2 * Copyright (c) 2011 Alex Hornung <alex@alexhornung.com>.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
24 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
25 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
26 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 #include <sys/types.h>
34 #if defined(__DragonFly__)
35 #include <sys/param.h>
47 #if defined(__linux__)
48 #include <libdevmapper.h>
49 #include <uuid/uuid.h>
50 #elif defined(__DragonFly__)
63 * - LRW-benbi support? needs further work in dm-crypt and even opencrypto
64 * - secure buffer review (i.e: is everything that needs it using secure mem?)
65 * - mlockall? (at least MCL_FUTURE, which is the only one we support)
68 summary_fn_t summary_fn = NULL;
69 int tc_internal_verbose = 1;
70 char tc_internal_log_buffer[LOG_BUFFER_SZ];
71 int tc_internal_state = STATE_UNKNOWN;
74 tc_log(int is_err, const char *fmt, ...)
86 vsnprintf(tc_internal_log_buffer, LOG_BUFFER_SZ, fmt, ap);
90 if (tc_internal_verbose)
91 fprintf(fp, "%s", tc_internal_log_buffer);
94 /* Supported algorithms */
95 struct pbkdf_prf_algo pbkdf_prf_algos[] = {
96 { "RIPEMD160", 2000 }, /* needs to come before the other RIPEMD160 */
97 { "RIPEMD160", 1000 },
99 { "whirlpool", 1000 },
103 struct tc_crypto_algo tc_crypto_algos[] = {
105 /* XXX: turns out TC doesn't support AES-128-XTS */
106 { "AES-128-XTS", "aes-xts-plain", 32, 8 },
107 { "TWOFISH-128-XTS", "twofish-xts-plain", 32, 8 },
108 { "SERPENT-128-XTS", "serpent-xts-plain", 32, 8 },
110 { "AES-256-XTS", "aes-xts-plain64", 64, 8 },
111 { "TWOFISH-256-XTS", "twofish-xts-plain64", 64, 8 },
112 { "SERPENT-256-XTS", "serpent-xts-plain64", 64, 8 },
116 const char *valid_cipher_chains[][MAX_CIPHER_CHAINS] = {
117 { "AES-256-XTS", NULL },
118 { "TWOFISH-256-XTS", NULL },
119 { "SERPENT-256-XTS", NULL },
120 { "AES-256-XTS", "TWOFISH-256-XTS", "SERPENT-256-XTS", NULL },
121 { "SERPENT-256-XTS", "TWOFISH-256-XTS", "AES-256-XTS", NULL },
123 /* It seems that all the two-way cascades are the other way round... */
124 { "AES-256-XTS", "TWOFISH-256-XTS", NULL },
125 { "SERPENT-256-XTS", "AES-256-XTS", NULL },
126 { "TWOFISH-256-XTS", "SERPENT-256-XTS", NULL },
129 { "TWOFISH-256-XTS", "AES-256-XTS", NULL },
130 { "AES-256-XTS", "SERPENT-256-XTS", NULL },
131 { "SERPENT-256-XTS", "TWOFISH-256-XTS", NULL },
135 struct tc_cipher_chain *tc_cipher_chains[MAX_CIPHER_CHAINS];
139 tc_build_cipher_chains(void)
141 struct tc_cipher_chain *chain, *elem, *prev;
145 while (valid_cipher_chains[i][0] != NULL) {
150 while (valid_cipher_chains[i][k] != NULL) {
151 if ((elem = alloc_safe_mem(sizeof(*elem))) == NULL) {
152 tc_log(1, "Error allocating memory for "
157 /* Initialize first element of chain */
163 /* Populate previous element */
169 /* Assume we are the last element in the chain */
172 /* Initialize other fields */
173 elem->cipher = check_cipher(valid_cipher_chains[i][k], 0);
174 if (elem->cipher == NULL)
183 /* Store cipher chain */
184 tc_cipher_chains[i++] = chain;
186 /* Integrity check */
187 if (i >= MAX_CIPHER_CHAINS) {
188 tc_log(1, "FATAL: tc_cipher_chains is full!!\n");
192 /* Make sure array is NULL terminated */
193 tc_cipher_chains[i] = NULL;
200 struct tc_cipher_chain *
201 tc_dup_cipher_chain(struct tc_cipher_chain *src)
203 struct tc_cipher_chain *first = NULL, *prev = NULL, *elem;
205 for (; src != NULL; src = src->next) {
206 if ((elem = alloc_safe_mem(sizeof(*elem))) == NULL) {
207 tc_log(1, "Error allocating memory for "
208 "duplicate cipher chain\n");
212 memcpy(elem, src, sizeof(*elem));
214 if (src->key != NULL) {
215 if ((elem->key = alloc_safe_mem(src->cipher->klen)) == NULL) {
216 tc_log(1, "Error allocating memory for "
217 "duplicate key in cipher chain\n");
221 memcpy(elem->key, src->key, src->cipher->klen);
241 tc_free_cipher_chain(struct tc_cipher_chain *chain)
243 struct tc_cipher_chain *next = chain;
245 while ((chain = next) != NULL) {
248 if (chain->key != NULL)
249 free_safe_mem(chain->key);
250 free_safe_mem(chain);
257 tc_cipher_chain_length(struct tc_cipher_chain *chain)
261 for (; chain != NULL; chain = chain->next)
268 tc_cipher_chain_klen(struct tc_cipher_chain *chain)
272 for (; chain != NULL; chain = chain->next) {
273 klen_bytes += chain->cipher->klen;
280 tc_cipher_chain_sprint(char *buf, size_t bufsz, struct tc_cipher_chain *chain)
282 static char sbuf[256];
287 bufsz = sizeof(sbuf);
290 for (; chain != NULL; chain = chain->next) {
291 n += snprintf(buf+n, bufsz-n, "%s%s", chain->cipher->name,
292 (chain->next != NULL) ? "," : "\0");
300 print_hex(unsigned char *buf, off_t start, size_t len)
304 for (i = start; i < start+len; i++)
305 printf("%02x", buf[i]);
312 print_info(struct tcplay_info *info)
314 printf("Device:\t\t\t%s\n", info->dev);
316 if (info->pbkdf_prf != NULL) {
317 printf("PBKDF2 PRF:\t\t%s\n", info->pbkdf_prf->name);
318 printf("PBKDF2 iterations:\t%d\n",
319 info->pbkdf_prf->iteration_count);
322 printf("Cipher:\t\t\t%s\n",
323 tc_cipher_chain_sprint(NULL, 0, info->cipher_chain));
325 printf("Key Length:\t\t%d bits\n",
326 8*tc_cipher_chain_klen(info->cipher_chain));
328 if (info->hdr != NULL) {
329 printf("CRC Key Data:\t\t%#x\n", info->hdr->crc_keys);
330 printf("Sector size:\t\t%d\n", info->hdr->sec_sz);
332 printf("Sector size:\t\t512\n");
334 printf("Volume size:\t\t%"DISKSZ_FMT" sectors\n", info->size);
336 /* Don't print this; it's always 0 and is rather confusing */
337 printf("Volume offset:\t\t%"PRIu64"\n", (uint64_t)info->start);
341 printf("Vol Flags:\t\t%d\n", info->volflags);
344 printf("IV offset:\t\t%"PRIu64" sectors\n",
345 (uint64_t)info->skip);
346 printf("Block offset:\t\t%"PRIu64" sectors\n",
347 (uint64_t)info->offset);
352 new_info(const char *dev, int flags, struct tc_cipher_chain *cipher_chain,
353 struct pbkdf_prf_algo *prf, struct tchdr_dec *hdr, off_t start)
355 struct tc_cipher_chain *chain_start;
356 struct tcplay_info *info;
360 chain_start = cipher_chain;
362 if ((info = (struct tcplay_info *)alloc_safe_mem(sizeof(*info))) == NULL) {
363 tc_log(1, "could not allocate safe info memory\n");
367 strncpy(info->dev, dev, sizeof(info->dev));
368 info->cipher_chain = cipher_chain;
369 info->pbkdf_prf = prf;
372 info->blk_sz = hdr->sec_sz;
373 info->size = hdr->sz_mk_scope / hdr->sec_sz; /* volume size */
374 info->skip = hdr->off_mk_scope / hdr->sec_sz; /* iv skip */
376 info->volflags = hdr->flags;
379 if (TC_FLAG_SET(flags, SYS))
380 info->offset = 0; /* offset is 0 for system volumes */
382 info->offset = hdr->off_mk_scope / hdr->sec_sz; /* block offset */
384 /* Associate a key out of the key pool with each cipher in the chain */
385 error = tc_cipher_chain_populate_keys(cipher_chain, hdr->keys);
387 tc_log(1, "could not populate keys in cipher chain\n");
391 for (; cipher_chain != NULL; cipher_chain = cipher_chain->next) {
392 for (i = 0; i < cipher_chain->cipher->klen; i++)
393 sprintf(&cipher_chain->dm_key[i*2], "%02x",
394 cipher_chain->key[i]);
397 tc_cipher_chain_free_keys(chain_start);
403 free_info(struct tcplay_info *info)
405 if (info->cipher_chain)
406 tc_free_cipher_chain(info->cipher_chain);
408 free_safe_mem(info->hdr);
416 adjust_info(struct tcplay_info *info, struct tcplay_info *hinfo)
418 if (hinfo->hdr->sz_hidvol == 0)
421 info->size -= hinfo->hdr->sz_hidvol / hinfo->hdr->sec_sz;
426 process_hdr(const char *dev, int flags, unsigned char *pass, int passlen,
427 struct tchdr_enc *ehdr, struct tcplay_info **pinfo)
429 struct tchdr_dec *dhdr;
430 struct tcplay_info *info;
431 struct tc_cipher_chain *cipher_chain = NULL;
433 int i, j, found, error;
437 if ((key = alloc_safe_mem(MAX_KEYSZ)) == NULL) {
438 tc_log(1, "could not allocate safe key memory\n");
442 /* Start search for correct algorithm combination */
444 for (i = 0; !found && pbkdf_prf_algos[i].name != NULL; i++) {
446 printf("\nTrying PRF algo %s (%d)\n", pbkdf_prf_algos[i].name,
447 pbkdf_prf_algos[i].iteration_count);
449 print_hex(ehdr->salt, 0, sizeof(ehdr->salt));
451 error = pbkdf2(&pbkdf_prf_algos[i], (char *)pass, passlen,
452 ehdr->salt, sizeof(ehdr->salt),
456 tc_log(1, "pbkdf failed for algorithm %s\n",
457 pbkdf_prf_algos[i].name);
463 printf("Derived Key: ");
464 print_hex(key, 0, MAX_KEYSZ);
467 for (j = 0; !found && tc_cipher_chains[j] != NULL; j++) {
468 cipher_chain = tc_dup_cipher_chain(tc_cipher_chains[j]);
470 printf("\nTrying cipher chain %d\n", j);
473 dhdr = decrypt_hdr(ehdr, cipher_chain, key);
475 tc_log(1, "hdr decryption failed for cipher "
481 if (verify_hdr(dhdr)) {
483 printf("tc_str: %.4s, tc_ver: %d, tc_min_ver: %d, "
484 "crc_keys: %d, sz_vol: %"PRIu64", "
485 "off_mk_scope: %"PRIu64", sz_mk_scope: %"PRIu64", "
486 "flags: %d, sec_sz: %d crc_dhdr: %d\n",
487 dhdr->tc_str, dhdr->tc_ver, dhdr->tc_min_ver,
488 dhdr->crc_keys, dhdr->sz_vol, dhdr->off_mk_scope,
489 dhdr->sz_mk_scope, dhdr->flags, dhdr->sec_sz,
495 tc_free_cipher_chain(cipher_chain);
505 if ((info = new_info(dev, flags, cipher_chain,
506 &pbkdf_prf_algos[i-1], dhdr, 0)) == NULL) {
517 create_volume(struct tcplay_opts *opts)
519 char *pass, *pass_again;
522 disksz_t blocks, hidden_blocks = 0;
524 struct tchdr_enc *ehdr, *hehdr;
525 struct tchdr_enc *ehdr_backup, *hehdr_backup;
529 pass = h_pass = pass_again = NULL;
531 ehdr_backup = hehdr_backup = NULL;
532 ret = -1; /* Default to returning error */
534 if (opts->cipher_chain == NULL)
535 opts->cipher_chain = tc_cipher_chains[0];
536 if (opts->prf_algo == NULL)
537 opts->prf_algo = &pbkdf_prf_algos[0];
538 if (opts->h_cipher_chain == NULL)
539 opts->h_cipher_chain = opts->cipher_chain;
540 if (opts->h_prf_algo == NULL)
541 opts->h_prf_algo = opts->prf_algo;
543 if ((error = get_disk_info(opts->dev, &blocks, &blksz)) != 0) {
544 tc_log(1, "could not get disk info\n");
548 if ((blocks*blksz) <= MIN_VOL_BYTES) {
549 tc_log(1, "Cannot create volumes on devices with less "
550 "than %d bytes\n", MIN_VOL_BYTES);
554 if (opts->interactive) {
555 if (((pass = alloc_safe_mem(PASS_BUFSZ)) == NULL) ||
556 ((pass_again = alloc_safe_mem(PASS_BUFSZ)) == NULL)) {
557 tc_log(1, "could not allocate safe passphrase memory\n");
561 if ((error = read_passphrase("Passphrase: ", pass, MAX_PASSSZ,
563 (read_passphrase("Repeat passphrase: ", pass_again,
564 MAX_PASSSZ, PASS_BUFSZ, 0)))) {
565 tc_log(1, "could not read passphrase\n");
569 if (strcmp(pass, pass_again) != 0) {
570 tc_log(1, "Passphrases don't match\n");
574 free_safe_mem(pass_again);
577 /* In batch mode, use provided passphrase */
578 if ((pass = alloc_safe_mem(PASS_BUFSZ)) == NULL) {
579 tc_log(1, "could not allocate safe "
580 "passphrase memory");
584 if (opts->passphrase != NULL) {
585 strncpy(pass, opts->passphrase, MAX_PASSSZ);
586 pass[MAX_PASSSZ] = '\0';
590 if (opts->nkeyfiles > 0) {
591 /* Apply keyfiles to 'pass' */
592 if ((error = apply_keyfiles((unsigned char *)pass, PASS_BUFSZ,
593 opts->keyfiles, opts->nkeyfiles))) {
594 tc_log(1, "could not apply keyfiles\n");
600 if (opts->interactive) {
601 if (((h_pass = alloc_safe_mem(PASS_BUFSZ)) == NULL) ||
602 ((pass_again = alloc_safe_mem(PASS_BUFSZ)) == NULL)) {
603 tc_log(1, "could not allocate safe "
604 "passphrase memory\n");
608 if ((error = read_passphrase("Passphrase for hidden volume: ",
609 h_pass, MAX_PASSSZ, PASS_BUFSZ, 0) ||
610 (read_passphrase("Repeat passphrase: ", pass_again,
611 MAX_PASSSZ, PASS_BUFSZ, 0)))) {
612 tc_log(1, "could not read passphrase\n");
616 if (strcmp(h_pass, pass_again) != 0) {
617 tc_log(1, "Passphrases for hidden volume don't "
622 free_safe_mem(pass_again);
625 /* In batch mode, use provided passphrase */
626 if ((h_pass = alloc_safe_mem(PASS_BUFSZ)) == NULL) {
627 tc_log(1, "could not allocate safe "
628 "passphrase memory");
632 if (opts->h_passphrase != NULL) {
633 strncpy(h_pass, opts->h_passphrase, MAX_PASSSZ);
634 h_pass[MAX_PASSSZ] = '\0';
638 if (opts->n_hkeyfiles > 0) {
639 /* Apply keyfiles to 'h_pass' */
640 if ((error = apply_keyfiles((unsigned char *)h_pass,
641 PASS_BUFSZ, opts->h_keyfiles, opts->n_hkeyfiles))) {
642 tc_log(1, "could not apply keyfiles\n");
647 if (opts->interactive) {
650 hidden_blocks = opts->hidden_size_bytes/blksz;
651 if (hidden_blocks == 0) {
652 tc_log(1, "hidden_blocks to create volume "
653 "cannot be zero!\n");
657 if (opts->hidden_size_bytes >=
658 (blocks*blksz) - MIN_VOL_BYTES) {
659 tc_log(1, "Hidden volume needs to be "
660 "smaller than the outer volume\n");
665 /* This only happens in interactive mode */
666 while (hidden_blocks == 0) {
667 if ((r = _humanize_number(buf, sizeof(buf),
668 (uint64_t)(blocks * blksz))) < 0) {
669 sprintf(buf, "%"DISKSZ_FMT" bytes", (blocks * blksz));
672 printf("The total volume size of %s is %s (bytes)\n", opts->dev, buf);
673 memset(buf, 0, sizeof(buf));
674 printf("Size of hidden volume (e.g. 127M): ");
677 if ((fgets(buf, sizeof(buf), stdin)) == NULL) {
678 tc_log(1, "Could not read from stdin\n");
682 /* get rid of trailing newline */
683 buf[strlen(buf)-1] = '\0';
684 if ((error = _dehumanize_number(buf,
686 tc_log(1, "Could not interpret input: %s\n", buf);
690 if (tmp >= (blocks*blksz) - MIN_VOL_BYTES) {
691 tc_log(1, "Hidden volume needs to be "
692 "smaller than the outer volume\n");
697 hidden_blocks = (size_t)tmp;
698 hidden_blocks /= blksz;
702 if (opts->interactive) {
703 /* Show summary and ask for confirmation */
704 printf("Summary of actions:\n");
705 if (opts->secure_erase)
706 printf(" - Completely erase *EVERYTHING* on %s\n", opts->dev);
707 printf(" - Create %svolume on %s\n", opts->hidden?("outer "):"", opts->dev);
709 printf(" - Create hidden volume of %"DISKSZ_FMT" bytes at end of "
711 hidden_blocks * blksz);
714 printf("\n Are you sure you want to proceed? (y/n) ");
716 if ((fgets(buf, sizeof(buf), stdin)) == NULL) {
717 tc_log(1, "Could not read from stdin\n");
721 if ((buf[0] != 'y') && (buf[0] != 'Y')) {
722 tc_log(1, "User cancelled action(s)\n");
728 if (opts->secure_erase) {
729 tc_log(0, "Securely erasing the volume...\nThis process may take "
730 "some time depending on the size of the volume\n");
732 if (opts->state_change_fn)
733 opts->state_change_fn(opts->api_ctx, "secure_erase", 1);
735 if ((error = secure_erase(opts->dev, blocks * blksz, blksz)) != 0) {
736 tc_log(1, "could not securely erase device %s\n", opts->dev);
740 if (opts->state_change_fn)
741 opts->state_change_fn(opts->api_ctx, "secure_erase", 0);
744 tc_log(0, "Creating volume headers...\nDepending on your system, this "
745 "process may take a few minutes as it uses true random data which "
746 "might take a while to refill\n");
748 if (opts->weak_keys_and_salt) {
749 tc_log(0, "WARNING: Using a weak random generator to get "
750 "entropy for the key material. Odds are this is NOT "
754 if (opts->state_change_fn)
755 opts->state_change_fn(opts->api_ctx, "create_header", 1);
757 /* create encrypted headers */
758 ehdr = create_hdr((unsigned char *)pass,
759 (opts->nkeyfiles > 0)?MAX_PASSSZ:strlen(pass),
760 opts->prf_algo, opts->cipher_chain, blksz, blocks, VOL_RSVD_BYTES_START/blksz,
761 blocks - (MIN_VOL_BYTES/blksz), 0, opts->weak_keys_and_salt, &ehdr_backup);
763 tc_log(1, "Could not create header\n");
768 hehdr = create_hdr((unsigned char *)h_pass,
769 (opts->n_hkeyfiles > 0)?MAX_PASSSZ:strlen(h_pass), opts->h_prf_algo,
770 opts->h_cipher_chain,
772 blocks - (VOL_RSVD_BYTES_END/blksz) - hidden_blocks,
773 hidden_blocks, 1, opts->weak_keys_and_salt, &hehdr_backup);
775 tc_log(1, "Could not create hidden volume header\n");
780 if (opts->state_change_fn)
781 opts->state_change_fn(opts->api_ctx, "create_header", 0);
783 tc_log(0, "Writing volume headers to disk...\n");
785 if ((error = write_to_disk(opts->dev, 0, blksz, ehdr, sizeof(*ehdr))) != 0) {
786 tc_log(1, "Could not write volume header to device\n");
790 /* Write backup header; it's offset is relative to the end */
791 if ((error = write_to_disk(opts->dev, (blocks*blksz - BACKUP_HDR_OFFSET_END),
792 blksz, ehdr_backup, sizeof(*ehdr_backup))) != 0) {
793 tc_log(1, "Could not write backup volume header to device\n");
798 if ((error = write_to_disk(opts->dev, HDR_OFFSET_HIDDEN, blksz, hehdr,
799 sizeof(*hehdr))) != 0) {
800 tc_log(1, "Could not write hidden volume header to "
805 /* Write backup hidden header; offset is relative to end */
806 if ((error = write_to_disk(opts->dev,
807 (blocks*blksz - BACKUP_HDR_HIDDEN_OFFSET_END), blksz,
808 hehdr_backup, sizeof(*hehdr_backup))) != 0) {
809 tc_log(1, "Could not write backup hidden volume "
810 "header to device\n");
815 /* Everything went ok */
816 tc_log(0, "All done!\n");
824 free_safe_mem(h_pass);
826 free_safe_mem(pass_again);
830 free_safe_mem(hehdr);
832 free_safe_mem(ehdr_backup);
834 free_safe_mem(hehdr_backup);
840 info_map_common(struct tcplay_opts *opts, char *passphrase_out)
842 struct tchdr_enc *ehdr, *hehdr = NULL;
843 struct tcplay_info *info, *hinfo = NULL;
846 int error, error2 = 0;
854 if ((error = get_disk_info(opts->dev, &blocks, &blksz)) != 0) {
855 tc_log(1, "could not get disk information\n");
859 if (opts->retries < 1)
862 retries = opts->retries;
865 * Add one retry so we can do a first try without asking for
866 * a password if keyfiles are passed in.
868 if (opts->interactive && (opts->nkeyfiles > 0)) {
876 pass = h_pass = NULL;
878 while ((info == NULL) && retries-- > 0)
880 pass = h_pass = NULL;
884 if ((pass = alloc_safe_mem(PASS_BUFSZ)) == NULL) {
885 tc_log(1, "could not allocate safe passphrase memory\n");
891 } else if (opts->interactive) {
892 if ((error = read_passphrase("Passphrase: ", pass,
893 MAX_PASSSZ, PASS_BUFSZ, opts->timeout))) {
894 tc_log(1, "could not read passphrase\n");
895 /* XXX: handle timeout differently? */
898 pass[MAX_PASSSZ] = '\0';
900 /* In batch mode, use provided passphrase */
901 if (opts->passphrase != NULL) {
902 strncpy(pass, opts->passphrase, MAX_PASSSZ);
903 pass[MAX_PASSSZ] = '\0';
907 if (passphrase_out != NULL) {
908 strcpy(passphrase_out, pass);
911 if (opts->nkeyfiles > 0) {
912 /* Apply keyfiles to 'pass' */
913 if ((error = apply_keyfiles((unsigned char *)pass, PASS_BUFSZ,
914 opts->keyfiles, opts->nkeyfiles))) {
915 tc_log(1, "could not apply keyfiles");
920 if (opts->protect_hidden) {
921 if ((h_pass = alloc_safe_mem(PASS_BUFSZ)) == NULL) {
922 tc_log(1, "could not allocate safe passphrase memory\n");
926 if (opts->interactive) {
927 if ((error = read_passphrase(
928 "Passphrase for hidden volume: ", h_pass,
929 MAX_PASSSZ, PASS_BUFSZ, opts->timeout))) {
930 tc_log(1, "could not read passphrase\n");
933 h_pass[MAX_PASSSZ] = '\0';
935 /* In batch mode, use provided passphrase */
936 if (opts->h_passphrase != NULL) {
937 strncpy(h_pass, opts->h_passphrase, MAX_PASSSZ);
938 h_pass[MAX_PASSSZ] = '\0';
942 if (opts->n_hkeyfiles > 0) {
943 /* Apply keyfiles to 'pass' */
944 if ((error = apply_keyfiles((unsigned char *)h_pass, PASS_BUFSZ,
945 opts->h_keyfiles, opts->n_hkeyfiles))) {
946 tc_log(1, "could not apply keyfiles");
952 /* Always read blksz-sized chunks */
955 if (TC_FLAG_SET(opts->flags, HDR_FROM_FILE)) {
956 ehdr = (struct tchdr_enc *)read_to_safe_mem(
957 opts->hdr_file_in, 0, &sz);
959 tc_log(1, "error read hdr_enc: %s", opts->hdr_file_in);
963 ehdr = (struct tchdr_enc *)read_to_safe_mem(
964 (TC_FLAG_SET(opts->flags, SYS)) ? opts->sys_dev : opts->dev,
965 (TC_FLAG_SET(opts->flags, SYS) || TC_FLAG_SET(opts->flags, FDE)) ?
967 (!TC_FLAG_SET(opts->flags, BACKUP)) ? 0 : -BACKUP_HDR_OFFSET_END,
970 tc_log(1, "error read hdr_enc: %s", opts->dev);
975 if (!TC_FLAG_SET(opts->flags, SYS)) {
976 /* Always read blksz-sized chunks */
979 if (TC_FLAG_SET(opts->flags, H_HDR_FROM_FILE)) {
980 hehdr = (struct tchdr_enc *)read_to_safe_mem(
981 opts->h_hdr_file_in, 0, &sz);
983 tc_log(1, "error read hdr_enc: %s", opts->h_hdr_file_in);
987 hehdr = (struct tchdr_enc *)read_to_safe_mem(opts->dev,
988 (!TC_FLAG_SET(opts->flags, BACKUP)) ? HDR_OFFSET_HIDDEN :
989 -BACKUP_HDR_HIDDEN_OFFSET_END, &sz);
991 tc_log(1, "error read hdr_enc: %s", opts->dev);
999 error = process_hdr(opts->dev, opts->flags, (unsigned char *)pass,
1000 (opts->nkeyfiles > 0)?MAX_PASSSZ:strlen(pass),
1004 * Try to process hidden header if we have to protect the hidden
1005 * volume, or the decryption/verification of the main header
1008 if (hehdr && (error || opts->protect_hidden)) {
1010 error2 = process_hdr(opts->dev, opts->flags, (unsigned char *)pass,
1011 (opts->nkeyfiles > 0)?MAX_PASSSZ:strlen(pass), hehdr,
1013 is_hidden = !error2;
1014 } else if (opts->protect_hidden) {
1015 error2 = process_hdr(opts->dev, opts->flags, (unsigned char *)h_pass,
1016 (opts->n_hkeyfiles > 0)?MAX_PASSSZ:strlen(h_pass), hehdr,
1021 /* We need both to protect a hidden volume */
1022 if ((opts->protect_hidden && (error || error2)) ||
1023 (error && error2)) {
1025 tc_log(1, "Incorrect password or not a TrueCrypt volume\n");
1036 /* Try again (or finish) */
1037 free_safe_mem(pass);
1041 free_safe_mem(h_pass);
1045 free_safe_mem(ehdr);
1049 free_safe_mem(hehdr);
1057 if (opts->protect_hidden) {
1058 if (adjust_info(info, hinfo) != 0) {
1059 tc_log(1, "Could not protect hidden volume\n");
1083 free_safe_mem(pass);
1085 free_safe_mem(h_pass);
1087 free_safe_mem(ehdr);
1089 free_safe_mem(hehdr);
1092 info->hidden = is_hidden;
1098 info_mapped_volume(struct tcplay_opts *opts)
1100 struct tcplay_info *info;
1102 info = dm_info_map(opts->map_name);
1104 if (opts->interactive)
1111 } else if (opts->interactive) {
1112 tc_log(1, "Could not retrieve information about mapped "
1113 "volume %s. Does it exist?\n", opts->map_name);
1120 info_volume(struct tcplay_opts *opts)
1122 struct tcplay_info *info;
1124 info = info_map_common(opts, NULL);
1127 if (opts->interactive)
1140 map_volume(struct tcplay_opts *opts)
1142 struct tcplay_info *info;
1145 info = info_map_common(opts, NULL);
1150 if ((error = dm_setup(opts->map_name, info)) != 0) {
1151 tc_log(1, "Could not set up mapping %s\n", opts->map_name);
1156 if (opts->interactive)
1157 printf("All ok!\n");
1165 modify_volume(struct tcplay_opts *opts)
1167 struct tcplay_info *info;
1168 struct tchdr_enc *ehdr, *ehdr_backup;
1169 const char *new_passphrase = opts->new_passphrase;
1170 const char **new_keyfiles = opts->new_keyfiles;
1171 struct pbkdf_prf_algo *new_prf_algo = opts->new_prf_algo;
1172 int n_newkeyfiles = opts->n_newkeyfiles;
1173 char *pass, *pass_again;
1175 off_t offset, offset_backup = 0;
1181 ehdr = ehdr_backup = NULL;
1182 pass = pass_again = NULL;
1185 if (TC_FLAG_SET(opts->flags, ONLY_RESTORE)) {
1186 if (opts->interactive) {
1187 if ((pass = alloc_safe_mem(PASS_BUFSZ)) == NULL) {
1188 tc_log(1, "could not allocate safe "
1189 "passphrase memory");
1193 new_passphrase = opts->passphrase;
1195 new_keyfiles = opts->keyfiles;
1196 n_newkeyfiles = opts->nkeyfiles;
1197 new_prf_algo = NULL;
1200 info = info_map_common(opts, pass);
1204 if (opts->interactive && !TC_FLAG_SET(opts->flags, ONLY_RESTORE)) {
1205 if (((pass = alloc_safe_mem(PASS_BUFSZ)) == NULL) ||
1206 ((pass_again = alloc_safe_mem(PASS_BUFSZ)) == NULL)) {
1207 tc_log(1, "could not allocate safe passphrase memory\n");
1211 if ((error = read_passphrase("New passphrase: ", pass, MAX_PASSSZ,
1213 (read_passphrase("Repeat passphrase: ", pass_again,
1214 MAX_PASSSZ, PASS_BUFSZ, 0)))) {
1215 tc_log(1, "could not read passphrase\n");
1219 if (strcmp(pass, pass_again) != 0) {
1220 tc_log(1, "Passphrases don't match\n");
1224 free_safe_mem(pass_again);
1226 } else if (!opts->interactive) {
1227 /* In batch mode, use provided passphrase */
1228 if ((pass = alloc_safe_mem(PASS_BUFSZ)) == NULL) {
1229 tc_log(1, "could not allocate safe "
1230 "passphrase memory");
1234 if (new_passphrase != NULL) {
1235 strncpy(pass, new_passphrase, MAX_PASSSZ);
1236 pass[MAX_PASSSZ] = '\0';
1240 if (n_newkeyfiles > 0) {
1241 /* Apply keyfiles to 'pass' */
1242 if ((error = apply_keyfiles((unsigned char *)pass, PASS_BUFSZ,
1243 new_keyfiles, n_newkeyfiles))) {
1244 tc_log(1, "could not apply keyfiles\n");
1249 ehdr = copy_reencrypt_hdr((unsigned char *)pass,
1250 (opts->n_newkeyfiles > 0)?MAX_PASSSZ:strlen(pass),
1251 new_prf_algo, opts->weak_keys_and_salt, info, &ehdr_backup);
1253 tc_log(1, "Could not create header\n");
1257 dev = (TC_FLAG_SET(opts->flags, SYS)) ? opts->sys_dev : opts->dev;
1258 if (TC_FLAG_SET(opts->flags, SYS) || TC_FLAG_SET(opts->flags, FDE)) {
1259 /* SYS and FDE don't have backup headers (as far as I understand) */
1261 offset = HDR_OFFSET_HIDDEN;
1263 offset = HDR_OFFSET_SYS;
1267 offset = HDR_OFFSET_HIDDEN;
1268 offset_backup = -BACKUP_HDR_HIDDEN_OFFSET_END;
1271 offset_backup = -BACKUP_HDR_OFFSET_END;
1275 if ((error = get_disk_info(dev, &blocks, &blksz)) != 0) {
1276 tc_log(1, "could not get disk information\n");
1280 tc_log(0, "Writing new volume headers to disk/file...\n");
1282 if (TC_FLAG_SET(opts->flags, SAVE_TO_FILE)) {
1283 if ((error = write_to_file(opts->hdr_file_out, ehdr, sizeof(*ehdr))) != 0) {
1284 tc_log(1, "Could not write volume header to file\n");
1288 if ((error = write_to_disk(dev, offset, blksz, ehdr,
1289 sizeof(*ehdr))) != 0) {
1290 tc_log(1, "Could not write volume header to device\n");
1294 if (!TC_FLAG_SET(opts->flags, SYS) && !TC_FLAG_SET(opts->flags, FDE)) {
1295 if ((error = write_to_disk(dev, offset_backup, blksz,
1296 ehdr_backup, sizeof(*ehdr_backup))) != 0) {
1297 tc_log(1, "Could not write backup volume header to device\n");
1303 /* Everything went ok */
1304 tc_log(0, "All done!\n");
1310 free_safe_mem(pass);
1312 free_safe_mem(pass_again);
1314 free_safe_mem(ehdr);
1316 free_safe_mem(ehdr_backup);
1318 free_safe_mem(info);
1325 dm_get_info(const char *name, struct dm_info *dmi)
1327 struct dm_task *dmt = NULL;
1330 if ((dmt = dm_task_create(DM_DEVICE_INFO)) == NULL)
1333 if ((dm_task_set_name(dmt, name)) == 0)
1336 if ((dm_task_run(dmt)) == 0)
1339 if ((dm_task_get_info(dmt, dmi)) == 0)
1346 dm_task_destroy(dmt);
1351 #if defined(__DragonFly__)
1354 xlate_maj_min(const char *start_path __unused, int max_depth __unused,
1355 char *buf, size_t bufsz, uint32_t maj, uint32_t min)
1357 dev_t dev = makedev(maj, min);
1359 snprintf(buf, bufsz, "/dev/%s", devname(dev, S_IFCHR));
1365 xlate_maj_min(const char *start_path, int max_depth, char *buf, size_t bufsz,
1366 uint32_t maj, uint32_t min)
1368 dev_t dev = makedev(maj, min);
1369 char path[PATH_MAX];
1378 if ((dirp = opendir(start_path)) == NULL)
1381 while ((ent = readdir(dirp)) != NULL) {
1382 /* d_name, d_type, DT_BLK, DT_CHR, DT_DIR, DT_LNK */
1383 if (ent->d_name[0] == '.')
1386 /* Linux' /dev is littered with junk, so skip over it */
1388 * The dm-<number> devices seem to be the raw DM devices
1389 * things in mapper/ link to.
1391 if (((strcmp(ent->d_name, "block")) == 0) ||
1392 ((strcmp(ent->d_name, "fd")) == 0) ||
1393 (((strncmp(ent->d_name, "dm-", 3) == 0) && strlen(ent->d_name) <= 5)))
1396 snprintf(path, PATH_MAX, "%s/%s", start_path, ent->d_name);
1398 if ((stat(path, &sb)) < 0)
1401 if (S_ISDIR(sb.st_mode)) {
1402 found = !xlate_maj_min(path, max_depth-1, buf, bufsz, maj, min);
1407 if (!S_ISBLK(sb.st_mode))
1410 if (sb.st_rdev != dev)
1413 snprintf(buf, bufsz, "%s", path);
1421 return found ? 0 : -ENOENT;
1426 struct tcplay_dm_table *
1427 dm_get_table(const char *name)
1429 struct tcplay_dm_table *tc_table;
1430 struct dm_task *dmt = NULL;
1432 uint64_t start, length;
1439 if ((tc_table = (struct tcplay_dm_table *)alloc_safe_mem(sizeof(*tc_table))) == NULL) {
1440 tc_log(1, "could not allocate safe tc_table memory\n");
1444 if ((dmt = dm_task_create(DM_DEVICE_TABLE)) == NULL)
1447 if ((dm_task_set_name(dmt, name)) == 0)
1450 if ((dm_task_run(dmt)) == 0)
1453 tc_table->start = (off_t)0;
1454 tc_table->size = (size_t)0;
1457 next = dm_get_next_target(dmt, next, &start, &length,
1458 &target_type, ¶ms);
1460 tc_table->size += (size_t)length;
1461 strncpy(tc_table->target, target_type,
1462 sizeof(tc_table->target));
1464 /* Skip any leading whitespace */
1465 while (params && *params == ' ')
1468 if (strcmp(target_type, "crypt") == 0) {
1469 while ((p1 = strsep(¶ms, " ")) != NULL) {
1470 /* Skip any whitespace before the next strsep */
1471 while (params && *params == ' ')
1477 strncpy(tc_table->cipher, p1,
1478 sizeof(tc_table->cipher));
1479 } else if (c == 2) {
1481 tc_table->skip = (off_t)strtoll(p1, NULL, 10);
1482 } else if (c == 3) {
1484 maj = strtoul(p1, NULL, 10);
1485 while (*p1 != ':' && *p1 != '\0')
1487 min = strtoul(++p1, NULL, 10);
1488 if ((xlate_maj_min("/dev", 2, tc_table->device,
1489 sizeof(tc_table->device), maj, min)) != 0)
1490 snprintf(tc_table->device,
1491 sizeof(tc_table->device),
1493 } else if (c == 4) {
1495 tc_table->offset = (off_t)strtoll(p1,
1502 tc_log(1, "could not get all the info required from "
1507 } while (next != NULL);
1510 dm_task_destroy(dmt);
1513 printf("device: %s\n", tc_table->device);
1514 printf("target: %s\n", tc_table->target);
1515 printf("cipher: %s\n", tc_table->cipher);
1516 printf("size: %ju\n", tc_table->size);
1517 printf("offset: %"PRId64"\n", tc_table->offset);
1518 printf("skip: %"PRId64"\n", tc_table->skip);
1525 dm_task_destroy(dmt);
1527 free_safe_mem(tc_table);
1532 struct tcplay_info *
1533 dm_info_map(const char *map_name)
1535 struct dm_task *dmt = NULL;
1536 struct dm_info dmi[3];
1537 struct tcplay_dm_table *dm_table[3];
1538 struct tc_crypto_algo *crypto_algo;
1539 struct tcplay_info *info;
1542 int i, outermost = -1;
1544 memset(dm_table, 0, sizeof(dm_table));
1546 if ((info = (struct tcplay_info *)alloc_safe_mem(sizeof(*info))) == NULL) {
1547 tc_log(1, "could not allocate safe info memory\n");
1551 strncpy(map, map_name, PATH_MAX);
1552 for (i = 0; i < 3; i++) {
1553 if ((dm_get_info(map, &dmi[i])) != 0)
1557 dm_table[i] = dm_get_table(map);
1559 snprintf(map, PATH_MAX, "%s.%d", map_name, i);
1563 dm_task_destroy(dmt);
1565 if (dm_table[0] == NULL)
1569 * Process our dmi, dm_table fun into the info structure.
1571 /* First find which cipher chain we are using */
1573 for (i = 0; i < 3; i++) {
1574 if (dm_table[i] == NULL)
1580 crypto_algo = &tc_crypto_algos[0];
1581 while ((crypto_algo != NULL) &&
1582 (strcmp(dm_table[i]->cipher, crypto_algo->dm_crypt_str) != 0))
1584 if (crypto_algo == NULL) {
1585 tc_log(1, "could not find corresponding cipher\n");
1588 strcat(ciphers, crypto_algo->name);
1589 strcat(ciphers, ",");
1591 ciphers[strlen(ciphers)-1] = '\0';
1593 info->cipher_chain = check_cipher_chain(ciphers, 1);
1594 if (info->cipher_chain == NULL) {
1595 tc_log(1, "could not find cipher chain\n");
1599 /* Copy over the name */
1600 strncpy(info->dev, dm_table[outermost]->device, sizeof(info->dev));
1604 info->pbkdf_prf = NULL;
1605 info->start = dm_table[outermost]->start;
1606 info->size = dm_table[0]->size;
1607 info->skip = dm_table[outermost]->skip;
1608 info->offset = dm_table[outermost]->offset;
1615 dm_task_destroy(dmt);
1617 free_safe_mem(info);
1618 for (i = 0; i < 3; i++)
1619 if (dm_table[i] != NULL)
1620 free_safe_mem(dm_table[i]);
1627 dm_exists_device(const char *name)
1632 if (dm_get_info(name, &dmi) != 0)
1635 exists = dmi.exists;
1643 dm_remove_device(const char *name)
1645 struct dm_task *dmt = NULL;
1648 if ((dmt = dm_task_create(DM_DEVICE_REMOVE)) == NULL)
1651 if ((dm_task_set_name(dmt, name)) == 0)
1654 if ((dm_task_run(dmt)) == 0)
1660 dm_task_destroy(dmt);
1666 dm_setup(const char *mapname, struct tcplay_info *info)
1668 struct tc_cipher_chain *cipher_chain;
1669 struct dm_task *dmt = NULL;
1671 char *params = NULL;
1675 #if defined(__DragonFly__)
1680 off_t start, offset;
1685 dm_udev_set_sync_support(1);
1687 if ((params = alloc_safe_mem(512)) == NULL) {
1688 tc_log(1, "could not allocate safe parameters memory");
1692 strcpy(dev, info->dev);
1695 * Device Mapper blocks are always 512-byte blocks, so convert
1696 * from the "native" block size to the dm block size here.
1698 start = INFO_TO_DM_BLOCKS(info, start);
1699 offset = INFO_TO_DM_BLOCKS(info, offset);
1703 * Find length of cipher chain. Could use the for below, but doesn't
1706 len = tc_cipher_chain_length(info->cipher_chain);
1708 /* Get to the end of the chain */
1709 for (cipher_chain = info->cipher_chain; cipher_chain->next != NULL;
1710 cipher_chain = cipher_chain->next)
1714 * Start j at len-2, as we want to use .0, and the final one has no
1717 for (j = len-2; cipher_chain != NULL;
1718 cipher_chain = cipher_chain->prev, j--) {
1722 if ((dmt = dm_task_create(DM_DEVICE_CREATE)) == NULL) {
1723 tc_log(1, "dm_task_create failed\n");
1729 * If this is the last element in the cipher chain, use the
1730 * final map name. Otherwise pick a secondary name...
1732 if (cipher_chain->prev == NULL)
1733 strcpy(map, mapname);
1735 sprintf(map, "%s.%d", mapname, j);
1737 if ((dm_task_set_name(dmt, map)) == 0) {
1738 tc_log(1, "dm_task_set_name failed\n");
1743 #if defined(__linux__)
1744 uuid_generate(info->uuid);
1745 if ((uu_temp = malloc(1024)) == NULL) {
1746 tc_log(1, "uuid_unparse memory failed\n");
1750 uuid_unparse(info->uuid, uu_temp);
1751 #elif defined(__DragonFly__)
1752 uuid_create(&info->uuid, &status);
1753 if (status != uuid_s_ok) {
1754 tc_log(1, "uuid_create failed\n");
1759 uuid_to_string(&info->uuid, &uu_temp, &status);
1760 if (uu_temp == NULL) {
1761 tc_log(1, "uuid_to_string failed\n");
1767 if ((uu = malloc(1024)) == NULL) {
1769 tc_log(1, "uuid second malloc failed\n");
1774 snprintf(uu, 1024, "CRYPT-TCPLAY-%s", uu_temp);
1777 if ((dm_task_set_uuid(dmt, uu)) == 0) {
1779 tc_log(1, "dm_task_set_uuid failed\n");
1786 if (TC_FLAG_SET(info->flags, FDE)) {
1788 * When the full disk encryption (FDE) flag is set,
1789 * we map the first N sectors using a linear target
1790 * as they aren't encrypted.
1794 /* dev---^ block off --^ */
1795 snprintf(params, 512, "%s 0", dev);
1797 if ((dm_task_add_target(dmt, 0,
1798 INFO_TO_DM_BLOCKS(info, offset),
1799 "linear", params)) == 0) {
1800 tc_log(1, "dm_task_add_target failed\n");
1805 start = INFO_TO_DM_BLOCKS(info, offset);
1808 /* aes-cbc-essiv:sha256 7997f8af... 0 /dev/ad0s0a 8 <opts> */
1809 /* iv off---^ block off--^ <opts> */
1810 snprintf(params, 512, "%s %s %"PRIu64 " %s %"PRIu64 " %s",
1811 cipher_chain->cipher->dm_crypt_str, cipher_chain->dm_key,
1812 (uint64_t)INFO_TO_DM_BLOCKS(info, skip), dev,
1814 TC_FLAG_SET(info->flags, ALLOW_TRIM) ? "1 allow_discards" : "");
1816 printf("Params: %s\n", params);
1819 if ((dm_task_add_target(dmt, start,
1820 INFO_TO_DM_BLOCKS(info, size), "crypt", params)) == 0) {
1821 tc_log(1, "dm_task_add_target failed\n");
1826 if ((dm_task_set_cookie(dmt, &cookie, 0)) == 0) {
1827 tc_log(1, "dm_task_set_cookie failed\n");
1832 if ((dm_task_run(dmt)) == 0) {
1833 dm_udev_wait(cookie);
1834 tc_log(1, "dm_task_run failed\n");
1839 if ((dm_task_get_info(dmt, &dmi)) == 0) {
1840 dm_udev_wait(cookie);
1841 tc_log(1, "dm_task_get info failed\n");
1846 dm_udev_wait(cookie);
1848 if ((r = asprintf(&uu_stack[uu_stack_idx++], "%s", map)) < 0)
1849 tc_log(1, "warning, asprintf failed. won't be able to "
1850 "unroll changes\n");
1855 sprintf(dev, "/dev/mapper/%s.%d", mapname, j);
1857 dm_task_destroy(dmt);
1858 dm_task_update_nodes();
1863 * If an error occured, try to unroll changes made before it
1870 printf("Unrolling dm changes! j = %d (%s)\n", j-1,
1873 if ((uu_stack[j-1] == NULL) ||
1874 ((r = dm_remove_device(uu_stack[--j])) != 0)) {
1875 tc_log(1, "Tried to unroll dm changes, "
1882 while (uu_stack_idx > 0)
1883 free(uu_stack[--uu_stack_idx]);
1885 free_safe_mem(params);
1891 dm_teardown(const char *mapname, const char *device __unused)
1894 struct dm_task *dmt = NULL;
1900 if ((error = dm_remove_device(mapname)) != 0) {
1901 tc_log(1, "Could not remove mapping %s\n", mapname);
1905 /* Try to remove other cascade devices */
1906 for (i = 0; i < 2; i++) {
1907 sprintf(map, "%s.%d", mapname, i);
1908 if (dm_exists_device(map))
1909 dm_remove_device(map);
1915 struct tc_crypto_algo *
1916 check_cipher(const char *cipher, int quiet)
1920 for (i = 0; tc_crypto_algos[i].name != NULL; i++) {
1921 if (strcmp(cipher, tc_crypto_algos[i].name) == 0) {
1927 if (!found && !quiet) {
1928 fprintf(stderr, "Valid ciphers are: ");
1929 for (i = 0; tc_crypto_algos[i].name != NULL; i++)
1930 fprintf(stderr, "%s ", tc_crypto_algos[i].name);
1931 fprintf(stderr, "\n");
1935 return &tc_crypto_algos[i];
1938 struct tc_cipher_chain *
1939 check_cipher_chain(const char *cipher_chain, int quiet)
1941 struct tc_cipher_chain *cipher = NULL;
1942 int i,k, nciphers = 0, mismatch = 0;
1944 char *tmp_chain, *tmp_chain_free;
1947 if ((tmp_chain = strdup(cipher_chain)) == NULL) {
1948 tc_log(1, "Could not allocate strdup memory\n");
1952 tmp_chain_free = tmp_chain;
1954 while ((token = strsep(&tmp_chain, ",")) != NULL)
1955 ciphers[nciphers++] = token;
1959 for (i = 0; valid_cipher_chains[i][0] != NULL; i++) {
1962 for (k = 0; (valid_cipher_chains[i][k] != NULL); k++) {
1964 * If there are more ciphers in the chain than in the
1965 * ciphers[] variable this is not the right chain.
1967 if (k == nciphers) {
1972 if (strcmp(ciphers[k], valid_cipher_chains[i][k]) != 0)
1977 * If all ciphers matched and there are exactly nciphers,
1978 * then we found the right cipher chain.
1980 if ((k == nciphers) && !mismatch) {
1981 cipher = tc_cipher_chains[i];
1986 if (cipher == NULL) {
1987 tc_log(1, "Invalid cipher: %s\n", cipher_chain);
1989 fprintf(stderr, "Valid cipher chains are:\n");
1990 for (i = 0; valid_cipher_chains[i][0] != NULL; i++) {
1991 for (k = 0; valid_cipher_chains[i][k] != NULL;
1993 fprintf(stderr, "%s%c",
1994 valid_cipher_chains[i][k],
1995 (valid_cipher_chains[i][k+1] != NULL) ?
1998 fprintf(stderr, "\n");
2003 free(tmp_chain_free);
2007 struct pbkdf_prf_algo *
2008 check_prf_algo(const char *algo, int quiet)
2012 for (i = 0; pbkdf_prf_algos[i].name != NULL; i++) {
2013 if (strcmp(algo, pbkdf_prf_algos[i].name) == 0) {
2019 if (!found && !quiet) {
2020 fprintf(stderr, "Valid PBKDF PRF algorithms are: ");
2021 for (i = 0; pbkdf_prf_algos[i].name != NULL; i++)
2022 fprintf(stderr, "%s ", pbkdf_prf_algos[i].name);
2023 fprintf(stderr, "\n");
2027 return &pbkdf_prf_algos[i];
2035 if ((error = tc_build_cipher_chains()) != 0)
2038 if ((error = tc_crypto_init()) != 0)
2044 struct tcplay_opts *opts_init(void)
2046 struct tcplay_opts *opts;
2048 if ((opts = (struct tcplay_opts *)alloc_safe_mem(sizeof(*opts))) == NULL) {
2049 tc_log(1, "could not allocate safe opts memory\n");
2053 memset(opts, 0, sizeof(*opts));
2055 opts->retries = DEFAULT_RETRIES;
2056 opts->secure_erase = 1;
2062 opts_add_keyfile(struct tcplay_opts *opts, const char *keyfile)
2066 if (opts->nkeyfiles == MAX_KEYFILES)
2069 if ((keyf = strdup_safe_mem(keyfile)) == NULL) {
2073 opts->keyfiles[opts->nkeyfiles++] = keyf;
2079 opts_add_keyfile_hidden(struct tcplay_opts *opts, const char *keyfile)
2083 if (opts->n_hkeyfiles == MAX_KEYFILES)
2086 if ((keyf = strdup_safe_mem(keyfile)) == NULL) {
2090 opts->h_keyfiles[opts->n_hkeyfiles++] = keyf;
2096 opts_add_keyfile_new(struct tcplay_opts *opts, const char *keyfile)
2100 if (opts->n_newkeyfiles == MAX_KEYFILES)
2103 if ((keyf = strdup_safe_mem(keyfile)) == NULL) {
2107 opts->new_keyfiles[opts->n_newkeyfiles++] = keyf;
2113 opts_clear_keyfile(struct tcplay_opts *opts)
2117 for (i = 0; i < opts->nkeyfiles; i++) {
2118 free_safe_mem(opts->keyfiles[i]);
2121 opts->nkeyfiles = 0;
2125 opts_clear_keyfile_hidden(struct tcplay_opts *opts)
2129 for (i = 0; i < opts->n_hkeyfiles; i++) {
2130 free_safe_mem(opts->h_keyfiles[i]);
2133 opts->n_hkeyfiles = 0;
2138 opts_clear_keyfile_new(struct tcplay_opts *opts)
2142 for (i = 0; i < opts->n_newkeyfiles; i++) {
2143 free_safe_mem(opts->new_keyfiles[i]);
2146 opts->n_newkeyfiles = 0;
2151 opts_free(struct tcplay_opts *opts)
2155 for (i = 0; i < opts->nkeyfiles; i++) {
2156 free_safe_mem(opts->keyfiles[i]);
2159 for (i = 0; i < opts->n_hkeyfiles; i++) {
2160 free_safe_mem(opts->h_keyfiles[i]);
2163 for (i = 0; i < opts->n_newkeyfiles; i++) {
2164 free_safe_mem(opts->new_keyfiles[i]);
2168 free_safe_mem(opts->dev);
2169 if (opts->passphrase)
2170 free_safe_mem(opts->passphrase);
2171 if (opts->h_passphrase)
2172 free_safe_mem(opts->h_passphrase);
2173 if (opts->new_passphrase)
2174 free_safe_mem(opts->new_passphrase);
2176 free_safe_mem(opts->map_name);
2178 free_safe_mem(opts->sys_dev);
2179 if (opts->hdr_file_in)
2180 free_safe_mem(opts->hdr_file_in);
2181 if (opts->h_hdr_file_in)
2182 free_safe_mem(opts->h_hdr_file_in);
2183 if (opts->hdr_file_out)
2184 free_safe_mem(opts->hdr_file_out);
2186 free_safe_mem(opts);