"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "lib/libcryptsetup.h" between
cryptsetup-2.3.6.tar.xz and cryptsetup-2.4.0.tar.xz

About: cryptsetup is a utility used to conveniently setup disk encryption based on the dm-crypt kernel module. These include plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt compatible format.

libcryptsetup.h  (cryptsetup-2.3.6.tar.xz):libcryptsetup.h  (cryptsetup-2.4.0.tar.xz)
skipping to change at line 218 skipping to change at line 218
/** /**
* Defines log function or use the default one otherwise. * Defines log function or use the default one otherwise.
* *
* @see crypt_set_log_callback * @see crypt_set_log_callback
* *
* @param cd crypt device handle * @param cd crypt device handle
* @param level log level * @param level log level
* @param msg log message * @param msg log message
*/ */
void crypt_log(struct crypt_device *cd, int level, const char *msg); void crypt_log(struct crypt_device *cd, int level, const char *msg);
/**
* Log function with variable arguments.
*
* @param cd crypt device handle
* @param level log level
* @param format formatted log message
*/
void crypt_logf(struct crypt_device *cd, int level, const char *format, ...);
/** @} */ /** @} */
/** /**
* @defgroup crypt-set Cryptsetup settings (RNG, PBKDF, locking) * @defgroup crypt-set Cryptsetup settings (RNG, PBKDF, locking)
* @addtogroup crypt-set * @addtogroup crypt-set
* @{ * @{
*/ */
/** CRYPT_RNG_URANDOM - use /dev/urandom */ /** CRYPT_RNG_URANDOM - use /dev/urandom */
#define CRYPT_RNG_URANDOM 0 #define CRYPT_RNG_URANDOM 0
skipping to change at line 593 skipping to change at line 602
* @note during crypt_format @e data_device attribute determines * @note during crypt_format @e data_device attribute determines
* if the LUKS2 header is separated from encrypted payload device * if the LUKS2 header is separated from encrypted payload device
* *
*/ */
struct crypt_params_luks2 { struct crypt_params_luks2 {
const struct crypt_pbkdf_type *pbkdf; /**< PBKDF (and hash) parameters or @e NULL*/ const struct crypt_pbkdf_type *pbkdf; /**< PBKDF (and hash) parameters or @e NULL*/
const char *integrity; /**< integrity algorithm or @e NULL */ const char *integrity; /**< integrity algorithm or @e NULL */
const struct crypt_params_integrity *integrity_params; /**< Data integrit y parameters or @e NULL*/ const struct crypt_params_integrity *integrity_params; /**< Data integrit y parameters or @e NULL*/
size_t data_alignment; /**< data area alignment in 512B sectors, data o ffset is multiple of this */ size_t data_alignment; /**< data area alignment in 512B sectors, data o ffset is multiple of this */
const char *data_device; /**< detached encrypted data device or @e NULL * / const char *data_device; /**< detached encrypted data device or @e NULL * /
uint32_t sector_size; /**< encryption sector size */ uint32_t sector_size; /**< encryption sector size, 0 triggers auto-det ection for optimal encryption sector size */
const char *label; /**< header label or @e NULL*/ const char *label; /**< header label or @e NULL*/
const char *subsystem; /**< header subsystem label or @e NULL*/ const char *subsystem; /**< header subsystem label or @e NULL*/
}; };
/** @} */ /** @} */
/** /**
* @defgroup crypt-actions Cryptsetup device context actions * @defgroup crypt-actions Cryptsetup device context actions
* Set of functions for formatting and manipulating with specific crypt_type * Set of functions for formatting and manipulating with specific crypt_type
* @addtogroup crypt-actions * @addtogroup crypt-actions
* @{ * @{
skipping to change at line 1116 skipping to change at line 1125
/** device is suspended (key should be wiped from memory), output only */ /** device is suspended (key should be wiped from memory), output only */
#define CRYPT_ACTIVATE_SUSPENDED (1 << 21) #define CRYPT_ACTIVATE_SUSPENDED (1 << 21)
/** use IV sector counted in sector_size instead of default 512 bytes sectors */ /** use IV sector counted in sector_size instead of default 512 bytes sectors */
#define CRYPT_ACTIVATE_IV_LARGE_SECTORS (1 << 22) #define CRYPT_ACTIVATE_IV_LARGE_SECTORS (1 << 22)
/** dm-verity: panic_on_corruption flag - panic kernel on corruption */ /** dm-verity: panic_on_corruption flag - panic kernel on corruption */
#define CRYPT_ACTIVATE_PANIC_ON_CORRUPTION (1 << 23) #define CRYPT_ACTIVATE_PANIC_ON_CORRUPTION (1 << 23)
/** dm-crypt: bypass internal workqueue and process read requests synchronously. */ /** dm-crypt: bypass internal workqueue and process read requests synchronously. */
#define CRYPT_ACTIVATE_NO_READ_WORKQUEUE (1 << 24) #define CRYPT_ACTIVATE_NO_READ_WORKQUEUE (1 << 24)
/** dm-crypt: bypass internal workqueue and process write requests synchronously . */ /** dm-crypt: bypass internal workqueue and process write requests synchronously . */
#define CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE (1 << 25) #define CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE (1 << 25)
/** dm-integrity: reset automatic recalculation */
#define CRYPT_ACTIVATE_RECALCULATE_RESET (1 << 26)
/** /**
* Active device runtime attributes * Active device runtime attributes
*/ */
struct crypt_active_device { struct crypt_active_device {
uint64_t offset; /**< offset in sectors */ uint64_t offset; /**< offset in sectors */
uint64_t iv_offset; /**< IV initialization sector */ uint64_t iv_offset; /**< IV initialization sector */
uint64_t size; /**< active device size */ uint64_t size; /**< active device size */
uint32_t flags; /**< activation flags */ uint32_t flags; /**< activation flags */
}; };
skipping to change at line 1358 skipping to change at line 1369
int crypt_activate_by_keyring(struct crypt_device *cd, int crypt_activate_by_keyring(struct crypt_device *cd,
const char *name, const char *name,
const char *key_description, const char *key_description,
int keyslot, int keyslot,
uint32_t flags); uint32_t flags);
/** lazy deactivation - remove once last user releases it */ /** lazy deactivation - remove once last user releases it */
#define CRYPT_DEACTIVATE_DEFERRED (1 << 0) #define CRYPT_DEACTIVATE_DEFERRED (1 << 0)
/** force deactivation - if the device is busy, it is replaced by error device * / /** force deactivation - if the device is busy, it is replaced by error device * /
#define CRYPT_DEACTIVATE_FORCE (1 << 1) #define CRYPT_DEACTIVATE_FORCE (1 << 1)
/** if set, remove lazy deactivation */
#define CRYPT_DEACTIVATE_DEFERRED_CANCEL (1 << 2)
/** /**
* Deactivate crypt device. This function tries to remove active device-mapper * Deactivate crypt device. This function tries to remove active device-mapper
* mapping from kernel. Also, sensitive data like the volume key are removed fro m * mapping from kernel. Also, sensitive data like the volume key are removed fro m
* memory * memory
* *
* @param cd crypt device handle, can be @e NULL * @param cd crypt device handle, can be @e NULL
* @param name name of device to deactivate * @param name name of device to deactivate
* @param flags deactivation flags * @param flags deactivation flags
* *
skipping to change at line 1462 skipping to change at line 1475
/** /**
* Dump text-formatted information about crypt or verity device to log output. * Dump text-formatted information about crypt or verity device to log output.
* *
* @param cd crypt device handle * @param cd crypt device handle
* *
* @return @e 0 on success or negative errno value otherwise. * @return @e 0 on success or negative errno value otherwise.
*/ */
int crypt_dump(struct crypt_device *cd); int crypt_dump(struct crypt_device *cd);
/** /**
* Dump JSON-formatted information about LUKS2 device
*
* @param cd crypt device handle (only LUKS2 format supported)
* @param json buffer with JSON, if NULL use log callback for output
* @param flags dump flags (reserved)
*
* @return @e 0 on success or negative errno value otherwise.
*/
int crypt_dump_json(struct crypt_device *cd, const char **json, uint32_t flags);
/**
* Get cipher used in device. * Get cipher used in device.
* *
* @param cd crypt device handle * @param cd crypt device handle
* *
* @return used cipher, e.g. "aes" or @e NULL otherwise * @return used cipher, e.g. "aes" or @e NULL otherwise
* *
*/ */
const char *crypt_get_cipher(struct crypt_device *cd); const char *crypt_get_cipher(struct crypt_device *cd);
/** /**
skipping to change at line 1554 skipping to change at line 1578
* Get size (in bytes) of encryption sector for crypt device. * Get size (in bytes) of encryption sector for crypt device.
* *
* @param cd crypt device handle * @param cd crypt device handle
* *
* @return sector size * @return sector size
* *
*/ */
int crypt_get_sector_size(struct crypt_device *cd); int crypt_get_sector_size(struct crypt_device *cd);
/** /**
* Check if initialized LUKS context uses detached header
* (LUKS header located on a different device than data.)
*
* @param cd crypt device handle
*
* @return @e 1 if detached header is used, @e 0 if not
* or negative errno value otherwise.
*
* @note This is a runtime attribute, it does not say
* if a LUKS device requires detached header.
* This function works only with LUKS devices.
*/
int crypt_header_is_detached(struct crypt_device *cd);
/**
* Get device parameters for VERITY device. * Get device parameters for VERITY device.
* *
* @param cd crypt device handle * @param cd crypt device handle
* @param vp verity device info * @param vp verity device info
* *
* @e 0 on success or negative errno value otherwise. * @e 0 on success or negative errno value otherwise.
* *
*/ */
int crypt_get_verity_info(struct crypt_device *cd, int crypt_get_verity_info(struct crypt_device *cd,
struct crypt_params_verity *vp); struct crypt_params_verity *vp);
skipping to change at line 1950 skipping to change at line 1989
* *
* Utilities for handling tokens LUKS2 * Utilities for handling tokens LUKS2
* Token is a device or a method how to read password for particular keyslot * Token is a device or a method how to read password for particular keyslot
* automatically. It can be chunk of data stored on hardware token or * automatically. It can be chunk of data stored on hardware token or
* just a metadata how to generate the password. * just a metadata how to generate the password.
* *
* @addtogroup crypt-tokens * @addtogroup crypt-tokens
* @{ * @{
*/ */
/**
* Get number of tokens supported for device type.
*
* @param type crypt device type
*
* @return token count or negative errno otherwise if device
* doesn't not support tokens.
*
* @note Real number of supported tokens for a particular device depends
* on usable metadata area size.
*/
int crypt_token_max(const char *type);
/** Iterate through all tokens */ /** Iterate through all tokens */
#define CRYPT_ANY_TOKEN -1 #define CRYPT_ANY_TOKEN -1
/** /**
* Get content of a token definition in JSON format. * Get content of a token definition in JSON format.
* *
* @param cd crypt device handle * @param cd crypt device handle
* @param token token id * @param token token id
* @param json buffer with JSON * @param json buffer with JSON
* *
skipping to change at line 2107 skipping to change at line 2159
* Token handler open function prototype. * Token handler open function prototype.
* This function retrieves password from a token and return allocated buffer * This function retrieves password from a token and return allocated buffer
* containing this password. This buffer has to be deallocated by calling * containing this password. This buffer has to be deallocated by calling
* free() function and content should be wiped before deallocation. * free() function and content should be wiped before deallocation.
* *
* @param cd crypt device handle * @param cd crypt device handle
* @param token token id * @param token token id
* @param buffer returned allocated buffer with password * @param buffer returned allocated buffer with password
* @param buffer_len length of the buffer * @param buffer_len length of the buffer
* @param usrptr user data in @link crypt_activate_by_token @endlink * @param usrptr user data in @link crypt_activate_by_token @endlink
*
* @return 0 on success (token passed LUKS2 keyslot passphrase in buffer) or
* negative errno otherwise.
*
* @note Negative ENOANO errno means that token is PIN protected and caller shou
ld
* use @link crypt_activate_by_token_pin @endlink with PIN provided.
*
* @note Negative EAGAIN errno means token handler requires additional hardware
* not present in the system.
*/ */
typedef int (*crypt_token_open_func) ( typedef int (*crypt_token_open_func) (
struct crypt_device *cd, struct crypt_device *cd,
int token, int token,
char **buffer, char **buffer,
size_t *buffer_len, size_t *buffer_len,
void *usrptr); void *usrptr);
/** /**
* Token handler open with passphrase/PIN function prototype.
* This function retrieves password from a token and return allocated buffer
* containing this password. This buffer has to be deallocated by calling
* free() function and content should be wiped before deallocation.
*
* @param cd crypt device handle
* @param token token id
* @param pin passphrase (or PIN) to unlock token (may be binary data)
* @param pin_size size of @e pin
* @param buffer returned allocated buffer with password
* @param buffer_len length of the buffer
* @param usrptr user data in @link crypt_activate_by_token @endlink
*
* @return 0 on success (token passed LUKS2 keyslot passphrase in buffer) or
* negative errno otherwise.
*
* @note Negative ENOANO errno means that token is PIN protected and PIN was
* missing or wrong.
*
* @note Negative EAGAIN errno means token handler requires additional hardware
* not present in the system.
*/
typedef int (*crypt_token_open_pin_func) (
struct crypt_device *cd,
int token,
const char *pin,
size_t pin_size,
char **buffer,
size_t *buffer_len,
void *usrptr);
/**
* Token handler buffer free function prototype. * Token handler buffer free function prototype.
* This function is used by library to free the buffer with keyslot * This function is used by library to free the buffer with keyslot
* passphrase when it's no longer needed. If not defined the library * passphrase when it's no longer needed. If not defined the library
* overwrites buffer with zeroes and call free(). * overwrites buffer with zeroes and call free().
* *
* @param buffer the buffer with keyslot passphrase * @param buffer the buffer with keyslot passphrase
* @param buffer_len the buffer length * @param buffer_len the buffer length
*/ */
typedef void (*crypt_token_buffer_free_func) (void *buffer, size_t buffer_len); typedef void (*crypt_token_buffer_free_func) (void *buffer, size_t buffer_len);
skipping to change at line 2153 skipping to change at line 2246
* *
* @param cd crypt device handle * @param cd crypt device handle
* @param json buffer with token JSON * @param json buffer with token JSON
* *
* @note dump implementations are advised to use @link crypt_log @endlink functi on * @note dump implementations are advised to use @link crypt_log @endlink functi on
* to dump token details. * to dump token details.
*/ */
typedef void (*crypt_token_dump_func) (struct crypt_device *cd, const char *json ); typedef void (*crypt_token_dump_func) (struct crypt_device *cd, const char *json );
/** /**
* Token handler version function prototype.
* This function is supposed to return pointer to version string information.
*
* @note The returned string is advised to contain only version.
* For example '1.0.0' or 'v1.2.3.4'.
*
*/
typedef const char * (*crypt_token_version_func) (void);
/**
* Token handler * Token handler
*/ */
typedef struct { typedef struct {
const char *name; /**< token handler name */ const char *name; /**< token handler name */
crypt_token_open_func open; /**< token handler open function */ crypt_token_open_func open; /**< token handler open function */
crypt_token_buffer_free_func buffer_free; /**< token handler buffer_free function (optional) */ crypt_token_buffer_free_func buffer_free; /**< token handler buffer_free function (optional) */
crypt_token_validate_func validate; /**< token handler validate function (optional) */ crypt_token_validate_func validate; /**< token handler validate function (optional) */
crypt_token_dump_func dump; /**< token handler dump function (optional) * / crypt_token_dump_func dump; /**< token handler dump function (optional) * /
} crypt_token_handler; } crypt_token_handler;
/** /**
* Register token handler * Register token handler
* *
* @param handler token handler to register * @param handler token handler to register
* *
* @return @e 0 on success or negative errno value otherwise. * @return @e 0 on success or negative errno value otherwise.
*/ */
int crypt_token_register(const crypt_token_handler *handler); int crypt_token_register(const crypt_token_handler *handler);
/** /**
* Report configured path where library searches for external token handlers
*
* @return @e absolute path when external tokens are enabled or @e NULL otherwis
e.
*/
const char *crypt_token_external_path(void);
/**
* Disable external token handlers (plugins) support
* If disabled, it cannot be enabled again.
*/
void crypt_token_external_disable(void);
/** ABI version for external token in libcryptsetup-token-<name>.so */
#define CRYPT_TOKEN_ABI_VERSION1 "CRYPTSETUP_TOKEN_1.0"
/** ABI exported symbol for external token */
#define CRYPT_TOKEN_ABI_OPEN "cryptsetup_token_open" /* mandatory */
#define CRYPT_TOKEN_ABI_OPEN_PIN "cryptsetup_token_open_pin"
#define CRYPT_TOKEN_ABI_BUFFER_FREE "cryptsetup_token_buffer_free"
#define CRYPT_TOKEN_ABI_VALIDATE "cryptsetup_token_validate"
#define CRYPT_TOKEN_ABI_DUMP "cryptsetup_token_dump"
#define CRYPT_TOKEN_ABI_VERSION "cryptsetup_token_version"
/**
* Activate device or check key using a token. * Activate device or check key using a token.
* *
* @param cd crypt device handle * @param cd crypt device handle
* @param name name of device to create, if @e NULL only check token * @param name name of device to create, if @e NULL only check token
* @param token requested token to check or CRYPT_ANY_TOKEN to check all * @param token requested token to check or CRYPT_ANY_TOKEN to check all
* @param usrptr provided identification in callback * @param usrptr provided identification in callback
* @param flags activation flags * @param flags activation flags
* *
* @return unlocked key slot number or negative errno otherwise. * @return unlocked key slot number or negative errno otherwise.
*
* @note EPERM errno means token provided passphrase successfully, but
* passphrase did not unlock any keyslot associated with the token.
*
* @note ENOENT errno means no token (or subsequently assigned keyslot) was
* eligible to unlock device.
*
* @note ENOANO errno means that token is PIN protected and you should call
* @link crypt_activate_by_token_pin @endlink with PIN
*
* @note Negative EAGAIN errno means token handler requires additional hardware
* not present in the system.
*
* @note with @param token set to CRYPT_ANY_TOKEN libcryptsetup runs best effort
loop
* to unlock device using any available token. It may happen that various
token handlers
* return different error codes. At the end loop returns error codes in th
e following
* order (from the most significant to the least) any negative errno excep
t those
* listed below, non negative token id (success), -ENOANO, -EAGAIN, -EPERM
, -ENOENT.
*/ */
int crypt_activate_by_token(struct crypt_device *cd, int crypt_activate_by_token(struct crypt_device *cd,
const char *name, const char *name,
int token, int token,
void *usrptr, void *usrptr,
uint32_t flags); uint32_t flags);
/**
* Activate device or check key using a token with PIN.
*
* @param cd crypt device handle
* @param name name of device to create, if @e NULL only check token
* @param type restrict type of token, if @e NULL all types are allowed
* @param token requested token to check or CRYPT_ANY_TOKEN to check all
* @param pin passphrase (or PIN) to unlock token (may be binary data)
* @param pin_size size of @e pin
* @param usrptr provided identification in callback
* @param flags activation flags
*
* @return unlocked key slot number or negative errno otherwise.
*
* @note EPERM errno means token provided passphrase successfully, but
* passphrase did not unlock any keyslot associated with the token.
*
* @note ENOENT errno means no token (or subsequently assigned keyslot) was
* eligible to unlock device.
*
* @note ENOANO errno means that token is PIN protected and was either missing
* (NULL) or wrong.
*
* @note Negative EAGAIN errno means token handler requires additional hardware
* not present in the system.
*
* @note with @param token set to CRYPT_ANY_TOKEN libcryptsetup runs best effort
loop
* to unlock device using any available token. It may happen that various
token handlers
* return different error codes. At the end loop returns error codes in th
e following
* order (from the most significant to the least) any negative errno excep
t those
* listed below, non negative token id (success), -ENOANO, -EAGAIN, -EPERM
, -ENOENT.
*/
int crypt_activate_by_token_pin(struct crypt_device *cd,
const char *name,
const char *type,
int token,
const char *pin,
size_t pin_size,
void *usrptr,
uint32_t flags);
/** @} */ /** @} */
/** /**
* @defgroup crypt-reencryption LUKS2 volume reencryption support * @defgroup crypt-reencryption LUKS2 volume reencryption support
* *
* Set of functions to handling LUKS2 volume reencryption * Set of functions to handling LUKS2 volume reencryption
* *
* @addtogroup crypt-reencryption * @addtogroup crypt-reencryption
* @{ * @{
*/ */
skipping to change at line 2299 skipping to change at line 2485
int crypt_reencrypt_init_by_keyring(struct crypt_device *cd, int crypt_reencrypt_init_by_keyring(struct crypt_device *cd,
const char *name, const char *name,
const char *key_description, const char *key_description,
int keyslot_old, int keyslot_old,
int keyslot_new, int keyslot_new,
const char *cipher, const char *cipher,
const char *cipher_mode, const char *cipher_mode,
const struct crypt_params_reencrypt *params); const struct crypt_params_reencrypt *params);
/** /**
* Run data reencryption. * Legacy data reencryption function.
* *
* @param cd crypt device handle * @param cd crypt device handle
* @param progress is a callback function reporting device \b size, * @param progress is a callback function reporting device \b size,
* current \b offset of reencryption and provided \b usrptr identification * current \b offset of reencryption and provided \b usrptr identification
* *
* @return @e 0 on success or negative errno value otherwise. * @return @e 0 on success or negative errno value otherwise.
*
* @deprecated Use @link crypt_reencrypt_run @endlink instead.
*/ */
int crypt_reencrypt(struct crypt_device *cd, int crypt_reencrypt(struct crypt_device *cd,
int (*progress)(uint64_t size, uint64_t offset, void *usrptr) int (*progress)(uint64_t size, uint64_t offset, void *usrptr)
); )
__attribute__((deprecated));
/**
* Run data reencryption.
*
* @param cd crypt device handle
* @param progress is a callback function reporting device \b size,
* current \b offset of reencryption and provided \b usrptr identification
* @param usrptr progress specific data
*
* @return @e 0 on success or negative errno value otherwise.
*/
int crypt_reencrypt_run(struct crypt_device *cd,
int (*progress)(uint64_t size, uint64_t offset, void *usrptr)
,
void *usrptr);
/** /**
* Reencryption status info * Reencryption status info
*/ */
typedef enum { typedef enum {
CRYPT_REENCRYPT_NONE = 0, /**< No reencryption in progress */ CRYPT_REENCRYPT_NONE = 0, /**< No reencryption in progress */
CRYPT_REENCRYPT_CLEAN, /**< Ongoing reencryption in a clean state. */ CRYPT_REENCRYPT_CLEAN, /**< Ongoing reencryption in a clean state. */
CRYPT_REENCRYPT_CRASH, /**< Aborted reencryption that need internal re covery. */ CRYPT_REENCRYPT_CRASH, /**< Aborted reencryption that need internal re covery. */
CRYPT_REENCRYPT_INVALID /**< Invalid state. */ CRYPT_REENCRYPT_INVALID /**< Invalid state. */
} crypt_reencrypt_info; } crypt_reencrypt_info;
 End of changes. 16 change blocks. 
4 lines changed or deleted 220 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)