"Fossies" - the Fresh Open Source Software Archive

Member "cryptsetup-2.4.3/src/cryptsetup_reencrypt.c" (13 Jan 2022, 47752 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "cryptsetup_reencrypt.c" see the Fossies "Dox" file reference documentation and the last Fossies "Diffs" side-by-side code changes report: 2.4.1_vs_2.4.2.

    1 /*
    2  * cryptsetup-reencrypt - crypt utility for offline re-encryption
    3  *
    4  * Copyright (C) 2012-2021 Red Hat, Inc. All rights reserved.
    5  * Copyright (C) 2012-2021 Milan Broz All rights reserved.
    6  *
    7  * This program is free software; you can redistribute it and/or
    8  * modify it under the terms of the GNU General Public License
    9  * as published by the Free Software Foundation; either version 2
   10  * of the License, or (at your option) any later version.
   11  *
   12  * This program is distributed in the hope that it will be useful,
   13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
   14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   15  * GNU General Public License for more details.
   16  *
   17  * You should have received a copy of the GNU General Public License
   18  * along with this program; if not, write to the Free Software
   19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
   20  */
   21 
   22 #include <sys/ioctl.h>
   23 #include <linux/fs.h>
   24 #include <uuid/uuid.h>
   25 
   26 #include "cryptsetup.h"
   27 #include "cryptsetup_reencrypt_args.h"
   28 
   29 #define PACKAGE_REENC "cryptsetup-reencrypt"
   30 
   31 #define NO_UUID "cafecafe-cafe-cafe-cafe-cafecafeeeee"
   32 
   33 static const char **action_argv;
   34 
   35 static const char *set_pbkdf = NULL;
   36 
   37 static struct tools_log_params log_parms;
   38 
   39 #define MAX_SLOT 32
   40 #define MAX_TOKEN 32
   41 struct reenc_ctx {
   42     char *device;
   43     char *device_header;
   44     char *device_uuid;
   45     const char *type;
   46     uint64_t device_size; /* overridden by parameter */
   47     uint64_t device_size_new_real;
   48     uint64_t device_size_org_real;
   49     uint64_t device_offset;
   50     uint64_t device_shift;
   51     uint64_t data_offset;
   52 
   53     unsigned int stained:1;
   54     unsigned int in_progress:1;
   55     enum { FORWARD = 0, BACKWARD = 1 } reencrypt_direction;
   56     enum { REENCRYPT = 0, ENCRYPT = 1, DECRYPT = 2 } reencrypt_mode;
   57 
   58     char header_file_org[PATH_MAX];
   59     char header_file_tmp[PATH_MAX];
   60     char header_file_new[PATH_MAX];
   61     char log_file[PATH_MAX];
   62 
   63     char crypt_path_org[PATH_MAX];
   64     char crypt_path_new[PATH_MAX];
   65     int log_fd;
   66     char log_buf[SECTOR_SIZE];
   67 
   68     struct {
   69         char *password;
   70         size_t passwordLen;
   71     } p[MAX_SLOT];
   72     int keyslot;
   73 
   74     uint64_t resume_bytes;
   75 };
   76 
   77 char MAGIC[]   = {'L','U','K','S', 0xba, 0xbe};
   78 char NOMAGIC[] = {'L','U','K','S', 0xde, 0xad};
   79 int  MAGIC_L = 6;
   80 
   81 typedef enum {
   82     MAKE_UNUSABLE,
   83     MAKE_USABLE,
   84     CHECK_UNUSABLE,
   85     CHECK_OPEN,
   86 } header_magic;
   87 
   88 void tools_cleanup(void)
   89 {
   90     tools_args_free(tool_core_args, ARRAY_SIZE(tool_core_args));
   91 }
   92 
   93 static void _quiet_log(int level, const char *msg, void *usrptr)
   94 {
   95     if (!ARG_SET(OPT_DEBUG_ID))
   96         return;
   97     tool_log(level, msg, usrptr);
   98 }
   99 
  100 static int alignment(int fd)
  101 {
  102     int alignment;
  103 
  104     alignment = fpathconf(fd, _PC_REC_XFER_ALIGN);
  105     if (alignment < 0)
  106         alignment = 4096;
  107     return alignment;
  108 }
  109 
  110 static size_t pagesize(void)
  111 {
  112     long r = sysconf(_SC_PAGESIZE);
  113     return r < 0 ? 4096 : (size_t)r;
  114 }
  115 
  116 static const char *luksType(const char *type)
  117 {
  118     if (type && !strcmp(type, "luks2"))
  119         return CRYPT_LUKS2;
  120 
  121     if (type && !strcmp(type, "luks1"))
  122         return CRYPT_LUKS1;
  123 
  124     if (!type || !strcmp(type, "luks"))
  125         return crypt_get_default_type();
  126 
  127     return NULL;
  128 }
  129 
  130 static const char *hdr_device(const struct reenc_ctx *rc)
  131 {
  132     return rc->device_header ?: rc->device;
  133 }
  134 
  135 static int set_reencrypt_requirement(const struct reenc_ctx *rc)
  136 {
  137     uint32_t reqs;
  138     int r = -EINVAL;
  139     struct crypt_device *cd = NULL;
  140     struct crypt_params_integrity ip = { 0 };
  141 
  142     if (crypt_init(&cd, hdr_device(rc)) ||
  143         crypt_load(cd, CRYPT_LUKS2, NULL) ||
  144         crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &reqs))
  145         goto out;
  146 
  147     /* reencrypt already in-progress */
  148     if (reqs & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) {
  149         log_err(_("Reencryption already in-progress."));
  150         goto out;
  151     }
  152 
  153     /* raw integrity info is available since 2.0 */
  154     if (crypt_get_integrity_info(cd, &ip) || ip.tag_size) {
  155         log_err(_("Reencryption of device with integrity profile is not supported."));
  156         r = -ENOTSUP;
  157         goto out;
  158     }
  159 
  160     r = crypt_persistent_flags_set(cd, CRYPT_FLAGS_REQUIREMENTS, reqs | CRYPT_REQUIREMENT_OFFLINE_REENCRYPT);
  161 out:
  162     crypt_free(cd);
  163     return r;
  164 }
  165 
  166 /* Depends on the first two fields of LUKS1 header format, magic and version */
  167 static int device_check(struct reenc_ctx *rc, const char *device, header_magic set_magic)
  168 {
  169     char *buf = NULL;
  170     int r, devfd;
  171     ssize_t s;
  172     uint16_t version;
  173     size_t buf_size = pagesize();
  174     struct stat st;
  175 
  176     if (stat(device, &st)) {
  177         log_err(_("Cannot open device %s."), device);
  178         return -EINVAL;
  179     }
  180 
  181     /* coverity[toctou] */
  182     devfd = open(device, O_RDWR | (S_ISBLK(st.st_mode) ? O_EXCL : 0));
  183     if (devfd == -1) {
  184         if (errno == EBUSY) {
  185             log_err(_("Cannot exclusively open %s, device in use."),
  186                 device);
  187             return -EBUSY;
  188         }
  189         log_err(_("Cannot open device %s."), device);
  190         return -EINVAL;
  191     }
  192 
  193     if (set_magic == CHECK_OPEN) {
  194         r = 0;
  195         goto out;
  196     }
  197 
  198     if (posix_memalign((void *)&buf, alignment(devfd), buf_size)) {
  199         log_err(_("Allocation of aligned memory failed."));
  200         r = -ENOMEM;
  201         goto out;
  202     }
  203 
  204     s = read(devfd, buf, buf_size);
  205     if (s < 0 || s != (ssize_t)buf_size) {
  206         log_err(_("Cannot read device %s."), device);
  207         r = -EIO;
  208         goto out;
  209     }
  210 
  211     /* Be sure that we do not process new version of header */
  212     memcpy((void*)&version, &buf[MAGIC_L], sizeof(uint16_t));
  213     version = be16_to_cpu(version);
  214 
  215     if (set_magic == MAKE_UNUSABLE && !memcmp(buf, MAGIC, MAGIC_L) &&
  216         version == 1) {
  217         log_verbose(_("Marking LUKS1 device %s unusable."), device);
  218         memcpy(buf, NOMAGIC, MAGIC_L);
  219         r = 0;
  220     } else if (set_magic == MAKE_UNUSABLE && version == 2) {
  221         log_verbose(_("Setting LUKS2 offline reencrypt flag on device %s."), device);
  222         r = set_reencrypt_requirement(rc);
  223         if (!r)
  224             rc->stained = 1;
  225     } else if (set_magic == CHECK_UNUSABLE && version == 1) {
  226         r = memcmp(buf, NOMAGIC, MAGIC_L) ? -EINVAL : 0;
  227         if (!r)
  228             rc->device_uuid = strndup(&buf[0xa8], 40);
  229         goto out;
  230     } else
  231         r = -EINVAL;
  232 
  233     if (!r && version == 1) {
  234         if (lseek(devfd, 0, SEEK_SET) == -1)
  235             goto out;
  236         s = write(devfd, buf, buf_size);
  237         if (s < 0 || s != (ssize_t)buf_size || fsync(devfd) < 0) {
  238             log_err(_("Cannot write device %s."), device);
  239             r = -EIO;
  240         }
  241         if (s > 0 && set_magic == MAKE_UNUSABLE)
  242             rc->stained = 1;
  243     }
  244     if (r)
  245         log_dbg("LUKS signature check failed for %s.", device);
  246 out:
  247     if (buf)
  248         memset(buf, 0, buf_size);
  249     free(buf);
  250     close(devfd);
  251     return r;
  252 }
  253 
  254 static int create_empty_header(const char *new_file)
  255 {
  256     int fd, r = 0;
  257 
  258     log_dbg("Creating empty file %s of size 4096.", new_file);
  259 
  260     /* coverity[toctou] */
  261     fd = open(new_file, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR|S_IWUSR);
  262     if (fd == -1 || posix_fallocate(fd, 0, 4096))
  263         r = -EINVAL;
  264     if (fd >= 0)
  265         close(fd);
  266 
  267     return r;
  268 }
  269 
  270 static int write_log(struct reenc_ctx *rc)
  271 {
  272     ssize_t r;
  273 
  274     memset(rc->log_buf, 0, SECTOR_SIZE);
  275     snprintf(rc->log_buf, SECTOR_SIZE, "# LUKS reencryption log, DO NOT EDIT OR DELETE.\n"
  276         "version = %d\nUUID = %s\ndirection = %d\nmode = %d\n"
  277         "offset = %" PRIu64 "\nshift = %" PRIu64 "\n# EOF\n",
  278         2, rc->device_uuid, rc->reencrypt_direction, rc->reencrypt_mode,
  279         rc->device_offset, rc->device_shift);
  280 
  281     if (lseek(rc->log_fd, 0, SEEK_SET) == -1)
  282         return -EIO;
  283 
  284     r = write(rc->log_fd, rc->log_buf, SECTOR_SIZE);
  285     if (r < 0 || r != SECTOR_SIZE) {
  286         log_err(_("Cannot write reencryption log file."));
  287         return -EIO;
  288     }
  289 
  290     return 0;
  291 }
  292 
  293 static int parse_line_log(struct reenc_ctx *rc, const char *line)
  294 {
  295     uint64_t u64;
  296     int i;
  297     char s[64];
  298 
  299     /* whole line is comment */
  300     if (*line == '#')
  301         return 0;
  302 
  303     if (sscanf(line, "version = %d", &i) == 1) {
  304         if (i < 1 || i > 2) {
  305             log_dbg("Log: Unexpected version = %i", i);
  306             return -EINVAL;
  307         }
  308     } else if (sscanf(line, "UUID = %40s", s) == 1) {
  309         if (!rc->device_uuid || strcmp(rc->device_uuid, s)) {
  310             log_dbg("Log: Unexpected UUID %s", s);
  311             return -EINVAL;
  312         }
  313     } else if (sscanf(line, "direction = %d", &i) == 1) {
  314         log_dbg("Log: direction = %i", i);
  315         rc->reencrypt_direction = i;
  316     } else if (sscanf(line, "offset = %" PRIu64, &u64) == 1) {
  317         log_dbg("Log: offset = %" PRIu64, u64);
  318         rc->device_offset = u64;
  319     } else if (sscanf(line, "shift = %" PRIu64, &u64) == 1) {
  320         log_dbg("Log: shift = %" PRIu64, u64);
  321         rc->device_shift = u64;
  322     } else if (sscanf(line, "mode = %d", &i) == 1) { /* added in v2 */
  323         log_dbg("Log: mode = %i", i);
  324         rc->reencrypt_mode = i;
  325         if (rc->reencrypt_mode != REENCRYPT &&
  326             rc->reencrypt_mode != ENCRYPT &&
  327             rc->reencrypt_mode != DECRYPT)
  328             return -EINVAL;
  329     } else
  330         return -EINVAL;
  331 
  332     return 0;
  333 }
  334 
  335 static int parse_log(struct reenc_ctx *rc)
  336 {
  337     char *start, *end;
  338     ssize_t s;
  339 
  340     s = read(rc->log_fd, rc->log_buf, SECTOR_SIZE);
  341     if (s == -1) {
  342         log_err(_("Cannot read reencryption log file."));
  343         return -EIO;
  344     }
  345 
  346     rc->log_buf[SECTOR_SIZE - 1] = '\0';
  347     start = rc->log_buf;
  348     do {
  349         end = strchr(start, '\n');
  350         if (end) {
  351             *end++ = '\0';
  352             if (parse_line_log(rc, start)) {
  353                 log_err(_("Wrong log format."));
  354                 return -EINVAL;
  355             }
  356         }
  357 
  358         start = end;
  359     } while (start);
  360 
  361     return 0;
  362 }
  363 
  364 static void close_log(struct reenc_ctx *rc)
  365 {
  366     log_dbg("Closing LUKS reencryption log file %s.", rc->log_file);
  367     if (rc->log_fd != -1)
  368         close(rc->log_fd);
  369 }
  370 
  371 static int open_log(struct reenc_ctx *rc)
  372 {
  373     int flags = ARG_SET(OPT_USE_FSYNC_ID) ? O_SYNC : 0;
  374 
  375     rc->log_fd = open(rc->log_file, O_RDWR|O_EXCL|O_CREAT|flags, S_IRUSR|S_IWUSR);
  376     if (rc->log_fd != -1) {
  377         log_dbg("Created LUKS reencryption log file %s.", rc->log_file);
  378         rc->stained = 0;
  379     } else if (errno == EEXIST) {
  380         log_std(_("Log file %s exists, resuming reencryption.\n"), rc->log_file);
  381         rc->log_fd = open(rc->log_file, O_RDWR|flags);
  382         rc->in_progress = 1;
  383     }
  384 
  385     if (rc->log_fd == -1)
  386         return -EINVAL;
  387 
  388     if (!rc->in_progress && write_log(rc) < 0) {
  389         close_log(rc);
  390         return -EIO;
  391     }
  392 
  393     /* Be sure it is correct format */
  394     return parse_log(rc);
  395 }
  396 
  397 static int activate_luks_headers(struct reenc_ctx *rc)
  398 {
  399     struct crypt_device *cd = NULL, *cd_new = NULL;
  400     const char *pwd_old, *pwd_new, pwd_empty[] = "";
  401     size_t pwd_old_len, pwd_new_len;
  402     int r;
  403 
  404     log_dbg("Activating LUKS devices from headers.");
  405 
  406     /* Never use real password for empty header processing */
  407     if (rc->reencrypt_mode == REENCRYPT) {
  408         pwd_old = rc->p[rc->keyslot].password;
  409         pwd_old_len = rc->p[rc->keyslot].passwordLen;
  410         pwd_new = pwd_old;
  411         pwd_new_len = pwd_old_len;
  412     } else if (rc->reencrypt_mode == DECRYPT) {
  413         pwd_old = rc->p[rc->keyslot].password;
  414         pwd_old_len = rc->p[rc->keyslot].passwordLen;
  415         pwd_new = pwd_empty;
  416         pwd_new_len = 0;
  417     } else if (rc->reencrypt_mode == ENCRYPT) {
  418         pwd_old = pwd_empty;
  419         pwd_old_len = 0;
  420         pwd_new = rc->p[rc->keyslot].password;
  421         pwd_new_len = rc->p[rc->keyslot].passwordLen;
  422     } else
  423         return -EINVAL;
  424 
  425     if ((r = crypt_init_data_device(&cd, rc->header_file_org, rc->device)) ||
  426         (r = crypt_load(cd, CRYPT_LUKS, NULL)))
  427         goto out;
  428 
  429     log_verbose(_("Activating temporary device using old LUKS header."));
  430     if ((r = crypt_activate_by_passphrase(cd, rc->header_file_org,
  431         ARG_INT32(OPT_KEY_SLOT_ID), pwd_old, pwd_old_len,
  432         CRYPT_ACTIVATE_READONLY|CRYPT_ACTIVATE_PRIVATE)) < 0)
  433         goto out;
  434 
  435     if ((r = crypt_init_data_device(&cd_new, rc->header_file_new, rc->device)) ||
  436         (r = crypt_load(cd_new, CRYPT_LUKS, NULL)))
  437         goto out;
  438 
  439     log_verbose(_("Activating temporary device using new LUKS header."));
  440     if ((r = crypt_activate_by_passphrase(cd_new, rc->header_file_new,
  441         ARG_INT32(OPT_KEY_SLOT_ID), pwd_new, pwd_new_len,
  442         CRYPT_ACTIVATE_SHARED|CRYPT_ACTIVATE_PRIVATE)) < 0)
  443         goto out;
  444     r = 0;
  445 out:
  446     crypt_free(cd);
  447     crypt_free(cd_new);
  448     if (r < 0)
  449         log_err(_("Activation of temporary devices failed."));
  450     return r;
  451 }
  452 
  453 static int set_pbkdf_params(struct crypt_device *cd, const char *dev_type)
  454 {
  455     const struct crypt_pbkdf_type *pbkdf_default;
  456     struct crypt_pbkdf_type pbkdf = {};
  457 
  458     pbkdf_default = crypt_get_pbkdf_default(dev_type);
  459     if (!pbkdf_default)
  460         return -EINVAL;
  461 
  462     pbkdf.type = set_pbkdf ?: pbkdf_default->type;
  463     pbkdf.hash = ARG_STR(OPT_HASH_ID) ?: pbkdf_default->hash;
  464     pbkdf.time_ms = ARG_UINT32(OPT_ITER_TIME_ID) ?: pbkdf_default->time_ms;
  465     if (strcmp(pbkdf.type, CRYPT_KDF_PBKDF2)) {
  466         pbkdf.max_memory_kb = ARG_UINT32(OPT_PBKDF_MEMORY_ID) ?: pbkdf_default->max_memory_kb;
  467         pbkdf.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID) ?: pbkdf_default->parallel_threads;
  468     }
  469 
  470     if (ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID)) {
  471         pbkdf.iterations = ARG_UINT32(OPT_PBKDF_FORCE_ITERATIONS_ID);
  472         pbkdf.time_ms = 0;
  473         pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK;
  474     }
  475 
  476     return crypt_set_pbkdf_type(cd, &pbkdf);
  477 }
  478 
  479 static int create_new_keyslot(struct reenc_ctx *rc, int keyslot,
  480                   struct crypt_device *cd_old,
  481                   struct crypt_device *cd_new)
  482 {
  483     int r;
  484     char *key = NULL;
  485     size_t key_size;
  486 
  487     if (cd_old && crypt_keyslot_status(cd_old, keyslot) == CRYPT_SLOT_UNBOUND) {
  488         key_size = 4096;
  489         key = crypt_safe_alloc(key_size);
  490         if (!key)
  491             return -ENOMEM;
  492         r = crypt_volume_key_get(cd_old, keyslot, key, &key_size,
  493             rc->p[keyslot].password, rc->p[keyslot].passwordLen);
  494         if (r == keyslot) {
  495             r = crypt_keyslot_add_by_key(cd_new, keyslot, key, key_size,
  496                 rc->p[keyslot].password, rc->p[keyslot].passwordLen,
  497                 CRYPT_VOLUME_KEY_NO_SEGMENT);
  498         } else
  499             r = -EINVAL;
  500         crypt_safe_free(key);
  501     } else
  502         r = crypt_keyslot_add_by_volume_key(cd_new, keyslot, NULL, 0,
  503             rc->p[keyslot].password, rc->p[keyslot].passwordLen);
  504 
  505     return r;
  506 }
  507 
  508 static int create_new_header(struct reenc_ctx *rc, struct crypt_device *cd_old,
  509                  const char *cipher, const char *cipher_mode,
  510                  const char *uuid,
  511                  const char *key, int key_size,
  512                  const char *type,
  513                  uint64_t metadata_size,
  514                  uint64_t keyslots_size,
  515                  void *params)
  516 {
  517     struct crypt_device *cd_new = NULL;
  518     int i, r;
  519 
  520     if ((r = crypt_init(&cd_new, rc->header_file_new)))
  521         goto out;
  522 
  523     if (ARG_SET(OPT_USE_RANDOM_ID))
  524         crypt_set_rng_type(cd_new, CRYPT_RNG_RANDOM);
  525     else if (ARG_SET(OPT_USE_URANDOM_ID))
  526         crypt_set_rng_type(cd_new, CRYPT_RNG_URANDOM);
  527 
  528     r = set_pbkdf_params(cd_new, type);
  529     if (r) {
  530         log_err(_("Failed to set pbkdf parameters."));
  531         goto out;
  532     }
  533 
  534     r = crypt_set_data_offset(cd_new, rc->data_offset);
  535     if (r) {
  536         log_err(_("Failed to set data offset."));
  537         goto out;
  538     }
  539 
  540     r = crypt_set_metadata_size(cd_new, metadata_size, keyslots_size);
  541     if (r) {
  542         log_err(_("Failed to set metadata size."));
  543         goto out;
  544     }
  545 
  546     r = crypt_format(cd_new, type, cipher, cipher_mode, uuid, key, key_size, params);
  547     check_signal(&r);
  548     if (r < 0)
  549         goto out;
  550     log_verbose(_("New LUKS header for device %s created."), rc->device);
  551 
  552     for (i = 0; i < crypt_keyslot_max(type); i++) {
  553         if (!rc->p[i].password)
  554             continue;
  555 
  556         r = create_new_keyslot(rc, i, cd_old, cd_new);
  557         check_signal(&r);
  558         if (r < 0)
  559             goto out;
  560         tools_keyslot_msg(r, CREATED);
  561         r = 0;
  562     }
  563 out:
  564     crypt_free(cd_new);
  565     return r;
  566 }
  567 
  568 static int isLUKS2(const char *type)
  569 {
  570     return (type && !strcmp(type, CRYPT_LUKS2));
  571 }
  572 
  573 static int luks2_metadata_copy(struct reenc_ctx *rc)
  574 {
  575     const char *json, *type;
  576     crypt_token_info ti;
  577     uint32_t flags;
  578     int i, r = -EINVAL;
  579     struct crypt_device *cd_old = NULL, *cd_new = NULL;
  580 
  581     if (crypt_init(&cd_old, rc->header_file_tmp) ||
  582         crypt_load(cd_old, CRYPT_LUKS2, NULL))
  583         goto out;
  584 
  585     if (crypt_init(&cd_new, rc->header_file_new) ||
  586         crypt_load(cd_new, CRYPT_LUKS2, NULL))
  587         goto out;
  588 
  589     /*
  590      * we have to erase keyslots missing in new header so that we can
  591      * transfer tokens from old header to new one
  592      */
  593     for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS2); i++)
  594         if (!rc->p[i].password && crypt_keyslot_status(cd_old, i) == CRYPT_SLOT_ACTIVE) {
  595             r = crypt_keyslot_destroy(cd_old, i);
  596             if (r < 0)
  597                 goto out;
  598         }
  599 
  600     for (i = 0; i < MAX_TOKEN; i++) {
  601         ti = crypt_token_status(cd_old, i, &type);
  602         switch (ti) {
  603         case CRYPT_TOKEN_INVALID:
  604             log_dbg("Internal error.");
  605             r = -EINVAL;
  606             goto out;
  607         case CRYPT_TOKEN_INACTIVE:
  608             break;
  609         case CRYPT_TOKEN_INTERNAL_UNKNOWN:
  610             log_err(_("This version of cryptsetup-reencrypt can't handle new internal token type %s."), type);
  611             r = -EINVAL;
  612             goto out;
  613         case CRYPT_TOKEN_INTERNAL:
  614             /* fallthrough */
  615         case CRYPT_TOKEN_EXTERNAL:
  616             /* fallthrough */
  617         case CRYPT_TOKEN_EXTERNAL_UNKNOWN:
  618             if (crypt_token_json_get(cd_old, i, &json) != i) {
  619                 log_dbg("Failed to get %s token (%d).", type, i);
  620                 r = -EINVAL;
  621                 goto out;
  622             }
  623             if (crypt_token_json_set(cd_new, i, json) != i) {
  624                 log_dbg("Failed to create %s token (%d).", type, i);
  625                 r = -EINVAL;
  626                 goto out;
  627             }
  628         }
  629     }
  630 
  631     if ((r = crypt_persistent_flags_get(cd_old, CRYPT_FLAGS_ACTIVATION, &flags))) {
  632         log_err(_("Failed to read activation flags from backup header."));
  633         goto out;
  634     }
  635     if ((r = crypt_persistent_flags_set(cd_new, CRYPT_FLAGS_ACTIVATION, flags))) {
  636         log_err(_("Failed to write activation flags to new header."));
  637         goto out;
  638     }
  639     if ((r = crypt_persistent_flags_get(cd_old, CRYPT_FLAGS_REQUIREMENTS, &flags))) {
  640         log_err(_("Failed to read requirements from backup header."));
  641         goto out;
  642     }
  643     if ((r = crypt_persistent_flags_set(cd_new, CRYPT_FLAGS_REQUIREMENTS, flags)))
  644         log_err(_("Failed to read requirements from backup header."));
  645 out:
  646     crypt_free(cd_old);
  647     crypt_free(cd_new);
  648     unlink(rc->header_file_tmp);
  649 
  650     return r;
  651 }
  652 
  653 static int backup_luks_headers(struct reenc_ctx *rc)
  654 {
  655     struct crypt_device *cd = NULL;
  656     struct crypt_params_luks1 params = {0};
  657     struct crypt_params_luks2 params2 = {0};
  658     struct stat st;
  659     char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
  660     char *key = NULL;
  661     size_t key_size;
  662     uint64_t mdata_size = 0, keyslots_size = 0;
  663     int r;
  664 
  665     log_dbg("Creating LUKS header backup for device %s.", hdr_device(rc));
  666 
  667     if ((r = crypt_init(&cd, hdr_device(rc))) ||
  668         (r = crypt_load(cd, CRYPT_LUKS, NULL)))
  669         goto out;
  670 
  671     if ((r = crypt_header_backup(cd, CRYPT_LUKS, rc->header_file_org)))
  672         goto out;
  673     if (isLUKS2(rc->type)) {
  674         if ((r = crypt_header_backup(cd, CRYPT_LUKS2, rc->header_file_tmp)))
  675             goto out;
  676         if ((r = stat(rc->header_file_tmp, &st)))
  677             goto out;
  678         /* coverity[toctou] */
  679         if ((r = chmod(rc->header_file_tmp, st.st_mode | S_IWUSR)))
  680             goto out;
  681     }
  682     log_verbose(_("%s header backup of device %s created."), isLUKS2(rc->type) ? "LUKS2" : "LUKS1", rc->device);
  683 
  684     /* For decrypt, new header will be fake one, so we are done here. */
  685     if (rc->reencrypt_mode == DECRYPT)
  686         goto out;
  687 
  688     rc->data_offset = crypt_get_data_offset(cd) + ROUND_SECTOR(ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID));
  689 
  690     if ((r = create_empty_header(rc->header_file_new)))
  691         goto out;
  692 
  693     params.hash = ARG_STR(OPT_HASH_ID) ?: DEFAULT_LUKS1_HASH;
  694     params2.data_device = params.data_device = rc->device;
  695     params2.sector_size = crypt_get_sector_size(cd);
  696 
  697     if (ARG_SET(OPT_CIPHER_ID)) {
  698         r = crypt_parse_name_and_mode(ARG_STR(OPT_CIPHER_ID), cipher, NULL, cipher_mode);
  699         if (r < 0) {
  700             log_err(_("No known cipher specification pattern detected."));
  701             goto out;
  702         }
  703     }
  704 
  705     key_size = ARG_SET(OPT_KEY_SIZE_ID) ? ARG_UINT32(OPT_KEY_SIZE_ID) / 8 : (uint32_t)crypt_get_volume_key_size(cd);
  706 
  707     if (ARG_SET(OPT_KEEP_KEY_ID)) {
  708         log_dbg("Keeping key from old header.");
  709         key_size = crypt_get_volume_key_size(cd);
  710         key = crypt_safe_alloc(key_size);
  711         if (!key) {
  712             r = -ENOMEM;
  713             goto out;
  714         }
  715         r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size,
  716             rc->p[rc->keyslot].password, rc->p[rc->keyslot].passwordLen);
  717     } else if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) {
  718         log_dbg("Loading new key from file.");
  719         r = tools_read_mk(ARG_STR(OPT_MASTER_KEY_FILE_ID), &key, key_size);
  720     }
  721 
  722     if (r < 0)
  723         goto out;
  724 
  725     if (isLUKS2(crypt_get_type(cd)) && crypt_get_metadata_size(cd, &mdata_size, &keyslots_size))
  726         goto out;
  727 
  728     r = create_new_header(rc, cd,
  729         ARG_SET(OPT_CIPHER_ID) ? cipher : crypt_get_cipher(cd),
  730         ARG_SET(OPT_CIPHER_ID) ? cipher_mode : crypt_get_cipher_mode(cd),
  731         crypt_get_uuid(cd),
  732         key,
  733         key_size,
  734         rc->type,
  735         mdata_size,
  736         keyslots_size,
  737         isLUKS2(rc->type) ? (void*)&params2 : (void*)&params);
  738 
  739     if (!r && isLUKS2(rc->type))
  740         r = luks2_metadata_copy(rc);
  741 out:
  742     crypt_free(cd);
  743     crypt_safe_free(key);
  744     if (r)
  745         log_err(_("Creation of LUKS backup headers failed."));
  746     return r;
  747 }
  748 
  749 /* Create fake header for original device */
  750 static int backup_fake_header(struct reenc_ctx *rc)
  751 {
  752     struct crypt_device *cd_new = NULL;
  753     struct crypt_params_luks1 params = {0};
  754     struct crypt_params_luks2 params2 = {0};
  755     char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
  756     const char *header_file_fake;
  757     int r;
  758 
  759     log_dbg("Creating fake (cipher_null) header for %s device.",
  760         (rc->reencrypt_mode == DECRYPT) ? "new" : "original");
  761 
  762     header_file_fake = (rc->reencrypt_mode == DECRYPT) ? rc->header_file_new : rc->header_file_org;
  763 
  764     if (!ARG_SET(OPT_KEY_SIZE_ID))
  765         ARG_SET_UINT32(OPT_KEY_SIZE_ID, DEFAULT_LUKS1_KEYBITS);
  766 
  767     if (ARG_SET(OPT_CIPHER_ID)) {
  768         r = crypt_parse_name_and_mode(ARG_STR(OPT_CIPHER_ID), cipher, NULL, cipher_mode);
  769         if (r < 0) {
  770             log_err(_("No known cipher specification pattern detected."));
  771             goto out;
  772         }
  773     }
  774 
  775     r = create_empty_header(header_file_fake);
  776     if (r < 0)
  777         return r;
  778 
  779     params.hash = ARG_STR(OPT_HASH_ID) ?: DEFAULT_LUKS1_HASH;
  780     params2.data_alignment = params.data_alignment = 0;
  781     params2.data_device = params.data_device = rc->device;
  782     params2.sector_size = crypt_get_sector_size(NULL);
  783     params2.pbkdf = crypt_get_pbkdf_default(CRYPT_LUKS2);
  784 
  785     r = crypt_init(&cd_new, header_file_fake);
  786     if (r < 0)
  787         return r;
  788 
  789     r = crypt_format(cd_new, CRYPT_LUKS1, "cipher_null", "ecb",
  790              NO_UUID, NULL, ARG_UINT32(OPT_KEY_SIZE_ID) / 8, &params);
  791     check_signal(&r);
  792     if (r < 0)
  793         goto out;
  794 
  795     r = crypt_keyslot_add_by_volume_key(cd_new, rc->keyslot, NULL, 0,
  796             rc->p[rc->keyslot].password, rc->p[rc->keyslot].passwordLen);
  797     check_signal(&r);
  798     if (r < 0)
  799         goto out;
  800 
  801     /* The real header is backup header created in backup_luks_headers() */
  802     if (rc->reencrypt_mode == DECRYPT) {
  803         r = 0;
  804         goto out;
  805     }
  806 
  807     r = create_empty_header(rc->header_file_new);
  808     if (r < 0)
  809         goto out;
  810 
  811     params2.data_alignment = params.data_alignment = ROUND_SECTOR(ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID));
  812     r = create_new_header(rc, NULL,
  813         ARG_SET(OPT_CIPHER_ID) ? cipher : DEFAULT_LUKS1_CIPHER,
  814         ARG_SET(OPT_CIPHER_ID) ? cipher_mode : DEFAULT_LUKS1_MODE,
  815         NULL, NULL,
  816         ARG_UINT32(OPT_KEY_SIZE_ID) / 8,
  817         rc->type,
  818         0,
  819         0,
  820         isLUKS2(rc->type) ? (void*)&params2 : (void*)&params);
  821 out:
  822     crypt_free(cd_new);
  823     return r;
  824 }
  825 
  826 static void remove_headers(struct reenc_ctx *rc)
  827 {
  828     struct crypt_device *cd = NULL;
  829 
  830     log_dbg("Removing headers.");
  831 
  832     if (crypt_init(&cd, NULL))
  833         return;
  834     crypt_set_log_callback(cd, _quiet_log, NULL);
  835     if (*rc->header_file_org)
  836         (void)crypt_deactivate(cd, rc->header_file_org);
  837     if (*rc->header_file_new)
  838         (void)crypt_deactivate(cd, rc->header_file_new);
  839     crypt_free(cd);
  840 }
  841 
  842 static int restore_luks_header(struct reenc_ctx *rc)
  843 {
  844     struct stat st;
  845     struct crypt_device *cd = NULL;
  846     int fd, r;
  847 
  848     log_dbg("Restoring header for %s from %s.", hdr_device(rc), rc->header_file_new);
  849 
  850     /*
  851      * For new encryption and new detached header in file just move it.
  852      * For existing file try to ensure we have preallocated space for restore.
  853      */
  854     if (ARG_SET(OPT_NEW_ID) && rc->device_header) {
  855         r = stat(rc->device_header, &st);
  856         if (r == -1) {
  857             r = rename(rc->header_file_new, rc->device_header);
  858             goto out;
  859         } else if ((st.st_mode & S_IFMT) == S_IFREG &&
  860             stat(rc->header_file_new, &st) != -1) {
  861             /* coverity[toctou] */
  862             fd = open(rc->device_header, O_WRONLY);
  863             if (fd != -1) {
  864                 if (posix_fallocate(fd, 0, st.st_size)) {};
  865                 close(fd);
  866             }
  867         }
  868     }
  869 
  870     r = crypt_init(&cd, hdr_device(rc));
  871     if (r == 0) {
  872         r = crypt_header_restore(cd, rc->type, rc->header_file_new);
  873     }
  874 
  875     crypt_free(cd);
  876 out:
  877     if (r)
  878         log_err(_("Cannot restore %s header on device %s."), isLUKS2(rc->type) ? "LUKS2" : "LUKS1", hdr_device(rc));
  879     else {
  880         log_verbose(_("%s header on device %s restored."), isLUKS2(rc->type) ? "LUKS2" : "LUKS1", hdr_device(rc));
  881         rc->stained = 0;
  882     }
  883     return r;
  884 }
  885 
  886 static ssize_t read_buf(int fd, void *buf, size_t count)
  887 {
  888     size_t read_size = 0;
  889     ssize_t s;
  890 
  891     do {
  892         /* This expects that partial read is aligned in buffer */
  893         s = read(fd, buf, count - read_size);
  894         if (s == -1 && errno != EINTR)
  895             return s;
  896         if (s == 0)
  897             return (ssize_t)read_size;
  898         if (s > 0) {
  899             if (s != (ssize_t)count)
  900                 log_dbg("Partial read %zd / %zu.", s, count);
  901             read_size += (size_t)s;
  902             buf = (uint8_t*)buf + s;
  903         }
  904     } while (read_size != count);
  905 
  906     return (ssize_t)count;
  907 }
  908 
  909 static int copy_data_forward(struct reenc_ctx *rc, int fd_old, int fd_new,
  910                  size_t block_size, void *buf, uint64_t *bytes)
  911 {
  912     ssize_t s1, s2;
  913     struct tools_progress_params prog_parms = {
  914         .frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID),
  915         .batch_mode = ARG_SET(OPT_BATCH_MODE_ID)
  916     };
  917 
  918     log_dbg("Reencrypting in forward direction.");
  919 
  920     if (lseek64(fd_old, rc->device_offset, SEEK_SET) < 0 ||
  921         lseek64(fd_new, rc->device_offset, SEEK_SET) < 0) {
  922         log_err(_("Cannot seek to device offset."));
  923         return -EIO;
  924     }
  925 
  926     rc->resume_bytes = *bytes = rc->device_offset;
  927 
  928     tools_reencrypt_progress(rc->device_size, *bytes, &prog_parms);
  929 
  930     if (write_log(rc) < 0)
  931         return -EIO;
  932 
  933     while (!quit && rc->device_offset < rc->device_size) {
  934         s1 = read_buf(fd_old, buf, block_size);
  935         if (s1 < 0 || ((size_t)s1 != block_size &&
  936             (rc->device_offset + s1) != rc->device_size)) {
  937             log_dbg("Read error, expecting %zu, got %zd.",
  938                 block_size, s1);
  939             return -EIO;
  940         }
  941 
  942         /* If device_size is forced, never write more than limit */
  943         if ((s1 + rc->device_offset) > rc->device_size)
  944             s1 = rc->device_size - rc->device_offset;
  945 
  946         s2 = write(fd_new, buf, s1);
  947         if (s2 < 0) {
  948             log_dbg("Write error, expecting %zu, got %zd.",
  949                 block_size, s2);
  950             return -EIO;
  951         }
  952 
  953         rc->device_offset += s1;
  954         if (ARG_SET(OPT_WRITE_LOG_ID) && write_log(rc) < 0)
  955             return -EIO;
  956 
  957         if (ARG_SET(OPT_USE_FSYNC_ID) && fsync(fd_new) < 0) {
  958             log_dbg("Write error, fsync.");
  959             return -EIO;
  960         }
  961 
  962         *bytes += (uint64_t)s2;
  963 
  964         tools_reencrypt_progress(rc->device_size, *bytes, &prog_parms);
  965     }
  966 
  967     return quit ? -EAGAIN : 0;
  968 }
  969 
  970 static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new,
  971                   size_t block_size, void *buf, uint64_t *bytes)
  972 {
  973     ssize_t s1, s2, working_block;
  974     off64_t working_offset;
  975     struct tools_progress_params prog_parms = {
  976         .frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID),
  977         .batch_mode = ARG_SET(OPT_BATCH_MODE_ID)
  978     };
  979 
  980     log_dbg("Reencrypting in backward direction.");
  981 
  982     if (!rc->in_progress) {
  983         rc->device_offset = rc->device_size;
  984         rc->resume_bytes = 0;
  985         *bytes = 0;
  986     } else {
  987         rc->resume_bytes = rc->device_size - rc->device_offset;
  988         *bytes = rc->resume_bytes;
  989     }
  990 
  991     tools_reencrypt_progress(rc->device_size, *bytes, &prog_parms);
  992 
  993     if (write_log(rc) < 0)
  994         return -EIO;
  995 
  996     /* dirty the device during ENCRYPT mode */
  997     rc->stained = 1;
  998 
  999     while (!quit && rc->device_offset) {
 1000         if (rc->device_offset < block_size) {
 1001             working_offset = 0;
 1002             working_block = rc->device_offset;
 1003         } else {
 1004             working_offset = rc->device_offset - block_size;
 1005             working_block = block_size;
 1006         }
 1007 
 1008         if (lseek64(fd_old, working_offset, SEEK_SET) < 0 ||
 1009             lseek64(fd_new, working_offset, SEEK_SET) < 0) {
 1010             log_err(_("Cannot seek to device offset."));
 1011             return -EIO;
 1012         }
 1013 
 1014         s1 = read_buf(fd_old, buf, working_block);
 1015         if (s1 < 0 || (s1 != working_block)) {
 1016             log_dbg("Read error, expecting %zu, got %zd.",
 1017                 block_size, s1);
 1018             return -EIO;
 1019         }
 1020 
 1021         s2 = write(fd_new, buf, working_block);
 1022         if (s2 < 0) {
 1023             log_dbg("Write error, expecting %zu, got %zd.",
 1024                 block_size, s2);
 1025             return -EIO;
 1026         }
 1027 
 1028         rc->device_offset -= s1;
 1029         if (ARG_SET(OPT_WRITE_LOG_ID) && write_log(rc) < 0)
 1030             return -EIO;
 1031 
 1032         if (ARG_SET(OPT_USE_FSYNC_ID) && fsync(fd_new) < 0) {
 1033             log_dbg("Write error, fsync.");
 1034             return -EIO;
 1035         }
 1036 
 1037         *bytes += (uint64_t)s2;
 1038 
 1039         tools_reencrypt_progress(rc->device_size, *bytes, &prog_parms);
 1040     }
 1041 
 1042     return quit ? -EAGAIN : 0;
 1043 }
 1044 
 1045 static void zero_rest_of_device(int fd, size_t block_size, void *buf,
 1046                 uint64_t *bytes, uint64_t offset)
 1047 {
 1048     ssize_t s1, s2;
 1049 
 1050     log_dbg("Zeroing rest of device.");
 1051 
 1052     if (lseek64(fd, offset, SEEK_SET) < 0) {
 1053         log_dbg("Cannot seek to device offset.");
 1054         return;
 1055     }
 1056 
 1057     memset(buf, 0, block_size);
 1058     s1 = block_size;
 1059 
 1060     while (!quit && *bytes) {
 1061         if (*bytes < (uint64_t)s1)
 1062             s1 = *bytes;
 1063 
 1064         s2 = write(fd, buf, s1);
 1065         if (s2 != s1) {
 1066             log_dbg("Write error, expecting %zd, got %zd.",
 1067                 s1, s2);
 1068             return;
 1069         }
 1070 
 1071         if (ARG_SET(OPT_USE_FSYNC_ID) && fsync(fd) < 0) {
 1072             log_dbg("Write error, fsync.");
 1073             return;
 1074         }
 1075 
 1076         *bytes -= s2;
 1077     }
 1078 }
 1079 
 1080 static int copy_data(struct reenc_ctx *rc)
 1081 {
 1082     size_t block_size = ARG_UINT32(OPT_BLOCK_SIZE_ID) * 1024 * 1024;
 1083     int fd_old = -1, fd_new = -1;
 1084     int r = -EINVAL;
 1085     void *buf = NULL;
 1086     uint64_t bytes = 0;
 1087 
 1088     log_dbg("Data copy preparation.");
 1089 
 1090     fd_old = open(rc->crypt_path_org, O_RDONLY | (ARG_SET(OPT_USE_DIRECTIO_ID) ? O_DIRECT : 0));
 1091     if (fd_old == -1) {
 1092         log_err(_("Cannot open temporary LUKS device."));
 1093         goto out;
 1094     }
 1095 
 1096     fd_new = open(rc->crypt_path_new, O_WRONLY | (ARG_SET(OPT_USE_DIRECTIO_ID) ? O_DIRECT : 0));
 1097     if (fd_new == -1) {
 1098         log_err(_("Cannot open temporary LUKS device."));
 1099         goto out;
 1100     }
 1101 
 1102     if (ioctl(fd_old, BLKGETSIZE64, &rc->device_size_org_real) < 0) {
 1103         log_err(_("Cannot get device size."));
 1104         goto out;
 1105     }
 1106 
 1107     if (ioctl(fd_new, BLKGETSIZE64, &rc->device_size_new_real) < 0) {
 1108         log_err(_("Cannot get device size."));
 1109         goto out;
 1110     }
 1111 
 1112     if (ARG_SET(OPT_DEVICE_SIZE_ID))
 1113         rc->device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID);
 1114     else if (rc->reencrypt_mode == DECRYPT)
 1115         rc->device_size = rc->device_size_org_real;
 1116     else
 1117         rc->device_size = rc->device_size_new_real;
 1118 
 1119     if (posix_memalign((void *)&buf, alignment(fd_new), block_size)) {
 1120         log_err(_("Allocation of aligned memory failed."));
 1121         r = -ENOMEM;
 1122         goto out;
 1123     }
 1124 
 1125     set_int_handler(0);
 1126 
 1127     if (rc->reencrypt_direction == FORWARD)
 1128         r = copy_data_forward(rc, fd_old, fd_new, block_size, buf, &bytes);
 1129     else
 1130         r = copy_data_backward(rc, fd_old, fd_new, block_size, buf, &bytes);
 1131 
 1132     /* Zero (wipe) rest of now plain-only device when decrypting.
 1133      * (To not leave any sign of encryption here.) */
 1134     if (!r && rc->reencrypt_mode == DECRYPT &&
 1135         rc->device_size_new_real > rc->device_size_org_real) {
 1136         bytes = rc->device_size_new_real - rc->device_size_org_real;
 1137         zero_rest_of_device(fd_new, block_size, buf, &bytes, rc->device_size_org_real);
 1138     }
 1139 
 1140     set_int_block(1);
 1141 
 1142     if (r < 0 && r != -EAGAIN)
 1143         log_err(_("IO error during reencryption."));
 1144 
 1145     (void)write_log(rc);
 1146 out:
 1147     if (fd_old != -1)
 1148         close(fd_old);
 1149     if (fd_new != -1)
 1150         close(fd_new);
 1151     free(buf);
 1152     return r;
 1153 }
 1154 
 1155 static int initialize_uuid(struct reenc_ctx *rc)
 1156 {
 1157     struct crypt_device *cd = NULL;
 1158     int r;
 1159     uuid_t device_uuid;
 1160 
 1161     log_dbg("Initialising UUID.");
 1162 
 1163     if (ARG_SET(OPT_NEW_ID)) {
 1164         rc->device_uuid = strdup(NO_UUID);
 1165         rc->type = luksType(ARG_STR(OPT_TYPE_ID));
 1166         return 0;
 1167     }
 1168 
 1169     if (ARG_SET(OPT_DECRYPT_ID) && ARG_SET(OPT_UUID_ID)) {
 1170         r = uuid_parse(ARG_STR(OPT_UUID_ID), device_uuid);
 1171         if (!r)
 1172             rc->device_uuid = strdup(ARG_STR(OPT_UUID_ID));
 1173         else
 1174             log_err(_("Provided UUID is invalid."));
 1175 
 1176         return r;
 1177     }
 1178 
 1179     /* Try to load LUKS from device */
 1180     if ((r = crypt_init(&cd, hdr_device(rc))))
 1181         return r;
 1182     crypt_set_log_callback(cd, _quiet_log, NULL);
 1183     r = crypt_load(cd, CRYPT_LUKS, NULL);
 1184     if (!r)
 1185         rc->device_uuid = strdup(crypt_get_uuid(cd));
 1186     else
 1187         /* Reencryption already in progress - magic header? */
 1188         r = device_check(rc, hdr_device(rc), CHECK_UNUSABLE);
 1189 
 1190     if (!r)
 1191         rc->type = isLUKS2(crypt_get_type(cd)) ? CRYPT_LUKS2 : CRYPT_LUKS1;
 1192 
 1193     crypt_free(cd);
 1194     return r;
 1195 }
 1196 
 1197 static int init_passphrase1(struct reenc_ctx *rc, struct crypt_device *cd,
 1198                 const char *msg, int slot_to_check, int check, int verify)
 1199 {
 1200     crypt_keyslot_info ki;
 1201     char *password;
 1202     int r = -EINVAL, retry_count;
 1203     size_t passwordLen;
 1204 
 1205     /* mode ENCRYPT call this without header */
 1206     if (cd && slot_to_check != CRYPT_ANY_SLOT) {
 1207         ki = crypt_keyslot_status(cd, slot_to_check);
 1208         if (ki < CRYPT_SLOT_ACTIVE)
 1209             return -ENOENT;
 1210     } else
 1211         ki = CRYPT_SLOT_ACTIVE;
 1212 
 1213     retry_count = ARG_UINT32(OPT_TRIES_ID) ?: 1;
 1214     while (retry_count--) {
 1215         r = tools_get_key(msg,  &password, &passwordLen, 0, 0,
 1216                   NULL /*opt_key_file*/, 0, verify, 0 /*pwquality*/, cd);
 1217         if (r < 0)
 1218             return r;
 1219         if (quit) {
 1220             crypt_safe_free(password);
 1221             password = NULL;
 1222             passwordLen = 0;
 1223             return -EAGAIN;
 1224         }
 1225 
 1226         if (check)
 1227             r = crypt_activate_by_passphrase(cd, NULL, slot_to_check,
 1228                 password, passwordLen, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY);
 1229         else
 1230             r = (slot_to_check == CRYPT_ANY_SLOT) ? 0 : slot_to_check;
 1231 
 1232         if (r < 0) {
 1233             crypt_safe_free(password);
 1234             password = NULL;
 1235             passwordLen = 0;
 1236         }
 1237         if (r < 0 && r != -EPERM)
 1238             return r;
 1239 
 1240         if (r >= 0) {
 1241             tools_keyslot_msg(r, UNLOCKED);
 1242             rc->p[r].password = password;
 1243             rc->p[r].passwordLen = passwordLen;
 1244             if (ki != CRYPT_SLOT_UNBOUND)
 1245                 rc->keyslot = r;
 1246             break;
 1247         }
 1248         tools_passphrase_msg(r);
 1249     }
 1250 
 1251     password = NULL;
 1252     passwordLen = 0;
 1253 
 1254     return r;
 1255 }
 1256 
 1257 static int init_keyfile(struct reenc_ctx *rc, struct crypt_device *cd, int slot_check)
 1258 {
 1259     char *password;
 1260     int r;
 1261     size_t passwordLen;
 1262 
 1263     r = tools_get_key(NULL, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
 1264               ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), 0, 0, 0, cd);
 1265     if (r < 0)
 1266         return r;
 1267 
 1268     /* mode ENCRYPT call this without header */
 1269     if (cd) {
 1270         r = crypt_activate_by_passphrase(cd, NULL, slot_check, password,
 1271                          passwordLen, 0);
 1272 
 1273         /*
 1274          * Allow keyslot only if it is last slot or if user explicitly
 1275          * specify which slot to use (IOW others will be disabled).
 1276          */
 1277         if (r >= 0 && ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT &&
 1278             crypt_keyslot_status(cd, r) != CRYPT_SLOT_ACTIVE_LAST) {
 1279             log_err(_("Key file can be used only with --key-slot or with "
 1280                   "exactly one key slot active."));
 1281             r = -EINVAL;
 1282         }
 1283     } else {
 1284         r = slot_check == CRYPT_ANY_SLOT ? 0 : slot_check;
 1285     }
 1286 
 1287     if (r < 0) {
 1288         crypt_safe_free(password);
 1289         tools_passphrase_msg(r);
 1290     } else {
 1291         rc->keyslot = r;
 1292         rc->p[r].password = password;
 1293         rc->p[r].passwordLen = passwordLen;
 1294     }
 1295 
 1296     password = NULL;
 1297     passwordLen = 0;
 1298 
 1299     return r;
 1300 }
 1301 
 1302 static int initialize_passphrase(struct reenc_ctx *rc, const char *device)
 1303 {
 1304     struct crypt_device *cd = NULL;
 1305     char msg[256];
 1306     int i, r;
 1307 
 1308     log_dbg("Passphrases initialization.");
 1309 
 1310     if (rc->reencrypt_mode == ENCRYPT && !rc->in_progress) {
 1311         if (ARG_SET(OPT_KEY_FILE_ID))
 1312             r = init_keyfile(rc, NULL, ARG_INT32(OPT_KEY_SLOT_ID));
 1313         else
 1314             r = init_passphrase1(rc, NULL, _("Enter new passphrase: "), ARG_INT32(OPT_KEY_SLOT_ID), 0, 1);
 1315         return r > 0 ? 0 : r;
 1316     }
 1317 
 1318     if ((r = crypt_init_data_device(&cd, device, rc->device)) ||
 1319         (r = crypt_load(cd, CRYPT_LUKS, NULL))) {
 1320         crypt_free(cd);
 1321         return r;
 1322     }
 1323 
 1324     if (ARG_INT32(OPT_KEY_SLOT_ID) != CRYPT_ANY_SLOT)
 1325         snprintf(msg, sizeof(msg),
 1326              _("Enter passphrase for key slot %d: "), ARG_INT32(OPT_KEY_SLOT_ID));
 1327     else
 1328         snprintf(msg, sizeof(msg), _("Enter any existing passphrase: "));
 1329 
 1330     if (ARG_SET(OPT_KEY_FILE_ID)) {
 1331         r = init_keyfile(rc, cd, ARG_INT32(OPT_KEY_SLOT_ID));
 1332     } else if (rc->in_progress ||
 1333            ARG_INT32(OPT_KEY_SLOT_ID) != CRYPT_ANY_SLOT ||
 1334            rc->reencrypt_mode == DECRYPT) {
 1335         r = init_passphrase1(rc, cd, msg, ARG_INT32(OPT_KEY_SLOT_ID), 1, 0);
 1336     } else for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++) {
 1337         snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %d: "), i);
 1338         r = init_passphrase1(rc, cd, msg, i, 1, 0);
 1339         if (r == -ENOENT) {
 1340             r = 0;
 1341             continue;
 1342         }
 1343         if (r < 0)
 1344             break;
 1345     }
 1346 
 1347     crypt_free(cd);
 1348     return r > 0 ? 0 : r;
 1349 }
 1350 
 1351 static int initialize_context(struct reenc_ctx *rc, const char *device)
 1352 {
 1353     log_dbg("Initialising reencryption context.");
 1354 
 1355     rc->log_fd = -1;
 1356 
 1357     /* FIXME: replace MAX_KEYSLOT with crypt_keyslot_max(CRYPT_LUKS2) */
 1358     if (crypt_keyslot_max(CRYPT_LUKS2) > MAX_SLOT) {
 1359         log_dbg("Internal error");
 1360         return -EINVAL;
 1361     }
 1362 
 1363     if (!(rc->device = strndup(device, PATH_MAX)))
 1364         return -ENOMEM;
 1365 
 1366     if (ARG_SET(OPT_HEADER_ID) && !(rc->device_header = strndup(ARG_STR(OPT_HEADER_ID), PATH_MAX)))
 1367         return -ENOMEM;
 1368 
 1369     if (device_check(rc, rc->device, CHECK_OPEN) < 0)
 1370         return -EINVAL;
 1371 
 1372     if (initialize_uuid(rc)) {
 1373         log_err(_("Device %s is not a valid LUKS device."), device);
 1374         return -EINVAL;
 1375     }
 1376 
 1377     if (ARG_INT32(OPT_KEY_SLOT_ID) != CRYPT_ANY_SLOT &&
 1378         ARG_INT32(OPT_KEY_SLOT_ID) >= crypt_keyslot_max(rc->type)) {
 1379         log_err(_("Key slot is invalid."));
 1380         return -EINVAL;
 1381     }
 1382 
 1383     /* Prepare device names */
 1384     if (snprintf(rc->log_file, PATH_MAX,
 1385              "LUKS-%s.log", rc->device_uuid) < 0)
 1386         return -ENOMEM;
 1387     if (snprintf(rc->header_file_org, PATH_MAX,
 1388              "LUKS-%s.org", rc->device_uuid) < 0)
 1389         return -ENOMEM;
 1390     if (snprintf(rc->header_file_new, PATH_MAX,
 1391              "LUKS-%s.new", rc->device_uuid) < 0)
 1392         return -ENOMEM;
 1393     if (snprintf(rc->header_file_tmp, PATH_MAX,
 1394              "LUKS-%s.tmp", rc->device_uuid) < 0)
 1395         return -ENOMEM;
 1396 
 1397     /* Paths to encrypted devices */
 1398     if (snprintf(rc->crypt_path_org, PATH_MAX,
 1399              "%s/%s", crypt_get_dir(), rc->header_file_org) < 0)
 1400         return -ENOMEM;
 1401     if (snprintf(rc->crypt_path_new, PATH_MAX,
 1402              "%s/%s", crypt_get_dir(), rc->header_file_new) < 0)
 1403         return -ENOMEM;
 1404 
 1405     remove_headers(rc);
 1406 
 1407     if (open_log(rc) < 0) {
 1408         log_err(_("Cannot open reencryption log file."));
 1409         return -EINVAL;
 1410     }
 1411 
 1412     if (!rc->in_progress) {
 1413         if (ARG_SET(OPT_UUID_ID)) {
 1414             log_err(_("No decryption in progress, provided UUID can "
 1415             "be used only to resume suspended decryption process."));
 1416             return -EINVAL;
 1417         }
 1418 
 1419         if (!ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID))
 1420             rc->reencrypt_direction = FORWARD;
 1421         else {
 1422             rc->reencrypt_direction = BACKWARD;
 1423             rc->device_offset = (uint64_t)~0;
 1424         }
 1425 
 1426         if (ARG_SET(OPT_NEW_ID))
 1427             rc->reencrypt_mode = ENCRYPT;
 1428         else if (ARG_SET(OPT_DECRYPT_ID))
 1429             rc->reencrypt_mode = DECRYPT;
 1430         else
 1431             rc->reencrypt_mode = REENCRYPT;
 1432     }
 1433 
 1434     return 0;
 1435 }
 1436 
 1437 static void destroy_context(struct reenc_ctx *rc)
 1438 {
 1439     int i;
 1440 
 1441     log_dbg("Destroying reencryption context.");
 1442 
 1443     close_log(rc);
 1444     remove_headers(rc);
 1445 
 1446     if (!rc->stained) {
 1447         unlink(rc->log_file);
 1448         unlink(rc->header_file_org);
 1449         unlink(rc->header_file_new);
 1450         unlink(rc->header_file_tmp);
 1451     }
 1452 
 1453     for (i = 0; i < MAX_SLOT; i++)
 1454         crypt_safe_free(rc->p[i].password);
 1455 
 1456     free(rc->device);
 1457     free(rc->device_header);
 1458     free(rc->device_uuid);
 1459 }
 1460 
 1461 static int luks2_change_pbkdf_params(struct reenc_ctx *rc)
 1462 {
 1463     int i, r;
 1464     struct crypt_device *cd = NULL;
 1465 
 1466     if ((r = initialize_passphrase(rc, hdr_device(rc))))
 1467         return r;
 1468 
 1469     if (crypt_init(&cd, hdr_device(rc)) ||
 1470         crypt_load(cd, CRYPT_LUKS2, NULL)) {
 1471         r = -EINVAL;
 1472         goto out;
 1473     }
 1474 
 1475     if ((r = set_pbkdf_params(cd, CRYPT_LUKS2)))
 1476         goto out;
 1477 
 1478     log_dbg("LUKS2 keyslot pbkdf params change.");
 1479 
 1480     r = -EINVAL;
 1481 
 1482     for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS2); i++) {
 1483         if (!rc->p[i].password)
 1484             continue;
 1485         if ((r = crypt_keyslot_change_by_passphrase(cd, i, i,
 1486             rc->p[i].password, rc->p[i].passwordLen,
 1487             rc->p[i].password, rc->p[i].passwordLen)) < 0)
 1488             goto out;
 1489         log_verbose(_("Changed pbkdf parameters in keyslot %i."), r);
 1490         r = 0;
 1491     }
 1492 
 1493     if (r)
 1494         goto out;
 1495 
 1496     /* see create_new_header */
 1497     for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS2); i++)
 1498         if (!rc->p[i].password)
 1499             (void)crypt_keyslot_destroy(cd, i);
 1500 out:
 1501     crypt_free(cd);
 1502     return r;
 1503 }
 1504 
 1505 static int run_reencrypt(const char *device)
 1506 {
 1507     int r = -EINVAL;
 1508     static struct reenc_ctx rc = {
 1509         .stained = 1
 1510     };
 1511 
 1512     set_int_handler(0);
 1513 
 1514     if (initialize_context(&rc, device))
 1515         goto out;
 1516 
 1517     /* short-circuit LUKS2 keyslot parameters change */
 1518     if (ARG_SET(OPT_KEEP_KEY_ID) && isLUKS2(rc.type)) {
 1519         r = luks2_change_pbkdf_params(&rc);
 1520         goto out;
 1521     }
 1522 
 1523     log_dbg("Running reencryption.");
 1524 
 1525     if (!rc.in_progress) {
 1526         if ((r = initialize_passphrase(&rc, hdr_device(&rc))))
 1527             goto out;
 1528 
 1529         log_dbg("Storing backup of LUKS headers.");
 1530         if (rc.reencrypt_mode == ENCRYPT) {
 1531             /* Create fake header for existing device */
 1532             if ((r = backup_fake_header(&rc)))
 1533                 goto out;
 1534         } else {
 1535             if ((r = backup_luks_headers(&rc)))
 1536                 goto out;
 1537             /* Create fake header for decrypted device */
 1538             if (rc.reencrypt_mode == DECRYPT &&
 1539                 (r = backup_fake_header(&rc)))
 1540                 goto out;
 1541             if ((r = device_check(&rc, hdr_device(&rc), MAKE_UNUSABLE)))
 1542                 goto out;
 1543         }
 1544     } else {
 1545         if ((r = initialize_passphrase(&rc, ARG_SET(OPT_DECRYPT_ID) ? rc.header_file_org : rc.header_file_new)))
 1546             goto out;
 1547     }
 1548 
 1549     if (!ARG_SET(OPT_KEEP_KEY_ID)) {
 1550         log_dbg("Running data area reencryption.");
 1551         if ((r = activate_luks_headers(&rc)))
 1552             goto out;
 1553 
 1554         if ((r = copy_data(&rc)))
 1555             goto out;
 1556     } else
 1557         log_dbg("Keeping existing key, skipping data area reencryption.");
 1558 
 1559     // FIXME: fix error path above to not skip this
 1560     if (rc.reencrypt_mode != DECRYPT)
 1561         r = restore_luks_header(&rc);
 1562     else
 1563         rc.stained = 0;
 1564 out:
 1565     destroy_context(&rc);
 1566     return r;
 1567 }
 1568 
 1569 static void help(poptContext popt_context,
 1570          enum poptCallbackReason reason __attribute__((unused)),
 1571          struct poptOption *key,
 1572          const char *arg __attribute__((unused)),
 1573          void *data __attribute__((unused)))
 1574 {
 1575     if (key->shortName == '?') {
 1576         log_std("%s %s\n", PACKAGE_REENC, PACKAGE_VERSION);
 1577         poptPrintHelp(popt_context, stdout, 0);
 1578         tools_cleanup();
 1579         poptFreeContext(popt_context);
 1580         exit(EXIT_SUCCESS);
 1581     } else if (key->shortName == 'V') {
 1582         log_std("%s %s\n", PACKAGE_REENC, PACKAGE_VERSION);
 1583         tools_cleanup();
 1584         poptFreeContext(popt_context);
 1585         exit(EXIT_SUCCESS);
 1586     } else
 1587         usage(popt_context, EXIT_SUCCESS, NULL, NULL);
 1588 }
 1589 
 1590 static bool needs_size_conversion(unsigned arg_id)
 1591 {
 1592     return arg_id == OPT_DEVICE_SIZE_ID || arg_id == OPT_REDUCE_DEVICE_SIZE_ID;
 1593 }
 1594 
 1595 static void basic_options_cb(poptContext popt_context,
 1596          enum poptCallbackReason reason __attribute__((unused)),
 1597          struct poptOption *key,
 1598          const char *arg,
 1599          void *data __attribute__((unused)))
 1600 {
 1601     tools_parse_arg_value(popt_context, tool_core_args[key->val].type, tool_core_args + key->val, arg, key->val, needs_size_conversion);
 1602 
 1603     /* special cases additional handling */
 1604     switch (key->val) {
 1605     case OPT_DEBUG_ID:
 1606         log_parms.debug = true;
 1607         /* fall through */
 1608     case OPT_VERBOSE_ID:
 1609         log_parms.verbose = true;
 1610         break;
 1611     case OPT_BLOCK_SIZE_ID:
 1612         if (ARG_UINT32(OPT_BLOCK_SIZE_ID) < 1 || ARG_UINT32(OPT_BLOCK_SIZE_ID) > 64)
 1613             usage(popt_context, EXIT_FAILURE,
 1614                   _("Only values between 1 MiB and 64 MiB allowed for reencryption block size."),
 1615                   poptGetInvocationName(popt_context));
 1616         break;
 1617     case OPT_KEY_SIZE_ID:
 1618         if (ARG_UINT32(OPT_KEY_SIZE_ID) == 0)
 1619             usage(popt_context, EXIT_FAILURE, poptStrerror(POPT_ERROR_BADNUMBER),
 1620                   poptGetInvocationName(popt_context));
 1621         if (ARG_UINT32(OPT_KEY_SIZE_ID) % 8)
 1622             usage(popt_context, EXIT_FAILURE,
 1623                   _("Key size must be a multiple of 8 bits"),
 1624                   poptGetInvocationName(popt_context));
 1625         break;
 1626     case OPT_REDUCE_DEVICE_SIZE_ID:
 1627         if (ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID) > 64 * 1024 * 1024)
 1628             usage(popt_context, EXIT_FAILURE, _("Maximum device reduce size is 64 MiB."),
 1629                   poptGetInvocationName(popt_context));
 1630         if (ARG_UINT64(OPT_REDUCE_DEVICE_SIZE_ID) % SECTOR_SIZE)
 1631             usage(popt_context, EXIT_FAILURE, _("Reduce size must be multiple of 512 bytes sector."),
 1632                   poptGetInvocationName(popt_context));
 1633         break;
 1634     }
 1635 }
 1636 
 1637 int main(int argc, const char **argv)
 1638 {
 1639     static struct poptOption popt_help_options[] = {
 1640         { NULL,    '\0', POPT_ARG_CALLBACK, help, 0, NULL,                         NULL },
 1641         { "help",  '?',  POPT_ARG_NONE,     NULL, 0, N_("Show this help message"), NULL },
 1642         { "usage", '\0', POPT_ARG_NONE,     NULL, 0, N_("Display brief usage"),    NULL },
 1643         { "version",'V', POPT_ARG_NONE,     NULL, 0, N_("Print package version"),  NULL },
 1644         POPT_TABLEEND
 1645     };
 1646     static struct poptOption popt_basic_options[] = {
 1647         { NULL,    '\0', POPT_ARG_CALLBACK, basic_options_cb, 0, NULL, NULL },
 1648 #define ARG(A, B, C, D, E, F, G) { A, B, C, NULL, A ## _ID, D, E },
 1649 #include "cryptsetup_reencrypt_arg_list.h"
 1650 #undef arg
 1651         POPT_TABLEEND
 1652     };
 1653     static struct poptOption popt_options[] = {
 1654         { NULL,                '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
 1655         { NULL,                '\0', POPT_ARG_INCLUDE_TABLE, popt_basic_options, 0, NULL, NULL },
 1656         POPT_TABLEEND
 1657     };
 1658     poptContext popt_context;
 1659     int r;
 1660 
 1661     crypt_set_log_callback(NULL, tool_log, &log_parms);
 1662 
 1663     setlocale(LC_ALL, "");
 1664     bindtextdomain(PACKAGE, LOCALEDIR);
 1665     textdomain(PACKAGE);
 1666 
 1667     popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
 1668     poptSetOtherOptionHelp(popt_context,
 1669                            _("[OPTION...] <device>"));
 1670 
 1671     while((r = poptGetNextOpt(popt_context)) > 0) ;
 1672     if (r < -1)
 1673         usage(popt_context, EXIT_FAILURE, poptStrerror(r),
 1674               poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
 1675 
 1676     if (!ARG_SET(OPT_BATCH_MODE_ID))
 1677         log_verbose(_("Reencryption will change: %s%s%s%s%s%s."),
 1678             ARG_SET(OPT_KEEP_KEY_ID) ? "" :  _("volume key"),
 1679             (!ARG_SET(OPT_KEEP_KEY_ID) && ARG_SET(OPT_HASH_ID)) ? ", " : "",
 1680             ARG_SET(OPT_HASH_ID) ? _("set hash to ") : "", ARG_STR(OPT_HASH_ID) ?: "",
 1681             ARG_SET(OPT_CIPHER_ID) ? _(", set cipher to "): "", ARG_STR(OPT_CIPHER_ID) ?: "");
 1682 
 1683     action_argv = poptGetArgs(popt_context);
 1684     if(!action_argv)
 1685         usage(popt_context, EXIT_FAILURE, _("Argument required."),
 1686               poptGetInvocationName(popt_context));
 1687 
 1688     if (ARG_SET(OPT_USE_RANDOM_ID) && ARG_SET(OPT_USE_URANDOM_ID))
 1689         usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
 1690               poptGetInvocationName(popt_context));
 1691 
 1692     if (ARG_SET(OPT_PBKDF_ID) && crypt_parse_pbkdf(ARG_STR(OPT_PBKDF_ID), &set_pbkdf))
 1693         usage(popt_context, EXIT_FAILURE,
 1694         _("Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."),
 1695         poptGetInvocationName(popt_context));
 1696 
 1697     if (ARG_SET(OPT_PBKDF_FORCE_ITERATIONS_ID) && ARG_SET(OPT_ITER_TIME_ID))
 1698         usage(popt_context, EXIT_FAILURE,
 1699         _("PBKDF forced iterations cannot be combined with iteration time option."),
 1700         poptGetInvocationName(popt_context));
 1701 
 1702     if (ARG_INT32(OPT_KEY_SLOT_ID) != CRYPT_ANY_SLOT &&
 1703         (ARG_INT32(OPT_KEY_SLOT_ID) < 0 || ARG_INT32(OPT_KEY_SLOT_ID) >= crypt_keyslot_max(CRYPT_LUKS2)))
 1704         usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
 1705               poptGetInvocationName(popt_context));
 1706 
 1707     if (ARG_SET(OPT_USE_RANDOM_ID) && ARG_SET(OPT_USE_URANDOM_ID))
 1708         usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
 1709               poptGetInvocationName(popt_context));
 1710 
 1711     if (ARG_SET(OPT_NEW_ID) && (!ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID) && !ARG_SET(OPT_HEADER_ID)))
 1712         usage(popt_context, EXIT_FAILURE, _("Option --new must be used together with --reduce-device-size or --header."),
 1713               poptGetInvocationName(popt_context));
 1714 
 1715     if (ARG_SET(OPT_KEEP_KEY_ID) && (ARG_SET(OPT_CIPHER_ID) || ARG_SET(OPT_NEW_ID) || ARG_SET(OPT_MASTER_KEY_FILE_ID)))
 1716         usage(popt_context, EXIT_FAILURE, _("Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."),
 1717               poptGetInvocationName(popt_context));
 1718 
 1719     if (ARG_SET(OPT_NEW_ID) && ARG_SET(OPT_DECRYPT_ID))
 1720         usage(popt_context, EXIT_FAILURE, _("Option --new cannot be used together with --decrypt."),
 1721               poptGetInvocationName(popt_context));
 1722 
 1723     if (ARG_SET(OPT_DECRYPT_ID) &&
 1724         (ARG_SET(OPT_CIPHER_ID) || ARG_SET(OPT_HASH_ID) || ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID) ||
 1725          ARG_SET(OPT_KEEP_KEY_ID) || ARG_SET(OPT_DEVICE_SIZE_ID)))
 1726         usage(popt_context, EXIT_FAILURE, _("Option --decrypt is incompatible with specified parameters."),
 1727               poptGetInvocationName(popt_context));
 1728 
 1729     if (ARG_SET(OPT_UUID_ID) && !ARG_SET(OPT_DECRYPT_ID))
 1730         usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only together with --decrypt."),
 1731               poptGetInvocationName(popt_context));
 1732 
 1733     if (!luksType(ARG_STR(OPT_TYPE_ID)))
 1734         usage(popt_context, EXIT_FAILURE, _("Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."),
 1735               poptGetInvocationName(popt_context));
 1736 
 1737     if (ARG_SET(OPT_DEBUG_ID)) {
 1738         crypt_set_debug_level(CRYPT_DEBUG_ALL);
 1739         dbg_version_and_cmd(argc, argv);
 1740     }
 1741 
 1742     r = run_reencrypt(action_argv[0]);
 1743     tools_cleanup();
 1744     poptFreeContext(popt_context);
 1745     return translate_errno(r);
 1746 }