keyencryption.c 7.01 KB
Newer Older
1
/*
2
 * LUKS - Linux Unified Key Setup
3 4
 *
 * Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
Milan Broz's avatar
Milan Broz committed
5 6
 * Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
 * Copyright (C) 2012-2017, Milan Broz
7
 *
8 9
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
10 11
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
12 13 14 15 16 17 18 19
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
20
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 22 23 24 25
 */

#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
26
#include "luks.h"
27
#include "af.h"
28
#include "internal.h"
29

30
static void _error_hint(struct crypt_device *ctx, const char *device,
31
			const char *cipher, const char *mode, size_t keyLength)
32
{
33 34 35 36 37
	char cipher_spec[MAX_CIPHER_LEN * 3];

	if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, mode) < 0)
		return;

38 39 40 41 42
	log_err(ctx, _("Failed to setup dm-crypt key mapping for device %s.\n"
			"Check that kernel supports %s cipher (check syslog for more info).\n"),
			device, cipher_spec);

	if (!strncmp(mode, "xts", 3) && (keyLength != 256 && keyLength != 512))
43
		log_err(ctx, _("Key size in XTS mode must be 256 or 512 bits.\n"));
44
}
45

46 47 48 49
static int LUKS_endec_template(char *src, size_t srcLength,
			       const char *cipher, const char *cipher_mode,
			       struct volume_key *vk,
			       unsigned int sector,
50
			       ssize_t (*func)(int, size_t, size_t, void *, size_t),
51 52
			       int mode,
			       struct crypt_device *ctx)
53
{
54 55
	char name[PATH_MAX], path[PATH_MAX];
	char cipher_spec[MAX_CIPHER_LEN * 3];
56
	struct crypt_dm_active_device dmd = {
57
		.target = DM_CRYPT,
58
		.uuid   = NULL,
Milan Broz's avatar
Milan Broz committed
59
		.flags  = CRYPT_ACTIVATE_PRIVATE,
60
		.data_device = crypt_metadata_device(ctx),
61
		.u.crypt = {
62
			.cipher = cipher_spec,
63 64 65
			.vk     = vk,
			.offset = sector,
			.iv_offset = 0,
66
			.sector_size = SECTOR_SIZE,
67
		}
68
	};
69
	int r, devfd = -1;
70
	size_t bsize, keyslot_alignment, alignment;
71

72 73
	log_dbg("Using dmcrypt to access keyslot area.");

74
	bsize = device_block_size(dmd.data_device);
75
	alignment = device_alignment(dmd.data_device);
76
	if (!bsize || !alignment)
77 78
		return -EINVAL;

79 80 81 82 83
	if (bsize > LUKS_ALIGN_KEYSLOTS)
		keyslot_alignment = LUKS_ALIGN_KEYSLOTS;
	else
		keyslot_alignment = bsize;
	dmd.size = size_round_up(srcLength, keyslot_alignment) / SECTOR_SIZE;
84

85 86
	if (mode == O_RDONLY)
		dmd.flags |= CRYPT_ACTIVATE_READONLY;
87

88 89 90 91 92 93 94
	if (snprintf(name, sizeof(name), "temporary-cryptsetup-%d", getpid()) < 0)
		return -ENOMEM;
	if (snprintf(path, sizeof(path), "%s/%s", dm_get_dir(), name) < 0)
		return -ENOMEM;
	if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, cipher_mode) < 0)
		return -ENOMEM;

Milan Broz's avatar
Milan Broz committed
95 96
	r = device_block_adjust(ctx, dmd.data_device, DEV_OK,
				dmd.u.crypt.offset, &dmd.size, &dmd.flags);
97 98 99 100 101
	if (r < 0) {
		log_err(ctx, _("Device %s doesn't exist or access denied.\n"),
			device_path(dmd.data_device));
		return -EIO;
	}
102

103 104
	if (mode != O_RDONLY && dmd.flags & CRYPT_ACTIVATE_READONLY) {
		log_err(ctx, _("Cannot write to device %s, permission denied.\n"),
105
			device_path(dmd.data_device));
106 107
		return -EACCES;
	}
108

109 110
	r = dm_create_device(ctx, name, "TEMP", &dmd, 0);
	if (r < 0) {
111
		if (r != -EACCES && r != -ENOTSUP)
112
			_error_hint(ctx, device_path(dmd.data_device),
113
				    cipher, cipher_mode, vk->keylength * 8);
114
		return -EIO;
115 116
	}

117 118
	devfd = open(path, mode | O_DIRECT | O_SYNC);
	if (devfd == -1) {
119
		log_err(ctx, _("Failed to open temporary keystore device.\n"));
120
		r = -EIO;
121
		goto out;
122
	}
123

124
	r = func(devfd, bsize, alignment, src, srcLength);
125
	if (r < 0) {
126
		log_err(ctx, _("Failed to access temporary keystore device.\n"));
127
		r = -EIO;
128 129 130
	} else
		r = 0;
 out:
131
	if (devfd != -1)
132
		close(devfd);
133
	dm_remove_device(ctx, name, CRYPT_DEACTIVATE_FORCE);
134 135 136
	return r;
}

137
int LUKS_encrypt_to_storage(char *src, size_t srcLength,
138 139
			    const char *cipher,
			    const char *cipher_mode,
140
			    struct volume_key *vk,
141 142
			    unsigned int sector,
			    struct crypt_device *ctx)
143
{
144 145 146

	struct device *device = crypt_metadata_device(ctx);
	struct crypt_storage *s;
147
	int devfd = -1, r = 0;
148 149 150 151 152 153 154 155

	/* Only whole sector writes supported */
	if (srcLength % SECTOR_SIZE)
		return -EINVAL;

	/* Encrypt buffer */
	r = crypt_storage_init(&s, 0, cipher, cipher_mode, vk->key, vk->keylength);

156 157 158 159
	if (r)
		log_dbg("Userspace crypto wrapper cannot use %s-%s (%d).",
			cipher, cipher_mode, r);

160
	/* Fallback to old temporary dmcrypt device */
161
	if (r == -ENOTSUP || r == -ENOENT)
162 163
		return LUKS_endec_template(src, srcLength, cipher, cipher_mode,
					   vk, sector, write_blockwise, O_RDWR, ctx);
164

165 166 167
	if (r) {
		_error_hint(ctx, device_path(device), cipher, cipher_mode,
			    vk->keylength * 8);
168
		return r;
169 170 171 172
	}

	log_dbg("Using userspace crypto wrapper to access keyslot area.");

173 174
	r = crypt_storage_encrypt(s, 0, srcLength / SECTOR_SIZE, src);
	crypt_storage_destroy(s);
175

176 177 178
	if (r)
		return r;

179 180
	r = -EIO;

181
	/* Write buffer to device */
182
	devfd = device_open(device, O_RDWR);
183
	if (devfd < 0)
184
		goto out;
185

186 187 188
	if (write_lseek_blockwise(devfd, device_block_size(device),
				  device_alignment(device), src, srcLength,
				  sector * SECTOR_SIZE) < 0)
189
		goto out;
190

191 192
	r = 0;
out:
193
	if (devfd >= 0)
194 195 196
		close(devfd);
	if (r)
		log_err(ctx, _("IO error while encrypting keyslot.\n"));
197

198
	return r;
199 200
}

201
int LUKS_decrypt_from_storage(char *dst, size_t dstLength,
202 203
			      const char *cipher,
			      const char *cipher_mode,
204
			      struct volume_key *vk,
205 206
			      unsigned int sector,
			      struct crypt_device *ctx)
207
{
208 209
	struct device *device = crypt_metadata_device(ctx);
	struct crypt_storage *s;
210
	int devfd = -1, r = 0;
211 212 213 214 215 216 217

	/* Only whole sector reads supported */
	if (dstLength % SECTOR_SIZE)
		return -EINVAL;

	r = crypt_storage_init(&s, 0, cipher, cipher_mode, vk->key, vk->keylength);

218 219 220 221
	if (r)
		log_dbg("Userspace crypto wrapper cannot use %s-%s (%d).",
			cipher, cipher_mode, r);

222
	/* Fallback to old temporary dmcrypt device */
223
	if (r == -ENOTSUP || r == -ENOENT)
224 225
		return LUKS_endec_template(dst, dstLength, cipher, cipher_mode,
					   vk, sector, read_blockwise, O_RDONLY, ctx);
226

227 228 229
	if (r) {
		_error_hint(ctx, device_path(device), cipher, cipher_mode,
			    vk->keylength * 8);
230
		return r;
231 232 233
	}

	log_dbg("Using userspace crypto wrapper to access keyslot area.");
234

235 236
	r = -EIO;

237
	/* Read buffer from device */
238
	devfd = device_open(device, O_RDONLY);
239
	if (devfd < 0)
240
		goto bad;
241

242 243 244
	if (read_lseek_blockwise(devfd, device_block_size(device),
				 device_alignment(device), dst, dstLength,
				 sector * SECTOR_SIZE) < 0)
245
		goto bad;
246 247 248 249 250 251 252

	close(devfd);

	/* Decrypt buffer */
	r = crypt_storage_decrypt(s, 0, dstLength / SECTOR_SIZE, dst);
	crypt_storage_destroy(s);

253 254
	return r;
bad:
255
	if (devfd >= 0)
256 257 258 259 260
		close(devfd);

	log_err(ctx, _("IO error while decrypting keyslot.\n"));
	crypt_storage_destroy(s);

261
	return r;
262
}