diff options
| author | Richard Jones <rjones@redhat.com> | 2010-07-22 11:00:59 +0100 |
|---|---|---|
| committer | Richard Jones <rjones@redhat.com> | 2010-07-22 16:51:56 +0100 |
| commit | 945e569db64ab2608b21feba0aa94044c9835ac3 (patch) | |
| tree | 26f47a5537c954fd9bb69ff1311c56fa46c20fc1 /daemon | |
| parent | 2fd8c259d3daa88b0cdf98090bb57f3dbd178432 (diff) | |
| download | libguestfs-945e569db64ab2608b21feba0aa94044c9835ac3.tar.gz libguestfs-945e569db64ab2608b21feba0aa94044c9835ac3.tar.xz libguestfs-945e569db64ab2608b21feba0aa94044c9835ac3.zip | |
New APIs: Support for creating LUKS and managing keys.
This commit adds four APIs for creating new LUKS devices
and key management. These are:
luks_format Format a LUKS device with the default cipher.
luks_format_cipher Format with a chosen cipher.
luks_add_key Add another key to an existing device.
luks_kill_slot Delete a key from an existing device.
This enables all the significant functionality of the
cryptsetup luks* commands.
Note that you can obtain the UUID of a LUKS device already
by using vfs-uuid.
This also includes a regression test covering all the LUKS
functions.
Diffstat (limited to 'daemon')
| -rw-r--r-- | daemon/luks.c | 204 |
1 files changed, 184 insertions, 20 deletions
diff --git a/daemon/luks.c b/daemon/luks.c index f5a0b9dc..07aebddd 100644 --- a/daemon/luks.c +++ b/daemon/luks.c @@ -33,43 +33,69 @@ optgroup_luks_available (void) return prog_exists ("cryptsetup"); } -static int -luks_open (const char *device, const char *key, const char *mapname, - int readonly) +/* Callers must also call remove_temp (tempfile). */ +static char * +write_key_to_temp (const char *key) { - /* Sanity check: /dev/mapper/mapname must not exist already. Note - * that the device-mapper control device (/dev/mapper/control) is - * always there, so you can't ever have mapname == "control". - */ - size_t len = strlen (mapname); - char devmapper[len+32]; - snprintf (devmapper, len+32, "/dev/mapper/%s", mapname); - if (access (devmapper, F_OK) == 0) { - reply_with_error ("%s: device already exists", devmapper); - return -1; + char *tempfile = strdup ("/tmp/luksXXXXXX"); + if (!tempfile) { + reply_with_perror ("strdup"); + return NULL; } - char tempfile[] = "/tmp/luksXXXXXX"; int fd = mkstemp (tempfile); if (fd == -1) { reply_with_perror ("mkstemp"); - return -1; + goto error; } - len = strlen (key); + size_t len = strlen (key); if (xwrite (fd, key, len) == -1) { reply_with_perror ("write"); close (fd); - unlink (tempfile); - return -1; + goto error; } if (close (fd) == -1) { reply_with_perror ("close"); - unlink (tempfile); + goto error; + } + + return tempfile; + + error: + unlink (tempfile); + free (tempfile); + return NULL; +} + +static void +remove_temp (char *tempfile) +{ + unlink (tempfile); + free (tempfile); +} + +static int +luks_open (const char *device, const char *key, const char *mapname, + int readonly) +{ + /* Sanity check: /dev/mapper/mapname must not exist already. Note + * that the device-mapper control device (/dev/mapper/control) is + * always there, so you can't ever have mapname == "control". + */ + size_t len = strlen (mapname); + char devmapper[len+32]; + snprintf (devmapper, len+32, "/dev/mapper/%s", mapname); + if (access (devmapper, F_OK) == 0) { + reply_with_error ("%s: device already exists", devmapper); return -1; } + char *tempfile = write_key_to_temp (key); + if (!tempfile) + return -1; + const char *argv[16]; size_t i = 0; @@ -84,7 +110,7 @@ luks_open (const char *device, const char *key, const char *mapname, char *err; int r = commandv (NULL, &err, (const char * const *) argv); - unlink (tempfile); + remove_temp (tempfile); if (r == -1) { reply_with_error ("%s", err); @@ -136,3 +162,141 @@ do_luks_close (const char *device) return 0; } + +static int +luks_format (const char *device, const char *key, int keyslot, + const char *cipher) +{ + char *tempfile = write_key_to_temp (key); + if (!tempfile) + return -1; + + const char *argv[16]; + char keyslot_s[16]; + size_t i = 0; + + argv[i++] = "cryptsetup"; + argv[i++] = "-q"; + if (cipher) { + argv[i++] = "--cipher"; + argv[i++] = cipher; + } + argv[i++] = "--key-slot"; + snprintf (keyslot_s, sizeof keyslot_s, "%d", keyslot); + argv[i++] = keyslot_s; + argv[i++] = "luksFormat"; + argv[i++] = device; + argv[i++] = tempfile; + argv[i++] = NULL; + + char *err; + int r = commandv (NULL, &err, (const char * const *) argv); + remove_temp (tempfile); + + if (r == -1) { + reply_with_error ("%s", err); + free (err); + return -1; + } + + free (err); + + udev_settle (); + + return 0; +} + +int +do_luks_format (const char *device, const char *key, int keyslot) +{ + return luks_format (device, key, keyslot, NULL); +} + +int +do_luks_format_cipher (const char *device, const char *key, int keyslot, + const char *cipher) +{ + return luks_format (device, key, keyslot, cipher); +} + +int +do_luks_add_key (const char *device, const char *key, const char *newkey, + int keyslot) +{ + char *keyfile = write_key_to_temp (key); + if (!keyfile) + return -1; + + char *newkeyfile = write_key_to_temp (newkey); + if (!newkeyfile) { + remove_temp (keyfile); + return -1; + } + + const char *argv[16]; + char keyslot_s[16]; + size_t i = 0; + + argv[i++] = "cryptsetup"; + argv[i++] = "-q"; + argv[i++] = "-d"; + argv[i++] = keyfile; + argv[i++] = "--key-slot"; + snprintf (keyslot_s, sizeof keyslot_s, "%d", keyslot); + argv[i++] = keyslot_s; + argv[i++] = "luksAddKey"; + argv[i++] = device; + argv[i++] = newkeyfile; + argv[i++] = NULL; + + char *err; + int r = commandv (NULL, &err, (const char * const *) argv); + remove_temp (keyfile); + remove_temp (newkeyfile); + + if (r == -1) { + reply_with_error ("%s", err); + free (err); + return -1; + } + + free (err); + + return 0; +} + +int +do_luks_kill_slot (const char *device, const char *key, int keyslot) +{ + char *tempfile = write_key_to_temp (key); + if (!tempfile) + return -1; + + const char *argv[16]; + char keyslot_s[16]; + size_t i = 0; + + argv[i++] = "cryptsetup"; + argv[i++] = "-q"; + argv[i++] = "-d"; + argv[i++] = tempfile; + argv[i++] = "luksKillSlot"; + argv[i++] = device; + snprintf (keyslot_s, sizeof keyslot_s, "%d", keyslot); + argv[i++] = keyslot_s; + argv[i++] = NULL; + + char *err; + int r = commandv (NULL, &err, (const char * const *) argv); + remove_temp (tempfile); + + if (r == -1) { + reply_with_error ("%s", err); + free (err); + return -1; + } + + free (err); + + return 0; +} |