mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-15 04:40:05 +01:00
454 lines
11 KiB
C
454 lines
11 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* Helper utilities for LUKS2 features
|
|
*
|
|
* Copyright (C) 2018-2025 Red Hat, Inc. All rights reserved.
|
|
* Copyright (C) 2018-2025 Milan Broz
|
|
* Copyright (C) 2018-2025 Ondrej Kozina
|
|
*/
|
|
|
|
#include "cryptsetup.h"
|
|
#include "cryptsetup_args.h"
|
|
#include "utils_luks.h"
|
|
|
|
extern const char *set_pbkdf;
|
|
|
|
const char *luksType(const char *type)
|
|
{
|
|
if (type && !strcmp(type, "luks2"))
|
|
return CRYPT_LUKS2;
|
|
|
|
if (type && !strcmp(type, "luks1"))
|
|
return CRYPT_LUKS1;
|
|
|
|
if (type && !strcmp(type, "luks"))
|
|
return CRYPT_LUKS; /* NULL */
|
|
|
|
if (type && *type)
|
|
return type;
|
|
|
|
return CRYPT_LUKS; /* NULL */
|
|
}
|
|
|
|
bool isLUKS1(const char *type)
|
|
{
|
|
return type && !strcmp(type, CRYPT_LUKS1);
|
|
}
|
|
|
|
bool isLUKS2(const char *type)
|
|
{
|
|
/* OPAL just changes the driver, header format is identical, so overload */
|
|
return type && (!strcmp(type, CRYPT_LUKS2));
|
|
}
|
|
|
|
int verify_passphrase(int def)
|
|
{
|
|
/* Batch mode switch off verify - if not overridden by -y */
|
|
if (ARG_SET(OPT_VERIFY_PASSPHRASE_ID))
|
|
def = 1;
|
|
else if (ARG_SET(OPT_BATCH_MODE_ID))
|
|
def = 0;
|
|
|
|
/* Non-tty input doesn't allow verify */
|
|
if (def && !isatty(STDIN_FILENO)) {
|
|
if (ARG_SET(OPT_VERIFY_PASSPHRASE_ID))
|
|
log_err(_("Can't do passphrase verification on non-tty inputs."));
|
|
def = 0;
|
|
}
|
|
|
|
return def;
|
|
}
|
|
|
|
void set_activation_flags(uint32_t *flags)
|
|
{
|
|
if (ARG_SET(OPT_READONLY_ID))
|
|
*flags |= CRYPT_ACTIVATE_READONLY;
|
|
|
|
if (ARG_SET(OPT_ALLOW_DISCARDS_ID))
|
|
*flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
|
|
|
|
if (ARG_SET(OPT_PERF_SAME_CPU_CRYPT_ID))
|
|
*flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT;
|
|
|
|
if (ARG_SET(OPT_PERF_SUBMIT_FROM_CRYPT_CPUS_ID))
|
|
*flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS;
|
|
|
|
if (ARG_SET(OPT_PERF_NO_READ_WORKQUEUE_ID))
|
|
*flags |= CRYPT_ACTIVATE_NO_READ_WORKQUEUE;
|
|
|
|
if (ARG_SET(OPT_PERF_NO_WRITE_WORKQUEUE_ID))
|
|
*flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE;
|
|
|
|
if (ARG_SET(OPT_PERF_HIGH_PRIORITY_ID))
|
|
*flags |= CRYPT_ACTIVATE_HIGH_PRIORITY;
|
|
|
|
if (ARG_SET(OPT_INTEGRITY_NO_JOURNAL_ID))
|
|
*flags |= CRYPT_ACTIVATE_NO_JOURNAL;
|
|
|
|
/* In persistent mode, we use what is set on command line */
|
|
if (ARG_SET(OPT_PERSISTENT_ID))
|
|
*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
|
|
|
|
/* Only for LUKS2 but ignored elsewhere */
|
|
if (ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
|
|
(ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
|
|
*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
|
|
|
|
if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID))
|
|
*flags |= CRYPT_ACTIVATE_KEYRING_KEY;
|
|
|
|
if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
|
|
*flags |= CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF;
|
|
|
|
/* Only for plain */
|
|
if (ARG_SET(OPT_IV_LARGE_SECTORS_ID))
|
|
*flags |= CRYPT_ACTIVATE_IV_LARGE_SECTORS;
|
|
}
|
|
|
|
int set_pbkdf_params(struct crypt_device *cd, const char *dev_type)
|
|
{
|
|
const struct crypt_pbkdf_type *pbkdf_default;
|
|
struct crypt_pbkdf_type pbkdf = {};
|
|
|
|
pbkdf_default = crypt_get_pbkdf_default(dev_type);
|
|
if (!pbkdf_default)
|
|
return -EINVAL;
|
|
|
|
pbkdf.type = set_pbkdf ?: pbkdf_default->type;
|
|
pbkdf.hash = ARG_STR(OPT_HASH_ID) ?: pbkdf_default->hash;
|
|
pbkdf.time_ms = ARG_UINT32(OPT_ITER_TIME_ID) ?: pbkdf_default->time_ms;
|
|
if (strcmp(pbkdf.type, CRYPT_KDF_PBKDF2)) {
|
|
pbkdf.max_memory_kb = ARG_UINT32(OPT_PBKDF_MEMORY_ID) ?: pbkdf_default->max_memory_kb;
|
|
pbkdf.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID) ?: pbkdf_default->parallel_threads;
|
|
}
|
|
|
|
if (ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID)) {
|
|
pbkdf.iterations = ARG_UINT32(OPT_PBKDF_FORCE_ITERATIONS_ID);
|
|
pbkdf.time_ms = 0;
|
|
pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK;
|
|
}
|
|
|
|
return crypt_set_pbkdf_type(cd, &pbkdf);
|
|
}
|
|
|
|
int set_tries_tty(bool keyring)
|
|
{
|
|
if (keyring && ARG_SET(OPT_KEY_DESCRIPTION_ID))
|
|
return 1;
|
|
|
|
return (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1;
|
|
}
|
|
|
|
int get_adjusted_key_size(const char *cipher, const char *cipher_mode, uint32_t keysize_bits,
|
|
uint32_t default_size_bits, int integrity_keysize)
|
|
{
|
|
#if ENABLE_LUKS_ADJUST_XTS_KEYSIZE
|
|
if (!keysize_bits && (!strncmp(cipher_mode, "xts-", 4) || !strncmp(cipher, "capi:xts(", 9))) {
|
|
if (default_size_bits == 128)
|
|
keysize_bits = 256;
|
|
else if (default_size_bits == 256)
|
|
keysize_bits = 512;
|
|
}
|
|
#endif
|
|
return (keysize_bits ?: default_size_bits) / 8 + integrity_keysize;
|
|
}
|
|
|
|
/*
|
|
* FIXME: 4MiBs is max LUKS2 mda length (including binary header).
|
|
* In future, read max allowed JSON size from config section.
|
|
*/
|
|
#define LUKS2_MAX_MDA_SIZE 0x400000
|
|
int tools_read_json_file(const char *file, char **json, size_t *json_size, bool batch_mode)
|
|
{
|
|
ssize_t ret;
|
|
int fd, block, r;
|
|
void *buf = NULL;
|
|
bool close_fd = false;
|
|
|
|
block = tools_signals_blocked();
|
|
if (block)
|
|
set_int_block(0);
|
|
|
|
if (tools_is_stdin(file)) {
|
|
fd = STDIN_FILENO;
|
|
log_dbg("STDIN descriptor JSON read requested.");
|
|
} else {
|
|
log_dbg("File descriptor JSON read requested.");
|
|
fd = open(file, O_RDONLY);
|
|
if (fd < 0) {
|
|
log_err(_("Failed to open file %s in read-only mode."), file);
|
|
r = -EINVAL;
|
|
goto out;
|
|
}
|
|
close_fd = true;
|
|
}
|
|
|
|
buf = malloc(LUKS2_MAX_MDA_SIZE);
|
|
if (!buf) {
|
|
r = -ENOMEM;
|
|
goto out;
|
|
}
|
|
|
|
if (isatty(fd) && !batch_mode)
|
|
log_std(_("Provide valid LUKS2 token JSON:\n"));
|
|
|
|
/* we expect JSON (string) */
|
|
r = 0;
|
|
ret = read_buffer_intr(fd, buf, LUKS2_MAX_MDA_SIZE - 1, &quit);
|
|
if (ret < 0) {
|
|
r = -EIO;
|
|
log_err(_("Failed to read JSON file."));
|
|
goto out;
|
|
}
|
|
check_signal(&r);
|
|
if (r) {
|
|
log_err(_("\nRead interrupted."));
|
|
goto out;
|
|
}
|
|
|
|
*json_size = (size_t)ret;
|
|
*json = buf;
|
|
*(*json + ret) = '\0';
|
|
out:
|
|
if (block && !quit)
|
|
set_int_block(1);
|
|
if (close_fd)
|
|
close(fd);
|
|
if (r && buf) {
|
|
memset(buf, 0, LUKS2_MAX_MDA_SIZE);
|
|
free(buf);
|
|
}
|
|
return r;
|
|
}
|
|
|
|
int tools_write_json_file(const char *file, const char *json)
|
|
{
|
|
int block, fd, r;
|
|
size_t json_len;
|
|
ssize_t ret;
|
|
|
|
if (!json || !(json_len = strlen(json)) || json_len >= LUKS2_MAX_MDA_SIZE)
|
|
return -EINVAL;
|
|
|
|
block = tools_signals_blocked();
|
|
if (block)
|
|
set_int_block(0);
|
|
|
|
if (tools_is_stdin(file)) {
|
|
fd = STDOUT_FILENO;
|
|
log_dbg("STDOUT descriptor JSON write requested.");
|
|
} else {
|
|
log_dbg("File descriptor JSON write requested.");
|
|
fd = open(file, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
|
|
}
|
|
|
|
if (fd < 0) {
|
|
log_err(_("Failed to open file %s in write mode."), file ?: "");
|
|
r = -EINVAL;
|
|
goto out;
|
|
}
|
|
|
|
r = 0;
|
|
ret = write_buffer_intr(fd, json, json_len, &quit);
|
|
check_signal(&r);
|
|
if (r) {
|
|
log_err(_("\nWrite interrupted."));
|
|
goto out;
|
|
}
|
|
if (ret < 0 || (size_t)ret != json_len) {
|
|
log_err(_("Failed to write JSON file."));
|
|
r = -EIO;
|
|
goto out;
|
|
}
|
|
|
|
if (isatty(fd))
|
|
(void) write_buffer_intr(fd, "\n", 1, &quit);
|
|
out:
|
|
if (block && !quit)
|
|
set_int_block(1);
|
|
if (fd >=0 && fd != STDOUT_FILENO)
|
|
close(fd);
|
|
return r;
|
|
}
|
|
|
|
int luks_init_keyslot_context(struct crypt_device *cd,
|
|
const char *msg,
|
|
bool verify, bool pwquality,
|
|
struct crypt_keyslot_context **r_kc)
|
|
{
|
|
char *password;
|
|
size_t passwordLen;
|
|
int r = -EINVAL;
|
|
|
|
assert(cd);
|
|
assert(r_kc);
|
|
|
|
if (ARG_SET(OPT_KEY_DESCRIPTION_ID))
|
|
r = crypt_keyslot_context_init_by_keyring(cd, ARG_STR(OPT_KEY_DESCRIPTION_ID), r_kc);
|
|
else if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)))
|
|
r = crypt_keyslot_context_init_by_keyfile(cd, ARG_STR(OPT_KEY_FILE_ID),
|
|
ARG_UINT32(OPT_KEYFILE_SIZE_ID),
|
|
ARG_UINT64(OPT_KEYFILE_OFFSET_ID), r_kc);
|
|
else {
|
|
r = tools_get_key(msg, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
|
|
ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
|
|
ARG_UINT32(OPT_TIMEOUT_ID), verify, pwquality, cd);
|
|
if (r < 0)
|
|
return r;
|
|
r = crypt_keyslot_context_init_by_passphrase(cd, password, passwordLen, r_kc);
|
|
crypt_safe_free(password);
|
|
}
|
|
|
|
return r;
|
|
}
|
|
|
|
int luks_try_token_unlock(struct crypt_device *cd,
|
|
int keyslot,
|
|
int token_id,
|
|
const char *activated_name,
|
|
const char *token_type,
|
|
uint32_t activate_flags,
|
|
int tries,
|
|
bool activation,
|
|
bool retry_with_pin,
|
|
struct crypt_keyslot_context **r_kc)
|
|
{
|
|
int r;
|
|
struct crypt_keyslot_context *kc;
|
|
size_t pin_len;
|
|
char msg[64], *pin = NULL;
|
|
|
|
assert(tries >= 1);
|
|
assert(token_id >= 0 || token_id == CRYPT_ANY_TOKEN);
|
|
assert(keyslot >= 0 || keyslot == CRYPT_ANY_SLOT);
|
|
|
|
r = crypt_keyslot_context_init_by_token(cd, token_id, token_type, NULL, 0, NULL, &kc);
|
|
if (r < 0)
|
|
return r;
|
|
|
|
if (activation)
|
|
r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot, kc, CRYPT_ANY_SLOT, kc, activate_flags);
|
|
else
|
|
r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc);
|
|
|
|
tools_keyslot_msg(r, UNLOCKED);
|
|
tools_token_error_msg(r, token_type, token_id, false);
|
|
|
|
/* Token requires PIN (-ENOANO). */
|
|
if (r != -ENOANO || !retry_with_pin)
|
|
goto out;
|
|
|
|
if (token_id == CRYPT_ANY_TOKEN)
|
|
r = snprintf(msg, sizeof(msg), _("Enter token PIN: "));
|
|
else
|
|
r = snprintf(msg, sizeof(msg), _("Enter token %d PIN: "), token_id);
|
|
if (r < 0 || (size_t)r >= sizeof(msg)) {
|
|
r = -EINVAL;
|
|
goto out;
|
|
}
|
|
|
|
do {
|
|
r = tools_get_key(msg, &pin, &pin_len, 0, 0, NULL,
|
|
ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
|
|
if (r < 0)
|
|
break;
|
|
|
|
r = crypt_keyslot_context_set_pin(cd, pin, pin_len, kc);
|
|
crypt_safe_free(pin);
|
|
if (r < 0)
|
|
break;
|
|
|
|
if (activation)
|
|
r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot,
|
|
kc, CRYPT_ANY_SLOT, NULL, activate_flags);
|
|
else
|
|
r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc);
|
|
|
|
tools_keyslot_msg(r, UNLOCKED);
|
|
tools_token_error_msg(r, token_type, token_id, true);
|
|
check_signal(&r);
|
|
} while (r == -ENOANO && (--tries > 0));
|
|
out:
|
|
if (r >= 0 && r_kc)
|
|
*r_kc = kc;
|
|
else
|
|
crypt_keyslot_context_free(kc);
|
|
|
|
return r;
|
|
}
|
|
|
|
/* Initiates keyslot context(s) based on non-interactive input only */
|
|
int luks_init_keyslot_contexts_by_volume_keys(struct crypt_device *cd,
|
|
const char *vk_file1,
|
|
const char *vk_file2,
|
|
int keysize1_bytes,
|
|
int keysize2_bytes,
|
|
const char *vk_in_keyring1,
|
|
const char *vk_in_keyring2,
|
|
struct crypt_keyslot_context **r_kc1,
|
|
struct crypt_keyslot_context **r_kc2)
|
|
{
|
|
int r = -EINVAL;
|
|
char *vk_description = NULL, *key = NULL;
|
|
struct crypt_keyslot_context *kc1 = NULL, *kc2 = NULL;
|
|
|
|
assert(cd);
|
|
assert(r_kc1);
|
|
assert(r_kc2);
|
|
|
|
if (vk_file1 && keysize1_bytes > 0) {
|
|
r = tools_read_vk(vk_file1, &key, keysize1_bytes);
|
|
if (r < 0)
|
|
return r;
|
|
|
|
r = crypt_keyslot_context_init_by_volume_key(cd, key, keysize1_bytes, &kc1);
|
|
if (r < 0)
|
|
goto out;
|
|
}
|
|
|
|
/* volume key in file takes precedence */
|
|
if (vk_in_keyring1 && !kc1) {
|
|
r = tools_parse_vk_description(vk_in_keyring1, &vk_description);
|
|
if (r < 0)
|
|
goto out;
|
|
r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description, &kc1);
|
|
if (r < 0)
|
|
goto out;
|
|
}
|
|
|
|
if (vk_file2 && keysize2_bytes > 0) {
|
|
crypt_safe_free(key);
|
|
key = NULL;
|
|
r = tools_read_vk(vk_file2, &key, keysize2_bytes);
|
|
if (r < 0)
|
|
goto out;
|
|
|
|
r = crypt_keyslot_context_init_by_volume_key(cd, key, keysize2_bytes, &kc2);
|
|
if (r < 0)
|
|
goto out;
|
|
}
|
|
|
|
/* volume key in file takes precedence */
|
|
if (vk_in_keyring2 && !kc2) {
|
|
free(vk_description);
|
|
vk_description = NULL;
|
|
r = tools_parse_vk_description(vk_in_keyring2, &vk_description);
|
|
if (r < 0)
|
|
goto out;
|
|
r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description, &kc2);
|
|
}
|
|
out:
|
|
crypt_safe_free(key);
|
|
free(vk_description);
|
|
|
|
if (r) {
|
|
crypt_keyslot_context_free(kc1);
|
|
crypt_keyslot_context_free(kc2);
|
|
} else {
|
|
*r_kc1 = kc1;
|
|
*r_kc2 = kc2;
|
|
}
|
|
|
|
return r;
|
|
}
|