"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "lib/luks2/luks2_keyslot_luks2.c" between
cryptsetup-2.0.6.tar.xz and cryptsetup-2.1.0.tar.xz

About: cryptsetup is a utility used to conveniently setup disk encryption based on the dm-crypt kernel module. These include plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt compatible format.

luks2_keyslot_luks2.c  (cryptsetup-2.0.6.tar.xz):luks2_keyslot_luks2.c  (cryptsetup-2.1.0.tar.xz)
/* /*
* LUKS - Linux Unified Key Setup v2, LUKS2 type keyslot handler * LUKS - Linux Unified Key Setup v2, LUKS2 type keyslot handler
* *
* Copyright (C) 2015-2018, Red Hat, Inc. All rights reserved. * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
* Copyright (C) 2015-2018, Milan Broz. All rights reserved. * Copyright (C) 2015-2019 Milan Broz
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License * modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2 * as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version. * of the License, or (at your option) any later version.
* *
* This program is distributed in the hope that it will be useful, * This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details. * GNU General Public License for more details.
skipping to change at line 44 skipping to change at line 44
struct crypt_device *cd) struct crypt_device *cd)
{ {
struct device *device = crypt_metadata_device(cd); struct device *device = crypt_metadata_device(cd);
#ifndef ENABLE_AF_ALG /* Support for old kernel without Crypto API */ #ifndef ENABLE_AF_ALG /* Support for old kernel without Crypto API */
int r = device_write_lock(cd, device); int r = device_write_lock(cd, device);
if (r) { if (r) {
log_err(cd, _("Failed to acquire write lock on device %s."), devi ce_path(device)); log_err(cd, _("Failed to acquire write lock on device %s."), devi ce_path(device));
return r; return r;
} }
r = LUKS_encrypt_to_storage(src, srcLength, cipher, cipher_mode, vk, sect or, cd); r = LUKS_encrypt_to_storage(src, srcLength, cipher, cipher_mode, vk, sect or, cd);
device_write_unlock(crypt_metadata_device(cd)); device_write_unlock(cd, crypt_metadata_device(cd));
return r; return r;
#else #else
struct crypt_storage *s; struct crypt_storage *s;
int devfd = -1, r; int devfd = -1, r;
/* Only whole sector writes supported */ /* Only whole sector writes supported */
if (MISALIGNED_512(srcLength)) if (MISALIGNED_512(srcLength))
return -EINVAL; return -EINVAL;
/* Encrypt buffer */ /* Encrypt buffer */
r = crypt_storage_init(&s, 0, cipher, cipher_mode, vk->key, vk->keylength ); r = crypt_storage_init(&s, 0, cipher, cipher_mode, vk->key, vk->keylength );
if (r) { if (r) {
log_dbg("Userspace crypto wrapper cannot use %s-%s (%d).", log_dbg(cd, "Userspace crypto wrapper cannot use %s-%s (%d).",
cipher, cipher_mode, r); cipher, cipher_mode, r);
return r; return r;
} }
r = crypt_storage_encrypt(s, 0, srcLength / SECTOR_SIZE, src); r = crypt_storage_encrypt(s, 0, srcLength / SECTOR_SIZE, src);
crypt_storage_destroy(s); crypt_storage_destroy(s);
if (r) if (r)
return r; return r;
r = device_write_lock(cd, device); r = device_write_lock(cd, device);
if (r) { if (r) {
log_err(cd, _("Failed to acquire write lock on device %s."), log_err(cd, _("Failed to acquire write lock on device %s."),
device_path(device)); device_path(device));
return r; return r;
} }
devfd = device_open_locked(device, O_RDWR); devfd = device_open_locked(cd, device, O_RDWR);
if (devfd >= 0) { if (devfd >= 0) {
if (write_lseek_blockwise(devfd, device_block_size(device), if (write_lseek_blockwise(devfd, device_block_size(cd, device),
device_alignment(device), src, device_alignment(device), src,
srcLength, sector * SECTOR_SIZE) < 0) srcLength, sector * SECTOR_SIZE) < 0)
r = -EIO; r = -EIO;
else else
r = 0; r = 0;
device_sync(device, devfd); device_sync(cd, device, devfd);
close(devfd); close(devfd);
} else } else
r = -EIO; r = -EIO;
device_write_unlock(device); device_write_unlock(cd, device);
if (r) if (r)
log_err(cd, _("IO error while encrypting keyslot.")); log_err(cd, _("IO error while encrypting keyslot."));
return r; return r;
#endif #endif
} }
static int luks2_decrypt_from_storage(char *dst, size_t dstLength, static int luks2_decrypt_from_storage(char *dst, size_t dstLength,
const char *cipher, const char *cipher_mode, struct volume_key *vk, const char *cipher, const char *cipher_mode, struct volume_key *vk,
unsigned int sector, struct crypt_device *cd) unsigned int sector, struct crypt_device *cd)
{ {
struct device *device = crypt_metadata_device(cd); struct device *device = crypt_metadata_device(cd);
#ifndef ENABLE_AF_ALG /* Support for old kernel without Crypto API */ #ifndef ENABLE_AF_ALG /* Support for old kernel without Crypto API */
int r = device_read_lock(cd, device); int r = device_read_lock(cd, device);
if (r) { if (r) {
log_err(cd, _("Failed to acquire read lock on device %s."), devic e_path(device)); log_err(cd, _("Failed to acquire read lock on device %s."), devic e_path(device));
return r; return r;
} }
r = LUKS_decrypt_from_storage(dst, dstLength, cipher, cipher_mode, vk, se ctor, cd); r = LUKS_decrypt_from_storage(dst, dstLength, cipher, cipher_mode, vk, se ctor, cd);
device_read_unlock(crypt_metadata_device(cd)); device_read_unlock(cd, crypt_metadata_device(cd));
return r; return r;
#else #else
struct crypt_storage *s; struct crypt_storage *s;
int devfd = -1, r; int devfd = -1, r;
/* Only whole sector writes supported */ /* Only whole sector writes supported */
if (MISALIGNED_512(dstLength)) if (MISALIGNED_512(dstLength))
return -EINVAL; return -EINVAL;
r = crypt_storage_init(&s, 0, cipher, cipher_mode, vk->key, vk->keylength ); r = crypt_storage_init(&s, 0, cipher, cipher_mode, vk->key, vk->keylength );
if (r) { if (r) {
log_dbg("Userspace crypto wrapper cannot use %s-%s (%d).", log_dbg(cd, "Userspace crypto wrapper cannot use %s-%s (%d).",
cipher, cipher_mode, r); cipher, cipher_mode, r);
return r; return r;
} }
r = device_read_lock(cd, device); r = device_read_lock(cd, device);
if (r) { if (r) {
log_err(cd, _("Failed to acquire read lock on device %s."), log_err(cd, _("Failed to acquire read lock on device %s."),
device_path(device)); device_path(device));
crypt_storage_destroy(s); crypt_storage_destroy(s);
return r; return r;
} }
devfd = device_open_locked(device, O_RDONLY); devfd = device_open_locked(cd, device, O_RDONLY);
if (devfd >= 0) { if (devfd >= 0) {
if (read_lseek_blockwise(devfd, device_block_size(device), if (read_lseek_blockwise(devfd, device_block_size(cd, device),
device_alignment(device), dst, device_alignment(device), dst,
dstLength, sector * SECTOR_SIZE) < 0) dstLength, sector * SECTOR_SIZE) < 0)
r = -EIO; r = -EIO;
else else
r = 0; r = 0;
close(devfd); close(devfd);
} else } else
r = -EIO; r = -EIO;
device_read_unlock(device); device_read_unlock(cd, device);
/* Decrypt buffer */ /* Decrypt buffer */
if (!r) if (!r)
r = crypt_storage_decrypt(s, 0, dstLength / SECTOR_SIZE, dst); r = crypt_storage_decrypt(s, 0, dstLength / SECTOR_SIZE, dst);
else else
log_err(cd, _("IO error while decrypting keyslot.")); log_err(cd, _("IO error while decrypting keyslot."));
crypt_storage_destroy(s); crypt_storage_destroy(s);
return r; return r;
#endif #endif
skipping to change at line 284 skipping to change at line 284
} }
// FIXME: verity key_size to AFEKSize // FIXME: verity key_size to AFEKSize
AFEKSize = AF_split_sectors(volume_key_len, LUKS_STRIPES) * SECTOR_SIZE; AFEKSize = AF_split_sectors(volume_key_len, LUKS_STRIPES) * SECTOR_SIZE;
AfKey = crypt_safe_alloc(AFEKSize); AfKey = crypt_safe_alloc(AFEKSize);
if (!AfKey) { if (!AfKey) {
crypt_free_volume_key(derived_key); crypt_free_volume_key(derived_key);
return -ENOMEM; return -ENOMEM;
} }
r = AF_split(volume_key, AfKey, volume_key_len, LUKS_STRIPES, af_hash); r = AF_split(cd, volume_key, AfKey, volume_key_len, LUKS_STRIPES, af_hash );
if (r == 0) { if (r == 0) {
log_dbg("Updating keyslot area [0x%04x].", (unsigned)area_offset) ; log_dbg(cd, "Updating keyslot area [0x%04x].", (unsigned)area_off set);
/* FIXME: sector_offset should be size_t, fix LUKS_encrypt... acc ordingly */ /* FIXME: sector_offset should be size_t, fix LUKS_encrypt... acc ordingly */
r = luks2_encrypt_to_storage(AfKey, AFEKSize, cipher, cipher_mode , r = luks2_encrypt_to_storage(AfKey, AFEKSize, cipher, cipher_mode ,
derived_key, (unsigned)(area_offset / SECTOR_ SIZE), cd); derived_key, (unsigned)(area_offset / SECTOR_ SIZE), cd);
} }
crypt_safe_free(AfKey); crypt_safe_free(AfKey);
crypt_free_volume_key(derived_key); crypt_free_volume_key(derived_key);
if (r < 0) if (r < 0)
return r; return r;
skipping to change at line 365 skipping to change at line 365
/* /*
* Calculate derived key, decrypt keyslot content and merge it. * Calculate derived key, decrypt keyslot content and merge it.
*/ */
r = crypt_pbkdf(pbkdf.type, pbkdf.hash, password, passwordLen, r = crypt_pbkdf(pbkdf.type, pbkdf.hash, password, passwordLen,
salt, LUKS_SALTSIZE, salt, LUKS_SALTSIZE,
derived_key->key, derived_key->keylength, derived_key->key, derived_key->keylength,
pbkdf.iterations, pbkdf.max_memory_kb, pbkdf.iterations, pbkdf.max_memory_kb,
pbkdf.parallel_threads); pbkdf.parallel_threads);
if (r == 0) { if (r == 0) {
log_dbg("Reading keyslot area [0x%04x].", (unsigned)area_offset); log_dbg(cd, "Reading keyslot area [0x%04x].", (unsigned)area_offs et);
/* FIXME: sector_offset should be size_t, fix LUKS_decrypt... acc ordingly */ /* FIXME: sector_offset should be size_t, fix LUKS_decrypt... acc ordingly */
r = luks2_decrypt_from_storage(AfKey, AFEKSize, cipher, cipher_mo de, r = luks2_decrypt_from_storage(AfKey, AFEKSize, cipher, cipher_mo de,
derived_key, (unsigned)(area_offset / SECTO R_SIZE), cd); derived_key, (unsigned)(area_offset / SECTO R_SIZE), cd);
} }
if (r == 0) if (r == 0)
r = AF_merge(AfKey, volume_key, volume_key_len, LUKS_STRIPES, af_ hash); r = AF_merge(cd, AfKey, volume_key, volume_key_len, LUKS_STRIPES, af_hash);
crypt_free_volume_key(derived_key); crypt_free_volume_key(derived_key);
crypt_safe_free(AfKey); crypt_safe_free(AfKey);
return r; return r;
} }
/* /*
* currently we support update of only: * currently we support update of only:
* *
* - af hash function * - af hash function
* - kdf params * - kdf params
*/ */
static int luks2_keyslot_update_json(struct crypt_device *cd, static int luks2_keyslot_update_json(struct crypt_device *cd,
json_object *jobj_keyslot, json_object *jobj_keyslot,
const struct luks2_keyslot_params *params) const struct luks2_keyslot_params *params)
{ {
const struct crypt_pbkdf_type *pbkdf; const struct crypt_pbkdf_type *pbkdf;
json_object *jobj_af, *jobj_area, *jobj_kdf, *jobj1; json_object *jobj_af, *jobj_area, *jobj_kdf;
char salt[LUKS_SALTSIZE], *salt_base64 = NULL; char salt[LUKS_SALTSIZE], *salt_base64 = NULL;
int r, keyslot_key_len; int r;
/* jobj_keyslot is not yet validated */ /* jobj_keyslot is not yet validated */
if (!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) || if (!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area) || !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
!json_object_object_get_ex(jobj_area, "key_size", &jobj1))
return -EINVAL; return -EINVAL;
/* we do not allow any 'area' object modifications yet */ /* update area encryption parameters */
keyslot_key_len = json_object_get_int(jobj1); json_object_object_add(jobj_area, "encryption", json_object_new_string(pa
if (keyslot_key_len < 0) rams->area.raw.encryption));
return -EINVAL; json_object_object_add(jobj_area, "key_size", json_object_new_int(params-
>area.raw.key_size));
pbkdf = crypt_get_pbkdf_type(cd); pbkdf = crypt_get_pbkdf_type(cd);
if (!pbkdf) if (!pbkdf)
return -EINVAL; return -EINVAL;
r = crypt_benchmark_pbkdf_internal(cd, CONST_CAST(struct crypt_pbkdf_type *)pbkdf, keyslot_key_len); r = crypt_benchmark_pbkdf_internal(cd, CONST_CAST(struct crypt_pbkdf_type *)pbkdf, params->area.raw.key_size);
if (r < 0) if (r < 0)
return r; return r;
/* refresh whole 'kdf' object */ /* refresh whole 'kdf' object */
jobj_kdf = json_object_new_object(); jobj_kdf = json_object_new_object();
if (!jobj_kdf) if (!jobj_kdf)
return -ENOMEM; return -ENOMEM;
json_object_object_add(jobj_kdf, "type", json_object_new_string(pbkdf->ty pe)); json_object_object_add(jobj_kdf, "type", json_object_new_string(pbkdf->ty pe));
if (!strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) { if (!strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) {
json_object_object_add(jobj_kdf, "hash", json_object_new_string(p bkdf->hash)); json_object_object_add(jobj_kdf, "hash", json_object_new_string(p bkdf->hash));
skipping to change at line 445 skipping to change at line 443
return r; return r;
base64_encode_alloc(salt, LUKS_SALTSIZE, &salt_base64); base64_encode_alloc(salt, LUKS_SALTSIZE, &salt_base64);
if (!salt_base64) if (!salt_base64)
return -ENOMEM; return -ENOMEM;
json_object_object_add(jobj_kdf, "salt", json_object_new_string(salt_base 64)); json_object_object_add(jobj_kdf, "salt", json_object_new_string(salt_base 64));
free(salt_base64); free(salt_base64);
/* update 'af' hash */ /* update 'af' hash */
json_object_object_add(jobj_af, "hash", json_object_new_string(params->af .luks1.hash)); json_object_object_add(jobj_af, "hash", json_object_new_string(params->af .luks1.hash));
JSON_DBG(jobj_keyslot, "Keyslot JSON"); JSON_DBG(cd, jobj_keyslot, "Keyslot JSON:");
return 0; return 0;
} }
static int luks2_keyslot_alloc(struct crypt_device *cd, static int luks2_keyslot_alloc(struct crypt_device *cd,
int keyslot, int keyslot,
size_t volume_key_len, size_t volume_key_len,
const struct luks2_keyslot_params *params) const struct luks2_keyslot_params *params)
{ {
struct luks2_hdr *hdr; struct luks2_hdr *hdr;
char num[16];
uint64_t area_offset, area_length; uint64_t area_offset, area_length;
json_object *jobj_keyslots, *jobj_keyslot, *jobj_af, *jobj_area; json_object *jobj_keyslots, *jobj_keyslot, *jobj_af, *jobj_area;
int r; int r;
log_dbg("Trying to allocate LUKS2 keyslot %d.", keyslot); log_dbg(cd, "Trying to allocate LUKS2 keyslot %d.", keyslot);
if (!params || params->area_type != LUKS2_KEYSLOT_AREA_RAW || if (!params || params->area_type != LUKS2_KEYSLOT_AREA_RAW ||
params->af_type != LUKS2_KEYSLOT_AF_LUKS1) { params->af_type != LUKS2_KEYSLOT_AF_LUKS1) {
log_dbg("Invalid LUKS2 keyslot parameters."); log_dbg(cd, "Invalid LUKS2 keyslot parameters.");
return -EINVAL; return -EINVAL;
} }
if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2))) if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
return -EINVAL; return -EINVAL;
if (keyslot == CRYPT_ANY_SLOT) if (keyslot == CRYPT_ANY_SLOT)
keyslot = LUKS2_keyslot_find_empty(hdr, "luks2"); keyslot = LUKS2_keyslot_find_empty(hdr, "luks2");
if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX) if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX)
return -ENOMEM; return -ENOMEM;
if (LUKS2_get_keyslot_jobj(hdr, keyslot)) { if (LUKS2_get_keyslot_jobj(hdr, keyslot)) {
log_dbg("Cannot modify already active keyslot %d.", keyslot); log_dbg(cd, "Cannot modify already active keyslot %d.", keyslot);
return -EINVAL; return -EINVAL;
} }
if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots)) if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
return -EINVAL; return -EINVAL;
r = LUKS2_find_area_gap(cd, hdr, volume_key_len, &area_offset, &area_leng th); r = LUKS2_find_area_gap(cd, hdr, volume_key_len, &area_offset, &area_leng th);
if (r < 0) if (r < 0)
return r; return r;
skipping to change at line 502 skipping to change at line 499
/* AF object */ /* AF object */
jobj_af = json_object_new_object(); jobj_af = json_object_new_object();
json_object_object_add(jobj_af, "type", json_object_new_string("luks1")); json_object_object_add(jobj_af, "type", json_object_new_string("luks1"));
json_object_object_add(jobj_af, "stripes", json_object_new_int(params->af .luks1.stripes)); json_object_object_add(jobj_af, "stripes", json_object_new_int(params->af .luks1.stripes));
json_object_object_add(jobj_keyslot, "af", jobj_af); json_object_object_add(jobj_keyslot, "af", jobj_af);
/* Area object */ /* Area object */
jobj_area = json_object_new_object(); jobj_area = json_object_new_object();
json_object_object_add(jobj_area, "type", json_object_new_string("raw")); json_object_object_add(jobj_area, "type", json_object_new_string("raw"));
json_object_object_add(jobj_area, "encryption", json_object_new_string(pa
rams->area.raw.encryption));
json_object_object_add(jobj_area, "key_size", json_object_new_int(params-
>area.raw.key_size));
json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_o ffset)); json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_o ffset));
json_object_object_add(jobj_area, "size", json_object_new_uint64(area_len gth)); json_object_object_add(jobj_area, "size", json_object_new_uint64(area_len gth));
json_object_object_add(jobj_keyslot, "area", jobj_area); json_object_object_add(jobj_keyslot, "area", jobj_area);
snprintf(num, sizeof(num), "%d", keyslot); json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
json_object_object_add(jobj_keyslots, num, jobj_keyslot);
r = luks2_keyslot_update_json(cd, jobj_keyslot, params); r = luks2_keyslot_update_json(cd, jobj_keyslot, params);
if (!r && LUKS2_check_json_size(hdr)) { if (!r && LUKS2_check_json_size(cd, hdr)) {
log_dbg("Not enough space in header json area for new keyslot."); log_dbg(cd, "Not enough space in header json area for new keyslot
.");
r = -ENOSPC; r = -ENOSPC;
} }
if (r) if (r)
json_object_object_del(jobj_keyslots, num); json_object_object_del_by_uint(jobj_keyslots, keyslot);
return r; return r;
} }
static int luks2_keyslot_open(struct crypt_device *cd, static int luks2_keyslot_open(struct crypt_device *cd,
int keyslot, int keyslot,
const char *password, const char *password,
size_t password_len, size_t password_len,
char *volume_key, char *volume_key,
size_t volume_key_len) size_t volume_key_len)
{ {
struct luks2_hdr *hdr; struct luks2_hdr *hdr;
json_object *jobj_keyslot; json_object *jobj_keyslot;
log_dbg("Trying to open LUKS2 keyslot %d.", keyslot); log_dbg(cd, "Trying to open LUKS2 keyslot %d.", keyslot);
if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2))) if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
return -EINVAL; return -EINVAL;
jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot); jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
if (!jobj_keyslot) if (!jobj_keyslot)
return -EINVAL; return -EINVAL;
return luks2_keyslot_get_key(cd, jobj_keyslot, return luks2_keyslot_get_key(cd, jobj_keyslot,
password, password_len, password, password_len,
skipping to change at line 564 skipping to change at line 557
int keyslot, int keyslot,
const char *password, const char *password,
size_t password_len, size_t password_len,
const char *volume_key, const char *volume_key,
size_t volume_key_len) size_t volume_key_len)
{ {
struct luks2_hdr *hdr; struct luks2_hdr *hdr;
json_object *jobj_keyslot; json_object *jobj_keyslot;
int r; int r;
log_dbg("Calculating attributes for LUKS2 keyslot %d.", keyslot); log_dbg(cd, "Calculating attributes for LUKS2 keyslot %d.", keyslot);
if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2))) if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
return -EINVAL; return -EINVAL;
jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot); jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
if (!jobj_keyslot) if (!jobj_keyslot)
return -EINVAL; return -EINVAL;
r = luks2_keyslot_set_key(cd, jobj_keyslot, r = luks2_keyslot_set_key(cd, jobj_keyslot,
password, password_len, password, password_len,
skipping to change at line 616 skipping to change at line 609
return -EINVAL; return -EINVAL;
if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) || if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) || !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area)) !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
return -EINVAL; return -EINVAL;
json_object_object_get_ex(jobj_area, "encryption", &jobj1); json_object_object_get_ex(jobj_area, "encryption", &jobj1);
log_std(cd, "\tCipher: %s\n", json_object_get_string(jobj1)); log_std(cd, "\tCipher: %s\n", json_object_get_string(jobj1));
json_object_object_get_ex(jobj_area, "key_size", &jobj1);
log_std(cd, "\tCipher key: %u bits\n", json_object_get_uint32(jobj1) * 8)
;
json_object_object_get_ex(jobj_kdf, "type", &jobj1); json_object_object_get_ex(jobj_kdf, "type", &jobj1);
log_std(cd, "\tPBKDF: %s\n", json_object_get_string(jobj1)); log_std(cd, "\tPBKDF: %s\n", json_object_get_string(jobj1));
if (!strcmp(json_object_get_string(jobj1), CRYPT_KDF_PBKDF2)) { if (!strcmp(json_object_get_string(jobj1), CRYPT_KDF_PBKDF2)) {
json_object_object_get_ex(jobj_kdf, "hash", &jobj1); json_object_object_get_ex(jobj_kdf, "hash", &jobj1);
log_std(cd, "\tHash: %s\n", json_object_get_string(jobj1)); log_std(cd, "\tHash: %s\n", json_object_get_string(jobj1));
json_object_object_get_ex(jobj_kdf, "iterations", &jobj1); json_object_object_get_ex(jobj_kdf, "iterations", &jobj1);
log_std(cd, "\tIterations: %" PRIu64 "\n", json_object_get_uint64 (jobj1)); log_std(cd, "\tIterations: %" PRIu64 "\n", json_object_get_uint64 (jobj1));
} else { } else {
skipping to change at line 642 skipping to change at line 638
json_object_object_get_ex(jobj_kdf, "cpus", &jobj1); json_object_object_get_ex(jobj_kdf, "cpus", &jobj1);
log_std(cd, "\tThreads: %" PRIu64 "\n", json_object_get_int64( jobj1)); log_std(cd, "\tThreads: %" PRIu64 "\n", json_object_get_int64( jobj1));
} }
json_object_object_get_ex(jobj_kdf, "salt", &jobj1); json_object_object_get_ex(jobj_kdf, "salt", &jobj1);
log_std(cd, "\tSalt: "); log_std(cd, "\tSalt: ");
hexprint_base64(cd, jobj1, " ", " "); hexprint_base64(cd, jobj1, " ", " ");
json_object_object_get_ex(jobj_af, "stripes", &jobj1); json_object_object_get_ex(jobj_af, "stripes", &jobj1);
log_std(cd, "\tAF stripes: %u\n", json_object_get_int(jobj1)); log_std(cd, "\tAF stripes: %u\n", json_object_get_int(jobj1));
json_object_object_get_ex(jobj_af, "hash", &jobj1);
log_std(cd, "\tAF hash: %s\n", json_object_get_string(jobj1));
json_object_object_get_ex(jobj_area, "offset", &jobj1); json_object_object_get_ex(jobj_area, "offset", &jobj1);
log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", json_object_get_uint64 (jobj1)); log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", json_object_get_uint64 (jobj1));
json_object_object_get_ex(jobj_area, "size", &jobj1); json_object_object_get_ex(jobj_area, "size", &jobj1);
log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", json_object_get_uint64 (jobj1)); log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", json_object_get_uint64 (jobj1));
return 0; return 0;
} }
static int luks2_keyslot_validate(struct crypt_device *cd, json_object *jobj_key slot) static int luks2_keyslot_validate(struct crypt_device *cd, json_object *jobj_key slot)
skipping to change at line 667 skipping to change at line 666
if (!jobj_keyslot) if (!jobj_keyslot)
return -EINVAL; return -EINVAL;
if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) || if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) || !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area)) !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
return -EINVAL; return -EINVAL;
count = json_object_object_length(jobj_kdf); count = json_object_object_length(jobj_kdf);
jobj1 = json_contains(jobj_kdf, "", "kdf section", "type", json_type_stri ng); jobj1 = json_contains(cd, jobj_kdf, "", "kdf section", "type", json_type_ string);
if (!jobj1) if (!jobj1)
return -EINVAL; return -EINVAL;
type = json_object_get_string(jobj1); type = json_object_get_string(jobj1);
if (!strcmp(type, CRYPT_KDF_PBKDF2)) { if (!strcmp(type, CRYPT_KDF_PBKDF2)) {
if (count != 4 || /* type, salt, hash, iterations only */ if (count != 4 || /* type, salt, hash, iterations only */
!json_contains(jobj_kdf, "kdf type", type, "hash", json_type_ !json_contains(cd, jobj_kdf, "kdf type", type, "hash", json_t
string) || ype_string) ||
!json_contains(jobj_kdf, "kdf type", type, "iterations", json !json_contains(cd, jobj_kdf, "kdf type", type, "iterations",
_type_int) || json_type_int) ||
!json_contains(jobj_kdf, "kdf type", type, "salt", json_type_ !json_contains(cd, jobj_kdf, "kdf type", type, "salt", json_t
string)) ype_string))
return -EINVAL; return -EINVAL;
} else if (!strcmp(type, CRYPT_KDF_ARGON2I) || !strcmp(type, CRYPT_KDF_AR GON2ID)) { } else if (!strcmp(type, CRYPT_KDF_ARGON2I) || !strcmp(type, CRYPT_KDF_AR GON2ID)) {
if (count != 5 || /* type, salt, time, memory, cpus only */ if (count != 5 || /* type, salt, time, memory, cpus only */
!json_contains(jobj_kdf, "kdf type", type, "time", json_type_ !json_contains(cd, jobj_kdf, "kdf type", type, "time", json_t
int) || ype_int) ||
!json_contains(jobj_kdf, "kdf type", type, "memory", json_typ !json_contains(cd, jobj_kdf, "kdf type", type, "memory", json
e_int) || _type_int) ||
!json_contains(jobj_kdf, "kdf type", type, "cpus", json_type_ !json_contains(cd, jobj_kdf, "kdf type", type, "cpus", json_t
int) || ype_int) ||
!json_contains(jobj_kdf, "kdf type", type, "salt", json_type_ !json_contains(cd, jobj_kdf, "kdf type", type, "salt", json_t
string)) ype_string))
return -EINVAL; return -EINVAL;
} }
if (!json_object_object_get_ex(jobj_af, "type", &jobj1)) if (!json_object_object_get_ex(jobj_af, "type", &jobj1))
return -EINVAL; return -EINVAL;
if (!strcmp(json_object_get_string(jobj1), "luks1")) { if (!strcmp(json_object_get_string(jobj1), "luks1")) {
if (!json_contains(jobj_af, "", "luks1 af", "hash", json_type_str if (!json_contains(cd, jobj_af, "", "luks1 af", "hash", json_type
ing) || _string) ||
!json_contains(jobj_af, "", "luks1 af", "stripes", json_type_ !json_contains(cd, jobj_af, "", "luks1 af", "stripes", json_t
int)) ype_int))
return -EINVAL; return -EINVAL;
} else } else
return -EINVAL; return -EINVAL;
// FIXME check numbered // FIXME check numbered
if (!json_object_object_get_ex(jobj_area, "type", &jobj1)) if (!json_object_object_get_ex(jobj_area, "type", &jobj1))
return -EINVAL; return -EINVAL;
if (!strcmp(json_object_get_string(jobj1), "raw")) { if (!strcmp(json_object_get_string(jobj1), "raw")) {
if (!json_contains(jobj_area, "area", "raw type", "encryption", j if (!json_contains(cd, jobj_area, "area", "raw type", "encryption
son_type_string) || ", json_type_string) ||
!json_contains(jobj_area, "area", "raw type", "key_size", jso !json_contains(cd, jobj_area, "area", "raw type", "key_size",
n_type_int) || json_type_int) ||
!json_contains(jobj_area, "area", "raw type", "offset", json_ !json_contains(cd, jobj_area, "area", "raw type", "offset", j
type_string) || son_type_string) ||
!json_contains(jobj_area, "area", "raw type", "size", json_ty !json_contains(cd, jobj_area, "area", "raw type", "size", jso
pe_string)) n_type_string))
return -EINVAL; return -EINVAL;
} else } else
return -EINVAL; return -EINVAL;
return 0; return 0;
} }
static int luks2_keyslot_update(struct crypt_device *cd, static int luks2_keyslot_update(struct crypt_device *cd,
int keyslot, int keyslot,
const struct luks2_keyslot_params *params) const struct luks2_keyslot_params *params)
{ {
struct luks2_hdr *hdr; struct luks2_hdr *hdr;
json_object *jobj_keyslot; json_object *jobj_keyslot;
int r; int r;
log_dbg("Updating LUKS2 keyslot %d.", keyslot); log_dbg(cd, "Updating LUKS2 keyslot %d.", keyslot);
if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2))) if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
return -EINVAL; return -EINVAL;
jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot); jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
if (!jobj_keyslot) if (!jobj_keyslot)
return -EINVAL; return -EINVAL;
r = luks2_keyslot_update_json(cd, jobj_keyslot, params); r = luks2_keyslot_update_json(cd, jobj_keyslot, params);
if (!r && LUKS2_check_json_size(hdr)) { if (!r && LUKS2_check_json_size(cd, hdr)) {
log_dbg("Not enough space in header json area for updated keyslot log_dbg(cd, "Not enough space in header json area for updated key
%d.", keyslot); slot %d.", keyslot);
r = -ENOSPC; r = -ENOSPC;
} }
return r; return r;
} }
static void luks2_keyslot_repair(struct crypt_device *cd, json_object *jobj_keys lot) static void luks2_keyslot_repair(struct crypt_device *cd, json_object *jobj_keys lot)
{ {
const char *type; const char *type;
json_object *jobj_kdf, *jobj_type; json_object *jobj_kdf, *jobj_type;
 End of changes. 41 change blocks. 
74 lines changed or deleted 75 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)