"Fossies" - the Fresh Open Source Software Archive 
Member "cryptsetup-2.4.3/lib/luks2/luks2_keyslot.c" (13 Jan 2022, 26584 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:
As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style:
standard) with prefixed line numbers and
code folding option.
Alternatively you can here
view or
download the uninterpreted source code file.
For more information about "luks2_keyslot.c" see the
Fossies "Dox" file reference documentation and the latest
Fossies "Diffs" side-by-side code changes report:
2.4.2_vs_2.4.3.
1 /*
2 * LUKS - Linux Unified Key Setup v2, keyslot handling
3 *
4 * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2015-2021 Milan Broz
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 */
21
22 #include "luks2_internal.h"
23
24 /* Internal implementations */
25 extern const keyslot_handler luks2_keyslot;
26 extern const keyslot_handler reenc_keyslot;
27
28 static const keyslot_handler *keyslot_handlers[LUKS2_KEYSLOTS_MAX] = {
29 &luks2_keyslot,
30 #if USE_LUKS2_REENCRYPTION
31 &reenc_keyslot,
32 #endif
33 NULL
34 };
35
36 static const keyslot_handler
37 *LUKS2_keyslot_handler_type(struct crypt_device *cd __attribute__((unused)), const char *type)
38 {
39 int i;
40
41 for (i = 0; i < LUKS2_KEYSLOTS_MAX && keyslot_handlers[i]; i++) {
42 if (!strcmp(keyslot_handlers[i]->name, type))
43 return keyslot_handlers[i];
44 }
45
46 return NULL;
47 }
48
49 static const keyslot_handler
50 *LUKS2_keyslot_handler(struct crypt_device *cd, int keyslot)
51 {
52 struct luks2_hdr *hdr;
53 json_object *jobj1, *jobj2;
54
55 if (keyslot < 0)
56 return NULL;
57
58 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
59 return NULL;
60
61 if (!(jobj1 = LUKS2_get_keyslot_jobj(hdr, keyslot)))
62 return NULL;
63
64 if (!json_object_object_get_ex(jobj1, "type", &jobj2))
65 return NULL;
66
67 return LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj2));
68 }
69
70 int LUKS2_keyslot_find_empty(struct crypt_device *cd, struct luks2_hdr *hdr, size_t keylength)
71 {
72 int i;
73
74 for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++)
75 if (!LUKS2_get_keyslot_jobj(hdr, i))
76 break;
77
78 if (i == LUKS2_KEYSLOTS_MAX)
79 return -EINVAL;
80
81 /* Check also there is a space for the key in keyslots area */
82 if (keylength && LUKS2_find_area_gap(cd, hdr, keylength, NULL, NULL) < 0)
83 return -ENOSPC;
84
85 return i;
86 }
87
88 /* Check if a keyslot is assigned to specific segment */
89 static int _keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
90 {
91 int keyslot_digest, count = 0;
92 unsigned s;
93
94 keyslot_digest = LUKS2_digest_by_keyslot(hdr, keyslot);
95 if (keyslot_digest < 0)
96 return keyslot_digest;
97
98 if (segment >= 0)
99 return keyslot_digest == LUKS2_digest_by_segment(hdr, segment);
100
101 for (s = 0; s < json_segments_count(LUKS2_get_segments_jobj(hdr)); s++) {
102 if (keyslot_digest == LUKS2_digest_by_segment(hdr, s))
103 count++;
104 }
105
106 return count;
107 }
108
109 static int _keyslot_for_digest(struct luks2_hdr *hdr, int keyslot, int digest)
110 {
111 int r = -EINVAL;
112
113 r = LUKS2_digest_by_keyslot(hdr, keyslot);
114 if (r < 0)
115 return r;
116 return r == digest ? 0 : -ENOENT;
117 }
118
119 int LUKS2_keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
120 {
121 int r = -EINVAL;
122
123 /* no need to check anything */
124 if (segment == CRYPT_ANY_SEGMENT)
125 return 0; /* ok */
126 if (segment == CRYPT_DEFAULT_SEGMENT) {
127 segment = LUKS2_get_default_segment(hdr);
128 if (segment < 0)
129 return segment;
130 }
131
132 r = _keyslot_for_segment(hdr, keyslot, segment);
133 if (r < 0)
134 return r;
135
136 return r >= 1 ? 0 : -ENOENT;
137 }
138
139 /* Number of keyslots assigned to a segment or all keyslots for CRYPT_ANY_SEGMENT */
140 int LUKS2_keyslot_active_count(struct luks2_hdr *hdr, int segment)
141 {
142 int num = 0;
143 json_object *jobj_keyslots;
144
145 json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
146
147 json_object_object_foreach(jobj_keyslots, slot, val) {
148 UNUSED(val);
149 if (!LUKS2_keyslot_for_segment(hdr, atoi(slot), segment))
150 num++;
151 }
152
153 return num;
154 }
155
156 int LUKS2_keyslot_cipher_incompatible(struct crypt_device *cd, const char *cipher_spec)
157 {
158 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
159
160 if (!cipher_spec || crypt_is_cipher_null(cipher_spec))
161 return 1;
162
163 if (crypt_parse_name_and_mode(cipher_spec, cipher, NULL, cipher_mode) < 0)
164 return 1;
165
166 /* Keyslot is already authenticated; we cannot use integrity tags here */
167 if (crypt_get_integrity_tag_size(cd))
168 return 1;
169
170 /* Wrapped key schemes cannot be used for keyslot encryption */
171 if (crypt_cipher_wrapped_key(cipher, cipher_mode))
172 return 1;
173
174 /* Check if crypto backend can use the cipher */
175 if (crypt_cipher_ivsize(cipher, cipher_mode) < 0)
176 return 1;
177
178 return 0;
179 }
180
181 int LUKS2_keyslot_params_default(struct crypt_device *cd, struct luks2_hdr *hdr,
182 struct luks2_keyslot_params *params)
183 {
184 const struct crypt_pbkdf_type *pbkdf = crypt_get_pbkdf_type(cd);
185 const char *cipher_spec;
186 size_t key_size;
187 int r;
188
189 if (!hdr || !pbkdf || !params)
190 return -EINVAL;
191
192 /*
193 * set keyslot area encryption parameters
194 */
195 params->area_type = LUKS2_KEYSLOT_AREA_RAW;
196 cipher_spec = crypt_keyslot_get_encryption(cd, CRYPT_ANY_SLOT, &key_size);
197 if (!cipher_spec || !key_size)
198 return -EINVAL;
199
200 params->area.raw.key_size = key_size;
201 r = snprintf(params->area.raw.encryption, sizeof(params->area.raw.encryption), "%s", cipher_spec);
202 if (r < 0 || (size_t)r >= sizeof(params->area.raw.encryption))
203 return -EINVAL;
204
205 /*
206 * set keyslot AF parameters
207 */
208 params->af_type = LUKS2_KEYSLOT_AF_LUKS1;
209 /* currently we use hash for AF from pbkdf settings */
210 r = snprintf(params->af.luks1.hash, sizeof(params->af.luks1.hash), "%s", pbkdf->hash ?: DEFAULT_LUKS1_HASH);
211 if (r < 0 || (size_t)r >= sizeof(params->af.luks1.hash))
212 return -EINVAL;
213 params->af.luks1.stripes = 4000;
214
215 return 0;
216 }
217
218 int LUKS2_keyslot_pbkdf(struct luks2_hdr *hdr, int keyslot, struct crypt_pbkdf_type *pbkdf)
219 {
220 json_object *jobj_keyslot, *jobj_kdf, *jobj;
221
222 if (!hdr || !pbkdf)
223 return -EINVAL;
224
225 if (LUKS2_keyslot_info(hdr, keyslot) == CRYPT_SLOT_INVALID)
226 return -EINVAL;
227
228 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
229 if (!jobj_keyslot)
230 return -ENOENT;
231
232 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf))
233 return -EINVAL;
234
235 if (!json_object_object_get_ex(jobj_kdf, "type", &jobj))
236 return -EINVAL;
237
238 memset(pbkdf, 0, sizeof(*pbkdf));
239
240 pbkdf->type = json_object_get_string(jobj);
241 if (json_object_object_get_ex(jobj_kdf, "hash", &jobj))
242 pbkdf->hash = json_object_get_string(jobj);
243 if (json_object_object_get_ex(jobj_kdf, "iterations", &jobj))
244 pbkdf->iterations = json_object_get_int(jobj);
245 if (json_object_object_get_ex(jobj_kdf, "time", &jobj))
246 pbkdf->iterations = json_object_get_int(jobj);
247 if (json_object_object_get_ex(jobj_kdf, "memory", &jobj))
248 pbkdf->max_memory_kb = json_object_get_int(jobj);
249 if (json_object_object_get_ex(jobj_kdf, "cpus", &jobj))
250 pbkdf->parallel_threads = json_object_get_int(jobj);
251
252 return 0;
253 }
254
255 static int LUKS2_keyslot_unbound(struct luks2_hdr *hdr, int keyslot)
256 {
257 json_object *jobj_digest, *jobj_segments;
258 int digest = LUKS2_digest_by_keyslot(hdr, keyslot);
259
260 if (digest < 0)
261 return 0;
262
263 if (!(jobj_digest = LUKS2_get_digest_jobj(hdr, digest)))
264 return 0;
265
266 json_object_object_get_ex(jobj_digest, "segments", &jobj_segments);
267 if (!jobj_segments || !json_object_is_type(jobj_segments, json_type_array) ||
268 json_object_array_length(jobj_segments) == 0)
269 return 1;
270
271 return 0;
272 }
273
274 crypt_keyslot_info LUKS2_keyslot_info(struct luks2_hdr *hdr, int keyslot)
275 {
276 if(keyslot >= LUKS2_KEYSLOTS_MAX || keyslot < 0)
277 return CRYPT_SLOT_INVALID;
278
279 if (!LUKS2_get_keyslot_jobj(hdr, keyslot))
280 return CRYPT_SLOT_INACTIVE;
281
282 if (LUKS2_digest_by_keyslot(hdr, keyslot) < 0 ||
283 LUKS2_keyslot_unbound(hdr, keyslot))
284 return CRYPT_SLOT_UNBOUND;
285
286 if (LUKS2_keyslot_active_count(hdr, CRYPT_DEFAULT_SEGMENT) == 1 &&
287 !LUKS2_keyslot_for_segment(hdr, keyslot, CRYPT_DEFAULT_SEGMENT))
288 return CRYPT_SLOT_ACTIVE_LAST;
289
290 return CRYPT_SLOT_ACTIVE;
291 }
292
293 int LUKS2_keyslot_jobj_area(json_object *jobj_keyslot, uint64_t *offset, uint64_t *length)
294 {
295 json_object *jobj_area, *jobj;
296
297 if (!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
298 return -EINVAL;
299
300 if (!json_object_object_get_ex(jobj_area, "offset", &jobj))
301 return -EINVAL;
302 *offset = crypt_jobj_get_uint64(jobj);
303
304 if (!json_object_object_get_ex(jobj_area, "size", &jobj))
305 return -EINVAL;
306 *length = crypt_jobj_get_uint64(jobj);
307
308 return 0;
309 }
310
311 int LUKS2_keyslot_area(struct luks2_hdr *hdr,
312 int keyslot,
313 uint64_t *offset,
314 uint64_t *length)
315 {
316 json_object *jobj_keyslot;
317
318 if (LUKS2_keyslot_info(hdr, keyslot) == CRYPT_SLOT_INVALID)
319 return -EINVAL;
320
321 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
322 if (!jobj_keyslot)
323 return -ENOENT;
324
325 return LUKS2_keyslot_jobj_area(jobj_keyslot, offset, length);
326 }
327
328 static int _open_and_verify(struct crypt_device *cd,
329 struct luks2_hdr *hdr,
330 const keyslot_handler *h,
331 int keyslot,
332 const char *password,
333 size_t password_len,
334 struct volume_key **vk)
335 {
336 int r, key_size = LUKS2_get_keyslot_stored_key_size(hdr, keyslot);
337
338 if (key_size < 0)
339 return -EINVAL;
340
341 *vk = crypt_alloc_volume_key(key_size, NULL);
342 if (!*vk)
343 return -ENOMEM;
344
345 r = h->open(cd, keyslot, password, password_len, (*vk)->key, (*vk)->keylength);
346 if (r < 0)
347 log_dbg(cd, "Keyslot %d (%s) open failed with %d.", keyslot, h->name, r);
348 else
349 r = LUKS2_digest_verify(cd, hdr, *vk, keyslot);
350
351 if (r < 0) {
352 crypt_free_volume_key(*vk);
353 *vk = NULL;
354 }
355
356 crypt_volume_key_set_id(*vk, r);
357
358 return r < 0 ? r : keyslot;
359 }
360
361 static int LUKS2_open_and_verify_by_digest(struct crypt_device *cd,
362 struct luks2_hdr *hdr,
363 int keyslot,
364 int digest,
365 const char *password,
366 size_t password_len,
367 struct volume_key **vk)
368 {
369 const keyslot_handler *h;
370 int r;
371
372 if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
373 return -ENOENT;
374
375 r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
376 if (r) {
377 log_dbg(cd, "Keyslot %d validation failed.", keyslot);
378 return r;
379 }
380
381 r = _keyslot_for_digest(hdr, keyslot, digest);
382 if (r) {
383 if (r == -ENOENT)
384 log_dbg(cd, "Keyslot %d unusable for digest %d.", keyslot, digest);
385 return r;
386 }
387
388 return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
389 }
390
391 static int LUKS2_open_and_verify(struct crypt_device *cd,
392 struct luks2_hdr *hdr,
393 int keyslot,
394 int segment,
395 const char *password,
396 size_t password_len,
397 struct volume_key **vk)
398 {
399 const keyslot_handler *h;
400 int r;
401
402 if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
403 return -ENOENT;
404
405 r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
406 if (r) {
407 log_dbg(cd, "Keyslot %d validation failed.", keyslot);
408 return r;
409 }
410
411 r = LUKS2_keyslot_for_segment(hdr, keyslot, segment);
412 if (r) {
413 if (r == -ENOENT)
414 log_dbg(cd, "Keyslot %d unusable for segment %d.", keyslot, segment);
415 return r;
416 }
417
418 return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
419 }
420
421 static int LUKS2_keyslot_open_priority_digest(struct crypt_device *cd,
422 struct luks2_hdr *hdr,
423 crypt_keyslot_priority priority,
424 const char *password,
425 size_t password_len,
426 int digest,
427 struct volume_key **vk)
428 {
429 json_object *jobj_keyslots, *jobj;
430 crypt_keyslot_priority slot_priority;
431 int keyslot, r = -ENOENT;
432
433 json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
434
435 json_object_object_foreach(jobj_keyslots, slot, val) {
436 if (!json_object_object_get_ex(val, "priority", &jobj))
437 slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
438 else
439 slot_priority = json_object_get_int(jobj);
440
441 keyslot = atoi(slot);
442 if (slot_priority != priority) {
443 log_dbg(cd, "Keyslot %d priority %d != %d (required), skipped.",
444 keyslot, slot_priority, priority);
445 continue;
446 }
447
448 r = LUKS2_open_and_verify_by_digest(cd, hdr, keyslot, digest, password, password_len, vk);
449
450 /* Do not retry for errors that are no -EPERM or -ENOENT,
451 former meaning password wrong, latter key slot unusable for segment */
452 if ((r != -EPERM) && (r != -ENOENT))
453 break;
454 }
455
456 return r;
457 }
458
459 static int LUKS2_keyslot_open_priority(struct crypt_device *cd,
460 struct luks2_hdr *hdr,
461 crypt_keyslot_priority priority,
462 const char *password,
463 size_t password_len,
464 int segment,
465 struct volume_key **vk)
466 {
467 json_object *jobj_keyslots, *jobj;
468 crypt_keyslot_priority slot_priority;
469 int keyslot, r = -ENOENT;
470
471 json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
472
473 json_object_object_foreach(jobj_keyslots, slot, val) {
474 if (!json_object_object_get_ex(val, "priority", &jobj))
475 slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
476 else
477 slot_priority = json_object_get_int(jobj);
478
479 keyslot = atoi(slot);
480 if (slot_priority != priority) {
481 log_dbg(cd, "Keyslot %d priority %d != %d (required), skipped.",
482 keyslot, slot_priority, priority);
483 continue;
484 }
485
486 r = LUKS2_open_and_verify(cd, hdr, keyslot, segment, password, password_len, vk);
487
488 /* Do not retry for errors that are no -EPERM or -ENOENT,
489 former meaning password wrong, latter key slot unusable for segment */
490 if ((r != -EPERM) && (r != -ENOENT))
491 break;
492 }
493
494 return r;
495 }
496
497 static int LUKS2_keyslot_open_by_digest(struct crypt_device *cd,
498 struct luks2_hdr *hdr,
499 int keyslot,
500 int digest,
501 const char *password,
502 size_t password_len,
503 struct volume_key **vk)
504 {
505 int r_prio, r = -EINVAL;
506
507 if (digest < 0)
508 return r;
509
510 if (keyslot == CRYPT_ANY_SLOT) {
511 r_prio = LUKS2_keyslot_open_priority_digest(cd, hdr, CRYPT_SLOT_PRIORITY_PREFER,
512 password, password_len, digest, vk);
513 if (r_prio >= 0)
514 r = r_prio;
515 else if (r_prio != -EPERM && r_prio != -ENOENT)
516 r = r_prio;
517 else
518 r = LUKS2_keyslot_open_priority_digest(cd, hdr, CRYPT_SLOT_PRIORITY_NORMAL,
519 password, password_len, digest, vk);
520 /* Prefer password wrong to no entry from priority slot */
521 if (r_prio == -EPERM && r == -ENOENT)
522 r = r_prio;
523 } else
524 r = LUKS2_open_and_verify_by_digest(cd, hdr, keyslot, digest, password, password_len, vk);
525
526 return r;
527 }
528
529 int LUKS2_keyslot_open_all_segments(struct crypt_device *cd,
530 int keyslot_old,
531 int keyslot_new,
532 const char *password,
533 size_t password_len,
534 struct volume_key **vks)
535 {
536 struct volume_key *vk = NULL;
537 int digest_old, digest_new, r = -EINVAL;
538 struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
539
540 digest_old = LUKS2_reencrypt_digest_old(hdr);
541 if (digest_old >= 0) {
542 log_dbg(cd, "Trying to unlock volume key (digest: %d) using keyslot %d.", digest_old, keyslot_old);
543 r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_old, digest_old, password, password_len, &vk);
544 if (r < 0)
545 goto out;
546 crypt_volume_key_add_next(vks, vk);
547 }
548
549 digest_new = LUKS2_reencrypt_digest_new(hdr);
550 if (digest_new >= 0 && digest_old != digest_new) {
551 log_dbg(cd, "Trying to unlock volume key (digest: %d) using keyslot %d.", digest_new, keyslot_new);
552 r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_new, digest_new, password, password_len, &vk);
553 if (r < 0)
554 goto out;
555 crypt_volume_key_add_next(vks, vk);
556 }
557 out:
558 if (r < 0) {
559 crypt_free_volume_key(*vks);
560 *vks = NULL;
561
562 if (r == -ENOMEM)
563 log_err(cd, _("Not enough available memory to open a keyslot."));
564 else if (r != -EPERM && r != -ENOENT)
565 log_err(cd, _("Keyslot open failed."));
566 }
567 return r;
568 }
569
570 int LUKS2_keyslot_open(struct crypt_device *cd,
571 int keyslot,
572 int segment,
573 const char *password,
574 size_t password_len,
575 struct volume_key **vk)
576 {
577 struct luks2_hdr *hdr;
578 int r_prio, r = -EINVAL;
579
580 hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
581
582 if (keyslot == CRYPT_ANY_SLOT) {
583 r_prio = LUKS2_keyslot_open_priority(cd, hdr, CRYPT_SLOT_PRIORITY_PREFER,
584 password, password_len, segment, vk);
585 if (r_prio >= 0)
586 r = r_prio;
587 else if (r_prio != -EPERM && r_prio != -ENOENT)
588 r = r_prio;
589 else
590 r = LUKS2_keyslot_open_priority(cd, hdr, CRYPT_SLOT_PRIORITY_NORMAL,
591 password, password_len, segment, vk);
592 /* Prefer password wrong to no entry from priority slot */
593 if (r_prio == -EPERM && r == -ENOENT)
594 r = r_prio;
595 } else
596 r = LUKS2_open_and_verify(cd, hdr, keyslot, segment, password, password_len, vk);
597
598 if (r < 0) {
599 if (r == -ENOMEM)
600 log_err(cd, _("Not enough available memory to open a keyslot."));
601 else if (r != -EPERM && r != -ENOENT)
602 log_err(cd, _("Keyslot open failed."));
603 }
604
605 return r;
606 }
607
608 int LUKS2_keyslot_reencrypt_allocate(struct crypt_device *cd,
609 struct luks2_hdr *hdr,
610 int keyslot,
611 const struct crypt_params_reencrypt *params)
612 {
613 const keyslot_handler *h;
614 int r;
615
616 if (keyslot == CRYPT_ANY_SLOT)
617 return -EINVAL;
618
619 h = LUKS2_keyslot_handler_type(cd, "reencrypt");
620 if (!h)
621 return -EINVAL;
622
623 r = reenc_keyslot_alloc(cd, hdr, keyslot, params);
624 if (r < 0)
625 return r;
626
627 r = LUKS2_keyslot_priority_set(cd, hdr, keyslot, CRYPT_SLOT_PRIORITY_IGNORE, 0);
628 if (r < 0)
629 return r;
630
631 r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
632 if (r) {
633 log_dbg(cd, "Keyslot validation failed.");
634 return r;
635 }
636
637 return 0;
638 }
639
640 int LUKS2_keyslot_reencrypt_store(struct crypt_device *cd,
641 struct luks2_hdr *hdr,
642 int keyslot,
643 const void *buffer,
644 size_t buffer_length)
645 {
646 const keyslot_handler *h;
647 int r;
648
649 if (!(h = LUKS2_keyslot_handler(cd, keyslot)) || strcmp(h->name, "reencrypt"))
650 return -EINVAL;
651
652 r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
653 if (r) {
654 log_dbg(cd, "Keyslot validation failed.");
655 return r;
656 }
657
658 return h->store(cd, keyslot, NULL, 0,
659 buffer, buffer_length);
660 }
661
662 int LUKS2_keyslot_store(struct crypt_device *cd,
663 struct luks2_hdr *hdr,
664 int keyslot,
665 const char *password,
666 size_t password_len,
667 const struct volume_key *vk,
668 const struct luks2_keyslot_params *params)
669 {
670 const keyslot_handler *h;
671 int r;
672
673 if (keyslot == CRYPT_ANY_SLOT)
674 return -EINVAL;
675
676 if (!LUKS2_get_keyslot_jobj(hdr, keyslot)) {
677 /* Try to allocate default and empty keyslot type */
678 h = LUKS2_keyslot_handler_type(cd, "luks2");
679 if (!h)
680 return -EINVAL;
681
682 r = h->alloc(cd, keyslot, vk->keylength, params);
683 if (r)
684 return r;
685 } else {
686 if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
687 return -EINVAL;
688
689 r = h->update(cd, keyslot, params);
690 if (r) {
691 log_dbg(cd, "Failed to update keyslot %d json.", keyslot);
692 return r;
693 }
694 }
695
696 r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
697 if (r) {
698 log_dbg(cd, "Keyslot validation failed.");
699 return r;
700 }
701
702 if (LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
703 return -EINVAL;
704
705 return h->store(cd, keyslot, password, password_len,
706 vk->key, vk->keylength);
707 }
708
709 int LUKS2_keyslot_wipe(struct crypt_device *cd,
710 struct luks2_hdr *hdr,
711 int keyslot,
712 int wipe_area_only)
713 {
714 struct device *device = crypt_metadata_device(cd);
715 uint64_t area_offset, area_length;
716 int r;
717 json_object *jobj_keyslot, *jobj_keyslots;
718 const keyslot_handler *h;
719
720 h = LUKS2_keyslot_handler(cd, keyslot);
721
722 if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
723 return -EINVAL;
724
725 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
726 if (!jobj_keyslot)
727 return -ENOENT;
728
729 if (wipe_area_only)
730 log_dbg(cd, "Wiping keyslot %d area only.", keyslot);
731
732 r = LUKS2_device_write_lock(cd, hdr, device);
733 if (r)
734 return r;
735
736 /* secure deletion of possible key material in keyslot area */
737 r = crypt_keyslot_area(cd, keyslot, &area_offset, &area_length);
738 if (r && r != -ENOENT)
739 goto out;
740
741 if (!r) {
742 r = crypt_wipe_device(cd, device, CRYPT_WIPE_SPECIAL, area_offset,
743 area_length, area_length, NULL, NULL);
744 if (r) {
745 if (r == -EACCES) {
746 log_err(cd, _("Cannot write to device %s, permission denied."),
747 device_path(device));
748 r = -EINVAL;
749 } else
750 log_err(cd, _("Cannot wipe device %s."), device_path(device));
751 goto out;
752 }
753 }
754
755 if (wipe_area_only)
756 goto out;
757
758 /* Slot specific wipe */
759 if (h) {
760 r = h->wipe(cd, keyslot);
761 if (r < 0)
762 goto out;
763 } else
764 log_dbg(cd, "Wiping keyslot %d without specific-slot handler loaded.", keyslot);
765
766 json_object_object_del_by_uint(jobj_keyslots, keyslot);
767
768 r = LUKS2_hdr_write(cd, hdr);
769 out:
770 device_write_unlock(cd, crypt_metadata_device(cd));
771 return r;
772 }
773
774 int LUKS2_keyslot_dump(struct crypt_device *cd, int keyslot)
775 {
776 const keyslot_handler *h;
777
778 if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
779 return -EINVAL;
780
781 return h->dump(cd, keyslot);
782 }
783
784 crypt_keyslot_priority LUKS2_keyslot_priority_get(struct crypt_device *cd __attribute__((unused)),
785 struct luks2_hdr *hdr, int keyslot)
786 {
787 json_object *jobj_keyslot, *jobj_priority;
788
789 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
790 if (!jobj_keyslot)
791 return CRYPT_SLOT_PRIORITY_INVALID;
792
793 if (!json_object_object_get_ex(jobj_keyslot, "priority", &jobj_priority))
794 return CRYPT_SLOT_PRIORITY_NORMAL;
795
796 return json_object_get_int(jobj_priority);
797 }
798
799 int LUKS2_keyslot_priority_set(struct crypt_device *cd, struct luks2_hdr *hdr,
800 int keyslot, crypt_keyslot_priority priority, int commit)
801 {
802 json_object *jobj_keyslot;
803
804 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
805 if (!jobj_keyslot)
806 return -EINVAL;
807
808 if (priority == CRYPT_SLOT_PRIORITY_NORMAL)
809 json_object_object_del(jobj_keyslot, "priority");
810 else
811 json_object_object_add(jobj_keyslot, "priority", json_object_new_int(priority));
812
813 return commit ? LUKS2_hdr_write(cd, hdr) : 0;
814 }
815
816 int placeholder_keyslot_alloc(struct crypt_device *cd,
817 int keyslot,
818 uint64_t area_offset,
819 uint64_t area_length,
820 size_t volume_key_len __attribute__((unused)))
821 {
822 struct luks2_hdr *hdr;
823 json_object *jobj_keyslots, *jobj_keyslot, *jobj_area;
824
825 log_dbg(cd, "Allocating placeholder keyslot %d for LUKS1 down conversion.", keyslot);
826
827 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
828 return -EINVAL;
829
830 if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX)
831 return -EINVAL;
832
833 if (LUKS2_get_keyslot_jobj(hdr, keyslot))
834 return -EINVAL;
835
836 if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
837 return -EINVAL;
838
839 jobj_keyslot = json_object_new_object();
840 json_object_object_add(jobj_keyslot, "type", json_object_new_string("placeholder"));
841 /*
842 * key_size = -1 makes placeholder keyslot impossible to pass validation.
843 * It's a safeguard against accidentally storing temporary conversion
844 * LUKS2 header.
845 */
846 json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(-1));
847
848 /* Area object */
849 jobj_area = json_object_new_object();
850 json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
851 json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
852 json_object_object_add(jobj_keyslot, "area", jobj_area);
853
854 json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
855
856 return 0;
857 }
858
859 static unsigned LUKS2_get_keyslot_digests_count(json_object *hdr_jobj, int keyslot)
860 {
861 char num[16];
862 json_object *jobj_digests, *jobj_keyslots;
863 unsigned count = 0;
864
865 if (!json_object_object_get_ex(hdr_jobj, "digests", &jobj_digests))
866 return 0;
867
868 if (snprintf(num, sizeof(num), "%u", keyslot) < 0)
869 return 0;
870
871 json_object_object_foreach(jobj_digests, key, val) {
872 UNUSED(key);
873 json_object_object_get_ex(val, "keyslots", &jobj_keyslots);
874 if (LUKS2_array_jobj(jobj_keyslots, num))
875 count++;
876 }
877
878 return count;
879 }
880
881 /* run only on header that passed basic format validation */
882 int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj)
883 {
884 const keyslot_handler *h;
885 int keyslot;
886 json_object *jobj_keyslots, *jobj_type;
887 uint32_t reqs, reencrypt_count = 0;
888 struct luks2_hdr dummy = {
889 .jobj = hdr_jobj
890 };
891
892 if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
893 return -EINVAL;
894
895 if (LUKS2_config_get_requirements(cd, &dummy, &reqs))
896 return -EINVAL;
897
898 json_object_object_foreach(jobj_keyslots, slot, val) {
899 keyslot = atoi(slot);
900 json_object_object_get_ex(val, "type", &jobj_type);
901 h = LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj_type));
902 if (!h)
903 continue;
904 if (h->validate && h->validate(cd, val)) {
905 log_dbg(cd, "Keyslot type %s validation failed on keyslot %d.", h->name, keyslot);
906 return -EINVAL;
907 }
908
909 if (!strcmp(h->name, "luks2") && LUKS2_get_keyslot_digests_count(hdr_jobj, keyslot) != 1) {
910 log_dbg(cd, "Keyslot %d is not assigned to exactly 1 digest.", keyslot);
911 return -EINVAL;
912 }
913
914 if (!strcmp(h->name, "reencrypt"))
915 reencrypt_count++;
916 }
917
918 if ((reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT) && reencrypt_count == 0) {
919 log_dbg(cd, "Missing reencryption keyslot.");
920 return -EINVAL;
921 }
922
923 if (!(reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT) && reencrypt_count) {
924 log_dbg(cd, "Missing reencryption requirement flag.");
925 return -EINVAL;
926 }
927
928 if (reencrypt_count > 1) {
929 log_dbg(cd, "Too many reencryption keyslots.");
930 return -EINVAL;
931 }
932
933 return 0;
934 }
935
936 void LUKS2_keyslots_repair(struct crypt_device *cd, json_object *jobj_keyslots)
937 {
938 const keyslot_handler *h;
939 json_object *jobj_type;
940
941 json_object_object_foreach(jobj_keyslots, slot, val) {
942 UNUSED(slot);
943 if (!json_object_is_type(val, json_type_object) ||
944 !json_object_object_get_ex(val, "type", &jobj_type) ||
945 !json_object_is_type(jobj_type, json_type_string))
946 continue;
947
948 h = LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj_type));
949 if (h && h->repair)
950 h->repair(cd, val);
951 }
952 }
953
954 /* assumes valid header */
955 int LUKS2_find_keyslot(struct luks2_hdr *hdr, const char *type)
956 {
957 int i;
958 json_object *jobj_keyslot, *jobj_type;
959
960 if (!type)
961 return -EINVAL;
962
963 for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++) {
964 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, i);
965 if (!jobj_keyslot)
966 continue;
967
968 json_object_object_get_ex(jobj_keyslot, "type", &jobj_type);
969 if (!strcmp(json_object_get_string(jobj_type), type))
970 return i;
971 }
972
973 return -ENOENT;
974 }
975
976 /* assumes valid header, it does not move references in tokens/digests etc! */
977 int LUKS2_keyslot_swap(struct crypt_device *cd, struct luks2_hdr *hdr,
978 int keyslot, int keyslot2)
979 {
980 json_object *jobj_keyslots, *jobj_keyslot, *jobj_keyslot2;
981 int r;
982
983 if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
984 return -EINVAL;
985
986 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
987 if (!jobj_keyslot)
988 return -EINVAL;
989
990 jobj_keyslot2 = LUKS2_get_keyslot_jobj(hdr, keyslot2);
991 if (!jobj_keyslot2)
992 return -EINVAL;
993
994 /* This transfer owner of object, no need for json_object_put */
995 json_object_get(jobj_keyslot);
996 json_object_get(jobj_keyslot2);
997
998 json_object_object_del_by_uint(jobj_keyslots, keyslot);
999 r = json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot2);
1000 if (r < 0) {
1001 log_dbg(cd, "Failed to swap keyslot %d.", keyslot);
1002 return r;
1003 }
1004
1005 json_object_object_del_by_uint(jobj_keyslots, keyslot2);
1006 r = json_object_object_add_by_uint(jobj_keyslots, keyslot2, jobj_keyslot);
1007 if (r < 0)
1008 log_dbg(cd, "Failed to swap keyslot2 %d.", keyslot2);
1009
1010 return r;
1011 }