xref: /dragonfly/contrib/cryptsetup/lib/setup.c (revision 86d7f5d305c6adaa56ff4582ece9859d73106103)

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <fcntl.h>
#include <errno.h>

#include "libcryptsetup.h"
#include "luks.h"
#include "internal.h"

struct crypt_device {
          char *type;

          char *device;
          struct luks_masterkey *volume_key;
          uint64_t timeout;
          uint64_t iteration_time;
          int tries;
          int password_verify;

          /* used in CRYPT_LUKS1 */
          struct luks_phdr hdr;
          uint64_t PBKDF2_per_sec;

          /* used in CRYPT_PLAIN */
          struct crypt_params_plain plain_hdr;
          char *plain_cipher;
          char *plain_cipher_mode;
          char *plain_uuid;

          /* callbacks definitions */
          void (*log)(int level, const char *msg, void *usrptr);
          void *log_usrptr;
          int (*confirm)(const char *msg, void *usrptr);
          void *confirm_usrptr;
          int (*password)(const char *msg, char *buf, size_t length, void *usrptr);
          void *password_usrptr;
};

/* Log helper */
static void (*_default_log)(int level, const char *msg, void *usrptr) = NULL;
static int _debug_level = 0;

void crypt_set_debug_level(int level)
{
          _debug_level = level;
}

int crypt_get_debug_level()
{
          return _debug_level;
}

void crypt_log(struct crypt_device *cd, int level, const char *msg)
{
          if (cd && cd->log)
                    cd->log(level, msg, cd->log_usrptr);
          else if (_default_log)
                    _default_log(level, msg, NULL);
}

void logger(struct crypt_device *cd, int level, const char *file,
              int line, const char *format, ...)
{
          va_list argp;
          char *target = NULL;

          va_start(argp, format);

          if (vasprintf(&target, format, argp) > 0) {
                    if (level >= 0) {
                              crypt_log(cd, level, target);
#ifdef CRYPT_DEBUG
                    } else if (_debug_level)
                              printf("# %s:%d %s\n", file ?: "?", line, target);
#else
                    } else if (_debug_level)
                              printf("# %s\n", target);
#endif
          }

          va_end(argp);
          free(target);
}

/*
 * Password processing behaviour matrix of process_key
 *
 * from binary file: check if there is sufficently large key material
 * interactive & from fd: hash if requested, otherwise crop or pad with '0'
 */
static char *process_key(struct crypt_device *cd, const char *hash_name,
                               const char *key_file, size_t key_size,
                               const char *pass, size_t passLen)
{
          char *key = safe_alloc(key_size);
          memset(key, 0, key_size);

          /* key is coming from binary file */
          if (key_file && strcmp(key_file, "-")) {
                    if(passLen < key_size) {
                              log_err(cd, _("Cannot not read %d bytes from key file %s.\n"),
                                        key_size, key_file);
                              safe_free(key);
                              return NULL;
                    }
                    memcpy(key, pass, key_size);
                    return key;
          }

          /* key is coming from tty, fd or binary stdin */
          if (hash_name) {
                    if (hash(NULL, hash_name, key, key_size, pass, passLen) < 0) {
                              log_err(cd, _("Key processing error (using hash algorithm %s).\n"),
                                        hash_name);
                              safe_free(key);
                              return NULL;
                    }
          } else if (passLen > key_size) {
                    memcpy(key, pass, key_size);
          } else {
                    memcpy(key, pass, passLen);
          }

          return key;
}

int parse_into_name_and_mode(const char *nameAndMode, char *name, char *mode)
{
/* Token content stringification, see info cpp/stringification */
#define str(s) #s
#define xstr(s) str(s)
#define scanpattern1 "%" xstr(LUKS_CIPHERNAME_L) "[^-]-%" xstr(LUKS_CIPHERMODE_L)  "s"
#define scanpattern2 "%" xstr(LUKS_CIPHERNAME_L) "[^-]"

          int r;

          if(sscanf(nameAndMode,scanpattern1, name, mode) != 2) {
                    if((r = sscanf(nameAndMode,scanpattern2,name)) == 1)
                              strncpy(mode,"cbc-plain",10);
                    else
                              return -EINVAL;
          }

          return 0;

#undef scanpattern1
#undef scanpattern2
#undef str
#undef xstr
}

static int isPLAIN(const char *type)
{
          return (type && !strcmp(CRYPT_PLAIN, type));
}

static int isLUKS(const char *type)
{
          return (type && !strcmp(CRYPT_LUKS1, type));
}

/* keyslot helpers */
static int keyslot_verify_or_find_empty(struct crypt_device *cd, int *keyslot)
{
          if (*keyslot == CRYPT_ANY_SLOT) {
                    *keyslot = LUKS_keyslot_find_empty(&cd->hdr);
                    if (*keyslot < 0) {
                              log_err(cd, _("All key slots full.\n"));
                              return -EINVAL;
                    }
          }

          switch (LUKS_keyslot_info(&cd->hdr, *keyslot)) {
                    case CRYPT_SLOT_INVALID:
                              log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
                                        *keyslot, LUKS_NUMKEYS - 1);
                              return -EINVAL;
                    case CRYPT_SLOT_INACTIVE:
                              break;
                    default:
                              log_err(cd, _("Key slot %d is full, please select another one.\n"),
                                        *keyslot);
                              return -EINVAL;
          }

          return 0;
}

static int verify_other_keyslot(struct crypt_device *cd,
                                        const char *key_file,
                                        unsigned int flags,
                                        int keyIndex)
{
          struct luks_masterkey *mk;
          crypt_keyslot_info ki;
          int openedIndex;
          char *password = NULL;
          unsigned int passwordLen;

          get_key(_("Enter any remaining LUKS passphrase: "), &password,
                    &passwordLen, 0, key_file, cd->timeout, flags, cd);
          if(!password)
                    return -EINVAL;

          ki = crypt_keyslot_status(cd, keyIndex);
          if (ki == CRYPT_SLOT_ACTIVE) /* Not last slot */
                    LUKS_keyslot_set(&cd->hdr, keyIndex, 0);

          openedIndex = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT,
                                                       password, passwordLen,
                                                       &cd->hdr, &mk, cd);

          if (ki == CRYPT_SLOT_ACTIVE)
                    LUKS_keyslot_set(&cd->hdr, keyIndex, 1);
          LUKS_dealloc_masterkey(mk);
          safe_free(password);

          if (openedIndex < 0)
                    return -EPERM;

          log_verbose(cd, _("Key slot %d verified.\n"), openedIndex);
          return 0;
}

static int find_keyslot_by_passphrase(struct crypt_device *cd,
                                              const char *key_file,
                                              unsigned int flags,
                                              char *message)
{
          struct luks_masterkey *mk;
          char *password = NULL;
          unsigned int passwordLen;
          int keyIndex;

          get_key(message,&password,&passwordLen, 0, key_file,
                    cd->timeout, flags, cd);
          if(!password)
                    return -EINVAL;

          keyIndex = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
                                                    passwordLen, &cd->hdr, &mk, cd);
          LUKS_dealloc_masterkey(mk);
          safe_free(password);

          return keyIndex;
}

static int device_check_and_adjust(struct crypt_device *cd,
                                           const char *device,
                                           uint64_t *size, uint64_t *offset,
                                           int *read_only)
{
          struct device_infos infos;

          if (!device || get_device_infos(device, &infos, cd) < 0) {
                    log_err(cd, _("Cannot get info about device %s.\n"),
                              device ?: "[none]");
                    return -ENOTBLK;
          }

          if (!*size) {
                    *size = infos.size;
                    if (!*size) {
                              log_err(cd, _("Device %s has zero size.\n"), device);
                              return -ENOTBLK;
                    }
                    if (*size < *offset) {
                              log_err(cd, _("Device %s is too small.\n"), device);
                              return -EINVAL;
                    }
                    *size -= *offset;
          }

          if (infos.readonly)
                    *read_only = 1;

          log_dbg("Calculated device size is %" PRIu64 " sectors (%s), offset %" PRIu64 ".",
                    *size, *read_only ? "RO" : "RW", *offset);
          return 0;
}

static int luks_remove_helper(struct crypt_device *cd,
                                    int key_slot,
                                    const char *other_key_file,
                                    const char *key_file,
                                    int verify)
{
          crypt_keyslot_info ki;
          int r = -EINVAL;

          if (key_slot == CRYPT_ANY_SLOT) {
                    key_slot = find_keyslot_by_passphrase(cd, key_file, 0,
                                        _("Enter LUKS passphrase to be deleted: "));
                    if(key_slot < 0) {
                              r = -EPERM;
                              goto out;
                    }

                    log_std(cd, _("key slot %d selected for deletion.\n"), key_slot);
          }

          ki = crypt_keyslot_status(cd, key_slot);
          if (ki == CRYPT_SLOT_INVALID) {
                    log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
                              key_slot, LUKS_NUMKEYS - 1);
                    r = -EINVAL;
                    goto out;
          }
          if (ki <= CRYPT_SLOT_INACTIVE) {
                    log_err(cd, _("Key %d not active. Can't wipe.\n"), key_slot);
                    r = -EINVAL;
                    goto out;
          }

          if (ki == CRYPT_SLOT_ACTIVE_LAST && cd->confirm &&
              !(cd->confirm(_("This is the last keyslot."
                                  " Device will become unusable after purging this key."),
                               cd->confirm_usrptr))) {
                    r = -EINVAL;
                    goto out;
          }

          if(verify)
                    r = verify_other_keyslot(cd, other_key_file, 0, key_slot);
          else
                    r = 0;

          if (!r)
                    r = crypt_keyslot_destroy(cd, key_slot);
out:
          return (r < 0) ? r : 0;
}

static int create_device_helper(struct crypt_device *cd,
                                        const char *name,
                                        const char *hash,
                                        const char *cipher,
                                        const char *cipher_mode,
                                        const char *key_file,
                                        const char *key,
                                        unsigned int keyLen,
                                        int key_size,
                                        uint64_t size,
                                        uint64_t skip,
                                        uint64_t offset,
                                        const char *uuid,
                                        int read_only,
                                        unsigned int flags,
                                        int reload)
{
          crypt_status_info ci;
          char *dm_cipher = NULL;
          char *processed_key = NULL;
          int r;

          ci = crypt_status(cd, name);
          if (ci == CRYPT_INVALID)
                    return -EINVAL;

          if (reload && ci < CRYPT_ACTIVE)
                    return -EINVAL;

          if (!reload && ci >= CRYPT_ACTIVE) {
                    log_err(cd, _("Device %s already exists.\n"), name);
                    return -EEXIST;
          }

          if (key_size < 0 || key_size > 1024) {
                    log_err(cd, _("Invalid key size %d.\n"), key_size);
                    return -EINVAL;
          }

          r = device_check_and_adjust(cd, cd->device, &size, &offset, &read_only);
          if (r)
                    return r;

          if (cipher_mode && asprintf(&dm_cipher, "%s-%s", cipher, cipher_mode) < 0)
                    return -ENOMEM;

          processed_key = process_key(cd, hash, key_file, key_size, key, keyLen);
          if (!processed_key)
                    return -ENOENT;

          r = dm_create_device(name, cd->device, dm_cipher ?: cipher, cd->type, uuid, size, skip, offset,
                                   key_size, processed_key, read_only, reload);

          free(dm_cipher);
          safe_free(processed_key);
          return r;
}

static int open_from_hdr_and_mk(struct crypt_device *cd,
                                        struct luks_masterkey *mk,
                                        const char *name,
                                        uint32_t flags)
{
          uint64_t size, offset;
          char *cipher;
          int read_only, no_uuid, r;

          size = 0;
          offset = crypt_get_data_offset(cd);
          read_only = flags & CRYPT_ACTIVATE_READONLY;
          no_uuid = flags & CRYPT_ACTIVATE_NO_UUID;

          r = device_check_and_adjust(cd, cd->device, &size, &offset, &read_only);
          if (r)
                    return r;

          if (asprintf(&cipher, "%s-%s", crypt_get_cipher(cd),
                         crypt_get_cipher_mode(cd)) < 0)
                    r = -ENOMEM;
          else
                    r = dm_create_device(name, cd->device, cipher, cd->type,
                                             no_uuid ? NULL : crypt_get_uuid(cd),
                                             size, 0, offset, mk->keyLength, mk->key,
                                             read_only, 0);
          free(cipher);
          return r;
}

static void log_wrapper(int level, const char *msg, void *usrptr)
{
          void (*xlog)(int level, char *msg) = usrptr;
          xlog(level, (char *)msg);
}

static int yesDialog_wrapper(const char *msg, void *usrptr)
{
          int (*xyesDialog)(char *msg) = usrptr;
          return xyesDialog((char*)msg);
}

int crypt_confirm(struct crypt_device *cd, const char *msg)
{
          if (!cd || !cd->confirm)
                    return 1;
          else
                    return cd->confirm(msg, cd->confirm_usrptr);
}

static void key_from_terminal(struct crypt_device *cd, char *msg, char **key,
                                    unsigned int *key_len, int force_verify)
{
          int r, flags = 0;

          if (cd->password) {
                    *key = safe_alloc(MAX_TTY_PASSWORD_LEN);
                    if (*key)
                              return;
                    r = cd->password(msg, *key, (size_t)key_len, cd->password_usrptr);
                    if (r < 0) {
                              safe_free(*key);
                              *key = NULL;
                    } else
                              *key_len = r;
          } else {
                    if (force_verify || cd->password_verify)
                              flags |= CRYPT_FLAG_VERIFY_IF_POSSIBLE;
                    get_key(msg, key, key_len, 0, NULL, cd->timeout, flags, cd);
          }
}

static int volume_key_by_terminal_passphrase(struct crypt_device *cd, int keyslot,
                                                       struct luks_masterkey **mk)
{
          char *prompt = NULL, *passphrase_read = NULL;
          unsigned int passphrase_size_read;
          int r = -EINVAL, tries = cd->tries;

          if(asprintf(&prompt, _("Enter passphrase for %s: "), cd->device) < 0)
                    return -ENOMEM;

          *mk = NULL;
          do {
                    if (*mk)
                              LUKS_dealloc_masterkey(*mk);
                    *mk = NULL;

                    key_from_terminal(cd, prompt, &passphrase_read,
                                          &passphrase_size_read, 0);
                    if(!passphrase_read) {
                              r = -EINVAL;
                              break;
                    }

                    r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
                                                     passphrase_size_read, &cd->hdr, mk, cd);
                    safe_free(passphrase_read);
                    passphrase_read = NULL;
          } while (r == -EPERM && (--tries > 0));

          if (r < 0 && *mk) {
                    LUKS_dealloc_masterkey(*mk);
                    *mk = NULL;
          }
          free(prompt);

          return r;

}

static void key_from_file(struct crypt_device *cd, char *msg,
                                char **key, unsigned int *key_len,
                                const char *key_file, size_t key_size)
{
          get_key(msg, key, key_len, key_size, key_file, cd->timeout, 0, cd);
}

static int _crypt_init(struct crypt_device **cd,
                           const char *type,
                           struct crypt_options *options,
                           int load, int need_dm)
{
          int init_by_name, r;

          /* if it is plain device and mapping table is being reloaded
          initialize it by name*/
          init_by_name = (type && !strcmp(type, CRYPT_PLAIN) && load);

          /* Some of old API calls do not require DM in kernel,
             fake initialisation by initialise it with kernel_check disabled */
          if (!need_dm)
                    (void)dm_init(NULL, 0);
          if (init_by_name)
                    r = crypt_init_by_name(cd, options->name);
          else
                    r = crypt_init(cd, options->device);
          if (!need_dm)
                    dm_exit();

          if (r)
                    return -EINVAL;

          crypt_set_log_callback(*cd, log_wrapper, options->icb->log);
          crypt_set_confirm_callback(*cd, yesDialog_wrapper, options->icb->yesDialog);

          crypt_set_timeout(*cd, options->timeout);
          crypt_set_password_retry(*cd, options->tries);
          crypt_set_iterarion_time(*cd, options->iteration_time ?: 1000);
          crypt_set_password_verify(*cd, options->flags & CRYPT_FLAG_VERIFY);

          if (load && !init_by_name)
                    r = crypt_load(*cd, type, NULL);

          if (!r && type && !(*cd)->type) {
                    (*cd)->type = strdup(type);
                    if (!(*cd)->type)
                              r = -ENOMEM;
          }

          if (r)
                    crypt_free(*cd);

          return r;
}

void crypt_set_log_callback(struct crypt_device *cd,
          void (*log)(int level, const char *msg, void *usrptr),
          void *usrptr)
{
          if (!cd)
                    _default_log = log;
          else {
                    cd->log = log;
                    cd->log_usrptr = usrptr;
          }
}

void crypt_set_confirm_callback(struct crypt_device *cd,
          int (*confirm)(const char *msg, void *usrptr),
          void *usrptr)
{
          cd->confirm = confirm;
          cd->confirm_usrptr = usrptr;
}

void crypt_set_password_callback(struct crypt_device *cd,
          int (*password)(const char *msg, char *buf, size_t length, void *usrptr),
          void *usrptr)
{
          cd->password = password;
          cd->password_usrptr = usrptr;
}

/* OPTIONS: name, cipher, device, hash, key_file, key_size, key_slot,
 *          offset, size, skip, timeout, tries, passphrase_fd (ignored),
 *          flags, icb */
static int crypt_create_and_update_device(struct crypt_options *options, int update)
{
          struct crypt_device *cd = NULL;
          char *key = NULL;
          unsigned int keyLen;
          int r;

          r = _crypt_init(&cd, CRYPT_PLAIN, options, 0, 1);
          if (r)
                    return r;

          get_key(_("Enter passphrase: "), &key, &keyLen, options->key_size,
                    options->key_file, cd->timeout, options->flags, cd);
          if (!key)
                    r = -ENOENT;
          else
                    r = create_device_helper(cd, options->name, options->hash,
                              options->cipher, NULL, options->key_file, key, keyLen,
                              options->key_size, options->size, options->skip,
                              options->offset, NULL, options->flags & CRYPT_FLAG_READONLY,
                              options->flags, update);

          safe_free(key);
          crypt_free(cd);
          return r;
}

int crypt_create_device(struct crypt_options *options)
{
          return crypt_create_and_update_device(options, 0);
}

int crypt_update_device(struct crypt_options *options)
{
          return crypt_create_and_update_device(options, 1);
}

/* OPTIONS: name, size, icb */
int crypt_resize_device(struct crypt_options *options)
{
          struct crypt_device *cd = NULL;
          char *device = NULL, *cipher = NULL, *uuid = NULL, *key = NULL;
          char *type = NULL;
          uint64_t size, skip, offset;
          int key_size, read_only, r;

          log_dbg("Resizing device %s to %" PRIu64 " sectors.", options->name, options->size);

          if (dm_init(NULL, 1) < 0)
                    return -ENOSYS;

          r = dm_query_device(options->name, &device, &size, &skip, &offset,
                                  &cipher, &key_size, &key, &read_only, NULL, &uuid);
          if (r < 0) {
                    log_err(NULL, _("Device %s is not active.\n"), options->name);
                    goto out;
          }

          /* Try to determine type of device from UUID */
          type = CRYPT_PLAIN;
          if (uuid) {
                    if (!strncmp(uuid, CRYPT_PLAIN, strlen(CRYPT_PLAIN))) {
                              type = CRYPT_PLAIN;
                              free (uuid);
                              uuid = NULL;
                    } else if (!strncmp(uuid, CRYPT_LUKS1, strlen(CRYPT_LUKS1)))
                              type = CRYPT_LUKS1;
          }

          if (!options->device)
                    options->device = device;

          r = _crypt_init(&cd, type, options, 1, 1);
          if (r)
                    goto out;

          size = options->size;
          r = device_check_and_adjust(cd, device, &size, &offset, &read_only);
          if (r)
                    goto out;

          r = dm_create_device(options->name, device, cipher, type,
                                   crypt_get_uuid(cd), size, skip, offset,
                                   key_size, key, read_only, 1);
out:
          safe_free(key);
          free(cipher);
          if (options->device == device)
                    options->device = NULL;
          free(device);
          free(uuid);
          crypt_free(cd);
          dm_exit();
          return r;
}

/* OPTIONS: name, icb */
int crypt_query_device(struct crypt_options *options)
{
          int read_only, r;

          log_dbg("Query device %s.", options->name);

          if (dm_init(NULL, 1) < 0)
                    return -ENOSYS;

          r = dm_status_device(options->name);
          if (r == -ENODEV) {
                    dm_exit();
                    return 0;
          }

          r = dm_query_device(options->name, (char **)&options->device, &options->size,
                                  &options->skip, &options->offset, (char **)&options->cipher,
                                  &options->key_size, NULL, &read_only, NULL, NULL);

          dm_exit();
          if (r < 0)
                    return r;

          if (read_only)
                    options->flags |= CRYPT_FLAG_READONLY;

          options->flags |= CRYPT_FLAG_FREE_DEVICE;
          options->flags |= CRYPT_FLAG_FREE_CIPHER;

          return 1;
}

/* OPTIONS: name, icb */
int crypt_remove_device(struct crypt_options *options)
{
          struct crypt_device *cd = NULL;
          int r;

          r = crypt_init_by_name(&cd, options->name);
          if (r == 0)
                    r = crypt_deactivate(cd, options->name);

          crypt_free(cd);
          return r;

}

/* OPTIONS: device, cipher, hash, align_payload, key_size (master key), key_slot
 *          new_key_file, iteration_time, timeout, flags, icb */
int crypt_luksFormat(struct crypt_options *options)
{
          char cipherName[LUKS_CIPHERNAME_L];
          char cipherMode[LUKS_CIPHERMODE_L];
          char *password=NULL;
          unsigned int passwordLen;
          struct crypt_device *cd = NULL;
          struct crypt_params_luks1 cp = {
                    .hash = options->hash,
                    .data_alignment = options->align_payload
          };
          int r;

          r = parse_into_name_and_mode(options->cipher, cipherName, cipherMode);
          if(r < 0) {
                    log_err(cd, _("No known cipher specification pattern detected.\n"));
                    return r;
          }

          if ((r = _crypt_init(&cd, CRYPT_LUKS1, options, 0, 1)))
                    return r;

          if (options->key_slot >= LUKS_NUMKEYS && options->key_slot != CRYPT_ANY_SLOT) {
                    log_err(cd, _("Key slot %d is invalid, please select between 0 and %d.\n"),
                              options->key_slot, LUKS_NUMKEYS - 1);
                    r = -EINVAL;
                    goto out;
          }

          get_key(_("Enter LUKS passphrase: "), &password, &passwordLen, 0,
                    options->new_key_file, options->timeout, options->flags, cd);

          if(!password) {
                    r = -EINVAL;
                    goto out;
          }

          r = crypt_format(cd, CRYPT_LUKS1, cipherName, cipherMode,
                               NULL, NULL, options->key_size, &cp);
          if (r < 0)
                    goto out;

          /* Add keyslot using internally stored volume key generated during format */
          r = crypt_keyslot_add_by_volume_key(cd, options->key_slot, NULL, 0,
                                                      password, passwordLen);
out:
          crypt_free(cd);
          safe_free(password);
          return (r < 0) ? r : 0;
}

/* OPTIONS: name, device, key_size, key_file, timeout, tries, flags, icb */
int crypt_luksOpen(struct crypt_options *options)
{
          struct crypt_device *cd = NULL;
          uint32_t flags = 0;
          int r;

          if (!options->name)
                    return -EINVAL;

          r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
          if (r)
                    return r;

          if (options->flags & CRYPT_FLAG_READONLY)
                    flags |= CRYPT_ACTIVATE_READONLY;

          if (options->flags & CRYPT_FLAG_NON_EXCLUSIVE_ACCESS)
                    flags |= CRYPT_ACTIVATE_NO_UUID;

          if (options->key_file)
                    r = crypt_activate_by_keyfile(cd, options->name,
                              CRYPT_ANY_SLOT, options->key_file, options->key_size,
                              flags);
          else
                    r = crypt_activate_by_passphrase(cd, options->name,
                              CRYPT_ANY_SLOT, options->passphrase,
                              options->passphrase ? strlen(options->passphrase) : 0,
                              flags);

          crypt_free(cd);
          return (r < 0) ? r : 0;
}

/* OPTIONS: device, keys_slot, key_file, timeout, flags, icb */
int crypt_luksKillSlot(struct crypt_options *options)
{
          struct crypt_device *cd = NULL;
          int r;

          r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
          if (r)
                    return r;

          r = luks_remove_helper(cd, options->key_slot, options->key_file, NULL,
                                     options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);

          crypt_free(cd);
          return (r < 0) ? r : 0;
}

/* OPTIONS: device, new_key_file, key_file, timeout, flags, icb */
int crypt_luksRemoveKey(struct crypt_options *options)
{
          struct crypt_device *cd = NULL;
          int r;

          r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
          if (r)
                    return r;

          r = luks_remove_helper(cd, CRYPT_ANY_SLOT, options->key_file, options->new_key_file,
                                     options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY);

          crypt_free(cd);
          return (r < 0) ? r : 0;
}


/* OPTIONS: device, new_key_file, key_file, key_slot, flags,
            iteration_time, timeout, icb */
int crypt_luksAddKey(struct crypt_options *options)
{
          struct crypt_device *cd = NULL;
          int r = -EINVAL;

          r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 1);
          if (r)
                    return r;

          if (options->key_file || options->new_key_file)
                    r = crypt_keyslot_add_by_keyfile(cd, options->key_slot,
                                                             options->key_file, 0,
                                                             options->new_key_file, 0);
          else
                    r = crypt_keyslot_add_by_passphrase(cd, options->key_slot,
                                                                NULL, 0, NULL, 0);

          crypt_free(cd);
          return (r < 0) ? r : 0;
}

/* OPTIONS: device, icb */
int crypt_luksUUID(struct crypt_options *options)
{
          struct crypt_device *cd = NULL;
          char *uuid;
          int r;

          r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
          if (r)
                    return r;

          uuid = (char *)crypt_get_uuid(cd);
          log_std(cd, uuid ?: "");
          log_std(cd, "\n");
          crypt_free(cd);
          return 0;
}

/* OPTIONS: device, icb */
int crypt_isLuks(struct crypt_options *options)
{
          struct crypt_device *cd = NULL;
          int r;

          log_dbg("Check device %s for LUKS header.", options->device);

          if (init_crypto()) {
                    log_err(cd, _("Cannot initialize crypto backend.\n"));
                    return -ENOSYS;
          }

          r = crypt_init(&cd, options->device);
          if (r < 0)
                    return -EINVAL;

          /* Do print fail here, no need to crypt_load() */
          r = LUKS_read_phdr(cd->device, &cd->hdr, 0, cd) ? -EINVAL : 0;

          crypt_free(cd);
          return r;
}

/* OPTIONS: device, icb */
int crypt_luksDump(struct crypt_options *options)
{
          struct crypt_device *cd = NULL;
          int r;

          r = _crypt_init(&cd, CRYPT_LUKS1, options, 1, 0);
          if(r < 0)
                    return r;

          r = crypt_dump(cd);

          crypt_free(cd);
          return 0;
}

void crypt_get_error(char *buf, size_t size)
{
          const char *error = get_error();

          if (!buf || size < 1)
                    set_error(NULL);
          else if (error) {
                    strncpy(buf, error, size - 1);
                    buf[size - 1] = '\0';
                    set_error(NULL);
          } else
                    buf[0] = '\0';
}

void crypt_put_options(struct crypt_options *options)
{
          if (options->flags & CRYPT_FLAG_FREE_DEVICE) {
                    free((char *)options->device);
                    options->device = NULL;
                    options->flags &= ~CRYPT_FLAG_FREE_DEVICE;
          }
          if (options->flags & CRYPT_FLAG_FREE_CIPHER) {
                    free((char *)options->cipher);
                    options->cipher = NULL;
                    options->flags &= ~CRYPT_FLAG_FREE_CIPHER;
          }
}

const char *crypt_get_dir(void)
{
          return dm_get_dir();
}

/////////////////////////////////
//
// New API
//

int crypt_init(struct crypt_device **cd, const char *device)
{
          struct crypt_device *h = NULL;

          if (!cd)
                    return -EINVAL;

          log_dbg("Allocating crypt device %s context.", device);

          if (device && !device_ready(NULL, device, O_RDONLY))
                    return -ENOTBLK;

          if (!(h = malloc(sizeof(struct crypt_device))))
                    return -ENOMEM;

          memset(h, 0, sizeof(*h));

          if (device) {
                    h->device = strdup(device);
                    if (!h->device) {
                              free(h);
                              return -ENOMEM;
                    }
          } else
                    h->device = NULL;

          if (dm_init(h, 1) < 0) {
                    free(h);
                    return -ENOSYS;
          }

          h->iteration_time = 1000;
          h->password_verify = 0;
          h->tries = 3;
          *cd = h;
          return 0;
}

int crypt_init_by_name(struct crypt_device **cd, const char *name)
{
          crypt_status_info ci;
          char *device = NULL;
          int r;

          log_dbg("Allocating crypt device context by device %s.", name);

          ci = crypt_status(NULL, name);
          if (ci == CRYPT_INVALID)
                    return -ENODEV;

          if (ci < CRYPT_ACTIVE) {
                    log_err(NULL, _("Device %s is not active.\n"), name);
                    return -ENODEV;
          }

          r = dm_query_device(name, &device, NULL, NULL, NULL,
                                  NULL, NULL, NULL, NULL, NULL, NULL);

          /* Underlying device disappeared but mapping still active */
          if (r >= 0 && !device)
                    log_verbose(NULL, _("Underlying device for crypt device %s disappeared.\n"),
                                  name);

          if (r >= 0)
                    r = crypt_init(cd, device);

          free(device);
          return r;
}

static int _crypt_format_plain(struct crypt_device *cd,
                                     const char *cipher,
                                     const char *cipher_mode,
                                     const char *uuid,
                                     struct crypt_params_plain *params)
{
          if (!cipher || !cipher_mode) {
                    log_err(cd, _("Invalid plain crypt parameters.\n"));
                    return -EINVAL;
          }

          if (cd->volume_key->keyLength > 1024) {
                    log_err(cd, _("Invalid key size.\n"));
                    return -EINVAL;
          }

          cd->plain_cipher = strdup(cipher);
          cd->plain_cipher_mode = strdup(cipher_mode);

          if (uuid)
                    cd->plain_uuid = strdup(uuid);

          if (params && params->hash)
                    cd->plain_hdr.hash = strdup(params->hash);

          cd->plain_hdr.offset = params ? params->offset : 0;
          cd->plain_hdr.skip = params ? params->skip : 0;

          if (!cd->plain_cipher || !cd->plain_cipher_mode)
                    return -ENOMEM;

          return 0;
}

static int _crypt_format_luks1(struct crypt_device *cd,
                                     const char *cipher,
                                     const char *cipher_mode,
                                     const char *uuid,
                                     struct crypt_params_luks1 *params)
{
          int r;
          unsigned long required_alignment = DEFAULT_ALIGNMENT;
          unsigned long alignment_offset = 0;

          if (!cd->device) {
                    log_err(cd, _("Can't format LUKS without device.\n"));
                    return -EINVAL;
          }

          if (params && params->data_alignment)
                    required_alignment = params->data_alignment * SECTOR_SIZE;
          else
                    get_topology_alignment(cd->device, &required_alignment,
                                               &alignment_offset, DEFAULT_ALIGNMENT);

          r = LUKS_generate_phdr(&cd->hdr, cd->volume_key, cipher, cipher_mode,
                                     (params && params->hash) ? params->hash : "sha1",
                                     uuid, LUKS_STRIPES,
                                     required_alignment / SECTOR_SIZE,
                                     alignment_offset / SECTOR_SIZE,
                                     cd->iteration_time, &cd->PBKDF2_per_sec, cd);
          if(r < 0)
                    return r;

          /* Wipe first 8 sectors - fs magic numbers etc. */
          r = wipe_device_header(cd->device, 8);
          if(r < 0) {
                    log_err(cd, _("Can't wipe header on device %s.\n"), cd->device);
                    return r;
          }

          r = LUKS_write_phdr(cd->device, &cd->hdr, cd);

          return r;
}

int crypt_format(struct crypt_device *cd,
          const char *type,
          const char *cipher,
          const char *cipher_mode,
          const char *uuid,
          const char *volume_key,
          size_t volume_key_size,
          void *params)
{
          int r;

          log_dbg("Formatting device %s as type %s.", cd->device ?: "(none)", cd->type ?: "(none)");

          if (!type)
                    return -EINVAL;

          /* Some hash functions need initialized gcrypt library */
          if (init_crypto()) {
                    log_err(cd, _("Cannot initialize crypto backend.\n"));
                    return -ENOSYS;
          }

          if (volume_key)
                    cd->volume_key = LUKS_alloc_masterkey(volume_key_size,
                                                                  volume_key);
          else
                    cd->volume_key = LUKS_generate_masterkey(volume_key_size);

          if(!cd->volume_key)
                    return -ENOMEM;

          if (isPLAIN(type))
                    r = _crypt_format_plain(cd, cipher, cipher_mode,
                                                  uuid, params);
          else if (isLUKS(type))
                    r = _crypt_format_luks1(cd, cipher, cipher_mode,
                                                  uuid, params);
          else {
                    /* FIXME: allow plugins here? */
                    log_err(cd, _("Unknown crypt device type %s requested.\n"), type);
                    r = -EINVAL;
          }

          if (!r && !(cd->type = strdup(type)))
                    r = -ENOMEM;

          if (r < 0) {
                    LUKS_dealloc_masterkey(cd->volume_key);
                    cd->volume_key = NULL;
          }

          return r;
}

int crypt_load(struct crypt_device *cd,
                 const char *requested_type,
                 void *params)
{
          struct luks_phdr hdr;
          int r;

          log_dbg("Trying to load %s crypt type from device %s.",
                    requested_type ?: "any", cd->device ?: "(none)");

          if (!cd->device)
                    return -EINVAL;

          if (requested_type && !isLUKS(requested_type))
                    return -EINVAL;

          /* Some hash functions need initialized gcrypt library */
          if (init_crypto()) {
                    log_err(cd, _("Cannot initialize crypto backend.\n"));
                    return -ENOSYS;
          }

          r = LUKS_read_phdr(cd->device, &hdr, 1, cd);

          if (!r) {
                    memcpy(&cd->hdr, &hdr, sizeof(hdr));
                    cd->type = strdup(requested_type);
                    if (!cd->type)
                              r = -ENOMEM;
          }

          return r;
}

int crypt_header_backup(struct crypt_device *cd,
                              const char *requested_type,
                              const char *backup_file)
{
          if ((requested_type && !isLUKS(requested_type)) || !backup_file)
                    return -EINVAL;

          /* Some hash functions need initialized gcrypt library */
          if (init_crypto()) {
                    log_err(cd, _("Cannot initialize crypto backend.\n"));
                    return -ENOSYS;
          }

          log_dbg("Requested header backup of device %s (%s) to "
                    "file %s.", cd->device, requested_type, backup_file);

          return LUKS_hdr_backup(backup_file, cd->device, &cd->hdr, cd);
}

int crypt_header_restore(struct crypt_device *cd,
                               const char *requested_type,
                               const char *backup_file)
{
          if (requested_type && !isLUKS(requested_type))
                    return -EINVAL;

          /* Some hash functions need initialized gcrypt library */
          if (init_crypto()) {
                    log_err(cd, _("Cannot initialize crypto backend.\n"));
                    return -ENOSYS;
          }

          log_dbg("Requested header restore to device %s (%s) from "
                    "file %s.", cd->device, requested_type, backup_file);

          return LUKS_hdr_restore(backup_file, cd->device, &cd->hdr, cd);
}

void crypt_free(struct crypt_device *cd)
{
          if (cd) {
                    log_dbg("Releasing crypt device %s context.", cd->device);

                    dm_exit();
                    if (cd->volume_key)
                              LUKS_dealloc_masterkey(cd->volume_key);

                    free(cd->device);
                    free(cd->type);

                    /* used in plain device only */
                    free((char*)cd->plain_hdr.hash);
                    free(cd->plain_cipher);
                    free(cd->plain_cipher_mode);
                    free(cd->plain_uuid);

                    free(cd);
          }
}

int crypt_suspend(struct crypt_device *cd,
                      const char *name)
{
          crypt_status_info ci;
          int r, suspended = 0;

          log_dbg("Suspending volume %s.", name);

          ci = crypt_status(NULL, name);
          if (ci < CRYPT_ACTIVE) {
                    log_err(cd, _("Volume %s is not active.\n"), name);
                    return -EINVAL;
          }

          if (!cd && dm_init(NULL, 1) < 0)
                    return -ENOSYS;

          r = dm_query_device(name, NULL, NULL, NULL, NULL,
                                  NULL, NULL, NULL, NULL, &suspended, NULL);
          if (r < 0)
                    goto out;

          if (suspended) {
                    log_err(cd, _("Volume %s is already suspended.\n"), name);
                    r = -EINVAL;
                    goto out;
          }

          r = dm_suspend_and_wipe_key(name);
          if (r == -ENOTSUP)
                    log_err(cd, "Suspend is not supported for device %s.\n", name);
          else if (r)
                    log_err(cd, "Error during suspending device %s.\n", name);
out:
          if (!cd)
                    dm_exit();
          return r;
}

int crypt_resume_by_passphrase(struct crypt_device *cd,
                                     const char *name,
                                     int keyslot,
                                     const char *passphrase,
                                     size_t passphrase_size)
{
          struct luks_masterkey *mk = NULL;
          int r, suspended = 0;

          log_dbg("Resuming volume %s.", name);

          if (!isLUKS(cd->type)) {
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    r = -EINVAL;
                    goto out;
          }

          r = dm_query_device(name, NULL, NULL, NULL, NULL,
                                  NULL, NULL, NULL, NULL, &suspended, NULL);
          if (r < 0)
                    return r;

          if (!suspended) {
                    log_err(cd, _("Volume %s is not suspended.\n"), name);
                    return -EINVAL;
          }

          if (passphrase) {
                    r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
                                                     passphrase_size, &cd->hdr, &mk, cd);
          } else
                    r = volume_key_by_terminal_passphrase(cd, keyslot, &mk);

          if (r >= 0) {
                    keyslot = r;
                    r = dm_resume_and_reinstate_key(name, mk->keyLength, mk->key);
                    if (r == -ENOTSUP)
                              log_err(cd, "Resume is not supported for device %s.\n", name);
                    else if (r)
                              log_err(cd, "Error during resuming device %s.\n", name);
          } else
                    r = keyslot;
out:
          LUKS_dealloc_masterkey(mk);
          return r < 0 ? r : keyslot;
}

int crypt_resume_by_keyfile(struct crypt_device *cd,
                                  const char *name,
                                  int keyslot,
                                  const char *keyfile,
                                  size_t keyfile_size)
{
          struct luks_masterkey *mk = NULL;
          char *passphrase_read = NULL;
          unsigned int passphrase_size_read;
          int r, suspended = 0;

          log_dbg("Resuming volume %s.", name);

          if (!isLUKS(cd->type)) {
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    r = -EINVAL;
                    goto out;
          }

          r = dm_query_device(name, NULL, NULL, NULL, NULL,
                                  NULL, NULL, NULL, NULL, &suspended, NULL);
          if (r < 0)
                    return r;

          if (!suspended) {
                    log_err(cd, _("Volume %s is not suspended.\n"), name);
                    return -EINVAL;
          }

          if (!keyfile)
                    return -EINVAL;

          key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
                          &passphrase_size_read, keyfile, keyfile_size);

          if(!passphrase_read)
                    r = -EINVAL;
          else {
                    r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
                                                     passphrase_size_read, &cd->hdr, &mk, cd);
                    safe_free(passphrase_read);
          }

          if (r >= 0) {
                    keyslot = r;
                    r = dm_resume_and_reinstate_key(name, mk->keyLength, mk->key);
                    if (r)
                              log_err(cd, "Error during resuming device %s.\n", name);
          } else
                    r = keyslot;
out:
          LUKS_dealloc_masterkey(mk);
          return r < 0 ? r : keyslot;
}

// slot manipulation
int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
          int keyslot, // -1 any
          const char *passphrase, // NULL -> terminal
          size_t passphrase_size,
          const char *new_passphrase, // NULL -> terminal
          size_t new_passphrase_size)
{
          struct luks_masterkey *mk = NULL;
          char *password = NULL, *new_password = NULL;
          unsigned int passwordLen, new_passwordLen;
          int r;

          log_dbg("Adding new keyslot, existing passphrase %sprovided,"
                    "new passphrase %sprovided.",
                    passphrase ? "" : "not ", new_passphrase  ? "" : "not ");

          if (!isLUKS(cd->type)) {
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    return -EINVAL;
          }

          r = keyslot_verify_or_find_empty(cd, &keyslot);
          if (r)
                    return r;

          if (!LUKS_keyslot_active_count(&cd->hdr)) {
                    /* No slots used, try to use pre-generated key in header */
                    if (cd->volume_key) {
                              mk = LUKS_alloc_masterkey(cd->volume_key->keyLength, cd->volume_key->key);
                              r = mk ? 0 : -ENOMEM;
                    } else {
                              log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
                              return -EINVAL;
                    }
          } else if (passphrase) {
                    /* Passphrase provided, use it to unlock existing keyslot */
                    r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, passphrase,
                                                     passphrase_size, &cd->hdr, &mk, cd);
          } else {
                    /* Passphrase not provided, ask first and use it to unlock existing keyslot */
                    key_from_terminal(cd, _("Enter any passphrase: "),
                                          &password, &passwordLen, 0);
                    if (!password) {
                              r = -EINVAL;
                              goto out;
                    }

                    r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password,
                                                     passwordLen, &cd->hdr, &mk, cd);
                    safe_free(password);
          }

          if(r < 0)
                    goto out;

          if (new_passphrase) {
                    new_password = (char *)new_passphrase;
                    new_passwordLen = new_passphrase_size;
          } else {
                    key_from_terminal(cd, _("Enter new passphrase for key slot: "),
                                          &new_password, &new_passwordLen, 1);
                    if(!new_password) {
                              r = -EINVAL;
                              goto out;
                    }
          }

          r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
                               &cd->hdr, mk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
          if(r < 0) goto out;

          r = 0;
out:
          if (!new_passphrase)
                    safe_free(new_password);
          LUKS_dealloc_masterkey(mk);
          return r ?: keyslot;
}

int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
          int keyslot,
          const char *keyfile,
          size_t keyfile_size,
          const char *new_keyfile,
          size_t new_keyfile_size)
{
          struct luks_masterkey *mk=NULL;
          char *password=NULL; unsigned int passwordLen;
          char *new_password = NULL; unsigned int new_passwordLen;
          int r;

          log_dbg("Adding new keyslot, existing keyfile %s, new keyfile %s.",
                    keyfile ?: "[none]", new_keyfile ?: "[none]");

          if (!isLUKS(cd->type)) {
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    return -EINVAL;
          }

          r = keyslot_verify_or_find_empty(cd, &keyslot);
          if (r)
                    return r;

          if (!LUKS_keyslot_active_count(&cd->hdr)) {
                    /* No slots used, try to use pre-generated key in header */
                    if (cd->volume_key) {
                              mk = LUKS_alloc_masterkey(cd->volume_key->keyLength, cd->volume_key->key);
                              r = mk ? 0 : -ENOMEM;
                    } else {
                              log_err(cd, _("Cannot add key slot, all slots disabled and no volume key provided.\n"));
                              return -EINVAL;
                    }
          } else {
                    /* Read password from file of (if NULL) from terminal */
                    if (keyfile)
                              key_from_file(cd, _("Enter any passphrase: "), &password, &passwordLen,
                                              keyfile, keyfile_size);
                    else
                              key_from_terminal(cd, _("Enter any passphrase: "),
                                                  &password, &passwordLen, 0);

                    if (!password)
                              return -EINVAL;

                    r = LUKS_open_key_with_hdr(cd->device, CRYPT_ANY_SLOT, password, passwordLen,
                                                     &cd->hdr, &mk, cd);
                    safe_free(password);
          }

          if(r < 0)
                    goto out;

          if (new_keyfile)
                    key_from_file(cd, _("Enter new passphrase for key slot: "),
                                    &new_password, &new_passwordLen, new_keyfile,
                                    new_keyfile_size);
          else
                    key_from_terminal(cd, _("Enter new passphrase for key slot: "),
                                          &new_password, &new_passwordLen, 1);

          if(!new_password) {
                    r = -EINVAL;
                    goto out;
          }

          r = LUKS_set_key(cd->device, keyslot, new_password, new_passwordLen,
                               &cd->hdr, mk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
out:
          safe_free(new_password);
          LUKS_dealloc_masterkey(mk);
          return r < 0 ? r : keyslot;
}

int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
          int keyslot,
          const char *volume_key,
          size_t volume_key_size,
          const char *passphrase,
          size_t passphrase_size)
{
          struct luks_masterkey *mk = NULL;
          int r = -EINVAL;
          char *new_password = NULL; unsigned int new_passwordLen;

          log_dbg("Adding new keyslot %d using volume key.", keyslot);

          if (!isLUKS(cd->type)) {
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    return -EINVAL;
          }

          if (volume_key)
                    mk = LUKS_alloc_masterkey(volume_key_size, volume_key);
          else if (cd->volume_key)
                    mk = LUKS_alloc_masterkey(cd->volume_key->keyLength, cd->volume_key->key);

          if (!mk)
                    return -ENOMEM;

          r = LUKS_verify_master_key(&cd->hdr, mk);
          if (r < 0) {
                    log_err(cd, _("Volume key does not match the volume.\n"));
                    goto out;
          }

          r = keyslot_verify_or_find_empty(cd, &keyslot);
          if (r)
                    goto out;

          if (!passphrase) {
                    key_from_terminal(cd, _("Enter new passphrase for key slot: "),
                                          &new_password, &new_passwordLen, 1);
                    passphrase = new_password;
                    passphrase_size = new_passwordLen;
          }

          r = LUKS_set_key(cd->device, keyslot, passphrase, passphrase_size,
                               &cd->hdr, mk, cd->iteration_time, &cd->PBKDF2_per_sec, cd);
out:
          if (new_password)
                    safe_free(new_password);
          LUKS_dealloc_masterkey(mk);
          return r ?: keyslot;
}

int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot)
{
          crypt_keyslot_info ki;

          log_dbg("Destroying keyslot %d.", keyslot);

          if (!isLUKS(cd->type)) {
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    return -EINVAL;
          }

          ki = crypt_keyslot_status(cd, keyslot);
          if (ki == CRYPT_SLOT_INVALID) {
                    log_err(cd, _("Key slot %d is invalid.\n"), keyslot);
                    return -EINVAL;
          }

          if (ki == CRYPT_SLOT_INACTIVE) {
                    log_err(cd, _("Key slot %d is not used.\n"), keyslot);
                    return -EINVAL;
          }

          return LUKS_del_key(cd->device, keyslot, &cd->hdr, cd);
}

// activation/deactivation of device mapping
int crypt_activate_by_passphrase(struct crypt_device *cd,
          const char *name,
          int keyslot,
          const char *passphrase,
          size_t passphrase_size,
          uint32_t flags)
{
          crypt_status_info ci;
          struct luks_masterkey *mk = NULL;
          char *prompt = NULL;
          int r;

          log_dbg("%s volume %s [keyslot %d] using %spassphrase.",
                    name ? "Activating" : "Checking", name ?: "",
                    keyslot, passphrase ? "" : "[none] ");

          if (!name)
                    return -EINVAL;

          /* plain, use hashed passphrase */
          if (isPLAIN(cd->type))
                    return create_device_helper(cd, name, cd->plain_hdr.hash,
                              cd->plain_cipher, cd->plain_cipher_mode, NULL, passphrase, passphrase_size,
                              cd->volume_key->keyLength, 0, cd->plain_hdr.skip,
                              cd->plain_hdr.offset, cd->plain_uuid, flags & CRYPT_ACTIVATE_READONLY, 0, 0);

          if (name) {
                    ci = crypt_status(NULL, name);
                    if (ci == CRYPT_INVALID)
                              return -EINVAL;
                    else if (ci >= CRYPT_ACTIVE) {
                              log_err(cd, _("Device %s already exists.\n"), name);
                              return -EEXIST;
                    }
          }

          if(asprintf(&prompt, _("Enter passphrase for %s: "), cd->device) < 0)
                    return -ENOMEM;

          /* provided passphrase, do not retry */
          if (passphrase) {
                    r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
                                                     passphrase_size, &cd->hdr, &mk, cd);
          } else
                    r = volume_key_by_terminal_passphrase(cd, keyslot, &mk);

          if (r >= 0) {
                    keyslot = r;
                    if (name)
                              r = open_from_hdr_and_mk(cd, mk, name, flags);
          }

          LUKS_dealloc_masterkey(mk);
          free(prompt);

          return r < 0  ? r : keyslot;
}

int crypt_activate_by_keyfile(struct crypt_device *cd,
          const char *name,
          int keyslot,
          const char *keyfile,
          size_t keyfile_size,
          uint32_t flags)
{
          crypt_status_info ci;
          struct luks_masterkey *mk = NULL;
          char *passphrase_read = NULL;
          unsigned int passphrase_size_read;
          int r;

          log_dbg("Activating volume %s [keyslot %d] using keyfile %s.",
                    name, keyslot, keyfile ?: "[none]");

          if (!isLUKS(cd->type)) {
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    return -EINVAL;
          }

          if (name) {
                    ci = crypt_status(NULL, name);
                    if (ci == CRYPT_INVALID)
                              return -EINVAL;
                    else if (ci >= CRYPT_ACTIVE) {
                              log_err(cd, _("Device %s already exists.\n"), name);
                              return -EEXIST;
                    }
          }

          if (!keyfile)
                    return -EINVAL;

          key_from_file(cd, _("Enter passphrase: "), &passphrase_read,
                          &passphrase_size_read, keyfile, keyfile_size);
          if(!passphrase_read)
                    r = -EINVAL;
          else {
                    r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase_read,
                                                     passphrase_size_read, &cd->hdr, &mk, cd);
                    safe_free(passphrase_read);
          }

          if (r >= 0) {
                    keyslot = r;
                    r = open_from_hdr_and_mk(cd, mk, name, flags);
          }

          LUKS_dealloc_masterkey(mk);

          return r < 0 ? r : keyslot;
}

int crypt_activate_by_volume_key(struct crypt_device *cd,
          const char *name,
          const char *volume_key,
          size_t volume_key_size,
          uint32_t flags)
{
          crypt_status_info ci;
          struct luks_masterkey *mk;
          int r;

          log_dbg("Activating volume %s by volume key.", name);

          /* use key directly, no hash */
          if (isPLAIN(cd->type))
                    return create_device_helper(cd, name, NULL,
                              cd->plain_cipher, cd->plain_cipher_mode, NULL, volume_key, volume_key_size,
                              cd->volume_key->keyLength, 0, cd->plain_hdr.skip,
                              cd->plain_hdr.offset, cd->plain_uuid, flags & CRYPT_ACTIVATE_READONLY, 0, 0);

          if (!isLUKS(cd->type)) {
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    return -EINVAL;
          }

          if (name) {
                    ci = crypt_status(NULL, name);
                    if (ci == CRYPT_INVALID)
                              return -EINVAL;
                    else if (ci >= CRYPT_ACTIVE) {
                              log_err(cd, _("Device %s already exists.\n"), name);
                              return -EEXIST;
                    }
          }

          mk = LUKS_alloc_masterkey(volume_key_size, volume_key);
          if (!mk)
                    return -ENOMEM;
          r = LUKS_verify_master_key(&cd->hdr, mk);

          if (r == -EPERM)
                    log_err(cd, _("Volume key does not match the volume.\n"));

          if (!r && name)
                    r = open_from_hdr_and_mk(cd, mk, name, flags);

          LUKS_dealloc_masterkey(mk);

          return r;
}

int crypt_deactivate(struct crypt_device *cd, const char *name)
{
          int r;

          if (!name)
                    return -EINVAL;

          log_dbg("Deactivating volume %s.", name);

          if (!cd && dm_init(NULL, 1) < 0)
                    return -ENOSYS;

          switch (crypt_status(cd, name)) {
                    case CRYPT_ACTIVE:
                              r = dm_remove_device(name, 0, 0);
                              break;
                    case CRYPT_BUSY:
                              log_err(cd, _("Device %s is busy.\n"), name);
                              r = -EBUSY;
                              break;
                    case CRYPT_INACTIVE:
                              log_err(cd, _("Device %s is not active.\n"), name);
                              r = -ENODEV;
                              break;
                    default:
                              log_err(cd, _("Invalid device %s.\n"), name);
                              r = -EINVAL;
          }

          if (!cd)
                    dm_exit();

          return r;
}

// misc helper functions
int crypt_volume_key_get(struct crypt_device *cd,
          int keyslot,
          char *volume_key,
          size_t *volume_key_size,
          const char *passphrase,
          size_t passphrase_size)
{
          struct luks_masterkey *mk;
          char *processed_key = NULL;
          int r, key_len;

          key_len = crypt_get_volume_key_size(cd);
          if (key_len > *volume_key_size) {
                    log_err(cd, _("Volume key buffer too small.\n"));
                    return -ENOMEM;
          }

          if (isPLAIN(cd->type) && cd->plain_hdr.hash) {
                    processed_key = process_key(cd, cd->plain_hdr.hash, NULL, key_len,
                                                      passphrase, passphrase_size);
                    if (!processed_key) {
                              log_err(cd, _("Cannot retrieve volume key for plain device.\n"));
                              return -EINVAL;
                    }
                    memcpy(volume_key, processed_key, key_len);
                    *volume_key_size = key_len;
                    safe_free(processed_key);
                    return 0;
          }

          if (isLUKS(cd->type)) {
                    r = LUKS_open_key_with_hdr(cd->device, keyslot, passphrase,
                                                  passphrase_size, &cd->hdr, &mk, cd);

                    if (r >= 0) {
                              memcpy(volume_key, mk->key, mk->keyLength);
                              *volume_key_size = mk->keyLength;
                    }

                    LUKS_dealloc_masterkey(mk);
                    return r;
          }

          log_err(cd, _("This operation is not supported for %s crypt device.\n"), cd->type ?: "(none)");
          return -EINVAL;
}

int crypt_volume_key_verify(struct crypt_device *cd,
          const char *volume_key,
          size_t volume_key_size)
{
          struct luks_masterkey *mk;
          int r;

          if (!isLUKS(cd->type)) {
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    return -EINVAL;
          }

          mk = LUKS_alloc_masterkey(volume_key_size, volume_key);
          if (!mk)
                    return -ENOMEM;

          r = LUKS_verify_master_key(&cd->hdr, mk);

          if (r == -EPERM)
                    log_err(cd, _("Volume key does not match the volume.\n"));

          LUKS_dealloc_masterkey(mk);

          return r;
}

void crypt_set_timeout(struct crypt_device *cd, uint64_t timeout_sec)
{
          log_dbg("Timeout set to %" PRIu64 " miliseconds.", timeout_sec);
          cd->timeout = timeout_sec;
}

void crypt_set_password_retry(struct crypt_device *cd, int tries)
{
          log_dbg("Password retry count set to %d.", tries);
          cd->tries = tries;
}

void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms)
{
          log_dbg("Iteration time set to %" PRIu64 " miliseconds.", iteration_time_ms);
          cd->iteration_time = iteration_time_ms;
}

void crypt_set_password_verify(struct crypt_device *cd, int password_verify)
{
          log_dbg("Password verification %s.", password_verify ? "enabled" : "disabled");
          cd->password_verify = password_verify ? 1 : 0;
}

int crypt_memory_lock(struct crypt_device *cd, int lock)
{
          return lock ? crypt_memlock_inc(cd) : crypt_memlock_dec(cd);
}

// reporting
crypt_status_info crypt_status(struct crypt_device *cd, const char *name)
{
          int r;

          if (!cd && dm_init(NULL, 1) < 0)
                    return CRYPT_INVALID;

          r = dm_status_device(name);

          if (!cd)
                    dm_exit();

          if (r < 0 && r != -ENODEV)
                    return CRYPT_INVALID;

          if (r == 0)
                    return CRYPT_ACTIVE;

          if (r > 0)
                    return CRYPT_BUSY;

          return CRYPT_INACTIVE;
}

static void hexprintICB(struct crypt_device *cd, char *d, int n)
{
          int i;
          for(i = 0; i < n; i++)
                    log_std(cd, "%02hhx ", (char)d[i]);
}

int crypt_dump(struct crypt_device *cd)
{
          int i;
          if (!isLUKS(cd->type)) { //FIXME
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    return -EINVAL;
          }

          log_std(cd, "LUKS header information for %s\n\n", cd->device);
          log_std(cd, "Version:       \t%d\n", cd->hdr.version);
          log_std(cd, "Cipher name:   \t%s\n", cd->hdr.cipherName);
          log_std(cd, "Cipher mode:   \t%s\n", cd->hdr.cipherMode);
          log_std(cd, "Hash spec:     \t%s\n", cd->hdr.hashSpec);
          log_std(cd, "Payload offset:\t%d\n", cd->hdr.payloadOffset);
          log_std(cd, "MK bits:       \t%d\n", cd->hdr.keyBytes * 8);
          log_std(cd, "MK digest:     \t");
          hexprintICB(cd, cd->hdr.mkDigest, LUKS_DIGESTSIZE);
          log_std(cd, "\n");
          log_std(cd, "MK salt:       \t");
          hexprintICB(cd, cd->hdr.mkDigestSalt, LUKS_SALTSIZE/2);
          log_std(cd, "\n               \t");
          hexprintICB(cd, cd->hdr.mkDigestSalt+LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
          log_std(cd, "\n");
          log_std(cd, "MK iterations: \t%d\n", cd->hdr.mkDigestIterations);
          log_std(cd, "UUID:          \t%s\n\n", cd->hdr.uuid);
          for(i = 0; i < LUKS_NUMKEYS; i++) {
                    if(cd->hdr.keyblock[i].active == LUKS_KEY_ENABLED) {
                              log_std(cd, "Key Slot %d: ENABLED\n",i);
                              log_std(cd, "\tIterations:         \t%d\n",
                                        cd->hdr.keyblock[i].passwordIterations);
                              log_std(cd, "\tSalt:               \t");
                              hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt,
                                            LUKS_SALTSIZE/2);
                              log_std(cd, "\n\t                      \t");
                              hexprintICB(cd, cd->hdr.keyblock[i].passwordSalt +
                                            LUKS_SALTSIZE/2, LUKS_SALTSIZE/2);
                              log_std(cd, "\n");

                              log_std(cd, "\tKey material offset:\t%d\n",
                                        cd->hdr.keyblock[i].keyMaterialOffset);
                              log_std(cd, "\tAF stripes:            \t%d\n",
                                        cd->hdr.keyblock[i].stripes);
                    }
                    else
                              log_std(cd, "Key Slot %d: DISABLED\n", i);
          }
          return 0;
}

const char *crypt_get_cipher(struct crypt_device *cd)
{
          if (isPLAIN(cd->type))
                    return cd->plain_cipher;

          if (isLUKS(cd->type))
                    return cd->hdr.cipherName;

          return NULL;
}

const char *crypt_get_cipher_mode(struct crypt_device *cd)
{
          if (isPLAIN(cd->type))
                    return cd->plain_cipher_mode;

          if (isLUKS(cd->type))
                    return cd->hdr.cipherMode;

          return NULL;
}

const char *crypt_get_uuid(struct crypt_device *cd)
{
          if (isLUKS(cd->type))
                    return cd->hdr.uuid;

          return NULL;
}

int crypt_get_volume_key_size(struct crypt_device *cd)
{
          if (isPLAIN(cd->type))
                    return cd->volume_key->keyLength;

          if (isLUKS(cd->type))
                    return cd->hdr.keyBytes;

          return 0;
}

uint64_t crypt_get_data_offset(struct crypt_device *cd)
{
          if (isPLAIN(cd->type))
                    return cd->plain_hdr.offset;

          if (isLUKS(cd->type))
                    return cd->hdr.payloadOffset;

          return 0;
}

crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot)
{
          if (!isLUKS(cd->type)) {
                    log_err(cd, _("This operation is supported only for LUKS device.\n"));
                    return CRYPT_SLOT_INVALID;
          }

          return LUKS_keyslot_info(&cd->hdr, keyslot);
}