in a place
+  it should not be. Doing this in a more nefarious way, for example
+  hiding the master-key in the salts, would need a look at the
+  sources to be discovered, but I think that somebody would find that
+  sooner or later as well.
+
+  That said, this discussion is really a lot more complicated and
+  longer as an FAQ can sustain. If in doubt, ask on the mailing list.
+
+
 3. Common Problems 
 
 
@@ -617,7 +784,38 @@ A. Contributors
   diagnosing and (if still possible) repairing this.
 
 
- * 4.2 Can a bad RAM module cause problems?
+ * 4.2 I cannot unlock my LUKS container! What could be the problem?
+
+  First, make sure you have a correct passphrase. Then make sure you
+  have the correct key-map and correct keyboard. And then make sure
+  you have the correct character set and encoding, see also
+  "PASSPHRASE CHARACTER SET" under Section 1.2.
+
+  If you are sure you are entering the passphrase right, there is the
+  possibility that the respective key-slot has been damaged. There
+  is no way to recover a damaged key-slot, except from a header
+  backup (see Section 6). For security reasons, there is also no
+  checksum in the key-slots that could tell you whether a key-slot has
+  been damaged. The only checksum present allows recognition of a
+  correct passphrase, but that only works if the passphrase is
+  correct and the respective key-slot is intact.
+
+  In order to find out whether a key-slot is damaged one has to look
+  for "non-random looking" data in it. There is a tool that
+  automatizes this in the cryptsetup distribution from version 1.6.0
+  onwards. It is located in misc/keyslot_checker/. Instructions how
+  to use and how to interpret results are in the README file. Note
+  that this tool requires a libcryptsetup from cryptsetup 1.6.0 or
+  later (which means libcryptsetup.so.4.5.0 or later). If the tool
+  complains about missing functions in libcryptsetup, you likely
+  have an earlier version from your distribution still installed. You
+  can either point the symbolic link(s) from libcryptsetup.so.4 to
+  the new version manually, or you can uninstall the distribution
+  version of cryptsetup and re-install that from cryptsetup >= 1.6.0
+  again to fix this.
+
+
+ * 4.3 Can a bad RAM module cause problems?
 
   LUKS and dm-crypt can give the RAM quite a workout, especially when
   combined with software RAID. In particular the combination RAID5 +
@@ -659,7 +857,7 @@ A. Contributors
   did a verify.
 
 
- * 4.3 How do I test RAM?
+ * 4.4 How do I test RAM?
 
   First you should know that overclocking often makes memory
   problems worse. So if you overclock (which I strongly recommend
@@ -733,8 +931,8 @@ A. Contributors
   is easier than it actually is is fine. An attacker may still have
   vastly higher cost than estimated here.
 
-  LUKS uses SHA1 for hasing per default. The claim in the reference is
-  63 billion tries/second for SHA1. We will leave aside the check
+  LUKS uses SHA1 for hashing per default. The claim in the reference
+  is 63 billion tries/second for SHA1. We will leave aside the check
   whether a try actually decrypts a key-slot. Now, the machine has 25
   GPUs, which I will estimate at an overall lifetime cost of USD/EUR
   1000 each, and an useful lifetime of 2 years. (This is on the low
@@ -1272,7 +1470,7 @@ A. Contributors
   foot, you can figure out how to do it yourself.
 
 
- * 5.19 What about SSDs or Flash Drives?
+ * 5.19 What about SSDs, Flash and Hybrid Drives?
 
   The problem is that you cannot reliably erase parts of these
   devices, mainly due to wear-leveling and possibly defect
@@ -1286,7 +1484,7 @@ A. Contributors
   done in some fashion so that larger writes do not cause a lot of
   small internal updates.
 
-  The thing is that the mappings between outside-adressable sectors
+  The thing is that the mappings between outside-addressable sectors
   and inside sectors is arbitrary (and the vendors are not talking).
   Also the discarded sectors are not necessarily erased immediately.
   They may linger a long time.
@@ -1315,11 +1513,15 @@ A. Contributors
 
   If you trust the device vendor (you probably should not...) you can
   try an ATA "secure erase" command for SSDs. That does not work for
-  USB keys though. And if it finishes after a few seconds, it was
-  possibly faked by the SSD.
+  USB keys though and may or may not be secure for a hybrid drive. If
+  it finishes on an SSD after a few seconds, it was possibly faked.
+  UNfortunately, for hybrid drives that indicator does not work, as
+  the drive may well take the time to dully erase the magnetic part,
+  but only mark the SSD/Flash part as erased while data is still in
+  there.
 
   If you can do without password management and are fine with doing
-  physical destruction for permenently deleting data (allways after
+  physical destruction for permanently deleting data (always after
   one or several full overwrites!), you can use plain dm-crypt or
   LUKS.
 
@@ -1330,13 +1532,13 @@ A. Contributors
   security as on a magnetic disk.
 
   If you are concerned about your laptop being stolen, you are likely
-  fine using LUKS on an SSD. An attacker would need to have access
-  to an old passphrase (and the key-slot for this old passphrase
-  would actually need to still be somewhere in the SSD) for your
-  data to be at risk. So unless you pasted your old passphrase all
-  over the Internet or the attacker has knowledge of it from some
-  other source and does a targetted laptop theft to get at your
-  data, you should be fine.
+  fine using LUKS on an SSD or hybrid drive. An attacker would need
+  to have access to an old passphrase (and the key-slot for this old
+  passphrase would actually need to still be somewhere in the SSD)
+  for your data to be at risk. So unless you pasted your old
+  passphrase all over the Internet or the attacker has knowledge of
+  it from some other source and does a targeted laptop theft to get
+  at your data, you should be fine.
 
 
 6. Backup and Data Recovery 

autogen.sh

@@ -78,7 +78,7 @@ autopoint --force $AP_OPTS
 libtoolize --force --copy
 aclocal -I m4 $AL_OPTS
 autoheader $AH_OPTS
-automake --add-missing --gnu $AM_OPTS
+automake --add-missing --copy --gnu $AM_OPTS
 autoconf $AC_OPTS
 
 if test x$NOCONFIGURE = x; then

configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[1.6.0])
+AC_INIT([cryptsetup],[1.6.2])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
@@ -11,7 +11,13 @@ AC_CONFIG_SRCDIR(src/cryptsetup.c)
 AC_CONFIG_MACRO_DIR([m4])
 
 AC_CONFIG_HEADERS([config.h:config.h.in])
-AM_INIT_AUTOMAKE(dist-bzip2)
+
+# We do not want to run test in parallel. Really.
+# http://lists.gnu.org/archive/html/automake/2013-01/msg00060.html
+
+# For old automake use this
+#AM_INIT_AUTOMAKE(dist-bzip2)
+AM_INIT_AUTOMAKE([dist-bzip2 1.12 serial-tests])
 
 if test "x$prefix" = "xNONE"; then
 	sysconfdir=/etc
@@ -32,7 +38,7 @@ PKG_PROG_PKG_CONFIG
 AC_HEADER_DIRENT
 AC_HEADER_STDC
 AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h sys/ioctl.h sys/mman.h \
-	ctype.h unistd.h locale.h)
+	ctype.h unistd.h locale.h byteswap.h endian.h)
 
 AC_CHECK_HEADERS(uuid/uuid.h,,[AC_MSG_ERROR([You need the uuid library.])])
 AC_CHECK_HEADER(libdevmapper.h,,[AC_MSG_ERROR([You need the device-mapper library.])])
@@ -44,11 +50,15 @@ LIBS=$saved_LIBS
 
 AC_CHECK_FUNCS([posix_memalign])
 
+if test "x$enable_largefile" = "xno" ; then
+  AC_MSG_ERROR([Building with --disable-largefile is not supported, it can cause data corruption.])
+fi
+
 AC_C_CONST
 AC_C_BIGENDIAN
 AC_TYPE_OFF_T
 AC_SYS_LARGEFILE
-
+AC_FUNC_FSEEKO
 AC_PROG_GCC_TRADITIONAL
 
 dnl ==========================================================================

docs/v1.6.1-ReleaseNotes

@@ -0,0 +1,32 @@
+Cryptsetup 1.6.1 Release Notes
+==============================
+
+Changes since version 1.6.0
+
+* Fix loop-AES keyfile parsing.
+  Loop-AES keyfile should be text keyfile, reject keyfiles which
+  are not properly terminated.
+
+* Fix passphrase pool overflow for too long TCRYPT passphrase.
+ (Maximal TCRYPT passphrase length is 64 characters.)
+
+* Return EPERM (translated to exit code 2) for too long TCRYPT passphrase.
+
+* Fix deactivation of device when failed underlying node disappeared.
+
+* Fix API deactivate call for TCRYPT format and NULL context parameter.
+
+* Improve keyslot checker example documentation.
+
+* Report error message if deactivation fails and device is still busy.
+
+* Make passphrase prompts more consistent (and remove "LUKS" form prompt).
+
+* Fix some missing headers (compilation failed with alternative libc).
+
+* Remove not functional API UUID support for plain & loopaes devices.
+  (not persistent activation UUID).
+
+* Properly cleanup devices on interrupt in api-test.
+
+* Support all tests run if kernel is in FIPS mode.

docs/v1.6.2-ReleaseNotes

@@ -0,0 +1,25 @@
+Cryptsetup 1.6.2 Release Notes
+==============================
+
+Changes since version 1.6.1
+
+* Print error and fail if more device arguments are present for isLuks command.
+
+* Fix cipher specification string parsing (found by gcc -fsanitize=address option).
+
+* Try to map TCRYPT system encryption through partition
+  (allows to activate mapping when other partition on the same device is mounted).
+
+* Print a warning if system encryption is used and device is a partition.
+  (TCRYPT system encryption uses whole device argument.)
+
+* Disallow explicit small payload offset for LUKS detached header.
+  LUKS detached header only allows data payload 0 (whole data device is used)
+  or explicit offset larger than header + keyslots size.
+
+* Fix boundary condition for verity device that caused failure for certain device sizes.
+
+* Various fixes to documentation, including update FAQ, default modes
+  and TCRYPT description.
+
+* Workaround for some recent changes in automake (serial-tests).

lib/Makefile.am

@@ -5,7 +5,7 @@ moduledir = $(libdir)/cryptsetup
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcryptsetup.pc
 
-AM_CPPFLAGS = \
+AM_CPPFLAGS = -include config.h \
 	-I$(top_srcdir)				\
 	-I$(top_srcdir)/lib/crypto_backend	\
 	-I$(top_srcdir)/lib/luks1		\
@@ -16,10 +16,7 @@ AM_CPPFLAGS = \
 	-DLIBDIR=\""$(libdir)"\"		\
 	-DPREFIX=\""$(prefix)"\"		\
 	-DSYSCONFDIR=\""$(sysconfdir)"\"	\
-	-DVERSION=\""$(VERSION)"\"		\
-	-D_GNU_SOURCE				\
-	-D_LARGEFILE64_SOURCE			\
-	-D_FILE_OFFSET_BITS=64
+	-DVERSION=\""$(VERSION)"\"
 
 lib_LTLIBRARIES = libcryptsetup.la
 
@@ -32,11 +29,11 @@ common_ldadd = \
 
 libcryptsetup_la_DEPENDENCIES = $(common_ldadd) libcryptsetup.sym
 
-libcryptsetup_la_LDFLAGS = \
+libcryptsetup_la_LDFLAGS = $(AM_LDFLAGS) -no-undefined \
 	-Wl,--version-script=$(top_srcdir)/lib/libcryptsetup.sym \
 	-version-info @LIBCRYPTSETUP_VERSION_INFO@
 
-libcryptsetup_la_CFLAGS = -Wall @CRYPTO_CFLAGS@
+libcryptsetup_la_CFLAGS = -Wall $(AM_CFLAGS) @CRYPTO_CFLAGS@
 
 libcryptsetup_la_LIBADD = \
 	@UUID_LIBS@				\

lib/crypto_backend/Makefile.am

@@ -2,7 +2,7 @@ moduledir = $(libdir)/cryptsetup
 
 noinst_LTLIBRARIES = libcrypto_backend.la
 
-libcrypto_backend_la_CFLAGS = -Wall @CRYPTO_CFLAGS@
+libcrypto_backend_la_CFLAGS = $(AM_CFLAGS) -Wall @CRYPTO_CFLAGS@
 
 libcrypto_backend_la_SOURCES = crypto_backend.h \
 	crypto_cipher_kernel.c pbkdf_check.c crc32.c
@@ -27,4 +27,4 @@ if CRYPTO_INTERNAL_PBKDF2
 libcrypto_backend_la_SOURCES += pbkdf2_generic.c
 endif
 
-AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/lib
+AM_CPPFLAGS = -include config.h -I$(top_srcdir)/lib

lib/crypto_backend/crypto_backend.h

@@ -23,7 +23,6 @@
 
 #include <stdint.h>
 #include <string.h>
-#include "config.h"
 
 struct crypt_device;
 struct crypt_hash;

lib/internal.h

@@ -24,10 +24,6 @@
 #ifndef INTERNAL_H
 #define INTERNAL_H
 
-#ifdef HAVE_CONFIG_H
-#	include "config.h"
-#endif
-
 #include <stdint.h>
 #include <stdarg.h>
 #include <unistd.h>
@@ -96,7 +92,9 @@ struct device *crypt_data_device(struct crypt_device *cd);
 int crypt_confirm(struct crypt_device *cd, const char *msg);
 
 char *crypt_lookup_dev(const char *dev_id);
-int crypt_sysfs_get_rotational(int major, int minor, int *rotational);
+int crypt_dev_is_rotational(int major, int minor);
+int crypt_dev_is_partition(const char *dev_path);
+char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t size);
 
 ssize_t write_blockwise(int fd, int bsize, void *buf, size_t count);
 ssize_t read_blockwise(int fd, int bsize, void *_buf, size_t count);

lib/libcryptsetup.h

@@ -393,7 +393,7 @@ struct crypt_params_verity {
  */
 struct crypt_params_tcrypt {
 	const char *passphrase;    /**< passphrase to unlock header (input only) */
-	size_t passphrase_size;    /**< passphrase size (input only) */
+	size_t passphrase_size;    /**< passphrase size (input only, max length is 64) */
 	const char **keyfiles;     /**< keyfile paths to unlock header (input only) */
 	unsigned int keyfiles_count;/**< keyfiles count (input only) */
 	const char *hash_name;     /**< hash function for PBKDF */

lib/libdevmapper.c

@@ -28,6 +28,7 @@
 #include <fcntl.h>
 #include <linux/fs.h>
 #include <uuid/uuid.h>
+#include <sys/utsname.h>
 
 #include "internal.h"
 
@@ -143,6 +144,16 @@ static void _dm_set_verity_compat(const char *dm_version, unsigned verity_maj,
 		verity_maj, verity_min, verity_patch);
 }
 
+static void _dm_kernel_info(void)
+{
+	struct utsname uts;
+
+	if (!uname(&uts))
+		log_dbg("Detected kernel %s %s %s.",
+			uts.sysname, uts.release, uts.machine);
+
+}
+
 static int _dm_check_versions(void)
 {
 	struct dm_task *dmt;
@@ -153,6 +164,8 @@ static int _dm_check_versions(void)
 	if (_dm_crypt_checked)
 		return 1;
 
+	_dm_kernel_info();
+
 	/* Shut up DM while checking */
 	_quiet_log = 1;
 
@@ -493,14 +506,19 @@ int dm_remove_device(struct crypt_device *cd, const char *name,
  * CRYPT-LUKS1-00000000000000000000000000000000-name
  * CRYPT-TEMP-name
  */
-static void dm_prepare_uuid(const char *name, const char *type, const char *uuid, char *buf, size_t buflen)
+static int dm_prepare_uuid(const char *name, const char *type, const char *uuid, char *buf, size_t buflen)
 {
 	char *ptr, uuid2[UUID_LEN] = {0};
 	uuid_t uu;
 	unsigned i = 0;
 
 	/* Remove '-' chars */
-	if (uuid && !uuid_parse(uuid, uu)) {
+	if (uuid) {
+		if (uuid_parse(uuid, uu) < 0) {
+			log_dbg("Requested UUID %s has invalid format.", uuid);
+			return -EINVAL;
+		}
+
 		for (ptr = uuid2, i = 0; i < UUID_LEN; i++)
 			if (uuid[i] != '-') {
 				*ptr = uuid[i];
@@ -516,6 +534,8 @@ static void dm_prepare_uuid(const char *name, const char *type, const char *uuid
 	log_dbg("DM-UUID is %s", buf);
 	if (i >= buflen)
 		log_err(NULL, _("DM-UUID for device %s was truncated.\n"), name);
+
+	return 0;
 }
 
 static int _dm_create_device(const char *name, const char *type,
@@ -542,7 +562,9 @@ static int _dm_create_device(const char *name, const char *type,
 		if (!dm_task_set_name(dmt, name))
 			goto out_no_removal;
 	} else {
-		dm_prepare_uuid(name, type, uuid, dev_uuid, sizeof(dev_uuid));
+		r = dm_prepare_uuid(name, type, uuid, dev_uuid, sizeof(dev_uuid));
+		if (r < 0)
+			return r;
 
 		if (!(dmt = dm_task_create(DM_DEVICE_CREATE)))
 			goto out_no_removal;

lib/loopaes/Makefile.am

@@ -2,15 +2,13 @@ moduledir = $(libdir)/cryptsetup
 
 noinst_LTLIBRARIES = libloopaes.la
 
-libloopaes_la_CFLAGS = -Wall @CRYPTO_CFLAGS@
+libloopaes_la_CFLAGS = -Wall $(AM_CFLAGS) @CRYPTO_CFLAGS@
 
 libloopaes_la_SOURCES = \
 	loopaes.c \
 	loopaes.h
 
-AM_CPPFLAGS = -D_GNU_SOURCE			\
-	-D_LARGEFILE64_SOURCE                   \
-	-D_FILE_OFFSET_BITS=64                  \
+AM_CPPFLAGS = -include config.h \
         -I$(top_srcdir)/lib			\
         -I$(top_srcdir)/lib/crypto_backend
 

lib/loopaes/loopaes.c

@@ -2,7 +2,7 @@
  * loop-AES compatible volume handling
  *
  * Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2012, Milan Broz
+ * Copyright (C) 2011-2013, Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -75,16 +75,16 @@ static int hash_keys(struct crypt_device *cd,
 		     const char *hash_override,
 		     const char **input_keys,
 		     unsigned int keys_count,
-		     unsigned int key_len_output)
+		     unsigned int key_len_output,
+		     unsigned int key_len_input)
 {
 	const char *hash_name;
 	char tweak, *key_ptr;
-	unsigned i, key_len_input;
+	unsigned int i;
 	int r;
 
 	hash_name = hash_override ?: get_hash(key_len_output);
 	tweak = get_tweak(keys_count);
-	key_len_input = strlen(input_keys[0]);
 
 	if (!keys_count || !key_len_output || !hash_name || !key_len_input) {
 		log_err(cd, _("Key processing error (using hash %s).\n"),
@@ -134,7 +134,8 @@ int LOOPAES_parse_keyfile(struct crypt_device *cd,
 			  size_t buffer_len)
 {
 	const char *keys[LOOPAES_KEYS_MAX];
-	unsigned i, key_index, key_len, offset;
+	unsigned int key_lengths[LOOPAES_KEYS_MAX];
+	unsigned int i, key_index, key_len, offset;
 
 	log_dbg("Parsing loop-AES keyfile of size %d.", buffer_len);
 
@@ -154,33 +155,45 @@ int LOOPAES_parse_keyfile(struct crypt_device *cd,
 
 	offset = 0;
 	key_index = 0;
+	key_lengths[0] = 0;
 	while (offset < buffer_len && key_index < LOOPAES_KEYS_MAX) {
-		keys[key_index++] = &buffer[offset];
-		while (offset < buffer_len && buffer[offset])
+		keys[key_index] = &buffer[offset];
+		key_lengths[key_index] = 0;;
+		while (offset < buffer_len && buffer[offset]) {
 			offset++;
+			key_lengths[key_index]++;
+		}
+		if (offset == buffer_len) {
+			log_dbg("Unterminated key #%d in keyfile.", key_index);
+			log_err(cd, _("Incompatible loop-AES keyfile detected.\n"));
+			return -EINVAL;
+		}
 		while (offset < buffer_len && !buffer[offset])
 			offset++;
+		key_index++;
 	}
 
 	/* All keys must be the same length */
-	key_len = key_index ? strlen(keys[0]) : 0;
+	key_len = key_lengths[0];
 	for (i = 0; i < key_index; i++)
-		if (key_len != strlen(keys[i])) {
+		if (!key_lengths[i] || (key_lengths[i] != key_len)) {
 			log_dbg("Unexpected length %d of key #%d (should be %d).",
-				strlen(keys[i]), i, key_len);
+				key_lengths[i], i, key_len);
 			key_len = 0;
 			break;
 		}
 
-	log_dbg("Keyfile: %d keys of length %d.", key_index, key_len);
 	if (offset != buffer_len || key_len == 0 ||
 	   (key_index != 1 && key_index !=64 && key_index != 65)) {
 		log_err(cd, _("Incompatible loop-AES keyfile detected.\n"));
 		return -EINVAL;
 	}
 
+	log_dbg("Keyfile: %d keys of length %d.", key_index, key_len);
+
 	*keys_count = key_index;
-	return hash_keys(cd, vk, hash, keys, key_index, crypt_get_volume_key_size(cd));
+	return hash_keys(cd, vk, hash, keys, key_index,
+			 crypt_get_volume_key_size(cd), key_len);
 }
 
 int LOOPAES_activate(struct crypt_device *cd,
@@ -195,7 +208,6 @@ int LOOPAES_activate(struct crypt_device *cd,
 	int r;
 	struct crypt_dm_active_device dmd = {
 		.target = DM_CRYPT,
-		.uuid   = crypt_get_uuid(cd),
 		.size   = 0,
 		.flags  = flags,
 		.data_device = crypt_data_device(cd),

lib/loopaes/loopaes.h

@@ -2,7 +2,7 @@
  * loop-AES compatible volume handling
  *
  * Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2012, Milan Broz
+ * Copyright (C) 2011-2013, Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -23,7 +23,6 @@
 #define _LOOPAES_H
 
 #include <unistd.h>
-#include "config.h"
 
 struct crypt_device;
 struct volume_key;

lib/luks1/Makefile.am

@@ -2,7 +2,7 @@ moduledir = $(libdir)/cryptsetup
 
 noinst_LTLIBRARIES = libluks1.la
 
-libluks1_la_CFLAGS = -Wall @CRYPTO_CFLAGS@
+libluks1_la_CFLAGS = -Wall $(AM_CFLAGS) @CRYPTO_CFLAGS@
 
 libluks1_la_SOURCES = \
 	af.c \
@@ -11,9 +11,7 @@ libluks1_la_SOURCES = \
 	af.h \
 	luks.h
 
-AM_CPPFLAGS = -D_GNU_SOURCE			\
-	-D_LARGEFILE64_SOURCE                   \
-	-D_FILE_OFFSET_BITS=64                  \
+AM_CPPFLAGS = -include config.h \
         -I$(top_srcdir)/lib			\
         -I$(top_srcdir)/lib/crypto_backend
 

lib/luks1/keymanage.c

@@ -605,7 +605,7 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 		       int detached_metadata_device,
 		       struct crypt_device *ctx)
 {
-	unsigned int i=0;
+	unsigned int i = 0, hdr_sectors = LUKS_device_sectors(vk->keylength);
 	size_t blocksPerStripeSet, currentSector;
 	int r;
 	uuid_t partitionUuid;
@@ -615,6 +615,13 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 	if (alignPayload == 0 && !detached_metadata_device)
 		alignPayload = DEFAULT_DISK_ALIGNMENT / SECTOR_SIZE;
 
+	if (alignPayload && detached_metadata_device && alignPayload < hdr_sectors) {
+		log_err(ctx, _("Data offset for detached LUKS header must be "
+			       "either 0 or higher than header size (%d sectors).\n"),
+			       hdr_sectors);
+		return -EINVAL;
+	}
+
 	if (crypt_hmac_size(hashSpec) < LUKS_DIGESTSIZE) {
 		log_err(ctx, _("Requested LUKS hash %s is not supported.\n"), hashSpec);
 		return -EINVAL;

lib/random.c

@@ -23,6 +23,7 @@
 #include <fcntl.h>
 #include <errno.h>
 #include <assert.h>
+#include <sys/select.h>
 
 #include "libcryptsetup.h"
 #include "internal.h"

lib/setup.c

@@ -4,7 +4,7 @@
  * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
  * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2012, Milan Broz
+ * Copyright (C) 2009-2013, Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -60,14 +60,12 @@ struct crypt_device {
 		struct crypt_params_plain hdr;
 		char *cipher;
 		char *cipher_mode;
-		char *uuid;
 		unsigned int key_size;
 	} plain;
 	struct { /* used in CRYPT_LOOPAES */
 		struct crypt_params_loopaes hdr;
 		char *cipher;
 		char *cipher_mode;
-		char *uuid;
 		unsigned int key_size;
 	} loopaes;
 	struct { /* used in CRYPT_VERITY */
@@ -329,7 +327,6 @@ int PLAIN_activate(struct crypt_device *cd,
 	enum devcheck device_check;
 	struct crypt_dm_active_device dmd = {
 		.target = DM_CRYPT,
-		.uuid   = crypt_get_uuid(cd),
 		.size   = size,
 		.flags  = flags,
 		.data_device = crypt_data_device(cd),
@@ -364,10 +361,6 @@ int PLAIN_activate(struct crypt_device *cd,
 
 	r = dm_create_device(cd, name, CRYPT_PLAIN, &dmd, 0);
 
-	// FIXME
-	if (!cd->u.plain.uuid && dm_query_device(cd, name, DM_ACTIVE_UUID, &dmd) >= 0)
-		cd->u.plain.uuid = CONST_CAST(char*)dmd.uuid;
-
 	free(dm_cipher);
 	return r;
 }
@@ -715,7 +708,6 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
 		goto out;
 
 	if (isPLAIN(cd->type)) {
-		cd->u.plain.uuid = dmd.uuid ? strdup(dmd.uuid) : NULL;
 		cd->u.plain.hdr.hash = NULL; /* no way to get this */
 		cd->u.plain.hdr.offset = dmd.u.crypt.offset;
 		cd->u.plain.hdr.skip = dmd.u.crypt.iv_offset;
@@ -727,7 +719,6 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
 			cd->u.plain.cipher_mode = strdup(cipher_mode);
 		}
 	} else if (isLOOPAES(cd->type)) {
-		cd->u.loopaes.uuid = dmd.uuid ? strdup(dmd.uuid) : NULL;
 		cd->u.loopaes.hdr.offset = dmd.u.crypt.offset;
 
 		r = crypt_parse_name_and_mode(dmd.u.crypt.cipher, cipher,
@@ -758,8 +749,12 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
 				free(cd->type);
 				cd->type = NULL;
 				r = 0;
-				goto out;
 			}
+		} else {
+			log_dbg("LUKS device header not available.");
+			free(cd->type);
+			cd->type = NULL;
+			r = 0;
 		}
 	} else if (isTCRYPT(cd->type)) {
 		r = TCRYPT_init_by_name(cd, name, &dmd, &cd->device,
@@ -784,14 +779,13 @@ static int _init_by_name_verity(struct crypt_device *cd, const char *name)
 
 	r = dm_query_device(cd, name,
 				DM_ACTIVE_DEVICE |
-				DM_ACTIVE_UUID |
 				DM_ACTIVE_VERITY_HASH_DEVICE |
 				DM_ACTIVE_VERITY_PARAMS, &dmd);
 	if (r < 0)
 		goto out;
 
 	if (isVERITY(cd->type)) {
-		cd->u.verity.uuid = dmd.uuid ? strdup(dmd.uuid) : NULL;
+		cd->u.verity.uuid = NULL; // FIXME
 		cd->u.verity.hdr.flags = CRYPT_VERITY_NO_HEADER; //FIXME
 		cd->u.verity.hdr.data_size = params.data_size;
 		cd->u.verity.root_hash_size = dmd.u.verity.root_hash_size;
@@ -810,7 +804,6 @@ static int _init_by_name_verity(struct crypt_device *cd, const char *name)
 	}
 out:
 	device_free(dmd.data_device);
-	free(CONST_CAST(void*)dmd.uuid);
 	return r;
 }
 
@@ -920,6 +913,11 @@ static int _crypt_format_plain(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
+	if (uuid) {
+		log_err(cd, _("UUID is not supported for this crypt type.\n"));
+		return -EINVAL;
+	}
+
 	if (!(cd->type = strdup(CRYPT_PLAIN)))
 		return -ENOMEM;
 
@@ -931,8 +929,6 @@ static int _crypt_format_plain(struct crypt_device *cd,
 	cd->u.plain.cipher = strdup(cipher);
 	cd->u.plain.cipher_mode = strdup(cipher_mode);
 
-	if (uuid)
-		cd->u.plain.uuid = strdup(uuid);
 
 	if (params && params->hash)
 		cd->u.plain.hdr.hash = strdup(params->hash);
@@ -1042,6 +1038,11 @@ static int _crypt_format_loopaes(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
+	if (uuid) {
+		log_err(cd, _("UUID is not supported for this crypt type.\n"));
+		return -EINVAL;
+	}
+
 	if (!(cd->type = strdup(CRYPT_LOOPAES)))
 		return -ENOMEM;
 
@@ -1049,9 +1050,6 @@ static int _crypt_format_loopaes(struct crypt_device *cd,
 
 	cd->u.loopaes.cipher = strdup(cipher ?: DEFAULT_LOOPAES_CIPHER);
 
-	if (uuid)
-		cd->u.loopaes.uuid = strdup(uuid);
-
 	if (params && params->hash)
 		cd->u.loopaes.hdr.hash = strdup(params->hash);
 
@@ -1288,7 +1286,7 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
 	int r;
 
 	/* Device context type must be initialised */
-	if (!cd->type || !crypt_get_uuid(cd))
+	if (!cd->type)
 		return -EINVAL;
 
 	log_dbg("Resizing device %s to %" PRIu64 " sectors.", name, new_size);
@@ -1413,11 +1411,9 @@ void crypt_free(struct crypt_device *cd)
 			free(CONST_CAST(void*)cd->u.plain.hdr.hash);
 			free(cd->u.plain.cipher);
 			free(cd->u.plain.cipher_mode);
-			free(cd->u.plain.uuid);
 		} else if (isLOOPAES(cd->type)) {
 			free(CONST_CAST(void*)cd->u.loopaes.hdr.hash);
 			free(cd->u.loopaes.cipher);
-			free(cd->u.loopaes.uuid);
 		} else if (isVERITY(cd->type)) {
 			free(CONST_CAST(void*)cd->u.verity.hdr.hash_name);
 			free(CONST_CAST(void*)cd->u.verity.hdr.salt);
@@ -2146,6 +2142,7 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
 
 int crypt_deactivate(struct crypt_device *cd, const char *name)
 {
+	struct crypt_device *fake_cd = NULL;
 	int r;
 
 	if (!name)
@@ -2153,16 +2150,24 @@ int crypt_deactivate(struct crypt_device *cd, const char *name)
 
 	log_dbg("Deactivating volume %s.", name);
 
-	if (!cd)
-		dm_backend_init();
+	if (!cd) {
+		r = crypt_init_by_name(&fake_cd, name);
+		if (r < 0)
+			return r;
+		cd = fake_cd;
+	}
 
 	switch (crypt_status(cd, name)) {
 		case CRYPT_ACTIVE:
 		case CRYPT_BUSY:
-			if (cd && isTCRYPT(cd->type))
+			if (isTCRYPT(cd->type))
 				r = TCRYPT_deactivate(cd, name);
 			else
 				r = dm_remove_device(cd, name, 0, 0);
+			if (r < 0 && crypt_status(cd, name) == CRYPT_BUSY) {
+				log_err(cd, _("Device %s is still in use.\n"), name);
+				r = -EBUSY;
+			}
 			break;
 		case CRYPT_INACTIVE:
 			log_err(cd, _("Device %s is not active.\n"), name);
@@ -2173,8 +2178,7 @@ int crypt_deactivate(struct crypt_device *cd, const char *name)
 			r = -EINVAL;
 	}
 
-	if (!cd)
-		dm_backend_exit();
+	crypt_free(fake_cd);
 
 	return r;
 }
@@ -2452,12 +2456,6 @@ const char *crypt_get_uuid(struct crypt_device *cd)
 	if (isLUKS(cd->type))
 		return cd->u.luks1.hdr.uuid;
 
-	if (isPLAIN(cd->type))
-		return cd->u.plain.uuid;
-
-	if (isLOOPAES(cd->type))
-		return cd->u.loopaes.uuid;
-
 	if (isVERITY(cd->type))
 		return cd->u.verity.uuid;
 

lib/tcrypt/Makefile.am

@@ -2,15 +2,13 @@ moduledir = $(libdir)/cryptsetup
 
 noinst_LTLIBRARIES = libtcrypt.la
 
-libtcrypt_la_CFLAGS = -Wall @CRYPTO_CFLAGS@
+libtcrypt_la_CFLAGS = -Wall $(AM_CFLAGS) @CRYPTO_CFLAGS@
 
 libtcrypt_la_SOURCES = \
 	tcrypt.c \
 	tcrypt.h
 
-AM_CPPFLAGS = -D_GNU_SOURCE			\
-	-D_LARGEFILE64_SOURCE                   \
-	-D_FILE_OFFSET_BITS=64                  \
+AM_CPPFLAGS = -include config.h \
         -I$(top_srcdir)/lib			\
         -I$(top_srcdir)/lib/crypto_backend
 

lib/tcrypt/tcrypt.c

@@ -2,7 +2,7 @@
  * TCRYPT (TrueCrypt-compatible) volume handling
  *
  * Copyright (C) 2012, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012, Milan Broz
+ * Copyright (C) 2012-2013, Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -485,6 +485,12 @@ static int TCRYPT_init_hdr(struct crypt_device *cd,
 	else
 		passphrase_size = params->passphrase_size;
 
+	if (params->passphrase_size > TCRYPT_KEY_POOL_LEN) {
+		log_err(cd, _("Maximum TCRYPT passphrase length (%d) exceeded.\n"),
+			      TCRYPT_KEY_POOL_LEN);
+		return -EPERM;
+	}
+
 	/* Calculate pool content from keyfiles */
 	for (i = 0; i < params->keyfiles_count; i++) {
 		r = TCRYPT_pool_keyfile(cd, pwd, params->keyfiles[i]);
@@ -579,8 +585,13 @@ int TCRYPT_read_phdr(struct crypt_device *cd,
 	r = -EIO;
 	if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
 		if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
-		    read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
+		    read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) {
 			r = TCRYPT_init_hdr(cd, hdr, params);
+			if (r == -EPERM && crypt_dev_is_partition(device_path(device)))
+				log_std(cd, _("WARNING: device %s is a partition, for TCRYPT "
+					      "system encryption you usually need to use "
+					      "whole block device path.\n"), device_path(device));
+		}
 	} else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
 		if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
 			if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
@@ -630,10 +641,12 @@ int TCRYPT_activate(struct crypt_device *cd,
 		     uint32_t flags)
 {
 	char cipher[MAX_CIPHER_LEN], dm_name[PATH_MAX], dm_dev_name[PATH_MAX];
-	struct device *device = NULL;
+	char *part_path;
+	struct device *device = NULL, *part_device = NULL;
 	unsigned int i;
 	int r;
 	struct tcrypt_algs *algs;
+	enum devcheck device_check;
 	struct crypt_dm_active_device dmd = {
 		.target = DM_CRYPT,
 		.size   = 0,
@@ -670,7 +683,30 @@ int TCRYPT_activate(struct crypt_device *cd,
 	else
 		dmd.size = hdr->d.volume_size / hdr->d.sector_size;
 
-	r = device_block_adjust(cd, dmd.data_device, DEV_EXCL,
+	/*
+	 * System encryption use the whole device mapping, there can
+	 * be active partitions.
+	 * FIXME: This will allow multiple mappings unexpectedly.
+	 */
+	if ((dmd.flags & CRYPT_ACTIVATE_SHARED) ||
+	    (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER))
+		device_check = DEV_SHARED;
+	else
+		device_check = DEV_EXCL;
+
+	if ((params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) &&
+		(part_path = crypt_get_partition_device(device_path(dmd.data_device),
+				 dmd.u.crypt.offset, dmd.size))) {
+		if (!device_alloc(&part_device, part_path)) {
+			log_verbose(cd, _("Activating TCRYPT system encryption for partition %s.\n"),
+				    part_path);
+			dmd.data_device = part_device;
+			dmd.u.crypt.offset = 0;
+		}
+		free(part_path);
+	}
+
+	r = device_block_adjust(cd, dmd.data_device, device_check,
 				dmd.u.crypt.offset, &dmd.size, &dmd.flags);
 	if (r)
 		return r;
@@ -721,6 +757,7 @@ int TCRYPT_activate(struct crypt_device *cd,
 		r = -ENOTSUP;
 	}
 
+	device_free(part_device);
 	crypt_free_volume_key(dmd.u.crypt.vk);
 	return r;
 }

lib/tcrypt/tcrypt.h

@@ -2,7 +2,7 @@
  * TCRYPT (TrueCrypt-compatible)  header defitinion
  *
  * Copyright (C) 2012, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012, Milan Broz
+ * Copyright (C) 2012-2013, Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public

lib/utils_crypt.h

@@ -24,10 +24,9 @@
 #define _UTILS_CRYPT_H
 
 #include <unistd.h>
-#include "config.h"
 
 #define MAX_CIPHER_LEN		32
-#define MAX_CIPHER_LEN_STR	"32"
+#define MAX_CIPHER_LEN_STR	"31"
 #define MAX_KEYFILES		32
 
 struct crypt_device;

lib/utils_devpath.c

@@ -4,7 +4,7 @@
  * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
  * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2012, Milan Broz
+ * Copyright (C) 2009-2013, Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -28,12 +28,10 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <errno.h>
+#include <limits.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#include "utils_dm.h"
-
-char *crypt_lookup_dev(const char *dev_id);
-int crypt_sysfs_get_rotational(int major, int minor, int *rotational);
+#include "internal.h"
 
 static char *__lookup_dev(char *path, dev_t dev, int dir_level, const int max_level)
 {
@@ -169,16 +167,12 @@ char *crypt_lookup_dev(const char *dev_id)
 	return devpath;
 }
 
-int crypt_sysfs_get_rotational(int major, int minor, int *rotational)
+static int _read_uint64(const char *sysfs_path, uint64_t *value)
 {
-	char path[PATH_MAX], tmp[64] = {0};
+	char tmp[64] = {0};
 	int fd, r;
 
-	if (snprintf(path, sizeof(path), "/sys/dev/block/%d:%d/queue/rotational",
-		     major, minor) < 0)
-		return 0;
-
-	if ((fd = open(path, O_RDONLY)) < 0)
+	if ((fd = open(sysfs_path, O_RDONLY)) < 0)
 		return 0;
 	r = read(fd, tmp, sizeof(tmp));
 	close(fd);
@@ -186,8 +180,128 @@ int crypt_sysfs_get_rotational(int major, int minor, int *rotational)
 	if (r <= 0)
 		return 0;
 
-        if (sscanf(tmp, "%d", rotational) != 1)
+        if (sscanf(tmp, "%" PRIu64, value) != 1)
 		return 0;
 
 	return 1;
 }
+
+static int _sysfs_get_uint64(int major, int minor, uint64_t *value, const char *attr)
+{
+	char path[PATH_MAX];
+
+	if (snprintf(path, sizeof(path), "/sys/dev/block/%d:%d/%s",
+		     major, minor, attr) < 0)
+		return 0;
+
+	return _read_uint64(path, value);
+}
+
+static int _path_get_uint64(const char *sysfs_path, uint64_t *value, const char *attr)
+{
+	char path[PATH_MAX];
+
+	if (snprintf(path, sizeof(path), "%s/%s",
+		     sysfs_path, attr) < 0)
+		return 0;
+
+	return _read_uint64(path, value);
+}
+
+int crypt_dev_is_rotational(int major, int minor)
+{
+	uint64_t val;
+
+	if (!_sysfs_get_uint64(major, minor, &val, "queue/rotational"))
+		return 1; /* if failed, expect rotational disk */
+
+	return val ? 1 : 0;
+}
+
+int crypt_dev_is_partition(const char *dev_path)
+{
+	uint64_t val;
+	struct stat st;
+
+	if (stat(dev_path, &st) < 0)
+		return 0;
+
+	if (!S_ISBLK(st.st_mode))
+		return 0;
+
+	if (!_sysfs_get_uint64(major(st.st_rdev), minor(st.st_rdev),
+			      &val, "partition"))
+		return 0;
+
+	return val ? 1 : 0;
+}
+
+/* Try to find partition which match offset and size on top level device */
+char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t size)
+{
+	char link[PATH_MAX], path[PATH_MAX], part_path[PATH_MAX], *devname;
+	char *result = NULL;
+	struct stat st;
+	size_t devname_len;
+	ssize_t len;
+	struct dirent *entry;
+	DIR *dir;
+	uint64_t part_offset, part_size;
+
+	if (stat(dev_path, &st) < 0)
+		return NULL;
+
+	if (!S_ISBLK(st.st_mode))
+		return NULL;
+
+	if (snprintf(path, sizeof(path), "/sys/dev/block/%d:%d",
+		major(st.st_rdev), minor(st.st_rdev)) < 0)
+		return NULL;
+
+	len = readlink(path, link, sizeof(link) - 1);
+	if (len < 0)
+		return NULL;
+
+	/* Get top level disk name for sysfs search */
+	link[len] = '\0';
+	devname = strrchr(link, '/');
+	if (!devname)
+		return NULL;
+	devname++;
+
+	/* DM devices do not use kernel partitions. */
+	if (dm_is_dm_kernel_name(devname))
+		return NULL;
+
+	dir = opendir(path);
+	if (!dir)
+		return NULL;
+
+	devname_len = strlen(devname);
+	while((entry = readdir(dir))) {
+		if (strncmp(entry->d_name, devname, devname_len))
+			continue;
+
+		if (snprintf(part_path, sizeof(part_path), "%s/%s",
+		    path, entry->d_name) < 0)
+			continue;
+
+		if (stat(part_path, &st) < 0)
+			continue;
+
+		if (S_ISDIR(st.st_mode)) {
+			if (!_path_get_uint64(part_path, &part_offset, "start") ||
+			    !_path_get_uint64(part_path, &part_size, "size"))
+				continue;
+			if (part_offset == offset && part_size == size &&
+			    snprintf(part_path, sizeof(part_path), "/dev/%s",
+				     entry->d_name) > 0) {
+				result = strdup(part_path);
+				break;
+			}
+		}
+	}
+	closedir(dir);
+
+	return result;
+}

lib/utils_fips.c

@@ -23,7 +23,6 @@
 #include "libcryptsetup.h"
 #include "nls.h"
 #include "utils_fips.h"
-#include "config.h"
 
 #if !ENABLE_FIPS
 int crypt_fips_mode(void) { return 0; }

lib/utils_wipe.c

@@ -124,7 +124,7 @@ int crypt_wipe(struct device *device,
 {
 	struct stat st;
 	char *buffer;
-	int devfd, flags, rotational, bsize;
+	int devfd, flags, bsize;
 	ssize_t written;
 
 	if (!size || size % SECTOR_SIZE || (size > MAXIMUM_WIPE_BYTES)) {
@@ -139,14 +139,12 @@ int crypt_wipe(struct device *device,
 	}
 
 	if (type == CRYPT_WIPE_DISK && S_ISBLK(st.st_mode)) {
-		rotational = 0;
-		if (!crypt_sysfs_get_rotational(major(st.st_rdev),
-						minor(st.st_rdev),
-						&rotational))
-			rotational = 1;
-		log_dbg("Rotational flag is %d.", rotational);
-		if (!rotational)
+		if (!crypt_dev_is_rotational(major(st.st_rdev),
+						minor(st.st_rdev))) {
 			type = CRYPT_WIPE_SSD;
+			log_dbg("Non-rotational device, using SSD wipe mode.");
+		} else
+			log_dbg("Rotational device, using normal wipe mode.");
 	}
 
 	bsize = device_block_size(device);

lib/verity/Makefile.am

@@ -2,15 +2,13 @@ moduledir = $(libdir)/cryptsetup
 
 noinst_LTLIBRARIES = libverity.la
 
-libverity_la_CFLAGS = -Wall @CRYPTO_CFLAGS@
+libverity_la_CFLAGS = -Wall $(AM_CFLAGS) @CRYPTO_CFLAGS@
 
 libverity_la_SOURCES = \
 	verity_hash.c \
 	verity.c \
 	verity.h
 
-AM_CPPFLAGS = -D_GNU_SOURCE			\
-	-D_LARGEFILE64_SOURCE                   \
-	-D_FILE_OFFSET_BITS=64                  \
+AM_CPPFLAGS = -include config.h \
         -I$(top_srcdir)/lib			\
         -I$(top_srcdir)/lib/crypto_backend

lib/verity/verity.h

@@ -22,7 +22,6 @@
 #define _VERITY_H
 
 #include <unistd.h>
-#include "config.h"
 
 #define VERITY_MAX_HASH_TYPE 1
 #define VERITY_BLOCK_SIZE_OK(x)	((x) % 512 || (x) < 512 || \

lib/verity/verity_hash.c

@@ -220,7 +220,7 @@ static int VERITY_create_or_verify_hash(struct crypt_device *cd,
 	off_t hash_level_block[VERITY_MAX_LEVELS];
 	off_t hash_level_size[VERITY_MAX_LEVELS];
 	off_t data_file_blocks, s;
-	size_t hash_per_block, hash_per_block_bits;
+	size_t hash_per_block_bits;
 	off_t data_device_size = 0, hash_device_size = 0;
 	uint64_t dev_size;
 	int levels, i, r;
@@ -251,7 +251,6 @@ static int VERITY_create_or_verify_hash(struct crypt_device *cd,
 	}
 
 	hash_per_block_bits = get_bits_down(hash_block_size / digest_size);
-	hash_per_block = 1 << hash_per_block_bits;
 	if (!hash_per_block_bits)
 		return -EINVAL;
 
@@ -271,8 +270,7 @@ static int VERITY_create_or_verify_hash(struct crypt_device *cd,
 	for (i = levels - 1; i >= 0; i--) {
 		hash_level_block[i] = hash_position;
 		// verity position of block data_file_blocks at level i
-		s = data_file_blocks >> (i * hash_per_block_bits);
-		s = (s + hash_per_block - 1) / hash_per_block;
+		s = (data_file_blocks + ((off_t)1 << ((i + 1) * hash_per_block_bits)) - 1) >> ((i + 1) * hash_per_block_bits);
 		hash_level_size[i] = s;
 		if ((hash_position + s) < hash_position ||
 		    (hash_position + s) < 0) {

man/cryptsetup.8

@@ -10,6 +10,10 @@ device-mapper mappings. These include plain dm-crypt volumes and
 LUKS volumes. The difference is that LUKS uses a metadata header
 and can hence offer more features than plain dm-crypt. On the other
 hand, the header is visible and vulnerable to damage.
+
+In addition, cryptsetup provides limited support for the use of
+historic loopaes volumes and for TruerCrypt compatible volumes.
+
 .SH PLAIN DM-CRYPT OR LUKS?
 .PP
 Unless you understand the cryptographic background well, use LUKS.
@@ -62,18 +66,18 @@ cryptsetup FAQ describes several options.
 .SH BASIC COMMANDS
 The following are valid actions for all supported device types.
 
-\fIopen\fR <name> <device> \-\-type <device_type>
+\fIopen\fR <device> <name> \-\-type <device_type>
 .IP
-Opens (creates a mapping) with <name> backed by device <device>.
+Opens (creates a mapping with) <name> backed by device <device>.
 
 Device type can be \fIplain\fR, \fIluks\fR (default), \fIloopaes\fR
 or \fItcrypt\fR.
 
 For backward compatibility there are \fBopen\fR command aliases:
 
-\fBcreate\fR: open \-\-type plain <device> <name>\fR switched arguments)
+\fBcreate\fR (argument-order <name> <device>): open \-\-type plain 
 .br
-\fBplainOpen\fR: open \-\-type plain
+\fBplainOpen\fR: open \-\-type plain 
 .br
 \fBluksOpen\fR: open \-\-type luks
 .br
@@ -82,7 +86,9 @@ For backward compatibility there are \fBopen\fR command aliases:
 \fBtcryptOpen\fR: open \-\-type tcrypt
 
 \fB<options>\fR are type specific and are described below
-for individual device types.
+for individual device types. For \fBcreate\fR, the order of the <name> 
+and <device> options is inverted for historical reasons, all other
+aliases use the standard \fB<device> <name>\fR order.
 .PP
 \fIclose\fR <name>
 .IP
@@ -109,7 +115,7 @@ sectors of the raw device are represented in the mapped device.
 Plain dm-crypt encrypts the device sector-by-sector with a
 single, non-salted hash of the passphrase. No checks
 are performed, no metadata is used. There is no formatting operation.
-When the raw device is mapped (created), the usual device operations
+When the raw device is mapped (opened), the usual device operations
 can be used on the mapped device, including filesystem creation.
 Mapped devices usually reside in /dev/mapper/<name>.
 
@@ -119,7 +125,7 @@ The following are valid plain device type actions:
 .br
 \fIcreate\fR <name> <device> (\fBOBSOLETE syntax\fR)
 .IP
-Creates a mapping with <name> backed by device <device>.
+Opens (creates a mapping with) <name> backed by device <device>.
 
 \fB<options>\fR can be [\-\-hash, \-\-cipher, \-\-verify-passphrase,
 \-\-key-file, \-\-keyfile-offset, \-\-key-size, \-\-offset, \-\-skip, \-\-size,
@@ -170,10 +176,12 @@ from stdin and the safety-question being skipped.
 
 You can only call luksFormat on a LUKS device that is not mapped.
 
-\fB<options>\fR can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size,
-\-\-key-slot, \-\-key-file (takes precedence over optional second argument),
-\-\-keyfile-offset, \-\-keyfile-size, \-\-use-random | \-\-use-urandom,
-\-\-uuid, \-\-master-key-file].
+\fB<options>\fR can be [\-\-hash, \-\-cipher, \-\-verify\-passphrase, 
+\-\-key\-size, \-\-key\-slot, 
+\-\-key\-file (takes precedence over optional second argument),
+\-\-keyfile\-offset, \-\-keyfile\-size, \-\-use\-random | \-\-use\-urandom,
+\-\-uuid, \-\-master\-key\-file, \-\-iter\-time, \-\-header,
+\-\-force\-password].
 
 \fBWARNING:\fR Doing a luksFormat on an existing LUKS container will
 make all data the old container permanently irretrievable, unless
@@ -191,9 +199,9 @@ prompts for it interactively.
 The <device> parameter can be also specified by LUKS UUID in the
 format UUID=<uuid>, which uses the symlinks in /dev/disk/by-uuid.
 
-\fB<options>\fR can be [\-\-key-file, \-\-keyfile-offset,
-\-\-keyfile-size, \-\-readonly, \-\-test-passphrase,
-\-\-allow-discards, \-\-header, \-\-key-slot, \-\-master-key-file].
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+\-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
+\-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file].
 .PP
 \fIluksSuspend\fR <name>
 .IP
@@ -215,7 +223,7 @@ the mapped device.
 Resumes a suspended device and reinstates the encryption key.
 Prompts interactively for a passphrase if \-\-key-file is not given.
 
-\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-header]
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-size, \-\-header]
 .PP
 \fIluksAddKey\fR <device> [<key file with new key>]
 .IP
@@ -224,9 +232,10 @@ interactively or via \-\-key-file.
 The new passphrase to be added can be specified interactively
 or read from the file given as positional argument.
 
-\fB<options>\fR can be [\-\-key-file, \-\-keyfile-offset,
-\-\-keyfile-size, \-\-new-keyfile-offset,
-\-\-new-keyfile-size, \-\-key-slot, \-\-master-key-file].
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+\-\-keyfile\-size, \-\-new\-keyfile\-offset,
+\-\-new\-keyfile\-size, \-\-key\-slot, \-\-master\-key\-file,
+\-\-iter\-time, \-\-force\-password].
 .PP
 \fIluksRemoveKey\fR <device> [<key file with passphrase to be removed>]
 .IP
@@ -234,12 +243,12 @@ Removes the supplied passphrase from the LUKS device. The
 passphrase to be removed can be specified interactively,
 as positional argument or via \-\-key-file.
 
-\fB<options>\fR can be [\-\-key-file, \-\-keyfile-offset,
-\-\-keyfile-size]
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+\-\-keyfile\-size]
 
 \fBWARNING:\fR If you read the passphrase from stdin
 (without further argument or with '-' as argument 
-to \-\-key-file), batch-mode (-q) will be implicitely
+to \-\-key\-file), batch-mode (-q) will be implicitely
 switched on and no warning will be given when you remove the
 last remaining passphrase from a LUKS container. Removing
 the last passphrase makes the LUKS container permanently
@@ -248,7 +257,7 @@ inaccessible.
 \fIluksChangeKey\fR <device> [<new key file>]
 .IP
 Changes an existing passphrase. The passphrase
-to be changed must be supplied interactively or via \-\-key-file.
+to be changed must be supplied interactively or via \-\-key\-file.
 The new passphrase can be supplied interactively or in
 a file given as positional argument.
 
@@ -266,9 +275,9 @@ during this operation can cause the overwrite to fail after
 the old passphrase has been wiped and make the LUKS container
 inaccessible.
 
-\fB<options>\fR can be [\-\-key-file, \-\-keyfile-offset,
-\-\-keyfile-size, \-\-new-keyfile-offset,
-\-\-new-keyfile-size, \-\-key-slot].
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+\-\-keyfile\-size, \-\-new\-keyfile\-offset,
+\-\-new\-keyfile\-size, \-\-key\-slot, \-\-force\-password].
 .PP
 \fIluksKillSlot\fR <device> <key slot number>
 .IP
@@ -278,7 +287,8 @@ This command can remove the last remaining key-slot, but requires
 an interactive confirmation when doing so. Removing the last
 passphrase makes a LUKS container permanently inaccessible.
 
-\fB<options>\fR can be [\-\-key-file, \-\-keyfile-offset, \-\-keyfile-size].
+\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, 
+\-\-keyfile\-size].
 
 \fBWARNING:\fR If you read the passphrase from stdin
 (without further argument or with '-' as argument
@@ -304,7 +314,7 @@ means the device is a LUKS device.
 .IP
 Dump the header information of a LUKS device.
 
-If the \-\-dump-master-key option is used, the LUKS device master key is
+If the \-\-dump\-master\-key option is used, the LUKS device master key is
 dumped instead of the keyslot info. Beware that the master key cannot be
 changed and can be used to decrypt the data stored in the LUKS container
 without a passphrase and even without the LUKS header. This means
@@ -312,16 +322,16 @@ that if the master key is compromised, the whole device has to be
 erased to prevent further access. Use this option carefully.
 
 In order to dump the master key, a passphrase has to be supplied,
-either interactively or via \-\-key-file. 
+either interactively or via \-\-key\-file. 
 
-\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file,
-\-\-keyfile-offset, \-\-keyfile-size].
+\fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
+\-\-keyfile\-offset, \-\-keyfile\-size].
 
-\fBWARNING:\fR If \-\-dump-master-key is used with \-\-key-file
-and the argument to \-\-key-file is '-', no validation question
+\fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file
+and the argument to \-\-key\-file is '-', no validation question
 will be asked and no warning given.
 .PP
-\fIluksHeaderBackup\fR <device> \-\-header-backup-file <file>
+\fIluksHeaderBackup\fR <device> \-\-header\-backup\-file <file>
 .IP
 Stores a binary backup of the LUKS header and keyslot area.
 .br
@@ -338,7 +348,7 @@ addition or overwrite the encrypted data area as well.
 The second option is less secure, as some sectors
 can survive, e.g. due to defect management.
 .PP
-\fIluksHeaderRestore\fR <device> \-\-header-backup-file <file>
+\fIluksHeaderRestore\fR <device> \-\-header\-backup\-file <file>
 .IP
 Restores a binary backup of the LUKS header and keyslot area
 from the specified file.
@@ -356,18 +366,19 @@ the backup will also be written to it.
 cryptsetup supports mapping loop-AES encrypted partition using
 a compatibility mode.
 .PP
-\fIopen\fR \-\-type loopaes <device> <name> \-\-key-file <keyfile>
+\fIopen\fR \-\-type loopaes <device> <name> \-\-key\-file <keyfile>
 .br
-\fIloopaesOpen\fR <device> <name> \-\-key-file <keyfile>  (\fBold syntax\fR)
+\fIloopaesOpen\fR <device> <name> \-\-key\-file <keyfile>  (\fBold syntax\fR)
 .IP
 Opens the loop-AES <device> and sets up a mapping <name>.
 
 If the key file is encrypted with GnuPG, then you have to use
-\-\-key-file=- and decrypt it before use, e.g. like this:
+\-\-key\-file=\- and decrypt it before use, e.g. like this:
 .br
-gpg \-\-decrypt <keyfile> | cryptsetup loopaesOpen \-\-key-file=- <device> <name>
+gpg \-\-decrypt <keyfile> | cryptsetup loopaesOpen \-\-key\-file=\- 
+<device> <name>
 
-Use \fB\-\-keyfile-size\fR to specify the proper key length if needed.
+Use \fB\-\-keyfile\-size\fR to specify the proper key length if needed.
 
 Use \fB\-\-offset\fR to specify device offset. Note that the units
 need to be specified in number of 512 byte sectors.
@@ -381,8 +392,8 @@ Use \fB\-\-hash\fR to override the default hash function for
 passphrase hashing (otherwise it is detected according to key
 size).
 
-\fB<options>\fR can be [\-\-key-file, \-\-key-size, \-\-offset, \-\-skip,
-\-\-hash, \-\-readonly, \-\-allow-discards].
+\fB<options>\fR can be [\-\-key\-file, \-\-key\-size, \-\-offset, \-\-skip,
+\-\-hash, \-\-readonly, \-\-allow\-discards].
 .PP
 See also section 7 of the FAQ and \fBhttp://loop-aes.sourceforge.net\fR
 for more information regarding loop-AES.
@@ -412,20 +423,28 @@ The \fBtcryptDump\fR command should work for all recognized TCRYPT devices
 and doesn't require superuser privilege.
 
 To map system device (device with boot loader where the whole encrypted
-system resides) use \fB\-\-tcrypt-system\fR option. Use the whole
+system resides) use \fB\-\-tcrypt\-system\fR option. Use the whole
 device not the system partition as the device parameter.
 
 To use hidden header (and map hidden device, if available),
-use \fB\-\-tcrypt-hidden\fR option.
+use \fB\-\-tcrypt\-hidden\fR option.
+
+\fBNOTE:\fR There is no protection for a hidden volume if
+the outer volume is mounted. The reason is that if there
+were any protection, it would require some metadata describing
+what to protect in the outer volume and the hidden volume would
+become detectable.
+
 .PP
 \fIopen\fR \-\-type tcrypt <device> <name>
 .br
 \fItcryptOpen\fR <device> <name>  (\fBold syntax\fR)
 .IP
-Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
+Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up 
+a mapping <name>.
 
-\fB<options>\fR can be [\-\-key-file, \-\-tcrypt-hidden, \-\-tcrypt-system,
-\-\-readonly, \-\-test-passphrase].
+\fB<options>\fR can be [\-\-key\-file, \-\-tcrypt\-hidden, 
+\-\-tcrypt\-system, \-\-readonly, \-\-test\-passphrase].
 
 The keyfile parameter allows combination of file content with the
 passphrase and can be repeated. Note that using keyfiles is compatible
@@ -435,16 +454,16 @@ with TCRYPT and is different from LUKS keyfile logic.
 .IP
 Dump the header information of a TCRYPT device.
 
-If the \-\-dump-master-key option is used, the TCRYPT device master key is
-dumped instead of TCRYPT header info. Beware that the master key
+If the \-\-dump\-master\-key option is used, the TCRYPT device master key 
+is dumped instead of TCRYPT header info. Beware that the master key
 (or concatenated master keys if cipher chain is used)
 can be used to decrypt the data stored in the TCRYPT container without
 a passphrase.
 This means that if the master key is compromised, the whole device has
 to be erased to prevent further access. Use this option carefully.
 
-\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-tcrypt-hidden,
-\-\-tcrypt-system].
+\fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file, 
+\-\-tcrypt\-hidden, \-\-tcrypt\-system].
 
 The keyfile parameter allows combination of file content with the
 passphrase and can be repeated.
@@ -475,7 +494,7 @@ Benchmarks ciphers and KDF (key derivation function).
 Without parameters it tries to measure few common configurations.
 
 To benchmark other ciphers or modes, you need to specify \fB\-\-cipher\fR
-and \fB\-\-key-size\fR options or \fB\-\-hash\fR for KDF test.
+and \fB\-\-key\-size\fR options or \fB\-\-hash\fR for KDF test.
 
 \fBNOTE:\fR This benchmark is using memory only and is only informative.
 You cannot directly predict real storage encryption speed from it.
@@ -486,7 +505,7 @@ If you are configuring kernel yourself, enable
 "User-space interface for symmetric key cipher algorithms" in
 "Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
 
-\fB<options>\fR can be [\-\-cipher, \-\-key-size, \-\-hash].
+\fB<options>\fR can be [\-\-cipher, \-\-key\-size, \-\-hash].
 .SH OPTIONS
 .TP
 .B "\-\-verbose, \-v"
@@ -496,7 +515,7 @@ Print more information on command execution.
 Run in debug mode with full diagnostic logs. Debug output
 lines are always prefixed by '#'.
 .TP
-.B "\-\-hash, \-h \fI<hash-spec>\fR"
+.B "\-\-hash, \-h \fI<hash\-spec>\fR"
 Specifies the passphrase hash for \fIopen\fR (for plain and loopaes device types).
 
 Specifies the hash used in the LUKS key setup scheme and volume key digest
@@ -515,16 +534,15 @@ Values compatible with old version of cryptsetup are
 
 Use \fIcryptsetup \-\-help\fR to show the defaults.
 .TP
-.B "\-\-cipher, \-c \fI<cipher-spec>\fR"
+.B "\-\-cipher, \-c \fI<cipher\-spec>\fR"
 Set the cipher specification string.
 
 \fIcryptsetup \-\-help\fR shows the compiled-in defaults.
 The current default in the distributed sources is
-"aes-cbc-essiv:sha256" for both plain dm-crypt and LUKS.
+"aes-cbc-essiv:sha256" for plain dm-crypt and
+"aes-xts-plain64" for LUKS.
 
-For XTS mode (a possible future default), use "aes-xts-plain"
-or better "aes-xts-plain64"
-as cipher specification and optionally set a key size of
+For XTS mode you can optionally set a key size of
 512 bits with the \-s option. Key size for XTS
 mode is twice that for other modes for the same
 security level.
@@ -536,7 +554,7 @@ kernel 2.6.33 or later. More information can be found in the FAQ.
 When interactively asking for a passphrase, ask for it twice
 and complain if both inputs do not match. Advised when creating
 a regular mapping for the first time, or when running
-\fIluksFormat\fR. Ignores on input from file or stdin.
+\fIluksFormat\fR. Ignored on input from file or stdin.
 .TP
 .B "\-\-key-file, \-d \fIname\fR"
 Read the passphrase from file.
@@ -544,9 +562,9 @@ Read the passphrase from file.
 If the name given is "-", then the passphrase will be read from stdin.
 In this case, reading will not stop at newline characters.
 
-With LUKS, passphrases supplied via \-\-key-file are always
+With LUKS, passphrases supplied via \-\-key\-file are always
 the existing passphrases requested by a command, except in
-the case of \fIluksFormat\fR where \-\-key-file is equivalent
+the case of \fIluksFormat\fR where \-\-key\-file is equivalent
 to the positional key file argument.
 
 If you want to set a new passphrase via key file, you have to
@@ -554,37 +572,37 @@ use a positional argument to \fIluksAddKey\fR.
 
 See section \fBNOTES ON PASSPHRASE PROCESSING\fR for more information.
 .TP
-.B "\-\-keyfile-offset \fIvalue\fR"
+.B "\-\-keyfile\-offset \fIvalue\fR"
 Skip \fIvalue\fR bytes at the beginning of the key file.
 Works with all commands that accepts key files.
 .TP
-.B "\-\-keyfile-size, \-l \fIvalue\fR"
+.B "\-\-keyfile\-size, \-l \fIvalue\fR"
 Read a maximum of \fIvalue\fR bytes from the key file.
 Default is to read the whole file up to the compiled-in
 maximum that can be queried with \-\-help. Supplying more
 data than the compiled-in maximum aborts the operation.
 
 This option is useful
-to cut trailing newlines, for example. If \-\-keyfile-offset
+to cut trailing newlines, for example. If \-\-keyfile\-offset
 is also given, the size count starts after the offset.
 Works with all commands that accepts key files.
 .TP
-.B "\-\-new-keyfile-offset \fIvalue\fR"
+.B "\-\-new\-keyfile\-offset \fIvalue\fR"
 Skip \fIvalue\fR bytes at the start when
 adding a new passphrase from key file with
 \fIluksAddKey\fR.
 .TP
-.B "\-\-new-keyfile-size  \fIvalue\fR"
+.B "\-\-new\-keyfile\-size  \fIvalue\fR"
 Read a maximum of \fIvalue\fR bytes when adding
 a new passphrase from key file with \fIluksAddKey\fR.
 Default is to read the whole file up to the compiled-in
 maximum length that can be queried with \-\-help.
 Supplying more than the compiled in maximum aborts the
 operation.
-When \-\-new-keyfile-offset is also given, reading starts
+When \-\-new\-keyfile\-offset is also given, reading starts
 after the offset.
 .TP
-.B "\-\-master-key-file"
+.B "\-\-master\-key\-file"
 Use a master key stored in a file.
 
 For \fIluksFormat\fR this
@@ -594,20 +612,25 @@ LUKS header and all other parameters are the same,
 then the new header decrypts the data encrypted with the
 header the master key was taken from.
 
+\fBWARNING:\fR If you create your own master key, you
+need to make sure to do it right. Otherwise you can end 
+up with a low-entropy or otherwise partially predictable
+master key which will compromise security.
+
 For \fIluksAddKey\fR this allows adding a new passphrase
 without having to know an exiting one.
 
 For \fIopen\fR this allows to open the LUKS device
 without giving a passphrase.
 .TP
-.B "\-\-dump-master-key"
+.B "\-\-dump\-master\-key"
 For \fIluksDump\fR this option includes the master key in the displayed
 information. Use with care, as the master key can be used to
-bypass the passphrases, see also option \-\-master-key-file.
+bypass the passphrases, see also option \-\-master\-key\-file.
 .TP
-.B "\-\-use-random"
+.B "\-\-use\-random"
 .TP
-.B "\-\-use-urandom"
+.B "\-\-use\-urandom"
 For \fIluksFormat\fR these options define which kernel random number
 generator will be used to create the master key (which is a
 long-term key).
@@ -623,7 +646,7 @@ Using /dev/random can block a long time, potentially
 forever, if not enough entropy can be harvested by
 the kernel.
 .TP
-.B "\-\-key-slot, \-S <0-7>"
+.B "\-\-key\-slot, \-S <0\-7>"
 For LUKS operations that add key material, this options allows you
 to specify which key slot is selected for the new key.
 This option can be used for \fIluksFormat\fR,
@@ -634,7 +657,7 @@ specific key-slot to compare the passphrase against.
 If the given passphrase would only match a different key-slot,
 the operation fails.
 .TP
-.B "\-\-key-size, \-s <bits>"
+.B "\-\-key\-size, \-s <bits>"
 Sets key size in bits. The argument has to be a multiple of
 8. The possible key-sizes are limited by the cipher and
 mode used.
@@ -679,13 +702,13 @@ This option is only relevant for the
 \fIopen \-\-type plain\fR action. Use \-\-offset, \-\-size and \-\-skip to
 specify the mapped area.
 .TP
-.B "\-\-iter-time, \-i <number of milliseconds>"
+.B "\-\-iter\-time, \-i <number of milliseconds>"
 The number of milliseconds to spend with PBKDF2 passphrase processing.
 This option is only relevant for LUKS operations that set or change
 passphrases, such as \fIluksFormat\fR or \fIluksAddKey\fR.
 Specifying 0 as parameter selects the compiled-in default.
 .TP
-.B "\-\-batch-mode, \-q"
+.B "\-\-batch\-mode, \-q"
 Suppresses all confirmation questions. Use with care!
 
 If the \-y option is not specified, this option also switches off
@@ -709,7 +732,7 @@ every time a passphrase is asked, for example for
 \fIopen\fR, \fIluksFormat\fR or \fIluksAddKey\fR.
 The default is 3 tries.
 .TP
-.B "\-\-align-payload <number of 512 byte sectors>"
+.B "\-\-align\-payload <number of 512 byte sectors>"
 Align payload at a boundary of \fIvalue\fR 512-byte sectors.
 This option is relevant for \fIluksFormat\fR.
 
@@ -729,7 +752,7 @@ used with the \fIluksUUID\fR command.
 The UUID must be provided in the standard UUID format,
 e.g. 12345678-1234-1234-1234-123456789abc.
 .TP
-.B "\-\-allow-discards\fR"
+.B "\-\-allow\-discards\fR"
 Allow the use of discard (TRIM) requests for device.
 This option is only relevant for \fIopen\fR action.
 
@@ -743,7 +766,7 @@ later. If in doubt, do no use it.
 A kernel version of 3.1 or later is needed. For earlier kernels
 this option is ignored.
 .TP
-.B "\-\-test-passphrase\fR"
+.B "\-\-test\-passphrase\fR"
 Do not activate device, just verify passphrase.
 This option is only relevant for \fIopen\fR action (the device
 mapping name is not mandatory if this option is used).
@@ -765,7 +788,7 @@ For other commands that change the LUKS header (e.g. \fIluksAddKey\fR),
 specify the device or file with the LUKS header directly as the
 LUKS device.
 
-If used with \fIluksFormat\fR, the \-\-align-payload option is taken
+If used with \fIluksFormat\fR, the \-\-align\-payload option is taken
 as absolute sector alignment on ciphertext device and can be zero.
 
 \fBWARNING:\fR There is no check whether the ciphertext device specified
@@ -773,7 +796,7 @@ actually belongs to the header given. In fact you can specify an
 arbitrary device as the ciphertext device for \fIopen\fR
 with the \-\-header option. Use with care.
 .TP
-.B "\-\-force-password\fR"
+.B "\-\-force\-password\fR"
 Do not use password quality checking for new LUKS passwords.
 
 This option applies only to \fIluksFormat\fR, \fIluksAddKey\fR and
@@ -806,7 +829,7 @@ low-entropy passphrases are easy to attack in plain mode.
 first newline, i.e. '\\n'.
 The input without the newline character is processed with
 the default hash or the hash specified with \-\-hash.
-The has result will be truncated to the key size 
+The hash result will be truncated to the key size 
 of the used cipher, or the size specified with \-s.
 
 \fBFrom stdin\fR: Reading will continue until a newline (or until
@@ -849,13 +872,13 @@ the newline character.
 \fBFrom stdin\fR:
 LUKS will read passphrases from stdin up to the
 first newline character or the compiled-in
-maximum key file length. If \-\-keyfile-size is
+maximum key file length. If \-\-keyfile\-size is
 given, it is ignored.
 
 \fBFrom key file\fR:
 The complete keyfile is read up to the compiled-in
 maximum size. Newline characters do not terminate the
-input. The \-\-keyfile-size option can be used to limit
+input. The \-\-keyfile\-size option can be used to limit
 what is read.
 
 \fBPassphrase processing\fR:
@@ -869,7 +892,12 @@ used key length, higher iteration times will not increase security.
 
 The default setting of one second is sufficient for most
 practical cases. The only exception is a low-entropy
-passphrase used on a slow device.
+passphrase used on a device with a slow CPU, as this will
+result in a low iteration count. On a slow device it may
+be advisable to increase the iteration time using the
+\-\-iter\-time option in order to obtain a higher
+iteration count. This does slow down all later luksOpen 
+operations accordingly. 
 .SH INCOHERENT BEHAVIOR FOR INVALID PASSPHRASES/KEYS
 LUKS checks for a valid passphrase when an encrypted partition
 is unlocked. The behavior of plain dm-crypt is different.
@@ -905,7 +933,7 @@ and for wiping deleted keyslots.
 
 The second type is used for the volume (master) key. You can switch
 between using /dev/random and /dev/urandom  here, see
-\fP\-\-use-random\fR and \fP\-\-use-urandom\fR
+\fP\-\-use\-random\fR and \fP\-\-use\-urandom\fR
 options. Using /dev/random on a system without enough entropy sources
 can cause \fPluksFormat\fR to block until the requested amount of
 random data is gathered. In a low-entropy situation (embedded system),
@@ -956,9 +984,9 @@ Copyright \(co 2004-2006 Clemens Fruhwirth
 .br
 Copyright \(co 2009-2012 Red Hat, Inc.
 .br
-Copyright \(co 2009-2012 Milan Broz
+Copyright \(co 2009-2013 Milan Broz
 .br
-Copyright \(co 2012 Arno Wagner
+Copyright \(co 2012-2013 Arno Wagner
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

misc/keyslot_checker/README

@@ -12,8 +12,10 @@ Installation
 ============
 
 1. Install the version of cryptsetup the tool came with.
-2. Compile with
-      gcc -lm -lcryptsetup chk_luks_keyslots.c -o chk_luks_keyslots
+2. Compile with "make"
+   
+Manual compile can be done with
+   gcc -lm -lcryptsetup chk_luks_keyslots.c -o chk_luks_keyslots
 
 Usage
 =====
@@ -21,8 +23,8 @@ Usage
 Call chk_luks_keyslots without arguments for an option summary.
 
 
-Example of a good keyslot area:
--------------------------------
+Example of a good keyslot area with keys 0 and 2 in use:
+--------------------------------------------------------
 
 root> ./chk_luks_keyslots /dev/loop0
 
@@ -31,17 +33,17 @@ parameters (commandline and LUKS header):
   threshold:   0.900000
 
 - processing keyslot 0:  start: 0x001000   end: 0x020400
-- processing keyslot 1:  start: 0x021000   end: 0x040400
+- processing keyslot 1:  keyslot not in use
 - processing keyslot 2:  start: 0x041000   end: 0x060400
-- processing keyslot 3:  start: 0x061000   end: 0x080400
-- processing keyslot 4:  start: 0x081000   end: 0x0a0400
-- processing keyslot 5:  start: 0x0a1000   end: 0x0c0400
-- processing keyslot 6:  start: 0x0c1000   end: 0x0e0400
-- processing keyslot 7:  start: 0x0e1000   end: 0x100400
+- processing keyslot 3:  keyslot not in use
+- processing keyslot 4:  keyslot not in use
+- processing keyslot 5:  keyslot not in use
+- processing keyslot 6:  keyslot not in use
+- processing keyslot 7:  keyslot not in use
 
 
-Example of a fault in slot 8 at offset 0x100200:
------------------------------
+Same example of a fault in slot 2 at offset 0x50000:
+----------------------------------------------------
 
 root>./chk_luks_keyslots /dev/loop2
 
@@ -50,14 +52,14 @@ parameters (commandline and LUKS header):
   threshold:   0.900000
 
 - processing keyslot 0:  start: 0x001000   end: 0x020400
-- processing keyslot 1:  start: 0x021000   end: 0x040400
+- processing keyslot 1:  keyslot not in use
 - processing keyslot 2:  start: 0x041000   end: 0x060400
-- processing keyslot 3:  start: 0x061000   end: 0x080400
-- processing keyslot 4:  start: 0x081000   end: 0x0a0400
-- processing keyslot 5:  start: 0x0a1000   end: 0x0c0400
-- processing keyslot 6:  start: 0x0c1000   end: 0x0e0400
-- processing keyslot 7:  start: 0x0e1000   end: 0x100400
-  low entropy at: 0x100200    entropy: 0.846546
+  low entropy at: 0x050000    entropy: 0.549165
+- processing keyslot 3:  keyslot not in use
+- processing keyslot 4:  keyslot not in use
+- processing keyslot 5:  keyslot not in use
+- processing keyslot 6:  keyslot not in use
+- processing keyslot 7:  keyslot not in use
 
 
 Same as last, but verbose:
@@ -69,48 +71,48 @@ parameters (commandline and LUKS header):
   threshold:   0.900000
 
 - processing keyslot 0:  start: 0x001000   end: 0x020400
-- processing keyslot 1:  start: 0x021000   end: 0x040400
+- processing keyslot 1:  keyslot not in use
 - processing keyslot 2:  start: 0x041000   end: 0x060400
-- processing keyslot 3:  start: 0x061000   end: 0x080400
-- processing keyslot 4:  start: 0x081000   end: 0x0a0400
-- processing keyslot 5:  start: 0x0a1000   end: 0x0c0400
-- processing keyslot 6:  start: 0x0c1000   end: 0x0e0400
-- processing keyslot 7:  start: 0x0e1000   end: 0x100400
-  low entropy at: 0x100200    entropy: 0.846546
+  low entropy at: 0x050000    entropy: 0.549165
   Binary dump:
-  0x100200  BD 0E C7 A8 7D EF 04 F6  AF 83 DF 74 94 FE 04 56  ....}......t...V
-  0x100210  3B 64 BD 68 A9 F6 CF 3C  37 CD 66 B7 17 4D 63 2B  ;d.h...<7.f..Mc+
-  0x100220  8F 6E 74 7E 96 7A 2B 27  32 1B F0 80 37 5A 9A 41  .nt~.z+'2...7Z.A
-  0x100230  4A 6E CB C0 CF 39 95 45  92 90 E1 0B E6 08 EE 2A  Jn...9.E.......*
-  0x100240  FA 66 6D 67 49 89 76 B1  41 CD 24 57 AA 65 F7 69  .fmgI.v.A.$W.e.i
-  0x100250  33 16 A7 C7 61 3D 43 B7  74 D6 86 83 1D 19 BF 85  3...a=C.t.......
-  0x100260  E4 22 3E 16 66 1C B0 1E  11 0D D4 26 37 AD A4 02  .">.f......&7...
-  0x100270  40 77 9A 5A B8 40 39 E3  A3 A0 96 08 4D 57 C5 0C  @w.Z.@9.....MW..
-  0x100280  D4 74 89 45 FA 93 F7 FE  A7 9D D3 99 43 77 8E 35  .t.E........Cw.5
-  0x100290  E0 55 90 3E 91 29 EA DB  5C 13 19 C9 83 CE D8 0C  .U.>.)..\.......
-  0x1002a0  85 7F 96 26 60 16 A0 0B  E1 F9 01 13 1E 59 83 98  ...&`........Y..
-  0x1002b0  06 B5 1D 6F B6 81 9D 60  58 70 15 30 29 42 32 C6  ...o...`Xp.0)B2.
-  0x1002c0  A7 55 64 00 65 ED 41 1C  B4 C1 C7 10 E1 8E 60 B0  .Ud.e.A.......`.
-  0x1002d0  F0 9E 9C 40 5A 84 92 8D  21 F0 B8 2D 61 4E 21 9D  ...@Z...!..-aN!.
-  0x1002e0  FA B8 18 D3 47 A4 4F D4  AB 73 C0 93 F3 8E 9A 95  ....G.O..s......
-  0x1002f0  A4 F1 6D EB 36 85 F4 F7  62 BA 26 D5 15 57 0D 0C  ..m.6...b.&..W..
-  0x100300  C9 4E 19 F2 5B 5A F5 54  B8 F4 B5 57 72 08 1B 7A  .N..[Z.T...Wr..z
-  0x100310  C3 66 7F 82 1E 75 92 C2  E9 97 64 5E F7 FB A9 05  .f...u....d^....
-  0x100320  CF 30 C8 6A D1 35 9B 9D  22 52 22 46 0E 4B DE 53  .0.j.5.."R"F.K.S
-  0x100330  68 C8 DA 5F C7 CA 31 D0  C9 B4 57 CF 0F 1F 4B 9C  h.._..1...W...K.
-  0x100340  DF 0C F8 7C F2 E3 32 52  3C 0D D2 DC 5C CF F0 00  ...|..2R<...\...
-  0x100350  58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
-  0x100360  58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
-  0x100370  58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
-  0x100380  58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
-  0x100390  58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
-  0x1003a0  58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
-  0x1003b0  B4 81 7A F0 BE 38 7E 00  A4 61 41 06 ED 7B 40 D9  ..z..8~..aA..{@.
-  0x1003c0  BF 58 51 C9 CD 37 78 4D  4D B3 6E B4 7D 86 3C CB  .XQ..7xMM.n.}.<.
-  0x1003d0  D5 39 2E FC 78 B1 3E DE  C0 7F 55 25 65 71 AD 2A  .9..x.>...U%eq.*
-  0x1003e0  1E 68 D3 3B 78 17 5F D2  08 93 50 88 D8 0A 75 4F  .h.;x._...P...uO
-  0x1003f0  E5 AA 26 0F B4 F7 F5 88  65 2B E4 92 18 08 32 9E  ..&.....e+....2.
+  0x050000  54 68 69 73 20 69 73 20  61 20 74 65 73 74 2D 73  This is a test-s
+  0x050010  65 63 74 6F 72 20 66 6F  72 20 63 68 6B 5F 6C 75  ector for chk_lu
+  0x050020  6B 73 5F 6B 65 79 73 6C  6F 74 73 20 74 68 65 20  ks_keyslots the
+  0x050030  71 75 69 63 6B 20 62 72  6F 77 6E 20 66 6F 78 20  quick brown fox
+  0x050040  6A 75 6D 70 73 20 6F 76  65 72 20 74 68 65 20 6C  jumps over the l
+  0x050050  61 7A 79 20 64 6F 67 20  74 68 65 20 71 75 69 63  azy dog the quic
+  0x050060  6B 20 62 72 6F 77 6E 20  66 6F 78 20 6A 75 6D 70  k brown fox jump
+  0x050070  73 20 6F 76 65 72 20 74  68 65 20 6C 61 7A 79 20  s over the lazy
+  0x050080  64 6F 67 20 74 68 65 20  71 75 69 63 6B 20 62 72  dog the quick br
+  0x050090  6F 77 6E 20 66 6F 78 20  6A 75 6D 70 73 20 6F 76  own fox jumps ov
+  0x0500a0  65 72 20 74 68 65 20 6C  61 7A 79 20 64 6F 67 20  er the lazy dog
+  0x0500b0  74 68 65 20 71 75 69 63  6B 20 62 72 6F 77 6E 20  the quick brown
+  0x0500c0  66 6F 78 20 6A 75 6D 70  73 20 6F 76 65 72 20 74  fox jumps over t
+  0x0500d0  68 65 20 6C 61 7A 79 20  64 6F 67 20 74 68 65 20  he lazy dog the
+  0x0500e0  71 75 69 63 6B 20 62 72  6F 77 6E 20 66 6F 78 20  quick brown fox
+  0x0500f0  6A 75 6D 70 73 20 6F 76  65 72 20 74 68 65 20 6C  jumps over the l
+  0x050100  61 7A 79 20 64 6F 67 20  74 68 65 20 71 75 69 63  azy dog the quic
+  0x050110  6B 20 62 72 6F 77 6E 20  66 6F 78 20 6A 75 6D 70  k brown fox jump
+  0x050120  73 20 6F 76 65 72 20 74  68 65 20 6C 61 7A 79 20  s over the lazy
+  0x050130  64 6F 67 20 74 68 65 20  71 75 69 63 6B 20 62 72  dog the quick br
+  0x050140  6F 77 6E 20 66 6F 78 20  6A 75 6D 70 73 20 6F 76  own fox jumps ov
+  0x050150  65 72 20 74 68 65 20 6C  61 7A 79 20 64 6F 67 20  er the lazy dog
+  0x050160  74 68 65 20 71 75 69 63  6B 20 62 72 6F 77 6E 20  the quick brown
+  0x050170  66 6F 78 20 6A 75 6D 70  73 20 6F 76 65 72 20 74  fox jumps over t
+  0x050180  68 65 20 6C 61 7A 79 20  64 6F 67 20 74 68 65 20  he lazy dog the
+  0x050190  71 75 69 63 6B 20 62 72  6F 77 6E 20 66 6F 78 20  quick brown fox
+  0x0501a0  6A 75 6D 70 73 20 6F 76  65 72 20 74 68 65 20 6C  jumps over the l
+  0x0501b0  61 7A 79 20 64 6F 67 20  74 68 65 20 71 75 69 63  azy dog the quic
+  0x0501c0  6B 20 62 72 6F 77 6E 20  66 6F 78 20 6A 75 6D 70  k brown fox jump
+  0x0501d0  73 20 6F 76 65 72 20 74  68 65 20 6C 61 7A 79 20  s over the lazy
+  0x0501e0  64 6F 67 20 74 68 65 20  71 75 69 63 6B 20 62 72  dog the quick br
+  0x0501f0  6F 77 6E 20 66 6F 78 20  6A 75 6D 70 73 20 6F 76  own fox jumps ov
 
+- processing keyslot 3:  keyslot not in use
+- processing keyslot 4:  keyslot not in use
+- processing keyslot 5:  keyslot not in use
+- processing keyslot 6:  keyslot not in use
+- processing keyslot 7:  keyslot not in use
 
 ----
 Copyright (C) 2012, Arno Wagner <arno@wagner.name>

po/pl.po

@@ -5,10 +5,10 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 1.6.0\n"
+"Project-Id-Version: cryptsetup 1.6.1\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2013-01-07 18:59+0100\n"
-"PO-Revision-Date: 2013-01-11 16:42+0100\n"
+"POT-Creation-Date: 2013-03-23 21:54+0100\n"
+"PO-Revision-Date: 2013-03-24 21:28+0100\n"
 "Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
 "Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
 "Language: pl\n"
@@ -25,12 +25,12 @@ msgstr "Nie mo
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
 msgstr "Nie mo<6D>na zainicjowa<77> device-mappera. Czy modu<64> j<>dra dm_mod jest wczytany?\n"
 
-#: lib/libdevmapper.c:518
+#: lib/libdevmapper.c:523
 #, c-format
 msgid "DM-UUID for device %s was truncated.\n"
 msgstr "DM-UUID dla urz<72>dzenia %s zosta<74> skr<6B>cony.\n"
 
-#: lib/random.c:75
+#: lib/random.c:76
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -38,264 +38,274 @@ msgstr ""
 "Entropia w systemie wyczerpa<70>a si<73> w trakcie generowania klucza wolumenu.\n"
 "Prosz<73> porusza<7A> mysz<73> albo wpisa<73> troch<63> tekstu w innym oknie w celu zebrania zdarze<7A> losowych.\n"
 
-#: lib/random.c:79
+#: lib/random.c:80
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Generowanie klucza (gotowe %d%%).\n"
 
-#: lib/random.c:168
+#: lib/random.c:169
 msgid "Fatal error during RNG initialisation.\n"
 msgstr "B<><42>d krytyczny w trakcie inicjalizacji RNG.\n"
 
-#: lib/random.c:205
+#: lib/random.c:206
 msgid "Unknown RNG quality requested.\n"
 msgstr "Nieznane <20><>danie jako<6B>ci RNG.\n"
 
-#: lib/random.c:210
+#: lib/random.c:211
 #, c-format
 msgid "Error %d reading from RNG: %s\n"
 msgstr "B<><42>d %d podczas odczytu z RNG: %s\n"
 
-#: lib/setup.c:192
+#: lib/setup.c:190
 msgid "Cannot initialize crypto RNG backend.\n"
 msgstr "Nie mo<6D>na zainicjowa<77> backendu kryptograficznego RNG.\n"
 
-#: lib/setup.c:198
+#: lib/setup.c:196
 msgid "Cannot initialize crypto backend.\n"
 msgstr "Nie mo<6D>na zainicjowa<77> backendu kryptograficznego.\n"
 
-#: lib/setup.c:221 lib/setup.c:1112 lib/verity/verity.c:123
+#: lib/setup.c:219 lib/setup.c:1110 lib/verity/verity.c:123
 #, c-format
 msgid "Hash algorithm %s not supported.\n"
 msgstr "Algorytm skr<6B>tu %s nie jest obs<62>ugiwany.\n"
 
-#: lib/setup.c:224 lib/loopaes/loopaes.c:90
+#: lib/setup.c:222 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s).\n"
 msgstr "B<><42>d przetwarzania klucza (u<>yto algorytmu skr<6B>tu %s).\n"
 
-#: lib/setup.c:270
+#: lib/setup.c:268
 msgid "All key slots full.\n"
 msgstr "Wszyskie miejsca na klucze s<> pe<70>ne.\n"
 
-#: lib/setup.c:277
+#: lib/setup.c:275
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d.\n"
 msgstr "Numer klucza %d jest b<><62>dny, prosz<73> wybra<72> warto<74><6F> mi<6D>dzy 0 a %d.\n"
 
-#: lib/setup.c:283
+#: lib/setup.c:281
 #, c-format
 msgid "Key slot %d is full, please select another one.\n"
 msgstr "Miejsce na klucz %d jest pe<70>ne, prosz<73> wybra<72> inne.\n"
 
-#: lib/setup.c:397
+#: lib/setup.c:390
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Has<61>o dla %s: "
 
-#: lib/setup.c:578
+#: lib/setup.c:571
 #, c-format
 msgid "Header detected but device %s is too small.\n"
 msgstr "Wykryto nag<61><67>wek, ale urz<72>dzenie %s jest zbyt ma<6D>e.\n"
 
-#: lib/setup.c:594 lib/setup.c:1339
+#: lib/setup.c:587 lib/setup.c:1337
 msgid "This operation is not supported for this device type.\n"
 msgstr "Ta operacja nie jest obs<62>ugiwana dla tego rodzaju urz<72>dzenia.\n"
 
-#: lib/setup.c:832 lib/setup.c:1300 lib/setup.c:2168
+#: lib/setup.c:825 lib/setup.c:1298 lib/setup.c:2173
 #, c-format
 msgid "Device %s is not active.\n"
 msgstr "Urz<72>dzenie %s nie jest aktywne.\n"
 
-#: lib/setup.c:849
+#: lib/setup.c:842
 #, c-format
 msgid "Underlying device for crypt device %s disappeared.\n"
 msgstr "Urz<72>dzenie stoj<6F>ce za urz<72>dzeniem szyfrowanym %s znik<69>o.\n"
 
-#: lib/setup.c:914
+#: lib/setup.c:907
 msgid "Invalid plain crypt parameters.\n"
 msgstr "B<><42>dne parametry szyfru plain.\n"
 
-#: lib/setup.c:919 lib/setup.c:1041
+#: lib/setup.c:912 lib/setup.c:1037
 msgid "Invalid key size.\n"
 msgstr "B<><42>dny rozmiar klucza.\n"
 
-#: lib/setup.c:963
+#: lib/setup.c:917 lib/setup.c:1042
+msgid "UUID is not supported for this crypt type.\n"
+msgstr "UUID nie jest obs<62>ugiwany dla tego rodzaju szyfrowania.\n"
+
+#: lib/setup.c:959
 msgid "Can't format LUKS without device.\n"
 msgstr "Nie mo<6D>na sformatowa<77> LUKS-a bez urz<72>dzenia.\n"
 
-#: lib/setup.c:1011
+#: lib/setup.c:1007
 #, c-format
 msgid "Cannot format device %s which is still in use.\n"
 msgstr "Nie mo<6D>na sformatowa<77> urz<72>dzenia %s, kt<6B>re jest nadal w u<>yciu.\n"
 
-#: lib/setup.c:1014
+#: lib/setup.c:1010
 #, c-format
 msgid "Cannot format device %s, permission denied.\n"
 msgstr "Nie mo<6D>na sformatowa<77> urz<72>dzenia %s, brak uprawnie<69>.\n"
 
-#: lib/setup.c:1018
+#: lib/setup.c:1014
 #, c-format
 msgid "Cannot wipe header on device %s.\n"
 msgstr "Nie mo<6D>na wyczy<7A>ci<63> nag<61><67>wka na urz<72>dzeniu %s.\n"
 
-#: lib/setup.c:1036
+#: lib/setup.c:1032
 msgid "Can't format LOOPAES without device.\n"
 msgstr "Nie mo<6D>na sformatowa<77> urz<72>dzenia LUKSAES bez urz<72>dzenia.\n"
 
-#: lib/setup.c:1072
+#: lib/setup.c:1070
 msgid "Can't format VERITY without device.\n"
 msgstr "Nie mo<6D>na sformatowa<77> VERITY bez urz<72>dzenia.\n"
 
-#: lib/setup.c:1080 lib/verity/verity.c:106
+#: lib/setup.c:1078 lib/verity/verity.c:106
 #, c-format
 msgid "Unsupported VERITY hash type %d.\n"
 msgstr "Nieobs<62>ugiwany typ hasza VERITY %d.\n"
 
-#: lib/setup.c:1086 lib/verity/verity.c:114
+#: lib/setup.c:1084 lib/verity/verity.c:114
 msgid "Unsupported VERITY block size.\n"
 msgstr "Nieobs<62>ugiwany rozmiar bloku VERITY.\n"
 
-#: lib/setup.c:1091 lib/verity/verity.c:76
+#: lib/setup.c:1089 lib/verity/verity.c:76
 msgid "Unsupported VERITY hash offset.\n"
 msgstr "Nieobs<62>ugiwany offset hasza VERITY.\n"
 
-#: lib/setup.c:1203
+#: lib/setup.c:1201
 #, c-format
 msgid "Unknown crypt device type %s requested.\n"
 msgstr "Nieznany typ <20><>danego urz<72>dzenia szyfruj<75>cego %s.\n"
 
-#: lib/setup.c:1354
+#: lib/setup.c:1352
 msgid "Do you really want to change UUID of device?"
 msgstr "Czy na pewno zmieni<6E> UUID urz<72>dzenia?"
 
-#: lib/setup.c:1444 lib/setup.c:1489 lib/setup.c:1538 lib/setup.c:1604
-#: lib/setup.c:1677 lib/setup.c:1741 lib/setup.c:1822 lib/setup.c:1868
-#: lib/setup.c:2234 lib/setup.c:2534
+#: lib/setup.c:1440 lib/setup.c:1485 lib/setup.c:1534 lib/setup.c:1600
+#: lib/setup.c:1673 lib/setup.c:1737 lib/setup.c:1818 lib/setup.c:1864
+#: lib/setup.c:2238 lib/setup.c:2532
 msgid "This operation is supported only for LUKS device.\n"
 msgstr "Ta operacja jest obs<62>ugiwana tylko na urz<72>dzeniach LUKS.\n"
 
-#: lib/setup.c:1451
+#: lib/setup.c:1447
 #, c-format
 msgid "Volume %s is not active.\n"
 msgstr "Wolumen %s nie jest aktywny.\n"
 
-#: lib/setup.c:1462
+#: lib/setup.c:1458
 #, c-format
 msgid "Volume %s is already suspended.\n"
 msgstr "Wolumen %s ju<6A> zosta<74> wstrzymany.\n"
 
-#: lib/setup.c:1469
+#: lib/setup.c:1465
 #, c-format
 msgid "Suspend is not supported for device %s.\n"
 msgstr "Wstrzymywanie nie jest obs<62>ugiwane dla urz<72>dzenia %s.\n"
 
-#: lib/setup.c:1471
+#: lib/setup.c:1467
 #, c-format
 msgid "Error during suspending device %s.\n"
 msgstr "B<><42>d podczas wstrzymywania urz<72>dzenia %s.\n"
 
-#: lib/setup.c:1499 lib/setup.c:1548
+#: lib/setup.c:1495 lib/setup.c:1544
 #, c-format
 msgid "Volume %s is not suspended.\n"
 msgstr "Wolumen %s nie jest wstrzymany.\n"
 
-#: lib/setup.c:1513
+#: lib/setup.c:1509
 #, c-format
 msgid "Resume is not supported for device %s.\n"
 msgstr "Wznawianie nie jest obs<62>ugiwane dla urz<72>dzenia %s.\n"
 
-#: lib/setup.c:1515 lib/setup.c:1569
+#: lib/setup.c:1511 lib/setup.c:1565
 #, c-format
 msgid "Error during resuming device %s.\n"
 msgstr "B<><42>d podczas wznawiania urz<72>dzenia %s.\n"
 
-#: lib/setup.c:1555 lib/setup.c:1993 lib/setup.c:2007 src/cryptsetup.c:151
-#: src/cryptsetup.c:229 src/cryptsetup.c:316
+#: lib/setup.c:1551 lib/setup.c:1989 lib/setup.c:2003 src/cryptsetup.c:151
+#: src/cryptsetup.c:229 src/cryptsetup.c:316 src/cryptsetup.c:660
+#: src/cryptsetup.c:1070
 msgid "Enter passphrase: "
 msgstr "Has<61>o: "
 
-#: lib/setup.c:1618 lib/setup.c:1755
+#: lib/setup.c:1614 lib/setup.c:1751
 msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
 msgstr "Nie mo<6D>na doda<64> klucza, wszystkie miejsca na klucze wy<77><79>czone i nie podano klucza wolumenu.\n"
 
-#: lib/setup.c:1627 lib/setup.c:1761 lib/setup.c:1765 src/cryptsetup.c:928
+#: lib/setup.c:1623 lib/setup.c:1757 lib/setup.c:1761
 msgid "Enter any passphrase: "
 msgstr "Dowolne has<61>o: "
 
-#: lib/setup.c:1644 lib/setup.c:1778 lib/setup.c:1782 lib/setup.c:1845
+#: lib/setup.c:1640 lib/setup.c:1774 lib/setup.c:1778 lib/setup.c:1841
 #: src/cryptsetup.c:942
 msgid "Enter new passphrase for key slot: "
 msgstr "Nowe has<61>o dla klucza: "
 
-#: lib/setup.c:1709
+#: lib/setup.c:1705
 #, c-format
 msgid "Key slot %d changed.\n"
 msgstr "Klucz numer %d zmieniony.\n"
 
-#: lib/setup.c:1712
+#: lib/setup.c:1708
 #, c-format
 msgid "Replaced with key slot %d.\n"
 msgstr "Zast<73>piono kluczem numer %d.\n"
 
-#: lib/setup.c:1717
+#: lib/setup.c:1713
 msgid "Failed to swap new key slot.\n"
 msgstr "Nie uda<64>o si<73> podstawi<77> nowego klucza.\n"
 
-#: lib/setup.c:1836 lib/setup.c:2097 lib/setup.c:2110 lib/setup.c:2245
+#: lib/setup.c:1832 lib/setup.c:2093 lib/setup.c:2106 lib/setup.c:2249
 msgid "Volume key does not match the volume.\n"
 msgstr "Klucz wolumenu nie pasuje do wolumenu.\n"
 
-#: lib/setup.c:1874
+#: lib/setup.c:1870
 #, c-format
 msgid "Key slot %d is invalid.\n"
 msgstr "Numer klucza %d jest nieprawid<69>owy.\n"
 
-#: lib/setup.c:1879
+#: lib/setup.c:1875
 #, c-format
 msgid "Key slot %d is not used.\n"
 msgstr "Klucz %d nie jest u<>ywany.\n"
 
-#: lib/setup.c:1909 lib/setup.c:1981 lib/setup.c:2073
+#: lib/setup.c:1905 lib/setup.c:1977 lib/setup.c:2069
 #, c-format
 msgid "Device %s already exists.\n"
 msgstr "Urz<72>dzenie %s ju<6A> istnieje.\n"
 
-#: lib/setup.c:2084
+#: lib/setup.c:2080
 msgid "Incorrect volume key specified for plain device.\n"
 msgstr "Podano niew<65>a<EFBFBD>ciwy klucz wolumenu dla zwyk<79>ego urz<72>dzenia.\n"
 
-#: lib/setup.c:2117
+#: lib/setup.c:2113
 msgid "Incorrect root hash specified for verity device.\n"
 msgstr "Podano niew<65>a<EFBFBD>ciwy hasz g<><67>wny dla urz<72>dzenia VERITY.\n"
 
-#: lib/setup.c:2140
+#: lib/setup.c:2136
 msgid "Device type is not properly initialised.\n"
 msgstr "Typ urz<72>dzenia nie zosta<74> w<>a<EFBFBD>ciwie zainicjalizowany.\n"
 
-#: lib/setup.c:2172
+#: lib/setup.c:2168
+#, c-format
+msgid "Device %s is still in use.\n"
+msgstr "Urz<72>dzenie %s jest nadal w u<>yciu.\n"
+
+#: lib/setup.c:2177
 #, c-format
 msgid "Invalid device %s.\n"
 msgstr "B<><42>dne urz<72>dzenie %s.\n"
 
-#: lib/setup.c:2194
+#: lib/setup.c:2198
 msgid "Function not available in FIPS mode.\n"
 msgstr "Funkcja nie jest dost<73>pna w trybie FIPS.\n"
 
-#: lib/setup.c:2200
+#: lib/setup.c:2204
 msgid "Volume key buffer too small.\n"
 msgstr "Bufor klucza wolumenu zbyt ma<6D>y.\n"
 
-#: lib/setup.c:2208
+#: lib/setup.c:2212
 msgid "Cannot retrieve volume key for plain device.\n"
 msgstr "Nie mo<6D>na odtworzy<7A> klucza wolumenu dla zwyk<79>ego urz<72>dzenia.\n"
 
-#: lib/setup.c:2215
+#: lib/setup.c:2219
 #, c-format
 msgid "This operation is not supported for %s crypt device.\n"
 msgstr "Ta operacja nie jest obs<62>ugiwana dla urz<72>dzenia szyfruj<75>cego %s.\n"
 
-#: lib/setup.c:2412
+#: lib/setup.c:2416
 msgid "Dump operation is not supported for this device type.\n"
 msgstr "Operacja zrzutu nie jest obs<62>ugiwana dla tego rodzaju urz<72>dzenia.\n"
 
@@ -360,7 +370,7 @@ msgstr "Weryfikacja sumy kontrolnej FIPS nie powiod
 msgid "Running in FIPS mode.\n"
 msgstr "Dzia<69>anie w trybie FIPS.\n"
 
-#: lib/utils_device.c:52 lib/luks1/keyencryption.c:81
+#: lib/utils_device.c:52 lib/luks1/keyencryption.c:82
 #, c-format
 msgid "Device %s doesn't exist or access denied.\n"
 msgstr "Urz<72>dzenie %s nie istnieje lub dost<73>p jest zabroniony.\n"
@@ -402,7 +412,7 @@ msgstr "Urz
 msgid "Device %s is too small.\n"
 msgstr "Urz<72>dzenie %s jest zbyt ma<6D>e.\n"
 
-#: lib/luks1/keyencryption.c:30
+#: lib/luks1/keyencryption.c:31
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -411,21 +421,21 @@ msgstr ""
 "Nie uda<64>o si<73> ustawi<77> odwzorowania klucza dm-crypt dla urz<72>dzenia %s.\n"
 "Prosz<73> sprawdzi<7A>, czy j<>dro obs<62>uguje szyfr %s (wi<77>cej informacji w syslogu).\n"
 
-#: lib/luks1/keyencryption.c:35
+#: lib/luks1/keyencryption.c:36
 msgid "Key size in XTS mode must be 256 or 512 bits.\n"
 msgstr "Rozmiar klucza w trybie XTS musi wynosi<73> 256 lub 512 bit<69>w.\n"
 
-#: lib/luks1/keyencryption.c:87 lib/luks1/keymanage.c:290
+#: lib/luks1/keyencryption.c:88 lib/luks1/keymanage.c:290
 #: lib/luks1/keymanage.c:559 lib/luks1/keymanage.c:971
 #, c-format
 msgid "Cannot write to device %s, permission denied.\n"
 msgstr "Nie mo<6D>na zapisa<73> na urz<72>dzenie %s, brak uprawnie<69>.\n"
 
-#: lib/luks1/keyencryption.c:102
+#: lib/luks1/keyencryption.c:103
 msgid "Failed to open temporary keystore device.\n"
 msgstr "Nie uda<64>o si<73> otworzy<7A> urz<72>dzenia do tymczasowego przechowywania kluczy.\n"
 
-#: lib/luks1/keyencryption.c:109
+#: lib/luks1/keyencryption.c:110
 msgid "Failed to access temporary keystore device.\n"
 msgstr "Nie uda<64>o si<73> uzyska<6B> dost<73>pu do urz<72>dzenia do tymczasowego przechowywania kluczy.\n"
 
@@ -490,7 +500,7 @@ msgstr ""
 "UWAGA: nag<61><67>wek prawdziwego urz<72>dzenia ma inny UUID ni<6E> kopia zapasowa!"
 
 #: lib/luks1/keymanage.c:293 lib/luks1/keymanage.c:522
-#: lib/luks1/keymanage.c:562 lib/tcrypt/tcrypt.c:575 lib/verity/verity.c:82
+#: lib/luks1/keymanage.c:562 lib/tcrypt/tcrypt.c:581 lib/verity/verity.c:82
 #: lib/verity/verity.c:179 lib/verity/verity_hash.c:294
 #: lib/verity/verity_hash.c:305 lib/verity/verity_hash.c:325
 #, c-format
@@ -614,19 +624,19 @@ msgstr "Numer klucza %d jest b
 msgid "Cannot wipe device %s.\n"
 msgstr "Nie mo<6D>na wyczy<7A>ci<63> urz<72>dzenia %s.\n"
 
-#: lib/loopaes/loopaes.c:145
+#: lib/loopaes/loopaes.c:146
 msgid "Detected not yet supported GPG encrypted keyfile.\n"
 msgstr "Wykryto jeszcze nie obs<62>ugiwany plik klucza szyfrowany GPG.\n"
 
-#: lib/loopaes/loopaes.c:146
+#: lib/loopaes/loopaes.c:147
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Prosz<73> u<>y<EFBFBD> gpg --decrypt <PLIK-KLUCZA> | cryptsetup --keyfile=- ...\n"
 
-#: lib/loopaes/loopaes.c:178
+#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
 msgid "Incompatible loop-AES keyfile detected.\n"
 msgstr "Wykryto niekompatybilny plik klucza loop-AES.\n"
 
-#: lib/loopaes/loopaes.c:232
+#: lib/loopaes/loopaes.c:244
 msgid "Kernel doesn't support loop-AES compatible mapping.\n"
 msgstr "J<>dro nie obs<62>uguje odwzorowa<77> zgodnych z loop-AES.\n"
 
@@ -635,33 +645,38 @@ msgstr "J
 msgid "Error reading keyfile %s.\n"
 msgstr "B<><42>d odczytu pliku klucza %s.\n"
 
-#: lib/tcrypt/tcrypt.c:512
+#: lib/tcrypt/tcrypt.c:489
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
+msgstr "Przekroczono maksymaln<6C> d<>ugo<67><6F> has<61>a TCRYPT (%d).\n"
+
+#: lib/tcrypt/tcrypt.c:518
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
 msgstr "Algorytm skr<6B>tu PBKDF2 %s nie jest dost<73>pny, pomini<6E>to.\n"
 
-#: lib/tcrypt/tcrypt.c:530 src/cryptsetup.c:549
+#: lib/tcrypt/tcrypt.c:536 src/cryptsetup.c:549
 msgid "Required kernel crypto interface not available.\n"
 msgstr "Wymagany interfejs kryptograficzny j<>dra nie jest dost<73>pny.\n"
 
-#: lib/tcrypt/tcrypt.c:532 src/cryptsetup.c:551
+#: lib/tcrypt/tcrypt.c:538 src/cryptsetup.c:551
 msgid "Ensure you have algif_skcipher kernel module loaded.\n"
 msgstr "Prosz<73> upewni<6E> si<73>, <20>e modu<64> j<>dra algif_skcipher zosta<74> za<7A>adowany.\n"
 
-#: lib/tcrypt/tcrypt.c:654
+#: lib/tcrypt/tcrypt.c:660
 #, c-format
 msgid "Activation is not supported for %d sector size.\n"
 msgstr "Aktywacja nie jest obs<62>ugiwana dla rozmiaru sektora %d.\n"
 
-#: lib/tcrypt/tcrypt.c:660
+#: lib/tcrypt/tcrypt.c:666
 msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
 msgstr "J<>dro nie obs<62>uguje aktywacji dla tego starego trybu TCRYPT.\n"
 
-#: lib/tcrypt/tcrypt.c:720
+#: lib/tcrypt/tcrypt.c:726
 msgid "Kernel doesn't support plain64 IV.\n"
 msgstr "J<>dro nie obs<62>uguje IV plain64.\n"
 
-#: lib/tcrypt/tcrypt.c:924
+#: lib/tcrypt/tcrypt.c:930
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Ta funkcja nie jest obs<62>ugiwana bez za<7A>adowanego nag<61><67>wka TCRYPT."
 
@@ -821,10 +836,6 @@ msgstr "b
 msgid "Cannot use %s as on-disk header.\n"
 msgstr "Nie mo<6D>na u<>y<EFBFBD> %s jako nag<61><67>wka na dysku.\n"
 
-#: src/cryptsetup.c:660 src/cryptsetup.c:1070
-msgid "Enter LUKS passphrase: "
-msgstr "Has<61>o LUKS: "
-
 #: src/cryptsetup.c:718
 msgid "Reduced data offset is allowed only for detached LUKS header.\n"
 msgstr "Offset zmniejszonych danych jest dozwolony tylko dla osobnego nag<61><67>wka LUKS.\n"
@@ -844,20 +855,24 @@ msgid "This is the last keyslot. Device will become unusable after purging this
 msgstr "To jest ostatni klucz. Urz<72>dzenie stanie si<73> bezu<7A>yteczne po usuni<6E>ciu tego klucza."
 
 #: src/cryptsetup.c:831
-msgid "Enter any remaining LUKS passphrase: "
-msgstr "Dowolne pozosta<74>e has<61>o LUKS: "
+msgid "Enter any remaining passphrase: "
+msgstr "Dowolne pozosta<74>e has<61>o: "
 
 #: src/cryptsetup.c:859
-msgid "Enter LUKS passphrase to be deleted: "
-msgstr "Has<61>o LUKS do usuni<6E>cia: "
+msgid "Enter passphrase to be deleted: "
+msgstr "Has<61>o do usuni<6E>cia: "
+
+#: src/cryptsetup.c:928 src/cryptsetup_reencrypt.c:948
+msgid "Enter any existing passphrase: "
+msgstr "Dowolne istniej<65>ce has<61>o: "
 
 #: src/cryptsetup.c:977
-msgid "Enter LUKS passphrase to be changed: "
-msgstr "Has<61>o LUKS, kt<6B>re ma by<62> zmienione: "
+msgid "Enter passphrase to be changed: "
+msgstr "Has<61>o, kt<6B>re ma by<62> zmienione: "
 
 #: src/cryptsetup.c:991 src/cryptsetup_reencrypt.c:934
-msgid "Enter new LUKS passphrase: "
-msgstr "Nowe has<61>o LUKS: "
+msgid "Enter new passphrase: "
+msgstr "Nowe has<61>o: "
 
 #: src/cryptsetup.c:1165 src/cryptsetup.c:1186
 msgid "Option --header-backup-file is required.\n"
@@ -1547,14 +1562,10 @@ msgstr "B
 msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
 msgstr "Rozmiaru klucza mo<6D>na u<>y<EFBFBD> tylko z --key-slot albo przy dok<6F>adnie jednym aktywnym kluczu.\n"
 
-#: src/cryptsetup_reencrypt.c:948
-msgid "Enter any LUKS passphrase: "
-msgstr "Dowolne has<61>o LUKS: "
-
 #: src/cryptsetup_reencrypt.c:955
 #, c-format
-msgid "Enter LUKS passphrase for key slot %u: "
-msgstr "Has<61>o LUKS dla klucza %u: "
+msgid "Enter passphrase for key slot %u: "
+msgstr "Has<61>o dla klucza %u: "
 
 #: src/cryptsetup_reencrypt.c:1004
 msgid "Cannot open reencryption log file.\n"

python/Makefile.am

@@ -1,4 +1,4 @@
-AM_CPPFLAGS = -I$(top_srcdir)/lib $(PYTHON_INCLUDES)
+AM_CPPFLAGS = -include $(top_srcdir)/config.h -I$(top_srcdir)/lib $(PYTHON_INCLUDES)
 EXTRA_DIST = pycryptsetup-test.py
 CLEANFILES = *.img
 
@@ -9,7 +9,7 @@ pyexec_LTLIBRARIES = pycryptsetup.la
 
 pycryptsetup_la_SOURCES = pycryptsetup.c
 pycryptsetup_la_CPPFLAGS = $(AM_CPPFLAGS) $(PYTHON_CPPFLAGS) -fno-strict-aliasing
-pycryptsetup_la_LDFLAGS = -avoid-version -module
+pycryptsetup_la_LDFLAGS = -avoid-version -module -shared -export-dynamic
 pycryptsetup_la_LIBADD = $(top_builddir)/lib/libcryptsetup.la -lpython$(PYTHON_VERSION)
 else
 all:

src/Makefile.am

@@ -1,4 +1,4 @@
-AM_CPPFLAGS = \
+AM_CPPFLAGS = -include config.h \
 	-I$(top_srcdir)				\
 	-I$(top_srcdir)/lib			\
 	-DDATADIR=\""$(datadir)"\"		\
@@ -6,8 +6,7 @@ AM_CPPFLAGS = \
 	-DLIBDIR=\""$(libdir)"\"		\
 	-DPREFIX=\""$(prefix)"\"		\
 	-DSYSCONFDIR=\""$(sysconfdir)"\"	\
-	-DVERSION=\""$(VERSION)"\"		\
-	-D_GNU_SOURCE
+	-DVERSION=\""$(VERSION)"\"
 
 # cryptsetup
 cryptsetup_SOURCES = \
@@ -25,7 +24,7 @@ cryptsetup_LDADD = \
 	@FIPSCHECK_LIBS@			\
 	@PWQUALITY_LIBS@
 
-cryptsetup_CFLAGS = -Wall
+cryptsetup_CFLAGS = $(AM_CFLAGS) -Wall
 
 sbin_PROGRAMS=cryptsetup
 
@@ -33,7 +32,7 @@ if STATIC_TOOLS
 sbin_PROGRAMS += cryptsetup.static
 cryptsetup_static_SOURCES = $(cryptsetup_SOURCES)
 cryptsetup_static_CFLAGS = $(cryptsetup_CFLAGS)
-cryptsetup_static_LDFLAGS = -all-static
+cryptsetup_static_LDFLAGS = $(AM_LDFLAGS) -all-static
 cryptsetup_static_LDADD = $(cryptsetup_LDADD)	\
 	@CRYPTO_STATIC_LIBS@			\
 	@PWQUALITY_STATIC_LIBS@			\
@@ -63,7 +62,7 @@ if STATIC_TOOLS
 sbin_PROGRAMS += veritysetup.static
 veritysetup_static_SOURCES = $(veritysetup_SOURCES)
 veritysetup_static_CFLAGS = $(veritysetup_CFLAGS)
-veritysetup_static_LDFLAGS = -all-static
+veritysetup_static_LDFLAGS = $(AM_LDFLAGS) -all-static
 veritysetup_static_LDADD = $(veritysetup_LDADD)	\
 	@CRYPTO_STATIC_LIBS@ \
 	@DEVMAPPER_STATIC_LIBS@ \
@@ -88,7 +87,7 @@ if STATIC_TOOLS
 sbin_PROGRAMS += cryptsetup-reencrypt.static
 cryptsetup_reencrypt_static_SOURCES = $(cryptsetup_reencrypt_SOURCES)
 cryptsetup_reencrypt_static_CFLAGS = $(cryptsetup_reencrypt_CFLAGS)
-cryptsetup_reencrypt_static_LDFLAGS = -all-static
+cryptsetup_reencrypt_static_LDFLAGS = $(AM_LDFLAGS) -all-static
 cryptsetup_reencrypt_static_LDADD = $(cryptsetup_reencrypt_LDADD)	\
 	@CRYPTO_STATIC_LIBS@ \
 	@DEVMAPPER_STATIC_LIBS@ \

src/cryptsetup.c

@@ -4,7 +4,7 @@
  * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
  * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2012, Milan Broz
+ * Copyright (C) 2009-2013, Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -657,7 +657,7 @@ static int action_luksFormat(void)
 	else if (opt_urandom)
 		crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
 
-	r = tools_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
+	r = tools_get_key(_("Enter passphrase: "), &password, &passwordLen,
 			  opt_keyfile_offset, opt_keyfile_size, opt_key_file,
 			  opt_timeout, _verify_passphrase(1), 1, cd);
 	if (r < 0)
@@ -828,7 +828,7 @@ static int action_luksKillSlot(void)
 	if (!opt_batch_mode) {
 		r = verify_keyslot(cd, opt_key_slot,
 			_("This is the last keyslot. Device will become unusable after purging this key."),
-			_("Enter any remaining LUKS passphrase: "),
+			_("Enter any remaining passphrase: "),
 			opt_key_file, opt_keyfile_offset, opt_keyfile_size);
 		if (r < 0)
 			goto out;
@@ -856,7 +856,7 @@ static int action_luksRemoveKey(void)
 	if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
 		goto out;
 
-	r = tools_get_key(_("Enter LUKS passphrase to be deleted: "),
+	r = tools_get_key(_("Enter passphrase to be deleted: "),
 		      &password, &passwordLen,
 		      opt_keyfile_offset, opt_keyfile_size, opt_key_file,
 		      opt_timeout,
@@ -925,7 +925,7 @@ static int action_luksAddKey(void)
 			opt_key_file, opt_keyfile_size, opt_keyfile_offset,
 			opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
 	} else {
-		r = tools_get_key(_("Enter any passphrase: "),
+		r = tools_get_key(_("Enter any existing passphrase: "),
 			      &password, &password_size, 0, 0, NULL,
 			      opt_timeout, _verify_passphrase(0), 0, cd);
 
@@ -974,7 +974,7 @@ static int action_luksChangeKey(void)
 	if (opt_iteration_time)
 		crypt_set_iteration_time(cd, opt_iteration_time);
 
-	r = tools_get_key(_("Enter LUKS passphrase to be changed: "),
+	r = tools_get_key(_("Enter passphrase to be changed: "),
 		      &password, &password_size,
 		      opt_keyfile_offset, opt_keyfile_size, opt_key_file,
 		      opt_timeout, _verify_passphrase(0), 0, cd);
@@ -988,7 +988,7 @@ static int action_luksChangeKey(void)
 	if (r < 0)
 		goto out;
 
-	r = tools_get_key(_("Enter new LUKS passphrase: "),
+	r = tools_get_key(_("Enter new passphrase: "),
 			  &password_new, &password_new_size,
 			  opt_new_keyfile_offset, opt_new_keyfile_size,
 			  opt_new_key_file,
@@ -1010,6 +1010,12 @@ static int action_isLuks(void)
 	struct crypt_device *cd = NULL;
 	int r;
 
+	/* FIXME: argc > max should be checked for other operations as well */
+	if (action_argc > 1) {
+		log_err(_("Only one device argument for isLuks operation is supported.\n"));
+		return -ENODEV;
+	}
+
 	if ((r = crypt_init(&cd, action_argv[0])))
 		goto out;
 
@@ -1067,7 +1073,7 @@ static int luksDump_with_volume_key(struct crypt_device *cd)
 	if (!vk)
 		return -ENOMEM;
 
-	r = tools_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
+	r = tools_get_key(_("Enter passphrase: "), &password, &passwordLen,
 			  opt_keyfile_offset, opt_keyfile_size, opt_key_file,
 			  opt_timeout, 0, 0, cd);
 	if (r < 0)
@@ -1500,7 +1506,7 @@ int main(int argc, const char **argv)
 		usage(popt_context, EXIT_FAILURE, _("Unknown action."),
 		      poptGetInvocationName(popt_context));
 
-	if(action_argc < action->required_action_argc)
+	if (action_argc < action->required_action_argc)
 		help_args(action, popt_context);
 
 	/* FIXME: rewrite this from scratch */

src/cryptsetup.h

@@ -4,7 +4,7 @@
  * Copyright (C) 2004, Christophe Saout <christophe@saout.de>
  * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2012, Milan Broz
+ * Copyright (C) 2009-2013, Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -24,11 +24,6 @@
 #ifndef CRYPTSETUP_H
 #define CRYPTSETUP_H
 
-#define _LARGEFILE64_SOURCE
-#define _FILE_OFFSET_BITS 64
-
-#include <config.h>
-
 #include <string.h>
 #include <stdlib.h>
 #include <stdarg.h>

src/cryptsetup_reencrypt.c

@@ -1,8 +1,8 @@
 /*
  * cryptsetup-reencrypt - crypt utility for offline re-encryption
  *
- * Copyright (C) 2012, Milan Broz All rights reserved.
  * Copyright (C) 2012, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2013, Milan Broz All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -931,7 +931,7 @@ static int initialize_passphrase(struct reenc_ctx *rc, const char *device)
 	log_dbg("Passhrases initialization.");
 
 	if (opt_new && !rc->in_progress) {
-		r = init_passphrase1(rc, cd, _("Enter new LUKS passphrase: "), 0, 0);
+		r = init_passphrase1(rc, cd, _("Enter new passphrase: "), 0, 0);
 		return r > 0 ? 0 : r;
 	}
 
@@ -945,14 +945,14 @@ static int initialize_passphrase(struct reenc_ctx *rc, const char *device)
 	if (opt_key_file) {
 		r = init_keyfile(rc, cd, opt_key_slot);
 	} else if (rc->in_progress) {
-		r = init_passphrase1(rc, cd, _("Enter any LUKS passphrase: "),
+		r = init_passphrase1(rc, cd, _("Enter any existing passphrase: "),
 				     CRYPT_ANY_SLOT, 1);
 	} else for (i = 0; i < MAX_SLOT; i++) {
 		ki = crypt_keyslot_status(cd, i);
 		if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
 			continue;
 
-		snprintf(msg, sizeof(msg), _("Enter LUKS passphrase for key slot %u: "), i);
+		snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %u: "), i);
 		r = init_passphrase1(rc, cd, msg, i, 1);
 		if (r < 0)
 			break;

tests/Makefile.am

@@ -33,12 +33,13 @@ clean-local:
 	-rm -rf tcrypt-images
 
 differ_SOURCES = differ.c
-differ_CFLAGS = -Wall -O2
+differ_CFLAGS = $(AM_CFLAGS) -Wall -O2
 
 api_test_SOURCES = api-test.c $(top_srcdir)/lib/utils_loop.c
 api_test_LDADD = ../lib/libcryptsetup.la
-api_test_LDFLAGS = -static
-api_test_CFLAGS = -g -Wall -O0 -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
+api_test_LDFLAGS = $(AM_LDFLAGS) -static
+api_test_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
+api_test_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
 
 check_PROGRAMS = api-test differ
 

tests/api-test.c

@@ -2,7 +2,7 @@
  * cryptsetup library API check functions
  *
  * Copyright (C) 2009-2012 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2012, Milan Broz
+ * Copyright (C) 2009-2013, Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -27,6 +27,7 @@
 #include <linux/fs.h>
 #include <errno.h>
 #include <assert.h>
+#include <signal.h>
 #include <sys/stat.h>
 #include <sys/ioctl.h>
 #include <libdevmapper.h>
@@ -84,6 +85,9 @@
 
 static int _debug   = 0;
 static int _verbose = 1;
+static int _fips_mode = 0;
+
+static int _quit = 0;
 
 static char global_log[4096];
 static int global_lines = 0;
@@ -114,6 +118,24 @@ static int device_size(const char *device, uint64_t *size)
 	return r;
 }
 
+static int fips_mode(void)
+{
+	int fd;
+	char buf = 0;
+
+	fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+
+	if (fd < 0)
+		return 0;
+
+	if (read(fd, &buf, 1) != 1)
+		buf = '0';
+
+	close(fd);
+
+	return (buf == '1');
+}
+
 static int get_luks_offsets(int metadata_device,
 			    size_t keylength,
 			    unsigned int alignpayload_sec,
@@ -451,6 +473,11 @@ static int _setup(void)
 
 	_system("modprobe dm-crypt", 0);
 	_system("modprobe dm-verity", 0);
+
+	_fips_mode = fips_mode();
+	if (_debug)
+		printf("FIPS MODE: %d\n", _fips_mode);
+
 	return 0;
 }
 
@@ -496,6 +523,12 @@ static void xlog(const char *msg, const char *tst, const char *func, int line, c
 		else
 			printf(" [%s,%s:%d] %s\n", msg, func, line, tst);
 	}
+	if (_quit) {
+		if (_verbose)
+			printf("Interrupted by a signal.\n");
+		_cleanup();
+		exit(-1);
+	}
 }
 
 /* crypt_device context must be "cd" to parse error properly here */
@@ -505,8 +538,8 @@ static void xlog(const char *msg, const char *tst, const char *func, int line, c
 #define FAIL_(x, y)	do { xlog("(fail)   ", #x, __FUNCTION__, __LINE__, y); \
 			     check_ko((x), __LINE__, __FUNCTION__); \
 			} while(0)
-#define EQ_(x, y)	do { xlog("(equal)  ", #x " == " #y, __FUNCTION__, __LINE__, NULL); \
-			     int64_t _x = (x), _y = (y); \
+#define EQ_(x, y)	do { int64_t _x = (x), _y = (y); \
+			     xlog("(equal)  ", #x " == " #y, __FUNCTION__, __LINE__, NULL); \
 			     if (_x != _y) check_equal(__LINE__, __FUNCTION__, _x, _y); \
 			} while(0)
 #define RUN_(x, y)		do { printf("%s: %s\n", #x, (y)); x(); } while (0)
@@ -760,14 +793,16 @@ static void AddDevicePlain(void)
 	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
 
 	// retrieve volume key check
-	memset(key2, 0, key_size);
-	key_size--;
-	// small buffer
-	FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)), "small buffer");
-	key_size++;
-	OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
+	if (!_fips_mode) {
+		memset(key2, 0, key_size);
+		key_size--;
+		// small buffer
+		FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)), "small buffer");
+		key_size++;
+		OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
 
-	OK_(memcmp(key, key2, key_size));
+		OK_(memcmp(key, key2, key_size));
+	}
 	OK_(strcmp(cipher, crypt_get_cipher(cd)));
 	OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
 	EQ_((int)key_size, crypt_get_volume_key_size(cd));
@@ -899,16 +934,18 @@ static void UseLuksDevice(void)
 	EQ_((int)key_size, crypt_get_volume_key_size(cd));
 	EQ_(1032, crypt_get_data_offset(cd));
 
-	EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
-	OK_(crypt_volume_key_verify(cd, key, key_size));
-	OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
-	OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
-	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
-	OK_(crypt_deactivate(cd, CDEVICE_1));
+	if (!_fips_mode) {
+		EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
+		OK_(crypt_volume_key_verify(cd, key, key_size));
+		OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
+		OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+		EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+		OK_(crypt_deactivate(cd, CDEVICE_1));
 
-	key[1] = ~key[1];
-	FAIL_(crypt_volume_key_verify(cd, key, key_size), "key mismatch");
-	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "key mismatch");
+		key[1] = ~key[1];
+		FAIL_(crypt_volume_key_verify(cd, key, key_size), "key mismatch");
+		FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "key mismatch");
+	}
 	crypt_free(cd);
 }
 
@@ -1130,10 +1167,12 @@ static void AddDeviceLuks(void)
 	EQ_(7, crypt_activate_by_passphrase(cd, NULL, 7, passphrase2, strlen(passphrase2), 0));
 	EQ_(6, crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 6, passphrase2, strlen(passphrase2), passphrase, strlen(passphrase)));
 
-	EQ_(6, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
-	OK_(crypt_volume_key_verify(cd, key2, key_size));
+	if (!_fips_mode) {
+		EQ_(6, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
+		OK_(crypt_volume_key_verify(cd, key2, key_size));
 
-	OK_(memcmp(key, key2, key_size));
+		OK_(memcmp(key, key2, key_size));
+	}
 	OK_(strcmp(cipher, crypt_get_cipher(cd)));
 	OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
 	EQ_((int)key_size, crypt_get_volume_key_size(cd));
@@ -1713,6 +1752,7 @@ static void TcryptTest(void)
 	};
 	double enc_mbr = 0, dec_mbr = 0;
 	const char *tcrypt_dev = "tcrypt-images/tck_5-sha512-xts-aes";
+	const char *tcrypt_dev2 = "tcrypt-images/tc_5-sha512-xts-serpent-twofish-aes";
 	size_t key_size = 64;
 	char key[key_size], key_def[key_size];
 	const char *key_hex =
@@ -1743,12 +1783,14 @@ static void TcryptTest(void)
 	EQ_(256, crypt_get_data_offset(cd));
 
 	memset(key, 0, key_size);
-	key_size--;
-	// small buffer
-	FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "small buffer");
-	key_size++;
-	OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0));
-	OK_(memcmp(key, key_def, key_size));
+	if (!_fips_mode) {
+		key_size--;
+		// small buffer
+		FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "small buffer");
+		key_size++;
+		OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0));
+		OK_(memcmp(key, key_def, key_size));
+	}
 
 	reset_log();
 	crypt_set_log_callback(cd, &new_log, NULL);
@@ -1780,6 +1822,18 @@ static void TcryptTest(void)
 
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 	crypt_free(cd);
+
+	OK_(crypt_init(&cd, tcrypt_dev2));
+	params.keyfiles = NULL;
+	params.keyfiles_count = 0;
+	OK_(crypt_load(cd, CRYPT_TCRYPT, &params));
+	OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, NULL, 0, CRYPT_ACTIVATE_READONLY));
+	crypt_free(cd);
+
+	// Deactivate the whole chain
+	EQ_(crypt_status(NULL, CDEVICE_1 "_1"), CRYPT_BUSY);
+	OK_(crypt_deactivate(NULL, CDEVICE_1));
+	EQ_(crypt_status(NULL, CDEVICE_1 "_1"), CRYPT_INACTIVE);
 }
 
 // Check that gcrypt is properly initialised in format
@@ -1817,8 +1871,14 @@ static void NonFIPSAlg(void)
 	crypt_free(cd);
 }
 
+static void int_handler(int sig __attribute__((__unused__)))
+{
+	_quit++;
+}
+
 int main(int argc, char *argv[])
 {
+	struct sigaction sa = { .sa_handler = int_handler };
 	int i;
 
 	if (getuid() != 0) {
@@ -1833,6 +1893,10 @@ int main(int argc, char *argv[])
 			_debug = _verbose = 1;
 	}
 
+	/* Handle interrupt properly */
+	sigaction(SIGINT, &sa, NULL);
+	sigaction(SIGTERM, &sa, NULL);
+
 	_cleanup();
 	if (_setup())
 		goto out;

tests/compat-test

@@ -39,6 +39,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 LOOPDEV=$(losetup -f 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function remove_mapping()
 {
@@ -63,6 +64,12 @@ function fail()
 	exit 2
 }
 
+function can_fail_fips()
+{
+        # Ignore this fail if running in FIPS mode
+        [ -z "$FIPS_MODE" -o "$FIPS_MODE" -eq 0 ] && fail $1
+}
+
 function skip()
 {
 	[ -n "$1" ] && echo "$1"
@@ -390,8 +397,8 @@ echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
 echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
-echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || fail
-$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail
+echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || can_fail_fips
+$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || can_fail_fips
 
 prepare "[22] remove disappeared device" wipe
 dmsetup create $DEV_NAME --table "0 5000 linear $LOOPDEV 2" || fail
@@ -520,6 +527,8 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME && fail
 prepare "[28] Detached LUKS header" wipe
 dd if=/dev/zero of=$HEADER_IMG bs=1M count=4 >/dev/null 2>&1
 echo $PWD1 | $CRYPTSETUP luksFormat -i1 $LOOPDEV --header $HEADER_IMG || fail
+echo $PWD1 | $CRYPTSETUP luksFormat -i1 $LOOPDEV --header $HEADER_IMG --align-payload 1 >/dev/null 2>&1 && fail
+echo $PWD1 | $CRYPTSETUP luksFormat -i1 $LOOPDEV --header $HEADER_IMG --align-payload 8192 || fail
 echo $PWD1 | $CRYPTSETUP luksFormat -i1 $LOOPDEV --header $HEADER_IMG --align-payload 0 || fail
 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
 $CRYPTSETUP -q resize  $DEV_NAME --size 100 --header $HEADER_IMG || fail